AIS Quiz Questions Test 3
Which of the following is not one of the three important factors determining the strength of any encryption system? A. Choice of Ciphertext B. Key length C. Key management policies D. Encryption algorithm
A. Choice of Ciphertext
Which of the following is true? A. Cloud computing is a control technique for system availability. B. Cloud computing eliminates the need for security. C. Cloud computing eliminates the need for backup of applications and data. D. Cloud computing refers to the practice of storing application files and backup data on satellites in the clouds.
A. Cloud computing is a control technique for system availability.
Which of the following statements is false? A. Organizations should not provide individuals with the ability to access, review, correct, or delete the personal information stored about them. B. Employee use of e-mail and instant messaging probably represents two of the greatest threats to the confidentiality of sensitive information. C. To protect yourself from identity theft you should only print your initials and last name, rather than your full name on checks. D. The phrase "garbage in, garbage out" highlights the importance of data quality.
A. Organizations should not provide individuals with the ability to access, review, correct, or delete the personal information stored about them.
Which of the following data entry controls would not be useful if you are recording the checkout of library books by members? A. Sequence check B. Closed loop verification C. Prompting D. Validity check
A. Sequence check
Which of the following statements is true? A. Symmetric encryption is faster than asymmetric encryption but cannot be used to provide nonrepudiation of contracts. B. Symmetric encryption is faster than asymmetric encryption and can be used to provide nonrepudiation of contracts. C. Asymmetric encryption is faster than symmetric encryption and can be used to provide nonrepudiation of contracts. D. Asymmetric encryption is faster than symmetric encryption but cannot be used to provide nonrepudiation of contracts.
A. Symmetric encryption is faster than asymmetric encryption but cannot be used to provide nonrepudiation of contracts.
Which of the following requires organizations to protect the privacy of their customers' personal information? A. The Health Insurance Portability and Accountability Act B. COBIT DS 11 C. AICPA D. Data Loss Prevention Act
A. The Health Insurance Portability and Accountability Act
A client approached Paxton Uffe and said, "Paxton, I need for my customers to make payments online using credit cards, but I want to make sure that the credit card data isn't intercepted. What do you suggest?" Paxton responded, "The most effective solution is to implement A. an encryption system with digital signatures." B. a private cloud environment." C. a data masking program." D. Hashing."
A. an encryption system with digital signatures."
A digital signature is ___________ A. created by hashing a document and then encrypting the hash with the signer's private key B. created by hashing a document and then encrypting the hash with the signer's public key C. created by hashing a document and then encrypting the hash with the signer's symmetric key D. none of the above
A. created by hashing a document and then encrypting the hash with the signer's private key
Which of the following techniques is the most effective one for a firewall to use to protect the perimeter? A. deep packet inspection B. packet filtering C. access control lists D. All of the above are equally effective
A. deep packet inspection
Which data entry application control would detect and prevent entry of alphabetic characters as the price of an inventory item? A. field check B. limit check C. reasonableness check D. sign check
A. field check
Which of the following statements is true? A. incremental daily backups are faster to perform than differential daily backups, but restoration is slower and more complex B. incremental daily backups are faster to perform than differential daily backups, but restoration is faster and simpler C. differential daily backups are faster to perform than incremental daily backups, but restoration is slower and more complex D. differential daily backups are faster to perform than incremental daily backups, but restoration is faster and simpler
A. incremental daily backups are faster to perform than differential daily backups, but restoration is slower and more complex
Multi-factor authentication A. involves the use of two or more basic authentication methods. B. requires the use of more than one effective password. C. provides weaker authentication than the use of effective passwords. D. is a table specifying which portions of the systems users are permitted to access.
A. involves the use of two or more basic authentication methods.
All employees of E.C. Hoxy are required to pass through a gate and present their photo identification cards to the guard before they are admitted. Entry to secure areas, such as the Information Technology Department offices, requires further procedures. This is an example of a(n) A. physical access control. B. hardening procedure. C. authentication control. D. authorization control.
A. physical access control.
The maximum acceptable down time after a computer system failure is determined by a company's A. recovery time objective. B. recovery point objective. C. recovery objective. D. maximum time recovery objective.
