CISA FINAL
10. The MOST important responsibility of a data security officer in an organization is: A. recommending and monitoring data security policies. B. promoting security awareness within the organization. C. establishing procedures for IT security policies. D. administering physical and logical access controls.
10. A. A data security officer's prime responsibility is recommending and monitoring data security policies. B is incorrect. Promoting security awareness within the organization is one of the responsibilities of a data security officer, but it is not as important as recommending and monitoring data security policies. C is incorrect. The IT department, not the data security officer, is responsible for establishing procedures for IT security policies recommended by the data security officer. D is incorrect. The IT department, not the data security officer, is responsible for the administration of physical and logical access controls.
100. An IS auditor has imported data from the client's database. The next step—confirming whether the imported data are complete—is performed by: A. matching control totals of the imported data to control totals of the original data. B. sorting the data to confirm whether the data are in the same order as the original data. C. reviewing the printout of the first 100 records of original data with the first 100 records of imported data. D. filtering data for different categories and matching them to the original data.
100. A. Matching control totals of the imported data with control totals of the original data is the next logical step, as this confirms the completeness of the imported data. It is not possible to confirm completeness by sorting the imported data, because the original data may not be in sorted order. Further, sorting does not provide control totals for verifying completeness. Reviewing a printout of 100 records of original data with 100 records of imported data is a process of physical verification and confirms the accuracy of only these records. Filtering data for different categories and matching them to original data would still require that control totals be developed to confirm the completeness of the data.
101. In a contract with a hot, warm or cold site, contractual provisions should cover which of the following considerations? A. Physical security measures B. Total number of subscribers C. Number of subscribers permitted to use a site at one time D. References by other users
101. C. The contract should specify the number of subscribers permitted to use the site at any one time. Physical security measures are not a part of the contract, although they are an important consideration when choosing a third-party site. The total number of subscribers is not a consideration; what is important is whether the agreement limits the number of subscribers in a building or in a specific area. The references that other users can provide is a consideration taken before signing the contract; it is by no means part of the contractual provisions.
102. Which of the following would be MOST important for an IS auditor to verify when conducting a business continuity audit? A. Data backups are performed on a timely basis B. A recovery site is contracted for and available as needed C. Human safety procedures are in place D. Insurance coverage is adequate and premiums are current
102. C. The most important element in any business continuity process is the protection of human life. This takes precedence over all other aspects of the plan.
106. Which of the following methods is best suited for an auditee to deliver evidence to an auditor during the audit of a background check process? A. FTP server B. Secure file transfer portal C. E-mail with SMTP over TLS D. Courier
106. B. A secure file transfer portal is the best choice, because sensitive information will be encrypted in transit, end to end, and can handle volumes of evidence that may be too large to e-mail. A is incorrect because an FTP server is not considered secure, since neither login credentials nor data in transit is encrypted. C is incorrect for two reasons. First, the evidence could well be too large to send over e-mail; second, SMTP over TLS only encrypts e-mail between mail servers, not end to end. D is incorrect because using a courier is inefficient, as evidence would first have to be printed and electronic analysis of the evidence would not be possible.
107. An auditor has delivered a Sarbanes-Oxley audit report containing 12 exceptions to the audit client, who disagrees with the findings. The audit client is upset and is asking the auditor to remove any six findings from the report in exchange for a payment of $25,000. A review of the audit findings resulted in the confirmation that all 12 findings are valid. How should the auditor proceed? A. The auditor should report the matter to his or her manager. B. The auditor should reject the payment and meet the auditee halfway by removing three of the findings. C. The auditor should reject the payment and remove six of the findings. D. The auditor should report the incident to the audit client's audit committee.
107. A. The auditor should first report the matter to his or her manager, who will in turn decide how to handle it. More than likely, the audit manager will notify the audit client's audit committee, who can decide to refer the matter to regulatory authorities. B and C are incorrect because the auditor should stand by the report and not make any changes to it. D is incorrect because a better course of action is to first notify his or her manager, who will decide how to handle the matter further.
109. What is the most important factor to consider in the development of a disaster recovery plan? A. The safety of personnel B. The availability of critical data C. Notification of civil authorities D. The continuity of critical operations
109. A. The safety of personnel should always be the highest priority in any disaster recovery plan. B is incorrect because the availability of critical data, while important, is less critical than the safety of personnel. C is incorrect because the notification of civil authorities is important, but less important than the safety of personnel. D is incorrect because the continuity of critical operations is key to the resilience of the organization, but less important than the safety of personnel.
111. A system engineer is reviewing critical systems in a data center and mapping them to individual electrical circuits. The engineer identified a system with two power supplies that are connected to the same plug strip. What should the engineer conclude from this? A. It is an acceptable practice to connect both power supplies to the same circuit. B. It is an acceptable practice to connect both power supplies to the same plug strip. C. The two power supplies should not be connected to the same circuit. D. The two power supplies should not be connected to the same plug strip.
111. C. The main issue at stake here is that the power supplies are both connected to the same electrical circuit. If the electrical circuit fails, the system will be powered down. A better practice is to connect the two power supplies to separate circuits. A and B are incorrect because it is not a recommended practice to connect both power supplies to the same plug strip or the same circuit. The plug strip and electrical circuit represent a single failure path, somewhat negating the purpose of multiple power supplies. D is incorrect because the bigger issue is not whether the power supplies are connected to the same plug strip, but that they are connected to the same circuit.
112. An IT architect is proposing a plan for improving the resilience of critical data in the organization. The architect proposes that applications be altered so that they confirm that transactions have been successfully written to two different storage systems. What scheme has been proposed? A. Journaling B. Mirroring C. Data replication D. Two-phase commit
112. D. Two-phase commit is the act of writing a transaction to separate storage systems and not completing the transaction until confirmation of successful write operations has been received. A is incorrect because journaling is the process of recording storage transactions in another part of a file system for redundancy and integrity purposes. B is incorrect because mirroring is a storage system function that applications are unaware of. C is incorrect because data replication is a storage system function that applications are unaware of.
113. A security analyst spends most of her time on a system that collects log data and correlates events from various systems to deduce potential attacks in progress. What kind of a system is the security analyst using? A. SIEM B. IPS C. IDS D. AV console
113. A. The security analyst is using a SIEM, or security information and event management system. A SIEM collects log data from devices throughout the environment and then correlates seemingly disparate events to deduce potential attacks. When such attacks are discerned, the SIEM will produce an alert that directs the security analyst to further investigate the matter and take possible action. B is incorrect because an IPS is an inline device that is used to detect and block unwanted network traffic. An IPS does not collect log data from devices in the network. C is incorrect because an IDS is a device that is used to monitor network traffic and detect unwanted traffic. An IDS does not collect log data from devices in the network. D is incorrect because an AV console is used to monitor antivirus software that is running on servers and endpoints.
