Domain 5: Protection of Information Assets
Difference between "Shall" and "Should" when they are used in the context of regulations.
"Shall" implies the action is compulsory irrespective of the financial impact, while "should" represents information that is discretionary in a regulation.
Which of the following conditions is likely to represent a control failure and therefore be a concern to the auditor.
A policy without an underlying standard of monitoring and enforcement. A policy w/o the standards of enforcement is practically worthless. Monitoring is required to determine whether the standard is being met or violated. The lack of monitoring and enforcement is a serious concern to the auditor.
Remote Journaling
Backing up transaction logs to an offsite facility. Is a technology used to transmit data to an offsite facility, but this usually only includes moving the journal or transaction logs to the offsite facility, not the actual files.
With what, you can relate the term auditor independence?
It is needed for an external audit.
Controls that belong in physical security programs
Response, detection, deterrence, delaying and assessment
Application level access control
Restricts users to the functions required to perform their duties. Application level access control programs work best for management controls as the allow restricting access to the functions required for performing their duties by limiting the users.
Biometric with the lowest false acceptance rate (FAR) and highest reliability is
Retina Scan. *Face biometric images are captured for common facial features. It is a and natural biometric and it's drawback is that it is not unique.
Positive pressurization pertaining to ventilation implies
The air goes out when a door opens. The air from the outside does not enter. If the doors of a facility were opened when it were on fire, positive pressure causes the smoke to exit and not get pushed back inside the building.
What does it mean if a cipher lock includes a door delay option?
The alarm goes off when a door remains opened for a specific period.
What indicates the modification of a message?
The change in the message digest. To detect if a modification has taken place, hashing algorithms generate message digests. Individual digests are generated by the sender and receiver and these values are compared by the receiver. In case of a difference, the receiver recognizes the modification in the message.
On what basis, the final opinion of the auditor is made?
The testing and evidence results. An auditor is a questioner who performs the testing of management assertions and provides an opinion on the basis of evidence found while performing the audit.
An auditors concern that the audit report needs to be explained with their findings is for
Undue restrictions from management on audit procedures or evidence. Management should not place restrictions on the auditor.
An e-commerce application is running on local network which is processing electronic fund transfers (EFT) and orders. For preventing data integrity or confidentiality loss in such cases, the best action would be to...
Use Virtual private networks and tunnels to transfer data. Can encrypt it with the use of VPN tunnels.
Effective length of DES key
64 Bits. The key size for DES is 64 bits, however it uses 8 bits for parity. Therefore the exact size is 56 bits. The DEA algorithm is utilized for the DES Standard. DEA is the algorithm, whle DES is the standard.
With respect to the properties of facility construction, what is correct?
1. For various types of attacks and explosives, the approximate penetration time's calculations depend on the concrete walls thickness and the rebar gauged. 2. With the use of thick rebar, and it's proper placement in the concrete gives effective protection 3. Rebar , reinforced walls, double walls can be utilized for delaying mechanisms. 4. Rebar are steel rods encased in concrete
Properties of one way hash function:
1. It needs to be infeasible to compute and find the corresponding msg, given the digest value. 2. It transforms a msg with an arbitrary length to a fixed length value 3. it should be rare or not possible to get the same digest from two different messages. A hashing algorithm inputs a variable-length string and the message of any size. It computes a value of fixed length, which is the message digest. The SHA family creates the value of fixed length of 160 bits, while the MD family creates it of 128 bits.
Delaying mechanisms
1. defense in depth measures 2. locks 3. access controls
A cipher lock
A lock that uses a keypad. Also known as programmable locks. Cipher locks make use of keypads for controlling access into a facility or an area. They may need a card to swipe and a combination that is specifically entered into the keypad
In comparison to a guideline, what is the definition of a standard?
A standard is a compulsory control for supporting a policy. It is discretionary to follow guidelines. Standards are implemented for ensuring uniform compliance at the minimum level. A guidelines is advisory information that is used when a standard is absent. It is mandatory to comply to standards, while complying with guidelines is discretionary.
Key wrapping
A technique used to store and transmit a symmetric encryption key.
Which of the following types of downloadable programs is known to present the most serious security risk?
ActiveX. More dangerous because the authenticode method of digitally signing a program does not protect against malicious software nor does it protect the user from poorly written programs. Malicious activex programs can subvert security of the operating system.
