ISACA Certification: CISA Exam (ISACA.CISA.v2024-12-27.q999 Dumps)

Question 461

Which of the following is the MOST significant operational risk associated with the use of virtualization?

Correct Answer: D

Question 462

What is the recommended minimum length of a good password?

Correct Answer: B
Section: Protection of Information Assets
Explanation:
Passwords are the first line of defense in protecting your data and information. Your users need to be made aware of what a password provides them and what can be done with their password. They also need to be made aware of the things that make up a good password versus a bad password. A good password has mixed-case alphabetic characters, numbers, and symbols. Use a password that is at least eight characters long.

Question 463

Which of the following is MOST important for an IS auditor to review when evaluating the accuracy of a spreadsheet that contains several macros?

Correct Answer: C

Question 464

If senior management is not committed to strategic planning, how likely is it that a company's implementation of IT will be successful?

Correct Answer: C
Section: Protection of Information Assets
Explanation:
A company's implementation of IT will be less likely to succeed if senior management is not committed to strategic planning.

Question 465

The PRIMARY purpose of an incident response plan is to:

Correct Answer: A
The primary purpose of an incident response plan is to reduce the impact of an adverse event on information assets. An incident response plan is a set of instructions and procedures that guide the organization's actions in the event of a security breach, cyberattack, or other disruption that affects its information systems and data. An incident response plan aims to:
* Detect and identify the incident as soon as possible.
* Contain and isolate the incident to prevent further damage or spread.
* Analyze and investigate the incident to determine its cause, scope, and impact.
* Eradicate and eliminate the incident and its root causes from the affected systems and data.
* Recover and restore the normal operations and functionality of the systems and data.
* Learn and improve from the incident by documenting the lessons learned, best practices, and recommendations for future prevention and mitigation.
By following an incident response plan, the organization can minimize the negative consequences of an adverse event on its information assets, such as:
* Loss or corruption of data or information.
* Disclosure or theft of confidential or sensitive data or information.
* Interruption or degradation of system or service availability or performance.
* Legal or regulatory noncompliance or liability.
* Financial or reputational loss or damage.
An incident response plan also helps the organization to demonstrate its due diligence and accountability in protecting its information assets and complying with its legal and contractual obligations.
The other options are not the primary purpose of an incident response plan, although they may be secondary benefits or outcomes of having one.
Increasing the effectiveness of preventive controls is not the primary purpose of an incident response plan. Preventive controls are controls that aim to prevent or deter incidents from occurring in the first place, such as firewalls, antivirus software, encryption, authentication, etc. An incident response plan is a reactive control that deals with incidents after they have occurred. However, an incident response plan may help to improve the effectiveness of preventive controls by identifying and addressing their weaknesses or gaps.
Reducing the maximum tolerable downtime (MTD) of impacted systems is not the primary purpose of an incident response plan. MTD is a measure of how long an organization can tolerate a system or service outage before it causes unacceptable harm or loss to its business operations or objectives. An incident response plan may help to reduce the MTD of impacted systems by facilitating a faster and smoother recovery process. However, reducing the MTD is not the main goal of an incident response plan, but rather a desired outcome.
Increasing awareness of impacts from adverse events to IT systems is not the primary purpose of an incident response plan. Awareness is a state of being informed or conscious of something. An incident response plan may help to increase awareness of impacts from adverse events to IT systems by providing information and communication channels for stakeholders, such as management, employees, customers, regulators, etc. However, increasing awareness is not the main objective of an incident response plan, but rather a means to achieve other objectives, such as reducing impact, ensuring compliance, or maintaining trust.