114. The general counsel is becoming annoyed with notifications of minor security events occurring in the organization. This is most likely due to: A. Careless users clicking on too many phishing e-mails B. Ineffective defenses allowing frequent attacks C. Improper classification of security incidents D. Lack of a security incident severity scheme
114. D. The most likely reason the general counsel is being notified of minor incidents is the lack of an incident classification scheme in the organization's security incident response plan. Without a severity classification scheme, all incidents are treated as equal, regardless of their actual severity. In this case, the result is executives being notified of minor incidents that should be of little or no concern to them. A is incorrect because this is too narrow a scenario. B is incorrect because the scenario here involves minor incidents, not successful attacks on outer defenses. C is incorrect because improper classification of incidents would likely be resolved quickly.
115. In what manner does a PKI support whole disk encryption on end-user workstations? A. PKI stores the bootup passwords used on each end-user workstation. B. PKI detects unauthorized use of data on end-user workstations. C. PKI stores decryption keys in the event an end-user forgets their bootup password. D. PKI records encryption and decryption operations.
115. C. While a PKI is not required to implement whole disk encryption on end-user workstations, a PKI can be used to store administrative keys that can be used to unlock a workstation in the event that the user has forgotten their bootup password. A is incorrect because a PKI does not store the bootup password used on end-user workstations. B is incorrect, as a PKI does not monitor file access on systems. D is incorrect because a PKI does not record encryption and decryption operations, but instead can store administrative keys that can be used to unlock a workstation.
116. A browser contacts a web server and requests a web page. The web server responds with a status code 200. What is the meaning of this status code? A. The user has been redirected to another URL on the same domain. B. The user has been redirected to another URL on a different domain. C. The requested page requires prior authentication. D. The request is valid and has been accepted.
116. D. A response code 200 means the request is valid and has been responded to. A and B are incorrect because a code 200 is a successful transaction and not related to redirection. C is incorrect because a code 200 is a successful transaction and not related to authentication.
12. When an audit finding is considered material, it means that A. In terms of all possible risk and management risk tolerance, this finding is significant. B. It has actual substance in terms of hard assets. C. It is important to the audit in terms of the audit objectives and findings related to them. D. Management cares about this kind of finding so it needs to be reported regardless of the risk.
12. A. The correct answer is A. Materiality is a relative, professional judgment call that must take into context management's aggregate tolerance of risk, how this finding stacks up to all of the findings, and the potential cumulative effect of this error.
13. An IS auditor evaluates the test results of a modification to a system that deals with payment computation. The auditor finds that 50 percent of the calculations do not match predetermined totals. Which of the following would MOST likely be the next step in the audit? A. Design further tests of the calculations that are in error. B. Identify variables that may have caused the test results to be inaccurate. C. Examine some of the test cases to confirm the results. D. Document the results and prepare a report of findings, conclusions and recommendations.
13. C. An IS auditor should next examine cases where incorrect calculations occurred and confirm the results. After the calculations have been confirmed, further tests can be conducted and reviewed. Report preparation, findings and recommendations would not be made until all results are confirmed.
16. Which of the following is the best description of the Business Model for Information Security (BMIS)? A. Describes the relationships (as dynamic interconnections) between policy, people, process, and technology. B. Describes the relationships (as dynamic interconnections) between people, process, technology, and the organization. C. Describes the primary elements (people, process, and technology) in an organization. D. Describes the dynamic interconnections (people, process, and technology) in an organization.
16. B. The Business Model for Information Security (BMIS) describes the dynamic interconnections between the four elements of an organization: people, process, technology, and the organization itself. The dynamic interconnections describe the relationship between each of the relationship pairs. For example, the dynamic interconnection between people and technology, known as "human factors," describes the relationship between people and technology. A is incorrect because "organization" is one of the elements of BMIS that is missing in this answer. C is incorrect because there are four primary elements in an organization: people, process, technology, and the organization itself. D is incorrect because people, process, and technology are not the labels for the dynamic interconnections. Instead, the dynamic interconnections are human factors (between people and technology), emergence (between people and process), enabling and support (between process and technology), culture (between people and organization), architecture (between technology and organization), and governing (between process and organization).
2. An organization needs to hire an executive who will build a management program that considers threats and vulnerabilities. The best job title for this position is: A. CSO B. CRO C. CISO D. CIRO
2. B. The CRO (chief risk officer) is responsible for managing risk for multiple types of assets, commonly information assets, as well as physical assets and/or workplace safety. In financial services organizations, the CRO will also manage risks associated with financial transactions or financial asset portfolios. A is incorrect because the CSO (chief security officer) is not necessarily responsible for risk management, but instead with the design, deployment, and operation of protective controls, commonly for information systems, as well as other assets such as equipment or work centers. C is incorrect because the CISO (chief information security officer) is typically responsible for protection of only information assets and not other types of assets, such as property, plant, and equipment. D is incorrect because the CIRO (chief information risk officer) is typically responsible for risk management and protection of information assets, but not other types of assets, such as property, plant, and equipment.
20. For the purposes of audit planning, can an auditor rely upon the audit client's risk assessment? A. Yes, in all cases. B. Yes, if the risk assessment was performed by a qualified external entity. C. No. The auditor must perform a risk assessment himself or herself. D. No. The auditor does not require a risk assessment to develop an audit plan.
20. B. An auditor can use a risk assessment performed by a qualified external party to develop a risk-based audit plan. This will result in areas of higher risk being examined more closely than areas of lower risk. A is incorrect because there are certainly cases where an auditor cannot use a client's risk assessment—for example, if the client's risk assessment was performed by unqualified persons or if there were signs of bias. C is incorrect because it is not always necessary for an auditor to perform the audit himself or herself. Often an external risk assessment can be used, provided it is sound. D is incorrect because a risk assessment will result in a better audit plan that is risk-aligned.
23. Which of the following backup schemes best protects an organization from ransomware? A. Storage system replication B. Storage system mirroring C. Storage system snapshots D. RAID-5
23. C. Storage system snapshots effectively store the state of a storage system from time to time; if ransomware destroys files in the storage system, the system can be rolled back to a recent snapshot, effectively restoring damaged files. A is incorrect because replication will effectively replicate the damaging effects of ransomware from the primary storage system to other storage systems through their replication. B is incorrect because mirroring will effectively replicate the damaging effects of ransomware from primary storage to mirrored storage. D is incorrect because RAID-5 is used to improve storage system performance and would effectively allow ransomware to damage files more quickly.