What should the auditor do when during a new business intelligence project the auditor finds expanded needs and time constraints as the root causes for corporate data definition standards violation?
Align standards by increasing the resources of the project. Given the technical, data architecture and operational needs are currently documented, the standards alignment can be treated as a particular work package that is assigned to new resources of the project.
A digital signature is best described as a method to:
Allow the msg receiver to prove the integrity and source of a message. A digital signature offers integrity (because of the involvement of hashing algorithm), authentication (as the msg is known) and non repudiation (the msg cannot be denied by the sender)
For regulatory compliance, which is the best description of an ongoing audit program?
An audit is a sequence of exclusive projects of small duration that include all the steps required for the annual compliance. Generally, projects are of limited duration and are exclusive. They have a fixed time period and have a fixed start and stop date. The projects can be combined into a project series to meet an operational need that is ongoing, such as perpetual quality program or an annual audit program.
First step to BCP
Analysis of the business impact. The team must first analyze the business impact before building a development BCP. The risk assessment must be a precursor to this activity and disaster recovery site and possibilities after the same.
5 phases of Business Continuity planning according to ISACA?
Analyze business impact, develop strategy, develop plan, implement, test plan.
Five phases of business continuity planning according to ISACA?
Analyze the business impact, develop strategy, develop plan, implement, plan testing. Notice the business impact is always the first step. Then criteria are selected to guide the strategy selection. A detailed plan is written using the strategy. The written plan is then implemented. After implementation, the plan and staff are tested for effectiveness. The plan is revised and then the testing and maintenance cycle begins.
Difference between a tumbler or a warded lock
As compared to a warded lock, a tumblr lock has more components. It includes more parts and pieces. The metal pieces of the lock are raised to the right height for the bolt to slide to the unlocked or locked position. This happens when the key fits into a cylinder. As compared to a tumbler lock, a warded lock is simpler to circumvent.
In relation to an audit, what statement gives the best assessment description?
As compared to assessments, audits are more formal. An assessment is less formal. The assessment objective is to find the value on the basis of relevance. The value of assessments is lower as they are not regimented independent audits or independent.
What is the issuing concerning right to audit?
Audit requests can be denied because of resources and time consumed. Every outsourced agreement should contain a specific clause granting the right to audit. The service provider may respond with an SAS-70 report in place of an audit, unless the right to audit clause specifically states the client may conduct their own audit of the service provider organization.
During a review of EDI (electronic data interchange) the IS auditor finds unauthorized transactions. The IS auditor would most likely recommend improving...
Authentication techniques to send and review messages. Because authentication techniques to send and receive messages have an important role to play to minimize the exposures to transactions that are unauthorized. An EDI trading partner agreement helps in minimizing exposure to legal issues.
What is the biggest concern with regards to controls?
Authorization. Authorization must be separated from all other functions. Changes in activities require separate authorization using the concept of separation of duties or compensating controls. The objective is to prevent an individual from violating an internal control. All control deviations should generate an audit trail, along with awareness of the deviation by management.
Administrative controls that pertain to emergency procedures
Awareness and training, Delegation of duties, drills and inspections.
What does it default to if an access does not have a fail secure property?
Being locked. If an access control has a fail safe setting, it implies that in case a power disruption, affects the automated locking system. by default, the doors will be unlocked. This type of configuration implies that if there were any problems with power, a door would default to being locked.
Back up method to be used on a computers files before a forensic investigation
Bit stream. Also known as physical imaging. The only backup method recording the deleted files with the swap and slack space contents is bit streaming.
By which method the auditor should help solve problems found while auditing?
By never taking the ownership of issues and providing advising the auditee in general, including clarification of what need to be looked at while performing the audit. The remediation plan needs to be designed by the auditee. Auditors participating in the remediation planning at the detail level are no longer independent nor objective.
Software worm
Can travel freely across the network for infecting other systems. Has the capability to infect files without the file closing or opening.
What the the properties of the charge coupled devices used by most CCTV systems?
