CISA Exam QAE Domain 5
OSI Layer 4: Transport
- Concerned with reliability of data transfer between two systems - Ensures that data reaches its destination - Uses connection-oriented protocols - Implements a flow control mechanism that can detect congestion, reduce data, transmission rates during congestion and increase transmission rates when the network appears to no longer be congested CISA EXAM KEYWORDS: Reliable delivery, connection oriented, delivery in proper order, congestion control
OSI Layer 2: Data Link
- Connects to another device on the same network using a MAC address - Bit stream (received through physical layer) is converted into data packets and sent to network layer - Data packets (received from network) layer is converted into bit stream and sent to physical layer - Frames consist of original data and control fields for synchronization, error detection and flow control CISA EXAM KEYWORDS: MAC Address or Bit Conversion it's about Data Link
OSI Layer 7: Application
- Contains programs that communicate directly with end user - Works close to the user - Provides interface for application to communicate CISA EXAM KEYWORDS: End user
OSI Layer 6: Presentation
- Converts data into presentable format that is acceptable by all - Provides services such as encryption, text comprehension and re-formatting CISA EXAM KEYWORDS: Format
OSI Layer 1: Physical
- Electrical and physical specification devices. - Provides hardware that transmits and receives the bit - Defines the cable, connector, cards, and physical aspects of hardware required for physical connection of devices to the network CISA EXAM KEYWORDS: Electrical signal or Hardware device has to do with Physical layers
Virtual Private Network (VPN)
- Great for small organizations. It is the most economically and secure method for connecting a private network over the internet - Most comprehensive method to protect a remote access network with multiple and diversified systems
Advantages of Single Sign On (SSO)
- Multiple password not required. Encourages users to select stronger password - Improves admin availability to manage user account - Reduces administrative overhead cost in resetting passwords due to lower number of IT help desk calls about password - Reduces time users take to login to multiple applications
ISACA'S Privacy Principle
- Organizations should specify the purpose for which personal information is collected - Organizations should obtain appropriate consent before transferring of personal information to another jurisdiction - Organizations required to retain personal information only as long as necessary - Organizations should have appropriate security safeguards for protecting personal information - Organizations should have an appropriate process for reporting with privacy policy, standards and laws - Organizations should have appropriate governance mechanisms over the third-party service provider processing data on the behalf of organizations
OSI Layer 3: Network
- Responsible for inserting information into packet header for proper addressing and routing - Understands the IP addresses and is responsible for routing - Provides confidentiality, authentication, and data integrity services *CISA QUESTION TIP: Routing, IP Address
Disadvantages of Single Sign On (SSO)
- Single point of failure - Support of all major operating system environments is difficult
RSA vs Elliptic Curve Encryption
- Smaller keys results in shorter computation time
OSI Layer 5: Session
- Used to control connections that are established between systems - Establishes, manages, and terminates the connection between the application layers CISA EXAM KEYWORDS: Manages connections
The most effective control against short term reduction in electrical power is
A power line conditioner
Most effective control to protect against short-term reduction in electrical power is:
A power line conditioner A device intended to improve the quality of power that is delivered to electrical equipment. It compensates for leaks and valleys in the power supply
The most effective control to protect against a high-voltage power burst is:
A surge device
Most effective control to protect against a high-voltage power burst is:
A surge devices
A company is implementing a Dynamic Host Configuration Protocol. Given that the following conditions exist, which represents the GREATEST concern?
Access to a network port is not restricted. Given physical access to a port, anyone can connect to the internal network. This would allow individuals to connect that were not authorized to be on the corporate network.
The most effective control against the long term unavailability of the electrical power is
Alternative power supplies
Dry Pipe Sprinkling System (DPSS)
An electronic fire alarm activates the water pump to send water into the system. Less effective and reliable than WBS Advantage of not exposing the facility to water damage even if pipe leaks or breaks.
Which of the following types of firewalls provide the GREATEST degree and granularity of control?
Application gateway This is similar to a circuit gateway, but it has specific proxies for each service. To handle web services, it has a Hypertext Transmission Protocol (HTTP) proxy that acts as an intermediary between externals and internals but is specifically for HTTP. This means that it not only checks the packet Internet Protocol (IP) addresses (Open Systems Interconnection [OSI] Layer 3) and the ports it is directed to (in this case port 80, or layer 4), it also checks every HTTP command (OSI Layers 5 and 7). Therefore, it works in a more detailed (granularity) way than the other choices.