25. An attack technique in which an attacker attempts to place arbitrary code into the instruction space of a running process is known as: A. Cross-site scripting B. A time-of-check to time-of-use attack C. A buffer overflow attack D. A race condition
25. C. A buffer overflow attack is a technique where the attacker attempts to overflow a running program's input buffer, resulting in arbitrary code overwriting other instructions in the program. Successful exploitation of a buffer overflow vulnerability gives the attacker complete control over the target program. A is incorrect because a cross-site scripting attack does not overwrite code in the instruction space of a running program, but instead is a technique where the attacker attempts to place client-side scripts into web pages so that a user's browser will execute the attacker's code. B and D are incorrect because a time-of-check to time-of-use attack (also known as a race condition) is an attack that exploits a software bug that allows two programs to control a resource that only one resource should be able to control.
29. Which of the following intrusion detection systems (IDSs) will MOST likely generate false alarms resulting from normal network activity? A. Statistical-based B. Signature-based C. Neural network D. Host-based
29. A. A statistical-based IDS relies on a definition of known and expected behavior of systems. Since normal network activity may at times include unexpected behavior (e.g., a sudden massive download by multiple users), these activities will be flagged as suspicious. A signature-based IDS is limited to its predefined set of detection rules, just like a virus scanner. A neural network combines the previous two IDSs to create a hybrid and better system. Host-based is another classification of IDS. Any of the three IDSs above may be host- or network-based.
31. An auditor is about to start an audit of a user account access request and fulfillment process. The audit covers a six-month period from January through June. The population contains 1,800 transactions. Which of the following sampling methodologies is best suited for this audit? A. Examine the results of the client's control self-assessment (CSA). B. Submit some user account access requests and observe how they are performed. C. Request the first 30 transactions from the auditee. D. Request the first five transactions from each month in the audit period.
31. D. This methodology captures transactions through the entire audit period. In a period of this length, there could be personnel changes and other changes that could result in instances of acceptable or unacceptable performance throughout the period. A is incorrect because an auditee's CSA might not be of sufficient integrity to be relied upon. Further, specific audit rules or standards might preclude the use of a CSA. B is incorrect because reperformance assesses the current effectiveness of a control, not whether the control was effective throughout the audit period. C is incorrect because this will assess the process only at the beginning of the six-month audit period. If the process was effective in January but ineffective for the rest of the period, this technique would conceal this possibility.
36. The system interface standard that includes process control, IPC, and shared memory is known as: A. Unix B. POSIX C. ActiveX D. Ultrix
36. B. POSIX is the system interface standard that includes several components, such as process control, interprocess communication (IPC), named pipes, and files and file systems. A is incorrect because Unix is not an interface standard, but an operating system. C is incorrect because ActiveX does not include all of these components. D is incorrect because Ultrix is not an interface standard, but an operating system.
38. An organization suspects one of its employees of a security violation regarding the use of their workstation. The workstation, a laptop computer that is powered down, has been delivered to a forensic expert. What is the first thing the expert should do? A. Remove the hard drive. B. Photograph the laptop. C. Power up the laptop. D. Remove the RAM from the laptop.
38. B. Prior to removing the hard drive to make a forensically identical copy for analysis, the forensic expert should first photograph the laptop to show its state prior to any disassembly. A is incorrect because the laptop should be photographed prior to removing the hard drive in order to document its pre-investigation state. C is incorrect because the laptop should not be powered up until after it has been photographed and its hard drive forensically copied. D is incorrect because the laptop should be photographed prior to any disassembly to document its pre-investigation state.
39. Which of the following answers contains the steps for business process reengineering (BPR) in proper sequence? A. Diagnose, envision, redesign, reconstruct B. Evaluate, envision, redesign, reconstruct, review C. Envision, initiate, diagnose, redesign, reconstruct, evaluate D. Initiate, evaluate, diagnose, reconstruct, review
39. C. According to ISACA the general steps in business process reengineering are to envision the need, initiate the project, diagnose the existing process, redesign the process, use change management to reconstruct the organization in transition, and evaluate the results.
40. What is the purpose of job descriptions and the change control review board? A. Provide optimum allocation of IT resources. B. Eliminate disputes over who has the authority. C. Identify the hierarchy of personnel seniority. D. Provide guidance to the IT steering committee.
40. A. Job descriptions specify the roles of each individual to ensure proper allocation of personnel. The change control review board ensures that changes and related activities are properly managed.
42. Which type of memory is used to permanently record programs on solid-state chips and retains the data even after power is turned off? A. Random access memory B. Read-only memory C. Flash memory D. Optical memory
42. B. Solid-state integrated circuits implementing read-only memory (ROM) will provide permanent storage of data, regardless of electrical power. ROM is programmed by burning electrical connections inside the integrated circuit (IC) chip. Optical memory is not a solid-state process. Flash memory can be erased and reprogrammed. Random access memory (RAM) is volatile and will be erased when power is turned off.
43. Which of the following statements is true concerning regression testing? A. Used to observe internal program logic B. Verifies that a change did not create a new problem C. Provides testing of black box functions D. Compares test results against a knowledge base
43. B. The purpose of regression testing is to ensure that a change does not create a new problem with other functions in the program. After a change is made, all of the validation tests are run from beginning to end to discover any conflicts or failures. Regression testing is part of the quality control process.
5. Which of the following is a network diagram that shows the critical path for a project? A. Program evaluation review technique B. Gantt chart with activity sequencing C. Shortest path diagramming technique D. Milestone reporting
5. A. A Program Evaluation Review Technique (PERT) is designed to show the critical path of a project. A Gantt chart shows activity sequences and milestones without identifying the critical path. Answers C and D are distracters.
51. Which of the following is the best example of a control self-assessment of a user account provisioning process? A. An examination of Active Directory to ensure that only domain administrators can make user account permission changes B. Checks to see that only authorized personnel made user account changes C. Confirmation that all user account changes were approved by appropriate personnel D. Reconciliation of all user account changes against approved requests in the ticketing system
51. D. A reconciliation of all user account changes with approved requests in the ticketing system ensures that all such changes were actually requested and approved. A is incorrect. Confirmation that only domain administrators can make user account changes does not reveal whether the user account provisioning process is effective. B is incorrect. Checks to see that only authorized personnel made user account changes does not reveal whether the user account provisioning process is effective. C is incorrect. Checking whether the approvers of user account changes were appropriate does not reveal whether the process is effective.