Captures signals in the infrared range. Receives input through the lenses and converts it into an electronic signal. Provides better quality images. A CCD is defined as an electrical circuit converts lights into an electronic signal when it receives it from the lens. It then displays it on the monitor. A lens is used to focus on images onto the CCD chip surface, which creates the optical image's electrical representation. With the help of the tech, capturing surprising details of objects is possible. It is also possible to have precise representation as it has sensors to work in the infrared range. This helps in better quality and granularity in the video. Data is not recorded by a CCD.
Management method that provides the greatest control and not discretionary flexibility
Centralized. Also known as discretionary control. Distributed management allows local decisions that depend on various factors. The lowest overall control is provided by distributed methods.
What is the primary role of CA's in infrastructure using public keys?
Certificate issue and record maintenance. The CA is responsible for issuing digital certificates credentials and providing parties with verification regarding digital certificate validity. The CA also maintains the records of certificates, either valid, revoked or expired.
What is the best definition of user identity?
Claim. The user identity if a claim made by the user. This claim of identity must be verified against a known record by using the authentication process. Authentication is a one time match attempt to determine whether access should be granted.
When a system shuts down in an improper manner, the dump file is created. What does it include that proves useful in a forensic investigation?
Contents from RAM memory. This file includes the working memory contents and the tasks list that were being processed. During forensic investigation, this special diagnostic file is very helpful.
Management must implement appropriate internal controls as they are responsible for detection of irregular and possibly illegal activity. What is not a method of internal controls?
Contractual Control.
The probability of a material error that cannot be detected or prevented is an example of which risk?
Control Risk. That a material error is there and the auditor will not be able to detect it when introduced. This risk shows a loss of control.
Which control minimizes the impact of an event that has already occurred?
Corrective.
Which control ties to reduce the effect of a threat?
Corrective. Corrective controls solve a problem post occurrence.
Identifying information assets and their owners is a significant control activity. Social engineering methods can be used to compromise information assets. Which method represents social engineering?
Deceiving a person into voluntarily cooperating with the attacker. Social engineering refers to the using of tricks and deceit to ensure an otherwise honest person voluntarily cooperates with the attacker. Passwords and access are often procured by asking a user for assistance under a guise of a genuine need.
Which sampling method should be used when there is almost no margin of error or the risk of failure if very high?
Discovery. Discovery sampling is use when the risk of failure is very high. 100% of the available evidence will be tested because there is almost no margin for error. This is the most intensive type of testing.
An IS auditor is performing a review of the disaster recovery hot site used by a financial institution. Which of the following will be of great concern?
Disk space utilization data is not kept current.
What is the most effective and environment-friendly method to suppress a fire in a data center?
Dry pipe sprinklers. With the use of an automatic power shutoff system, water sprinklers have become more efficient as they can release automatically with no life threat. The dry pipe prevents leakage risk. Halon is effective because it does not cause any human life threat and it can also be set for automatic release but is not friendly to the environment and is costly. Car. bon dioxide is an acceptable gas but not as efficient as one cannot set it to automatic release because it causes life threats
Auditors apply professional judgement with an attitude of professional skepticism to prevent negligence. What is the best indication of professional judgement?
Due care. Due care in professional judgement means concern given to protect from loss. The minimum level of attention needed to prevent fraud of neglect is known as due care.
Following the evidence rule, what could the auditor use to best determine that a given policy is actually being used?
Enforcement emails. The presence of emails regarding enforcement of the policy would be the best determination that a policy is in use. A second choice might be a random sampling of user awareness, followed by the minutes of mtgs where the policy was discussed.
According to ISACA, which of the following are the 5 of the 6 business process re-engineering (BPR) steps?
Envision the goal, initiate the protect, diagnose the current process, redesign the process, reconstruct with the use of change management and evaluate the results by checking the new process to find out if it met the original objective.
A modification test results in a system dealing with payment calculation are evaluated by an IS auditor. The auditor discovers that 50% of the computations do not match with the determined totals. Most likely, the next audit step would be oto
Examine some of the test cases to confirm the results. The auditor should examine and confirm the cases with incorrect computations. Further tests can be then performed and reviewed. Until all results are confirmed, preparation of reports, findings and recommendations are not made.
Drawback of installing intrusion detection and monitoring systems
Expensive installation. Human response requirement. Subject to false alarms.
Objective of a skills matrix
Explain the person required while the audits performance phase. During preplanning, a skills matrix is made for identifying the skills essential to do a competent audit. It justifies the personnel training or explains the skills required by the audit team members. Additionally it prevents the auditor from getting stuck with a "warm body" that is unskilled.