Safe/Unsafe Gases
Argonite: Environmentally friendly but people can suffocate by breathing it in mistakenly. Environmentally friendly and non-toxic Carbon Dioxide (CO2): Not safe for human life
The best method to provide access to a user is:
Authorization from the data owner and implementation of user authorization tables by the administrator The data owner is responsible for approving the access rights to the user. Once the user is approved the system administrator should implement or update user authorization tables.
Which of the following is the highest risk (to be given priority) with respect to use of CO2 and Halon gas as fire extinguishers:
Both present a risk to human life if used in closed room.
Carbon Dioxide (CO2) System
CO2 System releases pressurized CO2 gas in the area protected to replace the oxygen required for combustion Unlike FM-200 & Argonite it is unable to sustain human life Most countries it's illegal for their to be an automatic release system if any human may be in the area
Not safe for human for human consumption
Carbon Dioxide
Which of the following controls will MOST effectively detect the presence of bursts of errors in network transmissions?
Cyclic Redundancy Check CRC can check for a block of transmitted data. The workstations generate the CRC and transmit it with the data. The receiving workstation computes a CRC and compares it to the transmitted CRC. If both of them are equal, then the block is assumed error free. In this case (such as in parity error or echo check), multiple errors can be detected. In general, CRC can detect all single-bit and double-bit errors.
The objective of raising the floor in a computer room is to prevent:
Damage to the cables of compute and servers
Who is accountable for the appropriate maintenance of security controls above information assets?
Data and system owners. They may delegate routine security responsibilities to a security administrator. However, it is the owners who remain accountable for the maintenance of appropriate security measure.
Which of the following ensures security of a VPN?
Data encapsulation The VPN uses data encapsulation or tunneling to encrypt the traffic payload for secured transmission of data.
Responsibility for reviewing users' access right?
Data owners
Responsibility of granting access to data with help of security driver
Data owners
Which of the following line media would provide the BEST security for a telecommunication network?
Dedicated lines These are set apart for a particular user or organization. Because there is no sharing of lines or intermediate entry points, the risk of interception or disruption of telecommunications messages is lower.
An IS auditor is reviewing fire safety arrangement in data center. Which of the following is the MOST EFFECTIVE and environmentally friendly?
Dry-pipe sprinklers
Most prevalent risk of a VPN?
Entry of malicious code into the network.
What is the first step in data classification?
Establishing ownership
Safe for human consumption
FM-200
Safest to use in presence of human life?
FM-200
Which of the following types of transmission media provide the BEST security against unauthorized access?
Fiber-optic cables Fiber-optic cables have proven to be more secure and more difficult to tap than the other media.
Which of the following network components is PRIMARILY set up to serve as a security measure by preventing unauthorized traffic between different segments of the network?
Firewalls Firewall systems are the primary tool that enables an organization to prevent unauthorized access between networks. An organization may choose to deploy one or more systems that function as firewalls.
Which of the following BEST ensures the integrity of a server's operating system?
Hardening the server configuration This means to configure it in the most secure manner (install latest security patches, properly define access authorization for users and administrators, disable insecure options and uninstall unused services) to prevent nonprivileged users from gaining the right to execute privileged instructions and, thus, take control of the entire machine, jeopardizing the integrity of the OS.
Which control is the BEST way to ensure that the data in a file has not been changed during transmission?
Hash values These are calculated on the file and are very sensitive to any changes in the data values in the file. Thus, they are the best way to ensure that data has not changed.
The function of a VPN is to?
Hide data traveling in the network
What is the first step when reviewing an IT security baseline
IT security baseline is the minimum security requirements First step is to determine the sufficiency and adequacy of the baseline
Which of the following is a major risk of electromagnetic emission from a computer room
It may be detected and displayed May be detected and displayed by a sophisticated device and thus there is the loss of unauthorized data. Most electromagnetic emissions are of low frequency, so there is no impact on the health of the storage device or processor
The most effective safeguard for securing software and data within an information processing facility is:
Logical access controls. Logical access controls are technical controls, such as authentication, encryption, firewall, IDS, and so on, which are very difficult to bypass by a layman. The security committee address the broader perspective of security
Halon System
NOT SAFE FOR HUMAN LIFE Fire protection system that provides for the transfer of halogenated agents between fire extinguishers supply containers and recharge and recovery containers so that none of the halogenated agents escape into the atmosphere. Banned as it adversely effects the ozone layer. REPLACED by FM-200 & Argonite
When reviewing the implementation of a local area network, an IS auditor should FIRST review the:
Network diagram To properly review a local area network implementation, an IS auditor should first verify the network diagram to identify risk or single points of failure.