52. The proper sequence of an audit of an accounts payable process is: A. Identify control owners, make evidence requests, perform walkthroughs, do corroborative interviews. B. Make evidence requests, identify control owners, do corroborative interviews. C. Identify control owners, do corroborative interviews, make evidence requests, perform walkthroughs. D. Do corroborative interviews, identify control owners, make evidence requests, and perform walkthroughs.
52. A. It is necessary to identify control owners so that evidence requests can be sent to the right personnel. Next, walkthroughs are performed, and finally corroborative interviews are held. B is incorrect. If control owners are not first identified, evidence requests will be sent to the wrong personnel. C is incorrect. Corroborative interviews are performed after walkthroughs. D is incorrect. Corroborative interviews are performed after evidence requests and walkthroughs.
55. An attacker has targeted an organization in order to steal specific information. The attacker has found that the organization's defenses are strong and that very few phishing messages arrive at end-user inboxes. The attacker has decided to try a watering hole attack. What first steps should the hacker use to ensure a successful watering hole attack? A. Determine which web sites are frequently visited by the organization's end users. B. Determine which restaurants the organization's end users visit after working hours. C. Determine which protocols are blocked by the organization's Internet firewalls. D. Determine the IP addresses of public-facing web servers that can be attacked.
55. D. Determine the IP addresses of public-facing web servers that can be attacked. A. In order to conduct a successful watering hole attack, the attacker must first determine which web sites are frequently visited by employees in the organization. This will include cloud-based applications used for primary business processes such as accounting, sales, human resources, and file storage. B is incorrect because a watering hole attack involves attacks on web sites frequently visited by the target organization's personnel. C and D are incorrect because the attacker has already dismissed frontal attack techniques such as compromising exploitable server vulnerabilities.
59. What is the purpose of standard terms of reference? A. To meet the legal requirement of regulatory compliance B. To prove who is responsible C. To ensure honest and unbiased communication D. To ensure that requirements are clearly identified in a regulation
59. C. Standard terms of reference are used between the auditor and everyone else to ensure honest and unbiased communication. Without standard terminology, it would be difficult to know whether we were discussing the same issue or agreed on the same outcome.
6. What is the purpose of standard terms of reference? A. To meet the legal requirement of regulatory compliance B. To prove who is responsible C. To ensure honest and unbiased communication D. To ensure that requirements are clearly identified in a regulation
6. C. Standard terms of reference are used between the auditor and everyone else to ensure honest and unbiased communication. Without standard terminology, it would be difficult to know whether we were discussing the same issue or agreed on the same outcome.
61. Who sets the priorities and objectives of the IT balanced scorecard (BSC)? A. Chief information officer (CIO) B. Chief financial officer (CFO) C. Chief executive officer (CEO) D. IT steering committee
61. C. The BSC is intended to provide a unifying approach on how the CEO expects the business process to interact across the organization. IT's scorecard is a subset of the CEO's overall enterprise scorecard. The BSC's objective is to break down management barriers and convert department budgets into an entire cross‐function workflow. The CEO or COO will control decisions to eliminate waste and prevent self‐directed decisions by department managers.
72. Besides confidentiality, what is another purpose of using encryption? A. Provide a method of authentication B. Provide a method for data integrity C. Provide a method for protecting from nondisclosure D. Provide a method to ensure availability for authorized users
72. A. Encryption is frequently used for authentication. If the user is able to decrypt the message, it is believed that the user is genuine. However, if the encryption keys are poorly managed, an unauthorized user may be able to get in by using unauthorized copies of the encryption keys.
74. Which of the following should be considered when setting your business continuity strategy? A. Recovery time objectives B. Alternate sites available C. Testing time available at alternate sites D. All of the above
74. D. The strategy will be selected based on information obtained during the risk assessment and business impact analysis. All options should be considered when selecting the business continuity strategy.
75. Data mirroring should be implemented as a recovery strategy when: A. recovery point objective (RPO) is low. B. RPO is high. C. recovery time objective (RTO) is high. D. disaster tolerance is high.
75. A. Recovery point objective (RPO) is the earliest point in time to which it is acceptable to recover the data. In other words, RPO indicates the "age" of the recovered data (i.e., how long ago the data were backed up). If RPO is very low, such as minutes, it means that the organization cannot afford to lose even a few minutes of data. In such cases, data mirroring (synchronous data replication) should be used as a recovery strategy. B. If RPO is high, such as hours, then other backup procedures—such as tape backup and recovery—could be used. C. A high recovery time objective (RTO) will mean that the IT system may not be needed immediately after the disaster declaration/disruption (i.e., it can be recovered later). D. RTO is the time from the disruption/declaration of disaster during which the business can tolerate nonavailability of IT facilities. If RTO is high, "slower" recovery strategies that bring up IT systems and facilities can be used.
77. During the review of a problem management system, it is determined that several problems have been outstanding and unresolved for an excessively long period. Which of the following reasons is most questionable to the IS auditor reviewing the management controls of this process? A. The problem has been sent to the vendor who will send a fix with the next software release. B. The problem has been determined to be a user error and has been referred to the business unit for correction and additional training. C. The problem is intermittent and after researching, remains outstanding until reoccurrence. D. The problem is seen as a low risk issue and is therefore low on the priority list to be addressed.
77. D. The correct answer is D. The first three answers are all legitimate reasons to have an outstanding problem on the tracking logs. However, problems can be misleading at first read, and it should never be assumed that because of the way a problem is reported, it is inconsequential. Many security breaches occur in this manner. Management should ensure that all problems are quickly investigated and their root causes are determined. The need to prioritize problems for addressing them implies larger volumes than the organization is equipped to handle, indicating other more severe control and management issues.
78. During the problem analysis and solution design phases of an SDLC methodology, which of the following steps would you be most concerned with finding? A. Current state analysis and documentation processes B. Entity relationship diagramming and process flow definitions C. Pilot testing of planned solutions D. Gathering of functional requirements from business sponsors
78. C. The correct answer is C. The other three answers are all part of a well-executed SDLC methodology used to design a system or software. However, the initial problem analysis and design phases of a development cycle are not the appropriate place for the testing of solutions, especially by piloting them with end users.