Which technology can be considered for the identity management to accomplish few needs of the company?
Federated Identity. With the help of federation identification, the company and it's partners can enable themselves to share the authentication information of the customer. The retail company can have the authentication information when a customer authenticates to a partner website. Therefore when visiting the website of the retail company, the customer needs to submit less user profile information. As a result the steps to of the purchase process get reduced. This type of functionality and structure becomes feasible when companies possess and share the similar or same settings of the federated identity management software under a trust model.
Inherent risk is typically covered by insurance. Banker's blanket bonds are used as a form of insurance to cover losses due to employees. What does this refer to among the terms below?
Fidelity Coverage. Fidelity coverage protects an org through insurance against theft losses incurred through an employee. The fidelity bond is usually in the form of blanket bonds.
Best example of media and vital records:
Financial records, specialized forms, back up tapes and how to manuals.
When an enterprise resource planning financial systems audit for the logical access control was being done, an IS auditor discovered that there were some user accounts that were being shared by more than one user. The user IDs were made on the basis of roles rather and not on individual identities. With these accounts, one could access the ERP financial transactions. The IS auditor should do what?
Find compensating controls. To define accountability, the best access control would be to create user ID's for every user. One can do so only by creating a one to one relationship between users and ID's. On the other hand, if the ID's have been created on the basis of role designations, the auditor must first understand the objective behind this before evaluating the efficiency of the controls.
A DSS or decision support system
Focuses on flexibility in users approach of decision making. The objective is to solve problems that are less structured by combining models and techniques used for analytic with retrieval functions and traditional data access. it provides support to decision making tasks that are semi-structured.
Why are the standard terms of reference used?
For ensuring an unbiased and honest communication. The purpose of using standard terms of reference is to make sure an unbiased and honest between the auditor and everyone else. Without this, knowing whether the same issue is being discussed or the same outcome is being agreed would be difficult.
Access control procedure
Formally, access is authorized by the data owner and the user authorization tables are implemented by an administrator. Data owner can and is responsible for forming the access rights formally. The user authorization tables are then implemented or updated by an IS administrator.
Hierarchy of controls
General, pervasive, detailed, application. General controls show the highest controls class applicable to all within a company. Pervasive controls signify the required protection necessary when the technology is being used. In all departments that use computers, IS controls are pervasive. Detailed controls stipulate the execution procedure. Application controls work at the lowest level and are the govern it's use or built into the software. If the high level controls are absent, application controls are compromised.
An IS auditor should use the following for detecting duplicate invoice records in an invoice master file
Generalized audit software (GAS).
First step to assessing logical access controls
Get an understanding of the security risks to information processing. The auditor can do this by inquiring, reviewing the appropriate documentation and performing a risk assessment. Next step would be to assess the adequacy, deficiency or redundancy in controls in documentation and evaluation. Testing access paths is the third step. Lastly, security environment is evaluated for assessing its adequacy by observing and comparing the practices with appropriate best practices of security and reviewing the written policies.
Best way to prove an auditors competence is by
Having the IS auditor quote each point in a regulation with a specific test and an audit aim. Each auditor should create a list of al points that are contained in a regulation, while mentioning every point by page, paragraph and line number. It is used for explaining how the audit process is meeting the goal. Each item should ave specific tests. In the event the tests need to be run again, the auditor should always discover same or similar results with the use of your documentation.
Difference between authentication and identification
Identification is only a claim until verified while authentication is a match. Authentication happens when there is a match between the claim and reference which indicates the identity is correct.
First step to manage a cyber attack risk
Identify critical information assets. After this, threats and vulnerabilities are identified and potential damages are calculated.
After a system failure, which action should take place for restoring a system and it's data files?
Implement recovery procedures. Recovery procedures should be implemented in such situations, which in most of the cases include data recovery from the backup media. These recovery procedures could comprise of steps to rebuild a system from the start, apply the required configurations and patches and ensure what needs to happen for ensuring that productivity is not affected. A redundant system may also need to be considered.
What is true about materiality?
Information that would change the outcome of the audit is material. Refers to the information that would have a direct bearing on the outcome of final determination. It is not necessary to document all information related to the subject.
