The MAJOR advantage of the risk assessment approach over the
baseline approach to information security management is that
it ensures:
A. information assets are over protected.
B. a basic level of protection is applied regardless of
asset value.
C. appropriate levels of protection are applied to
information assets.
D. an equal proportion of resources are devoted to
protecting all information assets.
- 1 Answers
- 7112 Views
- I also Faced
- E-Mail Answers
Answer / guest
Answer: C
Full risk assessment determines the level of protection most
appropriate to a given level of risk, while the baseline
approach merely applies a standard set of protection
regardless of risk. There is a cost advantage in not over
protecting information. However, an even bigger advantage is
making sure that no information assets are over or under
protected. The risk assessment approach will ensure an
appropriate level of protection is applied commensurate with
the level of risk and asset value, and therefore, considers
asset value. The baseline approach allows more resources to
be directed towards the assets at greater risk rather than
equally directing resources to all assets.
| Is This Answer Correct ? | 5 Yes | 0 No |
An IS auditor is conducting substantive audit tests of a new accounts receivable module. The IS auditor has a tight schedule and limited computer expertise. Which would be the BEST audit technique to use in this situation? A. Test data B. Parallel simulation C. Integrated test facility D. Embedded audit module
Which of the following is an IS control objective? A. Output reports are locked in a safe place. B. Duplicate transactions do not occur. C. System backup/recovery procedures are updated periodically. D. System design and development meet users' requirements.
Which of the following would an IS auditor consider to be the MOST helpful when evaluating the effectiveness and adequacy of a computer preventive maintenance program? A. A system downtime log B. Vendors' reliability figures C. Regularly scheduled maintenance log D. A written preventive maintenance schedule
The MOST effective method for limiting the damage of an attack by a software virus is: A. software controls. B. policies, standards and procedures. C. logical access controls. D. data communication standards.
Which of the following Internet security threats could compromise integrity? A. Theft of data from the client B. Exposure of network configuration information C. A trojan horse browser D. Eavesdropping on the net
An IS auditor conducting a review of disaster recovery planning at a financial processing organization has discovered the following: * The existing disaster recovery plan was compiled two years ago by a systems analyst in the organization's IT department using transaction flow projections from the operations department. * The plan was presented to the deputy CEO for approval and formal issue, but it is still awaiting his attention. * The plan has never been updated, tested or circulated to key management and staff, though interviews show that each would know what action to take for their area in the event of a disruptive incident. The IS auditor's report should recommend that: A. the deputy CEO be censured for his failure to approve the plan. B. a board of senior managers be set up to review the existing plan. C. the existing plan be approved and circulated to all key management and staff. D. a manager coordinate the creation of a new or revised plan within a defined time limit.
A strength of an implemented quality system based on ISO 9001 is that it: A. guarantees quality solutions to business problems. B. results in improved software life cycle activities. C. provides clear answers to questions concerning cost-effectiveness. D. does not depend on the maturity of the implemented quality system.
Security administration procedures require read-only access to: A. access control tables. B. security log files. C. logging options. D. user profiles.
Which of the following procedures should be implemented to help ensure the completeness of inbound transactions via electronic data interchange (EDI)? A. Segment counts built into the transaction set trailer B. A log of the number of messages received, periodically verified with the transaction originator C. An electronic audit trail for accountability and tracking D. Matching acknowledgement transactions received to the log of EDI messages sent
Java applets and ActiveX controls are distributed executable programs that execute in the background of a web browser client. This practice is considered reasonable when: A. a firewall exists. B. a secure web connection is used. C. the source of the executable is certain. D. the host website is part of your organization.
The most common problem in the operation of an intrusion detection system (IDS) is: A. the detection of false positives. B. receiving trap messages. C. reject error rates. D. denial-of-service attacks.
A vendor/contractor?s performance against service level agreements must be evaluated by the: A. customer. B. contractor. C. third-party. D. contractor?s management.
Cisco Certifications 