79. In a well-segregated operational environment, which of the following scenarios would you expect to see? A. Computer operators responding to systems messages and initiating problem tickets for failed jobs B. Change control librarians making modifications to code only when notified of errors by the application programmers C. Tape librarians managing print queues and reloading paper for printers as well as loading off-site storage containers with back up tapes D. Operators assisting system programmers with troubleshooting the operating system by adjusting parameters while the programmers observed the results
79. A. The correct answer is A. This is a properly set of functions that restrict the operator to the role of response and notify. In Answer B, the librarian is making changes to code, which should not be allowed, even if he or she is asked to do so. In Answer C, the librarians have access to both the beginning and end of a process, thereby enabling them to control a process that is not intended. In Answer D, the operator is making changes and should instead support this effort by doing the observation instead of making the change.
8. Which of the following is the best choice to ensure that internal control objectives are met? A. Top executive issues a policy stating compliance objectives. B. Procedures are created to govern employee conduct. C. Suitable systems for tracking and reporting incidents are used. D. The clients operating records are audited annually.
8. C. Designing, implementing, and using suitable systems for tracking and reporting incidents is the best way to ensure that internal control objectives are met. What gets measured is what gets done, so tracking the detection of problems is the best answer. The other choices are also important actions, but in the hierarchy of controls the first priority is timely detection. Lack of detection is a total governance failure.
82. When reviewing role-based access, which of the following parameters should the IS auditor be least concerned with? A. Business functions and job descriptions provide the input to determine that the accesses defined are sufficient to performing the required tasks. B. The defined role is applicable to a job function or set of job functions that provides a categorization of need that defines a role. C. The access permissions of a particular role are reconciled to the actual functions performed on a periodic basis. D. The establishment of new roles is reviewed and approved by the data owner or steward.
82. B. The correct answer is B. This is the least important of these aspects of the role-based access definition. From the user's perspective, the role must be relevant and inclusive of the functions to be performed (A). These permissions must be periodically reviewed and validated (C) and changes have to be approved by the data owner to preserve the classification of data that they established (D). Whether these roles are unique to a particular user or applicable to a large number of users is the least important issue.
83. When reviewing the information recovery procedures, an IS auditor would be least concerned with finding procedures that A. Lay down the last complete back up and then all of the subsequent incremental back ups that are available B. Recover all available information from the available back up tapes and move forward with the available information C. Use hard copy transaction records to return the transactions processing history to the time of disaster from the last available back up D. Use the best information available and reconcile the inventories to understand the transactions that may have been lost during the disaster or disruption
83. B. The correct answer is B. A procedure that recognizes that some electronic records are bound to be lost and that requires hard copy transaction information be created and used to recover to the point of failure of the systems is the next best recovery model for a transaction processing system. The best would be mirrored, journaling at an off-site location. The other answers described here do not recognize the transactions in progress since the last back up was taken and will be less effective in providing for a complete recovery.
84. The most important aspect of a recovery plan in the initial hours of a recovery process will be that A. Call lists and rosters are included for contacting the recovery teams B. People have been trained what to do and where to meet to gather and begin recovery without the documented plan C. A disaster is declared by management and the EOC is activated as a control center D. Testing results have been included to show current recoverability
84. B. The correct answer is B. Knowing what to do without any of the plan documentation is critically important in the first hours of the recovery process when manuals and procedures may not be available from staging and storage areas. Call lists and rosters are critically important to this effort but will not be useable from within the recovery plan stored with the recovery materials or destroyed by the disaster (A). These lists and rosters must be available immediately; the copies with the recovery plan will only be used if all else fails (or as a check to ensure that everything was covered by the interim processes, which were used immediately after the disruption occurred). The other two items (C) and (D) are nice to have but are not as important as the training of key individuals who will lead the initial recovery of gathering and assessment processes.
88. Which of the following are valid reasons for considering an e-business solution in support of the business process? I. The customer base is widely scattered and remote to the physical business location. II. The costs of doing business over the Web have been shown to be more efficient for the business than other mechanisms. III.Everybody is doing it. IV. The sales department believes that adding functionality to the Web presence will move customers from a browse to a buy online model by making this business option available to them. V. Real time and immediate support of the business transactions can be best supported by an online transaction model. A. I, II, and III only B. I, II, III, and IV only C. I and II only D. I, II, and V only
88. A. The correct answer is A. Items I, II, and III are all valid reasons for considering an online solution for business processing. When customer locations are remote and disperse (I), online solutions add value to these existing customers and provide them options, making this a valid consideration. Anytime there is proof of lowered costs (II) supported by evidence, the consideration is a valid one. You may think that just because everybody is doing it (III) may be the wrong reason, but business trends go that way at times and consideration needs to be made or the business may get left behind. However, just because the sales department believes that if you build it, they will come (IV), the validity of the reasoning must be questioned by the auditor unless some substantiating evidence can by shown. Real-time, immediate needs are the worst rationale (V), because the use of the Internet cannot be assured and certain.
91. Which of the following is the MOST likely reason why e-mail systems have become a useful source of evidence for litigation? A. Multiple cycles of backup files remain available. B. Access controls establish accountability for e-mail activity. C. Data classification regulates what information should be communicated via e-mail. D. Within the enterprise, a clear policy for using e-mail ensures that evidence is available.
91. A. Backup files containing documents that supposedly have been deleted could be recovered from these files. Access controls may help establish accountability for the issuance of a particular document, but this does not provide evidence of the e-mail. Data classification standards may be in place with regards to what should be communicated via e-mail, but the creation of the policy does not provide the information required for litigation purposes.
93. An IS auditor noted that an organization had adequate business continuity plans (BCPs) for each individual process, but no comprehensive BCP. Which would be the BEST course of action for the IS auditor? A. Recommend that an additional comprehensive BCP be developed. B. Determine whether the BCPs are consistent. C. Accept the BCPs as written. D. Recommend the creation of a single BCP.
93. B. Depending on the complexity of the organization, there could be more than one plan to address various aspects of business continuity and disaster recovery. These do not necessarily have to be integrated into one single plan; however, each plan should be consistent with other plans to have a viable business continuity planning strategy.
97. An IS auditor should recommend the use of library control software to provide reasonable assurance that: A. program changes have been authorized. B. only thoroughly tested programs are released. C. modified programs are automatically moved to production. D. source and executable code integrity is maintained.
97. A. Library control software should be used to separate test from production libraries in mainframe and/or client server environments. The main objective of library control software is to provide assurance that program changes have been authorized. Library control software is concerned with authorized program changes and would not automatically move modified programs into production and cannot determine whether programs have been thoroughly tested. Library control software provides reasonable assurance that the source code and executable code are matched at the time a source code is moved to production. However, subsequent events such as a hardware failure can result in a lack of consistency between source and executable code.