Audit tool that include dummy transactions into the normal processing on a system
Integrated Test Facility. An auditor can make use of an embedded audit module for creating a dummy transaction set which is processed with genuine transactions. The output data is compared by the auditor with its on calculation. It lets substantial testing to happen without any disruption in the normal processing schedule.
What is true pertaining to data encryption when it is used to protect data?
It requires careful key management. Data encryption always requires careful key management. Most algorithms are so strong today it is much easier to go after key management rather than to launch a brute force attack. Hashing algorithms are used for data integrity, encryption does require a good amount of resources and keys do not have to be escrowed for encryption.
Best way of protecting encryption keys from compromise
Limiting the individual key use. Encryption keys are also applied by separation of duties. Every encryption key should be used for a specific purpose.
After reviewing the controls of a database, an IS auditor found that a set of procedures were used to handle changes while normal working hours. On the other hand, after normal hours, these changes needed a reduced number of steps only. What is an appropriate compensating control for this situation?
Make database changes, log them and then the next day review the change log with the normal user account. Generally a DBA user account is set up for logging all the changes. This the most suitable for changes that are made beyond normal hours. Changes can be reviewed using the change log that records the changes. Without logging, the DBA user account will allow uncontrolled changes in databases as soon as account access is received. With a normal user, account and w/o any restrictions it will permit uncontrolled changes to the database. With the log, information on changes can be obtained only. It does not limit the authorized changes. Therefore logging along with review help creating a suitable set of compensating controls.
With respect to management and auditor roles, which of the below is true?
Management must make their assertions before report from the auditor. Management must make their assertions before the report and independent of the report. The auditor determines if the claims of management can be verified correctly with the help of evidence available.
Final hurdles to a business continuity are threats that may include...
Missed targets, Natural disasters, Profit Loss. The continuity objective is to make sure that revenue is not disturbed and critical targets are not missed.
Which system simulates human brain and makes a decision on weighted probabilities?
Neural Network. The neural network is patterned based on the design of the human brain, with logic comparable to the human synapses. Decisions are based on the program weight factors and probabilities.
Reason why continuity planners are capable of creating plans without a business impact analysis is because
Not possible. Critical processes change constantly. BIA recognizes critical processes and the related dependencies.
An IS auditor is reviewing access controls for a manufacturing organization. During the review, the IS auditor discovers that data owners have the ability to change access controls for a low risk application. The best course of action for the IS auditor would be
Not report this issue since discretionary access controls are already in place. DAC allows data owners to modify access which is a normal procedure and is a benefit of DAC.
What is best evidence?
Objective. Objective is best evidence as it is unbiased, factual and proves the point indicating the relationship to the audit area.
One can validate operating standards and procedures by
Observing the operation of a data center. Best way to be objective and collect evidence for validating operating procedures.
Various types of audits
Operational, Integrated, Administrative and compliance,
Most significant document for IS control
Org. Blueprint showing entry and exit into the unit.
Responsibility of the audit committee
Oversee the management of executives. Can hire and fire executives. Members from the board of directors are included in this committee. The committee can hire external auditors who can have quarterly meetings with the committee in the absence of other executives. The committee gives a method to senior executives to bring problems into a confidential discussion to explore a solution.
What is the process of following a systematic process of mandatory steps required to accomplish the objective?
Policies. Provide a cookbook recipe of steps necessary to ensure compliance in support of management's objective. The hierarchy is management's high level policy, supported by mid-level standard, which is supported by a lower-level procedure. Compliance to procedures is mandatory.
Risk
Potential that a given threat will exploit the vulnerability of an asset or group of assets to cause loss or damage to the assets.
Phases of incident response
Preparation, detection and analysis, containment eradication and recovery, and post incident activity including lessons learned.
Verification during a tape back up is an example of
Preventative control. A preventative control for preventing data loss. Verification and audits are detective controls always.
Base-case system evaluation
Process that utilizes test data for an all inclusive program controls test in a constant online manner. In a base case system evaluation, test data sets are used and developed for all inclusive testing programs. Before acceptance an periodic validation, this is done for verifying the right systems operations. On the other hand, test data/deck mimics transactions with the use of real programs. Parallel simulation is a process in which the production of processed data takes place with the use of computer programs that mimic the program logic of application. However an ITF (Integrated test facility) makes false files in the database and processes test transactions along with live input.
