Chapter 7
Which audit data collection method helps ensure that the information-gathering process covers all relevant areas? A. Checklist B. Interviews C. Questionnaires D. Observation
A. Checklist: Audit Data Collection Methods Explanation: Auditors use checklists to ensure that they have covered all of the relevant information items during their data collection process.
Curtis is conducting an audit of an identity management system. Which question is NOT likely to be in the scope of his audit? A. Does the organization have an effective password policy? B. Does the firewall properly block unsolicited network connection attempts? C. Who grants approval for access requests? D. Is the password policy uniformly enforced?
B. Does the firewall properly block unsolicited network connection attempts?: Control Checks and Identity Management Explanation: When auditing an identity management system, you should focus on three key questions. First, who grants approval for access requests? Second, which mechanisms are used for specific security requirements? Finally, does the organization have an effective password policy and is it uniformly enforced? Firewalls are not generally in scope for an identity management system audit.
Anthony is responsible for tuning his organization's intrusion detection system. He notices that the system reports an intrusion alert each time that an administrator connects to a server using Secure Shell (SSH). What type of error is occurring? A. Remote administration error B. False positive error C. Clipping error D. False negative error
B. False positive error: Logging Anomalies Explanation: A false positive error occurs when a system reports malicious activity that is not a real security event, as here, where routine administrative SSH sessions are flagged as intrusions. False alarms waste administrative effort and train staff to ignore alerts, so the rule should be tuned to recognize approved administrative access rather than disabled outright.
Gina is preparing to monitor network activity using packet sniffing. Which technology is most likely to interfere with this effort if used on the network? A. Transmission Control Protocol/Internet Protocol (TCP/IP) B. Secure Sockets Layer (SSL) C. Domain Name System (DNS) D. Dynamic Host Configuration Protocol (DHCP)
B. Secure Sockets Layer (SSL): Monitoring Issues Explanation: SSL (and its successor, TLS) encrypts the contents of a connection above the transport layer. A packet sniffer on such a network still sees addresses, ports and traffic volume, but the application data is obscured, which interferes with content-based network monitoring.
Which item is an auditor least likely to review during a system controls audit? A. Resumes of system administrators B. Incident records C. Application logs D. Penetration test results
A. Resumes of system administrators: Defining the Scope of the Plan Explanation: While auditors are entitled to review any documentation or records relevant to the audit, they are much more likely to review logs, incident records, and penetration test results than the resumes of system administrators.
Isaac is responsible for performing log reviews for his organization in an attempt to identify security issues. He has a massive amount of data to review. What type of tool would best assist him with this work? A. Security information and event management (SIEM) B. Intrusion prevention system (IPS) C. Data loss prevention (DLP) D. Virtual private network (VPN)
A. Security information and event management (SIEM): Types of Log Information to Capture Explanation: SIEM systems help organizations manage the explosive growth of log files. SIEMs provide a platform to capture and analyze logs from many different sources.
What type of security monitoring tool would be most likely to identify an unauthorized change to a computer system? A. Network IDS B. System integrity monitoring C. CCTV D. Data loss prevention
B. System integrity monitoring: Security Monitoring for Computer Systems Explanation: System integrity monitoring tools, such as Tripwire, enable you to watch computer systems for unauthorized changes and report them to administrators in near real time.
Which intrusion detection system strategy relies upon pattern matching? A. Behavior detection B. Traffic-based detection C. Statistical detection D. Signature detection
D. Signature detection: Analysis Methods Explanation: Signature detection systems use rule-based detection and rely upon pattern matching to compare current traffic with activity patterns of known network attacks.
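Signature detection as described in this answer, together with the false positive from the SSH tuning question above, in one added Python example (not code from the original page or from any IDS product): rules are regular-expression patterns run over log lines, an untuned "any SSH login" rule fires on the administrator's expected jump-host sessions, and the tuned rule set suppresses exactly those matches while still alerting on the other activity. The sshd log lines and the jump-host address are constructed for the example.

```python
"""Signature (pattern-matching) detection over sshd log lines, before and after tuning."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed sample sshd log lines (syslog format); not taken from a real system.
SAMPLE_LINES = [
    "Mar 10 09:12:01 srv1 sshd[2311]: Accepted publickey for admin from 10.0.5.10 port 50212 ssh2",
    "Mar 10 09:15:44 srv1 sshd[2340]: Accepted password for deploy from 203.0.113.77 port 41022 ssh2",
    "Mar 10 09:16:02 srv1 sshd[2351]: Failed password for root from 198.51.100.23 port 55110 ssh2",
    "Mar 10 09:16:03 srv1 sshd[2351]: Failed password for root from 198.51.100.23 port 55111 ssh2",
    "Mar 10 09:20:30 srv1 sshd[2400]: Accepted publickey for admin from 10.0.5.10 port 50300 ssh2",
]

# Hypothetical: the jump host administrators are expected to connect from.
ADMIN_JUMP_HOSTS = {"10.0.5.10"}


@dataclass(frozen=True)
class Signature:
    name: str
    pattern: re.Pattern[str]  # must define a named group "src"
    # Tuning hook: return True to suppress a match that is known-benign in context.
    suppress: Optional[Callable[[re.Match[str]], bool]] = None


@dataclass(frozen=True)
class Alert:
    rule: str
    line_no: int
    source_ip: str


SSH_LOGIN = re.compile(r"sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) from (?P<src>\S+)")
ROOT_PASSWORD_FAILURE = re.compile(r"sshd\[\d+\]: Failed password for root from (?P<src>\S+)")

# Untuned rule set: every successful SSH login raises an alert.
UNTUNED_RULES = [
    Signature("ssh-login", SSH_LOGIN),
    Signature("ssh-root-password-failure", ROOT_PASSWORD_FAILURE),
]

# Tuned rule set: same patterns, but expected admin sessions from the jump host are suppressed.
TUNED_RULES = [
    Signature(
        "ssh-login",
        SSH_LOGIN,
        suppress=lambda m: m.group("user") == "admin" and m.group("src") in ADMIN_JUMP_HOSTS,
    ),
    Signature("ssh-root-password-failure", ROOT_PASSWORD_FAILURE),
]


def match_signatures(lines: list[str], rules: list[Signature]) -> list[Alert]:
    """Run every rule's pattern over every line; one Alert per unsuppressed match."""
    alerts: list[Alert] = []
    for line_no, line in enumerate(lines, start=1):
        for rule in rules:
            match = rule.pattern.search(line)
            if match is None:
                continue
            if rule.suppress is not None and rule.suppress(match):
                continue
            alerts.append(Alert(rule.name, line_no, match.group("src")))
    return alerts


def false_positives_removed(lines: list[str]) -> int:
    """Number of alerts the tuning removed, i.e. the false positives on this sample."""
    return len(match_signatures(lines, UNTUNED_RULES)) - len(match_signatures(lines, TUNED_RULES))


if __name__ == "__main__":
    for alert in match_signatures(SAMPLE_LINES, TUNED_RULES):
        print(alert)
    print("false positives removed by tuning:", false_positives_removed(SAMPLE_LINES))
```

The suppression is deliberately narrow (the admin account from the approved jump host), so the deploy login from an external address and the root password failures still alert. A pattern-only engine like this can only recognize activity it has a rule for, which is the limitation that motivates the behavior- and statistics-based strategies listed in the question.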
Fran is conducting a security test of a new application. She does not have any access to the source code or other details of the application she is testing. What type of test is Fran conducting? A. Black-box test B. White-box test C. Grey-box test D. Blue-box test
A. Black-box test: Testing Methods Explanation: In a black-box test, the assessor uses test methods that aren't directly based on knowledge of a program's architecture or design. The tester does not have the source code.
Ricky is reviewing security logs to independently assess security controls. Which security review process is Ricky engaging in? A. Monitor B. Audit C. Improve D. Secure
B. Audit: Security Controls Address Risk Explanation: During the audit phase of a security review, professionals review the logs and overall environment to provide an independent analysis of how well the security policy and controls work.
When should an organization's managers have an opportunity to respond to the findings in an audit? A. Managers should write a report after receiving the final audit report. B. Managers should include their responses to the draft audit report in the final audit report. C. Managers should not have an opportunity to respond to audit findings. D. Managers should write a letter to the Board following receipt of the audit report.
B. Managers should include their responses to the draft audit report in the final audit report.: Generation of Audit Report Explanation: Managers should review the draft audit report and have an opportunity to provide a management response to each finding that will be included in the final copy of the audit report.
Which regulatory standard would NOT require audits of companies in the United States? A. Sarbanes-Oxley Act (SOX) B. Personal Information Protection and Electronic Documents Act (PIPEDA) C. Health Insurance Portability and Accountability Act (HIPAA) D. Payment Card Industry Data Security Standard (PCI DSS)
B. Personal Information Protection and Electronic Documents Act (PIPEDA): Purpose of Audits Explanation: PIPEDA is Canadian federal privacy legislation and does not impose audit requirements on companies operating in the United States.
Which activity is an auditor least likely to conduct during the information-gathering phase of an audit? A. Vulnerability testing B. Report writing C. Penetration testing D. Configuration review
B. Report writing: Audit Data Collection Methods Explanation: Auditors do not write reports during the information-gathering phase of an audit. Instead, they collect information through interviews, configuration reviews, penetration tests, vulnerability tests, and other techniques.
What is NOT generally a section in an audit report? A. Findings B. System configurations C. Recommendations D. Timeline for Implementation
B. System configurations: Generation of Audit Report Explanation: The audit report generally contains these broad sections: findings, recommendations, timeline for implementation, level of risk, management response, and follow-up.
What information should an auditor share with the client during an exit interview? A. Draft copy of the audit report B. Final copy of the audit report C. Details on major issues D. The auditor should not share any information with the client at this phase
C. Details on major issues: Exit Interview Explanation: During the exit interview, the auditor should alert key personnel of major issues and recommendations that will come later in the audit report. This enables management to respond quickly and act on serious issues. Aside from these early alerts, auditors should not provide details before the final report.
What is a set of concepts and policies for managing IT infrastructure, development, and operations? A. ISO 27002 B. Control Objectives for Information and related Technology (COBIT) C. IT Infrastructure Library (ITIL) D. NIST Cybersecurity Framework (CSF)
C. IT Infrastructure Library (ITIL): Auditing Benchmarks Explanation: ITIL is a set of concepts and policies for managing IT infrastructure, development, and operations. ITIL is published in a series of books, each covering a separate IT management topic.
Which security testing activity uses tools that scan for services running on systems? A. Reconnaissance B. Penetration testing C. Network mapping D. Vulnerability testing
C. Network mapping: A Testing Road Map Explanation: Network mapping uses software tools that scan for services running on an organization's systems and networks.
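What "scanning for services" means at the wire level, as an added Python example (not code from the original page or from any scanning tool): a TCP connect scan attempts a full handshake to each port and records the ones that answer. So that it runs offline, the example starts its own listening socket on loopback to stand in for a real service, and releases an ephemeral port to obtain one that is known to be closed; both ports are chosen by the OS at run time.

```python
"""TCP connect scan against loopback, with a constructed listener so it runs offline."""
from __future__ import annotations

import socket
from concurrent.futures import ThreadPoolExecutor


def probe_port(host: str, port: int, timeout: float = 0.5) -> bool:
    """Return True if a TCP handshake to host:port completes, i.e. something is listening."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.connect((host, port))
        except OSError:  # refused, timed out, unreachable
            return False
    return True


def scan_ports(host: str, ports: list[int], timeout: float = 0.5, workers: int = 32) -> list[int]:
    """Connect-scan the given ports in parallel; return the sorted list of open ports."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda p: (p, probe_port(host, p, timeout)), ports))
    return sorted(port for port, is_open in results if is_open)


def service_name(port: int) -> str:
    """Best-effort port-to-service mapping from the local services table."""
    try:
        return socket.getservbyport(port, "tcp")
    except OSError:
        return "unknown"


def start_listener(host: str = "127.0.0.1") -> tuple[socket.socket, int]:
    """Open a listening socket on an OS-chosen port to stand in for a real service."""
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    server.bind((host, 0))
    server.listen(8)
    return server, server.getsockname()[1]


def free_port(host: str = "127.0.0.1") -> int:
    """Bind and immediately release an ephemeral port, giving one known to be closed."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.bind((host, 0))
        return sock.getsockname()[1]


def demo() -> tuple[int, int, list[int]]:
    """Start one constructed service, scan it plus a closed port, return what was found."""
    server, open_port = start_listener()
    closed_port = free_port()
    try:
        found = scan_ports("127.0.0.1", [open_port, closed_port])
    finally:
        server.close()
    return open_port, closed_port, found


if __name__ == "__main__":
    open_port, closed_port, found = demo()
    for port in found:
        print(f"127.0.0.1:{port}/tcp open ({service_name(port)})")
    print(f"probed {open_port} (listening) and {closed_port} (closed); open: {found}")
```

A connect scan like this completes the handshake and therefore shows up in the target's connection logs and IDS alerts, which is exactly why mapping belongs inside an authorized, scoped test; it also only tells you that a port answers, so the next step in the road map (vulnerability testing) is what identifies the software behind it and its weaknesses.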
Christopher is designing a security policy for his organization. He would like to use an approach that allows a reasonable list of activities but does not allow other activities. Which permission level is he planning to use? A. Promiscuous B. Permissive C. Prudent D. Paranoid
C. Prudent: Permission Levels Explanation: The prudent permission level allows a reasonable list of activities to take place and prohibits all other activities. This permission level is suitable for most businesses.
Emily is the information security director for a large company that handles sensitive personal information. She is hiring an auditor to conduct an assessment demonstrating that her firm is satisfying requirements regarding customer private data. What type of assessment should she request? A. SOC 1 B. SOC 2 C. SOC 3 D. SOC 4
C. SOC 3: Customer Confidence Explanation: A SOC 3 report is a general-use report that summarizes the results of a SOC 2 examination of a service provider's controls. Because it can be distributed freely, customers of SOC 2 service providers commonly rely on it to verify that the organization is meeting its commitments for protecting customer private data and complying with applicable laws.
Jacob is conducting an audit of the security controls at an organization as an independent reviewer. Which question would NOT be part of his audit? A. Is the level of security control suitable for the risk it addresses? B. Is the security control in the right place and working well? C. Is the security control effective in addressing the risk it was designed to address? D. Is the security control likely to become obsolete in the near future?
D. Is the security control likely to become obsolete in the near future? Explanation: The purpose of an audit is to check whether controls are appropriate, installed correctly, and addressing their purpose. Audits do not attempt to determine the expected lifetime of controls.