98. Regarding a disaster recovery plan, the role of an IS auditor should include: A. identifying critical applications. B. determining the external service providers involved in a recovery test. C. observing the tests of the disaster recovery plan. D. determining the criteria for establishing a recovery time objective (RTO).
98. C. The IS auditor should be present when disaster recovery plans are tested, to ensure that the test meets the targets for restoration, and the recovery procedures are effective and efficient. As appropriate, the auditor should provide a report of the test results. All other choices are a responsibility of management.
122. The BEST overall quantitative measure of the performance of biometric control devices is: A. false-rejection rate. B. false-acceptance rate. C. equal-error rate. D. estimated-error rate.
A low equal error rate (EER) is a combination of a low false rejection rate and a low false acceptance rate.
27. A web application stores unique codes on each user's system in order to track the activities of each visitor. What is a common term for these codes? A. Http-only cookie B. Super cookie C. Session cookie D. Persistent cookie
A session cookie is used to uniquely identify each visitor to a web site and is used to manage user sessions.
55. What method is used by a transparent proxy filter to prevent a user from visiting a site that has been blacklisted? A. Proxy sends an HTTP 400 Bad Request to the user's browser. B. User is directed to a "web site blocked" splash page. C. Proxy filter simply drops the packets and the user's browser times out. D. User's workstation is quarantined to prevent malware from spreading.
A transparent proxy server will usually direct a user to a "splash page", informing the user that their request to access a forbidden web site has been blocked. Some organizatinos include information on their splash page that can direct a user to make a request to unblock access to the desired site.
109. An IS auditor reviewing a database application discovers that the current configuration does not match the originally designed structure. Which of the following should be the IS auditor's next action? A. Analyze the need for the structural change. B. Recommend restoration to the originally designed structure. C. Recommend the implementation of a change control process. D. Determine if the modifications were properly approved.
An IS auditor should first determine if the modifications were properly approved
131. After initial investigation, an IS auditor has reasons to believe that fraud may be present. The IS auditor should: A. expand activities to determine whether an investigation is warranted. B. report the matter to the audit committee. C. report the possibility of fraud to top management and ask how they would like to proceed. D. consult with external legal counsel to determine the course of action to be taken.
An IS auditor's responsibilities for detecting fraud include evaluating fraud indicators and deciding whether any additional action is necessary or whether an investigation should be recommended. - A
33. Which of the following represents the components of the project in graphical or tabular form and is a visual or structural representation of the system, software, or application? A. Data flow diagram (DFD) B. Work breakdown structure (WBS) C. Zachman model D. Object breakdown structure (OBS)
An OBS is a visual or structural representation of the system, software, or application in a hierarchical form, from high level to fine detail.
137. When two or more systems are integrated, input/output controls must be reviewed by an IS auditor in the: A. systems receiving the output of other systems. B. systems sending output to other systems. C. systems sending and receiving data. D. interfaces between the two systems.
Both of the systems must be reviewed for input output controls, since the output of one system is the input for another.
99. Due to changes in IT, the disaster recovery plan of a large organization has been changed. What is the PRIMARY risk if the new plan is not tested? A. Catastrophic service interruption B. High consumption of resources C. Total cost of the recovery may not be minimized D. Users and recovery teams may face severe difficulties when activating the plan
Catastrophic service interruption
23. Change management and configuration management are key to which phase of the SDLC? A. Requirement definition B. Design C. Maintenance D. Testing
Change management and configuration management are essential operational processes in the MAINTENANCE phase of SDLC. Requirements definition is before initial implementation, as is design
128. An IS auditor who was involved in designing an organization's business continuity plan (BCP) has been assigned to audit the plan. The IS auditor should: A. decline the assignment. B. inform management of the possible conflict of interest after completing the audit assignment. C. inform the business continuity planning (BCP) team of the possible conflict of interest prior to beginning the assignment. D. communicate the possibility of conflict of interest to management prior to starting the assignment.
Communicating a possibility of a conflict of interest to management prior to starting the assignment is the correct answer.
8. What is the principal issue surrounding the use of CAAT software? A. The capability of the software vendor B. Documentary evidence is more effective C. Inability of automated tools to consider the human characteristics of the environment D. The possible cost, complexity, and security of output
Computer Assisted audit tools are able to perform detailed technical tasks faster than humans and produce more accurate data during particular functions such as system scanning. Cost, training and security of output are major considerations
76. Which of the following procedures should be implemented to help ensure the completeness of inbound transactions via electronic data interchange (EDI)? A. Segment counts built into the transaction set trailer B. A log of the number of messages received, periodically verified with the transaction originator C. An electronic audit trail for accountability and tracking D. Matching acknowledgment transactions received to the log of EDI messages sent
Control totals built into the trailer record of each segment is the only option that would ensure all individual transactions sent are received completely
56. In a virtualized environment, which method is the fastest way to ensure rapid recovery of servers at an alternative processing center? A. Copy snapshots of virtual machine images to alternative processing center storage system. B. Provide build instructions for all servers and make master server images available. C. Perform full and incremental backups of all servers on a daily basis. D. Perform grandfather-father-son backups of all servers on a daily basis.
Copying snapshots of actual server images ensures that recent server images are available at the alternative processing center for rapid restoration.
34. Which type of tests will determine whether there are any failures or errors in input, processing, or output controls in an application? A. Referential integrity tests B. Data conversion tests C. Data integrity tests D. Static data storage tests
Data integrity testing is used to confirm whether an application properly accepts, processes, and stores information. Data integrity tests will determine whether there are any failures or errors in input, procesing, or output controls in an application
130. A manufacturing firm wants to automate its invoice payment system. Objectives state that the system should require considerably less time for review and authorization and the system should be capable of identifying errors that require follow up. Which of the following would BEST meet these objectives? A. Establishing an inter-networked system of client servers with suppliers for increased efficiencies B. Outsourcing the function to a firm specializing in automated payments and accounts receivable/invoice processing C. Establishing an EDI system of electronic business documents and transactions with key suppliers, computer to computer, in a standard format D. Reengineering the existing processing and redesigning the existing system
EDI is the best answer. Properly implemented (IE with agreements with trading partners transaction standards, controls over network security mechanisms in conjunction with application controls) EDI is best suited to identify and follow up on errors more quickly, given reduced opportunities for review and authorization. - C
38. In the context of information technology and information security, what is the purpose of fuzzing? A. To assess a physical server's resilience through a range of humidity settings B. To assess a physical server's ability to repel static electricity C. To assess a program's resistance to attack via the UI D. To assess a program's performance
Fuzzing refers to techniques where numerous iterations of data input combinations are offered to input fields to assess the presence and exploitability of security vulnerabilities
135. The network of an organization has been the victim of several intruders' attacks. Which of the following measures would allow for the early detection of such incidents? A. Antivirus software B. Hardening the servers C. Screening routers D. Honeypots
Honeypots can collect data on precursors of attacks. Since they serve no business function, honeypots are hosts that have no authorized users other than the honeypot administrators. All activity directed at them is considered suspicious.