A. recovery time objective.
Which of the following is a preventive control? A. training B. log analysis C. CIRT D. Virtualization
A. training
If an online file is damaged, the __________ can be used for reconstruction purposes. A. transaction log B. hash total C. record count D. field check
A. transaction log
Full backups are time-consuming, so most organizations only do full backups _______ and supplement them with _______ partial backups. A. weekly; daily B. annually; quarterly C. monthly; weekly D. quarterly; monthly
A. weekly; daily
A customer failed to include her account number on her check, and the accounts receivable clerk credited her payment to a different customer with the same last name. Which control could have been used most effectively to prevent this error? A. Duplicate values check B. Closed-loop verification C. Validity check D. Reconciliation of a batch control total
B. Closed-loop verification
__________ protects records from errors that occur when two or more users attempt to update the same record simultaneously. A. Cross-footing balance test B. Concurrent update controls C. Online processing controls D. Zero-balance test
B. Concurrent update controls
Which of the following statements is true? A. Encryption is sufficient to protect confidentiality and privacy B. Cookies are text files that only store information. They cannot perform any actions C. The controls for protecting confidentiality are not effective for protecting privacy D. All of the above are true
B. Cookies are text files that only store information. They cannot perform any actions
While this type of backup process takes longer than the alternative, restoration is easier and faster. A. Archive B. Differential backup C. Incremental backup D. Cloud computing
B. Differential backup
Which of the following statements is true? A. Encryption and hashing are both reversible (can be decoded) B. Encryption is reversible, but hashing is not C. Hashing is reversible, but encryption is not D. Neither hashing nor encryption is reversible
B. Encryption is reversible, but hashing is not
Which of the following statements is true? A. The concept of defense-in-depth reflects the fact that security involves the use of a few sophisticated technical controls B. Information Security is necessary for protecting confidentiality, privacy, integrity of processing, and availability of information resources C. The time-based model of security can be expressed as: P < C + D D. Information security is primarily an IT issue, not a managerial concern
B. Information Security is necessary for protecting confidentiality, privacy, integrity of processing, and availability of information resources
Which of the following statements about obtaining consent to collect and use a customer's personal information is true? A. The default policy in Europe is opt-out, but in the US the default is opt-in B. The default policy in Europe is opt-in, but in the US the default is opt-out C. The default policy in both Europe and the US is opt-in D. The default policy in both Europe and the US is opt-out
B. The default policy in Europe is opt-in, but in the US the default is opt-out
This protocol specifies the procedures for dividing files and documents into packets to be sent over the Internet. A. Packet switching protocol B. Transmission control protocol C. Internet protocol D. Access control list
B. Transmission control protocol
Which of the following uses encryption to create a secure pathway to transmit data? A. Hashing B. Virtual Private Network (VPN) C. Demilitarized Zone D. None of the above
B. Virtual Private Network (VPN)
Which of the following combinations of credentials is an example of multifactor authentication? A. voice recognition and a fingerprint reader B. a PIN and an ATM card C. password and a user ID D. all of the above
B. a PIN and an ATM card
Information that needs to be stored for 10 years or more would most likely be stored in which type of file? A. backup B. archive C. encrypted D. log
B. archive
The control procedure designed to restrict what portions of an information system an employee can access and what actions he or she can perform is called _________? A. authentication B. authorization C. intrusion prevention D. intrusion detection
B. authorization
Which disaster recovery strategy involves contracting for use of a physical site to which all necessary computing equipment will be delivered within 24 to 36 hours? A. virtualization B. cold site C. hot site D. data mirroring
B. cold site
The system and processes used to issue and manage asymmetric keys and digital certificates are known as A. digital signature. B. public key infrastructure. C. asymmetric encryption. D. certificate authority.
B. public key infrastructure.
Which of the following measures the amount of data that might potentially be lost as a result of a system failure? A. recovery time objective B. recovery point objective C. disaster recovery plan D. business communication plan
B. recovery point objective
Social engineering attacks that take place via e-mail are known as: A. phreaking B. spear phishing C. vishing D. Bluesnarfing
B. spear phishing
Encryption has a remarkably long and varied history. Spies have been using it to convey secret messages ever since there were secret messages to convey. One powerful method of encryption uses random digits. Two documents are prepared with the same random sequence of numbers. The spy is sent out with one and the spy master retains the other. The digits are used as follows. Suppose that the word to be encrypted is SPY and the random digits are 352. Then S becomes V (three letters after S), P becomes U (five letters after P), and Y becomes A (two letters after Y, restarting at A after Z). The spy would encrypt a message and then destroy the document used to encrypt it. This is an early example of A. a hashing algorithm. B. symmetric key encryption. C. asymmetric key encryption. D. public key encryption.
B. symmetric key encryption.
Which of the following is an example of the kind of batch total called a hash total? A. the sum of the purchase amount field in a set of purchase orders B. the sum of the purchase order number field in a set of purchase orders C. the number of completed documents in a set of purchase orders D. all of the above
B. the sum of the purchase order number field in a set of purchase orders
Which of the following is an example of a corrective control? A. Encryption B. Intrusion detection C. Incident response teams D. Physical access controls
C. Incident response teams
On April 1, 2012, students enrolled in an economics course at Harvard University received an e-mail stating that class would be cancelled. The e-mail claimed to be from the professor, but it wasn't. Computer forensic experts determined that the e-mail was sent from a computer in one of the campus labs at 6:32 A.M. They were then able to uniquely identify the computer that was used by means of its network interface card's ________ address. Security cameras revealed the identity of the student responsible for spoofing the class. A. IDS B. TCP/IP C. MAC D. DMZ
C. MAC
Which of the following is not a requirement of effective passwords? A. Passwords should be changed at regular intervals. B. Passwords should contain a mixture of upper and lowercase letters, numbers and characters. C. Passwords should be no more than 8 characters in length. D. Passwords should not be words found in dictionaries.