Main objective of ISACA audit standards and professional ethics publication
Provide consistency without embarrassing you or our profession.
Purpose of a digital signature
Provides the recipient with a method of testing the document received from a sender. An electronic signature is worthless unless the recipient actually tests the signature by decrypting it.
Incident commander
Qualification of this individual is to be the first person at the scene. Irrespective of the position of the rank. As per the situation with less or more experience, the incident commander may be relieved. Throughout the crisis, the incident commander will change.
Sender uses which key for receiving party authentication?
Recipients public key. The public key of the recipient is used for encrypting a file that can be read only by the recipient. The private key gives authenticity while the public keys gives integrity.
Goal of strategy planning phase is to
Recognize time windows and minimum service. Recognize the time window that is available and minimum service necessary that is required for recovery. A specific product or a vendor should never be involved in this discussion. The objective is forcing to develop a specific specification and find solutions fitting the specifications.
In an insurance company, an IT executive approached an external auditor to evaluate the user D's (fire call ID's) during emergency access. The auditor discovered those accounts were granted without an specific expiration date. What should the auditor recommend?
Review the process of access control privilege authorization. Permission to emergency system administration level access should be allowed as and when required. They should be configured to a specific expiration date. Strong controls are required for accounts with temporary privileges for limiting the privileges lifetime and the utilization of these accounts should be monitor closely.
When a post implementation enterprise resource management system review is done, an IS auditor generally
Reviews the configuration of access control. As the first step, the auditor reviews access control configurations for determining if security has been mapped in the system appropriately. The review is performed once user acceptance testing and actual implementation is complete.
What is the acronym used during recovery that denotes the expected level of service.
SDO. Service delivery Objective. Demonstrates the expected level of service. Several SDO targets may exist for the organization on the basis of various recovery phases.
Most important issue to be considered with respect to insurance coverage?
Salvage, and not replacement, may be dictated. Salvage to save money may be dictated by the insurance company. It increases the delay prior to recovery. Any replacement purchases the company makes may not be covered under reimbursement.
Auditor provides the following function
Second set of eyes which are external with respect to the subject reviewed.
To let employees enroll for benefits on the corporate intranet through a website, the human resource department has developed a system. What protects the data confidentiality?
Secure Socket Layer (SSL).
The possible effect of social engineering attacks can be reduced to
Security awareness programs. Social engineering is dependent on the use deception. Therefore the best defense is security awareness as this option is user focused.
The key used for public key cryptography decryption for providing authentication of the person that is transmitting the message is
Senders public key. The public key of the sender offers authentication from where the message has come. A private key offers confidentiality.
Compensating controls are primarily intended to compensate for what?
Separation. Separation authorization, specifically separation of job duties. It may not be possible to have SOD because of small staff. Compensating controls - including audit logs, job rotation and audit and supervisory review - ensure that all activity is visible to another employee or manager to prevent misuse.
The originator of a transaction is effectively verified how?
Signing the transaction digitally using the private key of the source. Digital signature is created with a public key algorithm and represents an electronic identification of a person. Used for verifying the identity of the transaction source to a recipient and the content integrity.
Without using computer tools or programs a hacker can get passwords by using
Social engineering.
A critical success factor is explained as...
Something that need to happen perfectly each time. Also known as a showstopper. A critical success factor need to go correct each time for the success of the recovery.
The objective of the professional ethics statement of ISACA auditor is to...
Specify the acceptable and unacceptable behavior clearly. Professional ethics statement of ISACA states that IS auditors need to complete their duties while taking care of highest standards of truthful and honest representation. Violating the fiduciary relationship with the client cannot be accepted.
An IS auditor makes observations about weaknesses in the tape management system that exists at a data center A few parameters are set for bypassing tape header records. The most effective compensating control to handle this weakness is
Staging and job set up. A compensating control can be accepted if the IS auditor discovers there are job setup processes and effective staging. Supervisory of logs is a detective control. Regular back ups for tapes and offsite storage of tapes are corrective controls.
Biggest concern with respect to asset disposal
Standing data. Any data standing need to be eliminated from the equipment before it's disposal. This is the information recoverable from a device by any mean.