12. Which of the following controls is not an example of a pervasive general control? A. IS security policy B. Humidity controls in the data center C. System-wide change control procedures D. IS strategic direction, mission, and vision statements
Humidity controls are specific to a single data center only
93. To prevent IP spoofing attacks, a firewall should be configured to drop a packet if: A. the source routing field is enabled. B. it has a broadcast address in the destination field. C. a reset flag (RST) is turned on for the TCP connection. D. dynamic routing is used instead of static routing.
IP spoofing takes advantage of the source routing option in the IP protocol. With this option enabled, an attacker can insert a spoofed IP address, the packet will travel the network according to the information within the source routing field, bypassing the logic in each router, icluding dynamic and static routing
9. The approach an IS auditor should use to plan IS audit coverage should be based on: A. risk. B. materiality. C. professional skepticism. D. sufficiency of audit evidence.
ISACA IS Audit and Assurance Standard 1202, Planning, establishes standards and provides guidance on planning an audit. It requires a risk based approach.
105. Which of the following would be the MOST cost-effective recommendation for reducing the number of defects encountered during software development projects? A. Increase the time allocated for system testing B. Implement formal software inspections C. Increase the development staff D. Require the sign-off of all project deliverables
Inspections of code and design are a proven software quality techique. An advantage of this approach is that defects are identified before they propagate through the development life cycle.
141. What should be the GREATEST concern to an IS auditor when employees use portable media (MP3 players, flash drives)? A. The copying of sensitive data on them B. The copying of songs and videos on them C. The cost of these devices multiplied by all the employees could be high D. They facilitate the spread of malicious code through the corporate network
Main concern is data leakage.
150. Accountability for the maintenance of appropriate security measures over information assets resides with the: A. security administrator. B. systems administrator. C. data and systems owners. D. systems operations group.
Management should ensure that all information assets (data and systems) have an appointed owner who makes decisions about classification and access rights. System owners typically delegate day to day custodianship to the systems delivery/operations group and security responsibilities to a security administrator. Owners, however, remain accountable for the maintenance of appropriate security measures
118. Naming conventions for system resources are important for access control because they: A. ensure that resource names are not ambiguous. B. reduce the number of rules required to adequately protect resources. C. ensure that user access to resources is clearly and uniquely identified. D. ensure that internationally recognized names are used to protect resources.
Naming conventions for system resources are important for the efficient administration of security controls. The conventions can be structured, so resources beginning with the same high level qualifier can be governed by one or more generic rules. - B
110. After reviewing its business processes, a large organization is deploying a new web application based on a VoIP technology. Which of the following is the MOST appropriate approach for implementing access control that will facilitate security management of the VoIP web application? A. Fine-grained access control B. Role-based access control (RBAC) C. Access control lists D. Network/service access control
Network/Service access control
65. Which of the following is a list of OSI model levels from the top down? A. Application, Physical, Session, Transport, Network, Data‐Link, Presentation B. Presentation, Data‐Link, Network, Transport, Session, Physical, Application C. Application, Presentation, Session, Transport, Network, Data‐Link, Physical D. Presentation, Network, Data‐Link, Transport, Session, Physical, Application
OSI Model: Please Do Not Throw Sausage Pizza Away
20. The PCI-DSS is an example of: A. An industry regulation that is enforced with fines B. A private industry standard that is enforced with contracts C. A voluntary standard that, if used, can reduce cyber insurance premiums D. An international law enforced through treaties with member nations
PCI-DSS was developed by a consortium of major credit card brands in the world. PCI is enforced through credit card brands' operating rules, as well as by acquiring banks
95. The information security policy that states "each individual must have their badge read at every controlled door" addresses which of the following attack methods? A. Piggybacking B. Shoulder surfing C. Dumpster diving D. Impersonation
Piggybacking
120. Which of the following should an IS auditor recommend to BEST enforce alignment of an IT project portfolio with strategic organizational priorities? A. Define a balanced scorecard (BSC) for measuring performance B. Consider user satisfaction in the key performance indicators (KPIs) C. Select projects according to business benefits and risks D. Modify the yearly process of defining the project portfolio
Prioritization of projects on the basis of their expected benefits to business and the related risks is the best measure for achieving alignment of the project portfolio to an organization's strategic priorities.
98. An efficient use of public key infrastructure (PKI) should encrypt the: A. entire message. B. private key. C. public key. D. symmetric session key.
Public key (asymmetric) cryptographic systems require larger keys (1024 bits) and involve intensive and time consuming computations. Symmetric is faster, but requires security when exchanging the key - D
24. Which of the following is a formal verification of system specifications and technologies? A. Design review B. User acceptance testing (UAT) C. Implementation review D. Quality assurance testing (QAT)
Quality Assurance testing is a formal verification of system specifications and technologies
86. When making a recommendation to establish a product review process that includes the security officer as part of the approval team, what should your strongest argument in the recommendation be? A. Security that is built into a process as part of the initial design can be seven times cheaper than the cost of implementing it after the product is in production. B. Plans should be documented and defended to upper management before they are used to implement a new program. C. The return on investment for products should be assessed prior to starting development so that these returns can be compared to actual gains after the product has been implemented. D. Plans should be evaluated to ensure that they follow the SDLC methodology standard in the organization and that the methodology has input from information security.
ROI is the strongest case you can make to management - C
87. When evaluating recovery plan documentation, an IS auditor determines that the plan's execution will result in the exposure of sensitive data to team members that do not have a need to know for this data. The auditor should A. Notify management of a material weakness in their final audit report. B. Recommend that stronger controls be applied to the data management during the recovery process. C. Focus their efforts on the recoverability of the business processes and note the control weakness for follow-up after the recovery is complete. D. Review the procedures for compensating controls or manual processes to control access during recovery.
Recovery plan documentation should be reviewed for its capability to provide for an effective recovery of the business process, not for its ability to protect the data with production level controls during recovery efforts
31. The capability wherein a server is constituted from backup media is known as which type of control? A. Primary control B. Manual control C. Compensating control D. Recovery control
Restoration of a server from backup media is known as recovery control.