C. Passwords should be no more than 8 characters in length.
One of the ten Generally Accepted Privacy Principles concerns security. According to GAPP, what is the nature of the relationship between security and privacy? A. Privacy is a necessary, but not sufficient, precondition to effective security B. Privacy is both necessary and sufficient to effective security C. Security is a necessary, but not sufficient, precondition to protect privacy D. Security is both necessary and sufficient to effective privacy
C. Security is a necessary, but not sufficient, precondition to protect privacy
Which of the following statements is true with regards to system availability? A. Proper controls can maximize the risk of threats causing significant system downtime. B. Human error does not threaten system availability. C. Threats to system availability include hardware and software failures as well as natural and man-made disasters. D. Threats to system availability can be completely eliminated.
C. Threats to system availability include hardware and software failures as well as natural and man-made disasters.
It is important to control access to system output. Some of the control procedures include: A. The organization establishes a set of procedures and policies for protecting the privacy of personal information. B. Source documents and other forms should be designed to help ensure that errors and omissions are minimized. C. Train employees to not leave reports containing sensitive information in plain view on their desktops when they are not physically present. D. None of the above.
C. Train employees to not leave reports containing sensitive information in plain view on their desktops when they are not physically present.
Confidentiality focuses on protecting_____________. A. personal information collected from customers B. a company's annual report stored on its website C. merger and acquisition plans D. all of the above
C. merger and acquisition plans
Which of the following is a control that can be used to verify the accuracy of information transmitted over a network? A. Completeness check B. check digit C. parity bit D. size check
C. parity bit
Which of the following is a detective control? A. endpoint hardening B. physical access controls C. penetration testing D. patch management
C. penetration testing
Which of the following controls would prevent entry of a nonexistent customer number in a sales transaction? A. field check B. completeness check C. validity check D. batch total
C. validity check
A weakness that an attacker can take advantage of to either disable or take control of a system is called A. exploit B. patch C. vulnerability D. attack
C. vulnerability
Which of the following statements is true? A. VPNs protect the confidentiality of information while it is in transit over the Internet B. Encryption limits firewalls' ability to filter traffic C. A digital certificate contains an entity's public key D. All of the above are true
D. All of the above are true
Which of the following statements is true? A. Emergency changes need to be documented once the problem is resolved B. Changes should be tested in a system separate from the one used to process transactions C. Change controls are necessary to maintain adequate segregation of duties D. All of the above are true
D. All of the above are true
Able wants to send a file to Baker over the Internet and protect the file so that only Baker can read it and can verify that it came from Able. What should Able do? A. Encrypt the file using Able's public key, and then encrypt it again using Baker's private key B. Encrypt the file using Able's private key, and then encrypt it again using Baker's private key C. Encrypt the file using Able's public key, and then encrypt it again using Baker's public key D. Encrypt the file using Able's private key, and then encrypt it again using Baker's public key
D. Encrypt the file using Able's private key, and then encrypt it again using Baker's public key
A biometric identifier includes: A. Passwords B. PINs C. smart cards D. Fingerprints
D. Fingerprints
It is especially important to encrypt sensitive information stored in: A. hard drives B. cell phones C. database D. all of the above
D. all of the above
Which of the following statements is true? A. Virtualization significantly reduces RTO for hardware problems B. Cloud computing reduces the risk that a single catastrophe from either a natural disaster or terrorist attack would result in significant downtime and loss of availability C. Backups still need to be made when using either virtualization or cloud computing D. All of the above are true
D. All of the above are true
All of the following controls for online entry of a sales order would be useful except A. concurrent update control. B. field check on the customer ID and dollar amount of the order. C. validity check on the inventory item numbers. D. check digit verification on the dollar amount of the order.
D. check digit verification on the dollar amount of the order.
Which of the following can organizations use to protect the privacy of a customer's personal information when giving programmers a realistic data set with which to test a new application? A. digital signature B. digital watermark C. data loss prevention D. data masking
D. data masking
An example of preventive controls would include: A. log analysis B. authorization controls C. encryption D. A and B E. B and C
E. B and C
Which of the following provides detailed procedures to resolve the problems resulting from a flash flood that completely destroys a company's data center? a. backup plan b. disaster recovery plan c. business continuity plan d. archive plan
b. disaster recovery plan
Which of the following is a corrective control designed to fix vulnerabilities? A. virtualization B. patch management C. penetration testing D. authorization
B. patch management
The Trust Services Framework reliability principle that states personal information should be protected from unauthorized disclosure is known as A. integrity. B. availability. C. privacy. D. security.
C. privacy.
Modifying default configurations to turn off unnecessary programs and features to improve security is called _______? a. user account management b. defense-in-depth c. vulnerability d. hardening
d. hardening