A org is planing to deploy an outsourced cloud based application that is used to track job applicant data for the HR department. What is the great concern to an IS auditor?
The clouds provider data centers are in multiple cities and countries. Having data in multiple countries is the greatest concern because HR applicant data could contain PII. There may be legal compliance issues if the data is stored in a country with different laws regarding data privacy. While the org would be bound by the privacy laws where it is based, it may not have legal recourse if a data breach happens in a jurisdiction where the same laws do not apply.
Primary concern of the auditor when auditing the use of encryption.
The control of management over the encryption use. It needs to be checked if the encryption is managed under a complete life cycle governing the creation of keys, keys storage, proper authorization of keys, the correct use of keys using the correct algorithm, the keys usage tracking, keys reuse or archival, keys retirement and their destruction once all legal obligations are met.
Why are there concerns with light frame construction material that is utilized i building the internal walls of a company's facility?
The least protection against fire is provided and the least protection against forcible attempts of entry is provided. It has untreated lumber that during a fire could be combustible. The material is generally used for building homes as it is cheap and homes do not have threats of intrusion threats and fire as compared to office buildings.
Relationship b/w acceptable risk level, risk analysis, countermeasures, baselines and metrics can be defined as
The output of risk analysis is utilized for making the management know and a set a risk level that is acceptable. From this level, baseiines are derived. To track performance of countermeasures and make sure baselines are met, metrics are used.
What is the reason a certificate authority is revoked?
The private key of the user has been compromised. It warns people using the public key of the person. The authority warns they should not trust the public key anymore as the public key is not bound to the identity of that particular individual anymore. The reason could be that an employee has changed their name or left the company and required a new certificate.
What is true concerning digital signatures?
The recipient uses the signers public key. The message file is hashed, and the has is encrypted by the signer using the signer's private key. This creates a digital signature that can be verified (unlocked) by the recipient using the signer's public key.
A digital signature is created using:
The sender's private key. The senders private key is used to encrypt a digital signature, which is a message digest.
What is the greatest concern when conducting a test that compares job run logs to computer job schedules?
There were instances some jobs were overridden by computer operators. The overriding of computer processing jobs by computer operators could lead to unauthorized changes to data or programs. This is a control concern, thus it is always critical.
Who should be responsible for issuing the organizational policies?
They should be enforced and signed by the highest level of management. For ensuring compliance across the organization, policies should be issues, signed and enforced by the highest management level. Management is responsible for implementing internal controls, not the auditor.
Goal of Cryptanalysis
To determine the strength of an algorithm. It is the process of trying to reverse engineer a cryptosystem with the possible goal of uncovering the key used. Once the key is uncovered, all other messages encrypted with this key can be accessed. Cryptanalysis is carried out by the white hats to test the strength of the algorithm.
Best reason for creating a skill matrix?
To identify skills needed and justify training to fill the gaps. The primary goal is to identify all the skills needed and to justify additional training before conducting the audit. Adding a new personnel may be an acceptable option if training would not cute the problem in time. Using a skills matrix is one of the best practices in a project management; however that was not the best available choice.
Two common proximity identification device types
User activated devices and system sensing devices. With a user activated system, the user needs to enter a code or swipe the card using the reader. With a system sensing device, the presence of the card is recognized and communicated without the requirement of the user to perform any activity.
When is the business continuity plan likely to fail?
When a business impact analysis was not performed. No one can protect the business processes if they are unable to define them in a formal specification (BIA).
Greatest concern when auditing IT personnel.
When an IT person monitors the performance of the system, makes the required program changes and tracks all resultant problems. The duties separation prevents a person from authorizing their own changes or monitoring their own work. Self authorization and self monitoring become a problem as it violates governance intention. It would be required by the auditor to examine if the change control board reviewed and approved the changes formally before implementation.
Key Clustering
When for the same message, different keys generate the same cipher-text. The result is ciphertext Y when msg A is encrypted with key A. If key B is used to encrypt the same msg A, the result should be different from ciphertext Y because a different key was used. However, the occurrence is called key clustering if the ciphertext is the same.
Fiduciary Responsibility
Work for another person's benefit and keep the duties as honest and fair in front of personal interests. Lawyers, accountants and auditors work on behalf of the interests of their client unless with this, they violate the law. As per the law, it is the highest standard of duty for a guardian and trustee.