126. During a review of a customer master file, an IS auditor discovered numerous customer name duplications arising from variations in customer first names. To determine the extent of the duplication, the IS auditor would use: A. test data to validate data input. B. test data to determine system sort capabilities. C. generalized audit software to search for address field duplications. D. generalized audit software to search for account field duplications.
Since the name is not the same (due to name variations), one method to detect duplications would be to compare other common fields, such as addresses. A subsequent review to determine common customer names at these addresses could then be conducted.
138. Which of the following would MOST effectively control the usage of universal storage bus (USB) storage devices? A. Policies that require instant dismissal if such devices are found B. Software for tracking and managing USB storage devices C. Administratively disabling the USB port D. Searching personnel for USB storage devices at the facility's entrance
Software for centralized tracking and monitoring would allow a USB usage policy to be applied to each user based on changing business requirements, and would provide for monitoring and reporting exceptions to management.
77. When conducting an audit of client-server database security, the IS auditor should be MOST concerned about the availability of: A. system utilities. B. application program generators. C. systems security documentation. D. access to stored procedures.
System utilities may enable unauthorized changes to be made to data on the client-server database. In an audit of database security, the controls over such utilities would be the primary concern of the IS auditor
85. During your review of an information security risk assessment, which of the following elements would you be least concerned with if no evidence was available to substantiate it? A. The exercise of risk assessment is re-performed periodically. B. The threats and vulnerabilities have been determined. C. The existing controls have been inventoried and assessed for effectiveness. D. The risk assessment included a tactical as well as a strategic initiatives assessment.
Tactical and strategic relate more to the resolution of the issues than it does to risks. Assessing risks identifies exposure to bad things happening
89. What aspect of the systems development testing process needs to be addressed during the systems design process? A. The use cases are documented to show how the product is supposed to work when completed. B. The detailed work plans and process steps are defined so that they can be checked for completeness during testing of the development process. C. The expectations and outcomes of the development process are defined formally to be used for testing criteria. D. The project design is checked against the functional requirements.
Testing criteria are formulated from the expectations and intentions of the design and its documentation. In fact, test scenarios should be sketched out for the design parameters as part of the design process
61. Which of these is not the purpose of the ISO 15489 standard for a records management system? A. Define the legal definition of the minimum handling requirements for data records. B. Provide a legal standard of negligence and culpability. C. Eliminate the need for a detailed classification list of each data set. D. Define governance responsibilities during the life cycle of data.
The ISO 15489 standard defines the minimum handling process for records of value using an information classification system, AKA a list of each data set to be protected. This is the most important governance control for compliance since it details each data item to be protected and what the acceptable incident response is. The absence of the RMS is usually a control failure.
148. An IS auditor reviewing an organization's IT strategic plan should FIRST review: A. the existing IT environment. B. the business plan. C. the present IT budget. D. current technology trends.
The IT strategic plan exists to support the organization's business plan. Learning the business plan is important for an auditor.
84. Which of the following should an IS auditor review when performing an assessment of a PBX? I. Ensure that the dial-in numbers enabling toll-free outbound access are turned off. II. Ensure that voicemail systems do not enable access to phone lines through hijacking. III.Ensure that the access codes for the maintenance ports have been changed from the default. IV. Ensure that outbound toll numbers, such as 900 numbers, are restricted. V. Ensure that excessive phone usage is flagged and investigated for fraud. A. I, II, III, and IV only B. II, III, and IV only C. II, III, IV, and V only D. I, II, III, IV, and V
The ability of obtaining an outbound toll free line is a business decision made by management, not the IS auditor
25. Which of the following is the best relationship between system security and the use of vulnerability scanning tools? A. Vulnerability scanning is performed proactively, and it drives the security patching and hardening functions. B. Vulnerability scanning is performed proactively, and it drives the security patching function. C. Patching and hardening are performed proactively, and vulnerability scanning is used to verify their effectiveness. D. Patching is performed proactively, and vulnerability scanning is used to verify its effectiveness.
The best use of vulnerability scanning is its functioning as a quality assurance activity, to ensure that security patching and system hardening are being performed effectively.
102. The IS management of a multinational company is considering upgrading its existing virtual private network (VPN) to support voice-over IP (VoIP) communications via tunneling. Which of the following considerations should be PRIMARILY addressed? A. Reliability and quality of service (QoS) B. Means of authentication C. Privacy of voice transmissions D. Confidentiality of data transmissions
The company currently has a VPN, issues such as authentication and confidentiality have been implemented by the VPN using tunneling. Privacy of voice transmission is similarly covered. Reliability and QOS are the primary considerations remaining
6. Highest authority for a project manager is in the ________ organizational structure. A. Projectized, followed by the strong matrix B. Functional C. Cross-functional matrix D. Business corporation
The highest level of authority is in the projectized organization, followed in decreasing authority by the strong matrix, balanced matrix, weak matrix, and functional. In functional and weak matrix organizations, the project manager has almost no authority and relies on begging and personal influence
134. Facilitating telecommunications continuity by providing redundant combinations of local carrier T-1 lines, microwaves and/or coaxial cables to access the local communication loop is: A. last-mile circuit protection. B. long-haul network diversity. C. diverse routing. D. alternative routing.
The method of providing telecommunication continuity through the use of many recovery facilities, providing redundant combinations of local carrier T-1's, microwave and or coaxial cable to access the local communication loop in the event of a disaster, is called last mile circuit protection.
58. Using public-key interchange (PKI) encryption, which key is used by the sender for authentication of the receiving party? A. Sender's private key B. Recipient's private key C. Recipient's public key D. Sender's public key
The sender uses the recipient's public key to encrypt a file that only the recipient can read (decrypt
94. Which testing approach is MOST appropriate to ensure that internal application interface errors are identified as soon as possible? A. Bottom up B. Sociability testing C. Top-down D. System test
The top down approach to testing ensures that interface errors are detected early and testing of major functions is done early. Bottum up begins with atomic units such as programs and modules, and works upward until a system test has taken place
62. What is the primary technique for reporting compliance with key requirements in operations? A. Technical recommendations from IT B. Identify business issues and governance objectives C. COBIT performance framework D. Individual elements created from contracts and regulations
Using a compliance matrix of individual items that have been committed to clients in signed contracts, advertised service level statements, and specific points within regulations will define the most critical service elements necessary to support business operations.
71. Which of the following is the most appropriate method to ensure confidentiality in data communications? A. Secure hash algorithm (SHA‐1) B. Virtual private network (VPN) C. Digital signatures D. Digital certificates with public‐key encryption
VPN would ensure confidentiality