The feature of a digital signature that ensures the sender cannot later deny generating and sending the message is called:
Nonrepudiation Integrity, authentication, nonrepudiation, and replay protection are all features of a digital signature. Nonrepudiation ensures that the claimed sender cannot later deny generating and sending the message.
OSI Layer
PLEASE (Physical) DO (Data) NOT (Network) TEACH (Transport) STUPID (Session) PEOPLE (Presentation) ANYTHING (Application)
The information security policy that states "each individual must have his/her badge read at every controlled door" addresses which of the following attack methods?
Piggybacking This refers to unauthorized persons following authorized persons, either physically or virtually, into restricted areas. This policy addresses the polite behavior problem of holding doors open for a stranger. If every employee must have their badge read at every controlled door, no unauthorized person could enter the sensitive area.
In a small organization, an employee performs computer operations and, when the situation demands, program modifications. Which of the following should the IS auditor recommend?
Procedures that verify that only approved program changes are implemented An IS auditor must consider recommending a better process. An IS auditor should recommend a formal change control process that manages and can detect changes to production source and object code, such as code comparisons, so the changes can be reviewed on a regular basis by a third party. This is a compensating control process.
Which of the following is the BEST audit procedure to determine if a firewall is configured in compliance with an organization's security policy?
Review the parameter settings A review of the parameter settings will provide a good basis for comparison of the actual configuration to the security policy and will provide audit evidence documentation.
FM 200 System
SAFE FOR HUMANS Does not remove the oxygen from the air and has also been approved by the EPA
Argonite
SAFE FOR THE ENVIRONMENT AND NON-TOXIC BUT NOT FOR HUMAN LIFE Mixture of 50% Argon & 50% Nitrogen Uses a gaseous fire suppression agent
Which of the following types of firewalls would BEST protect a network from an Internet attack?
Screened subnet firewall This would provide the best protection. The screening router can be a commercial router or a node with routing capabilities and the ability to allow or avoid traffic between nets or nodes based on addresses, ports, protocols, interfaces, etc. The subnet would isolate Internet-based traffic from the rest of the corporate network.
Which of the following would be the BEST overall control for an Internet business looking for confidentiality, reliability and integrity of data?
Secure Sockets Layer This is used for many e-commerce applications to set up a secure channel for communications providing confidentiality through a combination of public and symmetric key encryption and integrity through hash message authentication code.
Which of the following components is responsible for the collection of data in an intrusion detection system?
Sensor Sensors are responsible for collecting data. Sensors may be attached to a server or other location and may gather data from many points for later analysis
With respect to the IT security baseline, the IS auditor should first ensure:
Sufficiency of the baseline
Which of the following should be included in an organization's information security policy?
The basis for access control authorization The security policy provides the broad framework of security as laid down and approved by senior management. It includes a definition of those authorized to grant access and the basis for granting the access.
Who should be accountable for the appropriate maintenance of security controls over information assets?
The data and system owners
Who is responsible for reviewing users' access rights?
The data owner
Which of the following would be the BEST access control procedure?
The data owner formally authorizes access and an administrator implements the user authorization tables. The data owner holds the privilege and responsibility for formally establishing the access rights. An IS administrator should then implement or update user authorization tables at the direction of the owner.
Logical access controls are designed and developed on the basis of:
The information system security policy of the organization User requirements and industry practices should be considered. However, the implementation of logical controls should be done in accordance with the approved security policy
Most important concern for a badge entry system:
The process for promptly disabling a lost or stolen badge is not followed
What is the risk associated with the use of an access card for entering a computer room?
The risk of an unauthorized person entering behind an authorized person
What is the basis for designing and developing logical access controls?
The security policy
Basis for designing logical access controls?
