Interested to Buy Any Domain ? << Click Here >> for more details...
A primary function of risk management is the identification
of cost-effective controls. In selecting appropriate
controls, which of the following methods is best to study
the effectiveness of adding various safeguards in reducing
vulnerabilities?
A. "What if" analysis
B. Traditional cost/benefit analysis
C. Screening analysis
D. A "back-of-the-envelope" analysis
- 1 Answers
- 4412 Views
- I also Faced
- E-Mail Answers
Answer / guest
Answer: A
Choice (A) is the correct answer. With the "what if"
analysis method, the effect of adding various safeguards
(and therefore reducing vulnerabilities) is tested to see
what difference each makes. Trade-offs can then be made
based on the cost of the safeguard and its benefit in terms
of reduced risk. Choice (B) is incorrect. In traditional
cost/benefit analysis, the cost is based on the purchase and
operating costs of safeguards. The benefit is calculated
based on an expected decrease in future losses. Choice (C)
is incorrect. Screening analysis can be used to concentrate
on the highest-risk areas. One method is to examine risks
with very severe consequences, such as a high dollar loss or
loss of life. Choice (D) is incorrect. With "back-of-the
envelope" analysis, a high-medium-low ranking can often
provide all the information needed. However, especially for
the selection of expensive safeguards or the analysis of
systems with unknown consequences, more in-depth analysis
may be warranted.
| Is This Answer Correct ? | 3 Yes | 0 No |
An IS auditor performing a review of the IS department discovers that formal project approval procedures do not exist. In the absence of these procedures the IS manager has been arbitrarily approving projects that can be completed in a short duration and referring other more complicated projects to higher levels of management for approval. The IS auditor should recommend as a FIRST course of action that: A. users participate in the review and approval process. B. formal approval procedures be adopted and documented. C. projects be referred to appropriate levels of management for approval. D. the IS manager's job description be changed to include approval authority.
An IS auditor discovers that an organization?s business continuity plan provides for an alternate processing site that will accommodate fifty percent of the primary processing capability. Based on this, which of the following actions should the IS auditor take? A. Do nothing, because generally, less than twenty-five percent of all processing is critical to an organization?s survival and the backup capacity, therefore is adequate. B. Identify applications that could be processed at the alternate site and develop manual procedures to backup other processing. C. Ensure that critical applications have been identified and that the alternate site could process all such applications. D. Recommend that the information processing facility arrange for an alternate processing site with the capacity to handle at least seventy-five percent of normal processing.
The PKI element that manages the certificate life cycle, including certificate directory maintenance and certificate revocation list (CRL) maintenance and publication is the: A. certificate authority. B. digital certificate. C. certification practice statement. D. registration authority.
Which of the following is a telecommunication device that translates data from digital form to analog form and back to digital? A. Multiplexer B. Modem C. Protocol converter D. Concentrator
The MAIN reason for requiring that all computer clocks across an organization be synchronized is to: A. prevent omission or duplication of transactions. B. ensure smooth data transition from client machines to servers. C. ensure that email messages have accurate time stamps. D. support the incident investigation process.
Which of the following is the MOST reasonable option for recovering a noncritical system? A. Warm site B. Mobile site C. Hot site D. Cold site
Which of the following is a dynamic analysis tool for the purpose of testing software modules? A. Blackbox test B. Desk checking C. Structured walk-through D. Design and code
During an IS audit of the disaster recovery plan (DRP) of a global enterprise, the auditor observes that some remote offices have very limited local IT resources. Which of the following observations would be the MOST critical for the IS auditor? A. A test has not been made to ensure that local resources could maintain security and service standards when recovering from a disaster or incident. B. The corporate business continuity plan (BCP) does not accurately document the systems that exist at remote offices. C. Corporate security measures have not been incorporated into the test plan. D. A test has not been made to ensure that tape backups from the remote offices are usable.
When a complete segregation of duties cannot be achieved in an online system environment, which of the following functions should be separated from the others? A. Origination B. Authorization C. Recording D. Correction
Which of the following are data file controls? A. Internal and external labeling B. Limit check and logical relationship checks C. Total items and hash totals D. Report distribution procedures
The MOST appropriate person to chair the steering committee for a system development project with significant impact on a business area would be the: A. business analyst. B. chief information officer. C. project manager. D. executive level manager.
Which of the following is a control to detect an unauthorized change in a production environment? A. Denying programmers access to production data. B. Requiring change request to include benefits and costs. C. Periodically comparing control and current object and source programs. D. Establishing procedures for emergency changes.
Cisco Certifications 