The security policy. Logical access controls are designed on the basis of approved information systems security policy of the organization
Java applets and Active X controls are distributed programs that execute in the background of a client web browser. This practice is considered reasonable when:
The source of the executable file is certain Acceptance of these mechanisms should be based on established trust. The control is provided by only knowing the source and then allowing the acceptance of the applets. Hostile applets can be received from anywhere.
Which of the following is the first step in data classification?
To establish ownership Without ownership being defined, it's hard to conduct critical analysis or to develop an access matrix
Which of the following exposures associated with the spooling of sensitive reports for offline printing should an IS auditor consider to be the MOST serious?
Unauthorized report copies might be printed. Spooling for offline printing may enable additional copies to be printed unless adequate safeguards exist as compensating controls.
When reviewing an organization's logical access security to its remote systems, which of the following would be of GREATEST concern to an IS auditor?
Unencrypted passwords are used. When evaluating the technical aspects of logical security, unencrypted passwords represent the greatest risk because it would be assumed that remote access would be over an untrusted network where passwords could be discovered.
An Is Auditor is reviewing fire safety arrangement in a data center. Which of the following is the area of MOST concern?
Use of CO2 gas in a manned data center
Which of the following is the MOST effective control when granting temporary access to vendors?
User accounts are created with expiration dates and are based on services provided. The most effective control is to ensure that the granting of temporary access is based on services to be provided and that there is an expiration date (automated is best) associated with each unique ID. The use of an identity management system enforces temporary and permanent access for users, at the same time ensuring proper accounting of their activities.
Which of the following is an example of the defense in-depth security principle?
Using a firewall as well as logical access controls on the hosts to control incoming network traffic Defense in-depth means using different security mechanisms that back each other up. When network traffic passes the firewall unintentionally, the logical access controls form a second line of defense.
Most secure and cost effective method of remote access?
VPN
Water-Based Systems (WBS)
Water remains in the system piping More effective and reliable than DPSS Disadvantage of exposing the facility to water damage if pipe leaks or breaks
An IS auditor is reviewing fire safety in a data center where dry-pipe sprinkles are installed. A dry pipe fire extinguishers uses:
Water, but it enters the pipe only when fire is detected
Risk of damage to equipment
Wet-Pipe Sprinkler
A Transmission Control Protocol/Internet Protocol (TCP/IP)-based environment is exposed to the Internet. Which of the following BEST ensures that complete encryption and authentication protocols exist for protecting information while transmitted?
Work is completed in tunnel mode with IP security. Tunnel mode with Internet Protocol (IP) security provides encryption and authentication of the complete IP package. To accomplish this, the authentication header and encapsulating security payload services can be nested. This is known as IP Security.
The implementation of access controls FIRST requires:
an inventory of IS resources. The first step in implementing access controls is an inventory of IS resources, which is the basis for establishing ownership and classification.
With the help of a security officer, granting access to data is the responsibility of:
data owners These individuals are responsible for the access to and use of data. Written authorization for users to gain access to computerized information should be provided by the data owners. Security administration with the owners' approval sets up access rules stipulating which users or group of users are authorized to access data or files and the level of authorized access (e.g., read or update).
The MOST important difference between hashing and encryption is that hashing:
is irreversible Hashing works one way—by applying a hashing algorithm to a message, a message hash/digest is created. If the same hashing algorithm is applied to the message digest, it will not result in the original message. As such, hashing is irreversible, while encryption is reversible. This is the basic difference between hashing and encryption.
An IT steering committee should:
maintain minutes of its meetings and keep the board of directors informed. It is important to keep detailed IT steering committee minutes to document the decisions and activities of the IT steering committee. The board of directors should be informed about those decisions on a timely basis.
Security administration procedures require read-only access to:
security log files. Security administration procedures require read-only access to security log files to ensure that, once generated, the logs are not modified. Logs provide evidence and track suspicious transactions and activities.
The output of the risk management process is an input for making:
security policy decisions. The risk management process is about making specific, security-related decisions, such as the level of acceptable risk.
The initial step in establishing an information security program is the:
the adoption of a corporate information security policy statement. A policy statement reflects the intent and support provided by executive management for proper security and establishes a starting point for developing the security program.
During a logical access controls review, an IS auditor observes that user accounts are shared. The GREATEST risk resulting from this situation is that:
user accountability may not be established. The use of a user ID by more than one individual precludes knowing who, in fact, used that ID to access a system; therefore, it is impossible to hold anyone accountable.