Ch. 12 & Analytics
A critical virus created by a group of hackers succeeded in disrupting the information systems of Company DYC. Company DYC, as a result of the hack, is unable to continue its business transactions for the next few weeks due to the crash of its essential information systems. Which of the following information security objectives did Company DYC violate the most? A. Availability B. Confidentiality C. Communications D. Integrity
A
ABC company wants to apply appropriate data analytics techniques to analyze gross margin. Which of the following is the most appropriate data analytics technique for ABC? A. Ratio Analysis B. Trend Analysis C. Aggregation Analysis D. Forecasting Analysis
A
Assume you are the CEO of ABC company and get a weekly update on each division's status. These reports are organized by computer programs and support your decision-making process. What is the most appropriate responsibility you should possess? a. Information owner responsibilities b. Information Custodian responsibilities c. Third-party responsibilities d. User responsibilities
A
Brian is a registered user on Legitimate Realties' website, www.legitimaterealities.com. Legitimate Realties sends weekly emails to Brian with new listings of houses and apartments that cater to his interests. One day, Brian receives an email from "Legitimate Realties" claiming that he needs to reply to the email with his personal address and social security number to confirm his identity. When he checks the email address, he realizes that it is not from a typical @legitimaterealities.com email, but from a shady email with scrambled letters and numbers. Which of the following potential cybercrimes best describes what Brian would have fallen victim to had he chosen to reply with his personal information? A. Phishing B. Trojan Horse C. Malware D. Denial-of-service
A
Common cybercrime techniques include - (Information security, Part 2, Pg.17) A) Spamming, phishing, denial of service attack B) Spamming, phishing, access control C) Phishing, denial of service attack, logical access D) All of the above
A
Company JHC adopts a new IT Audit Program for Change Control Management that aims at testing changes implemented in applications, databases, networks, and operating systems. The group responsible for testing the new operating changes selects a sample of system changes to determine whether each change is in accordance with the installation guide. Which of the audit control activities is being implemented at JHC? A. CCM 2.03 B. CCM 1.02 C. ISEC 1.07 D. ISEC 1.09
A
Company JHC recently figured out that its IPO strategic plans were leaked to the competitors in the market. Which of the following information security objectives is most closely associated with the given situation of Company JHC? A. Confidentiality B. Integrity C. Availability D. Responsibility
A
Company YHC requested an information security audit primarily in its mobile device management operations. When embarking on information security audits related to mobile devices impacting the IT Environment of the company, which of the following sources is the most appropriate reference for the auditors? A. National Institute of Standards and Technology B. ISACA C. SANS Institute D. IIA
A
Due to a lack of information security protection, hackers have gained access to the information of 10+ million customers of Company Oma. Which of the following information security objectives is most closely related to the given situation of Company Oma? A) Confidentiality B) Availability C) Integrity D) Agility
A
In 1981, nine students were charged with using computers and private telephone services to make illegal calls and have merchandise delivered to three drop-off locations. They never paid and made off with $212,000 of services and $100,000 in stolen merchandise. Which cyber threat source observed by the FBI is this group a part of? A) Criminal groups B) Hacktivists C) Disgruntled Insiders D) Botnet
A
Maria completed the Paycheck Protection Program application online. A few weeks passed by and she still didn't receive any notification on her application. After spending time researching, she realized the website was fake. Maria most likely experienced which one of the cybercrime techniques? A) Spoofing B) Worm C) Spamming D) Malware
A
Maria's company is in the process of implementing a new technology. The entire team has a great understanding of the technology. The technology provides the business with relevant, timely information. The company needs help with complying with legal and regulatory requirements. Which framework should Maria's company use? A) ISO/IEC B) COBIT C) NIST D) ITIL
A
Sera has started a new remote job. The company mails her a Mac computer, printer and other items that she needs for her first day. Sera realizes that she needs Microsoft Excel and the Mac does not have it. She has an unused product key and tries to install Excel on the Mac. However, she is met with a message prompt that tells her the action is unauthorized and she must contact her system admin in order to proceed. What is this an example of? A) Mobile Device Management B) Enterprise Resource Planning C) Cloud Computing D) None of the above
A
Student A has to complete a math quiz and uses an Excel spreadsheet to show their work. The only acceptable document format is a PDF, so Student A has to convert their Excel spreadsheet into a PDF document. This is an example of: A) Data Transformation B) Big Data C) Analytics Architects D) Analytics Modelers
A
The IT auditor's client works in the banking industry and has additional systems that are connected to the enterprise network. Which of the following statements would most likely cause the auditor to be concerned with the client's inventory and control of hardware assets? A. The client allows their employees to bring their own laptops and cell phones to work. B. The client monitors the guest networks set up due to their work with lawyers. C. Each machine has an IP address listed in the asset inventory. D. The client pulls information from routers.
A
The first step of an analytics mindset is to ask the right questions. Which of the following statements is not part of the analytics mindset as defined by EY? A. Exercise professional skepticism when using data B. Implement an ETL process to gather data from multiple sources and consolidate it into a single, centralized location. C. Interpret and share the results with stakeholders D. Use Tableau software to translate queries into a visualization that helps anyone understand data better.
A
There are four characteristics of Big Data: the four V's of Big Data (volume, variety, velocity, veracity). An example of data that is generated with high velocity would most likely be: A) Twitter messages or Facebook posts. B) All credit card transactions on a day within Europe. C) Data from a medical experiment or trial. D) The CCTV audio and video files that are generated at various locations in a city.
A
What are the three objectives for information security? A) Confidentiality B) Accessibility C) Mobility D) A and B
A
What is not a key question to ask yourself when analyzing data? A: Where did this data come from? B: What expectations did I have for this data? C: Based on what I know about the company, is this logical? D: What are my initial thoughts when analyzing this data?
A
What is a security policy for? A. Protect the company's information B. Segregation of duties C. Avoid any threat D. Monitor employees' access
A
What is the most common audit objective of an information security audit? A. To ensure that effective security is implemented to protect against unauthorized access and modification of systems and information B. To ensure that the security administration function is separate from the IT function. C. Formal policies and procedures define the organization's information security objectives. D. B and C
A
When browsing online shopping platforms, David clicks a pop-up window for a fake anti-virus program that claims his computer is infected and invites him to pay for software to clean it up. After realizing that it was fake, David finds out that some of his important files and documents were destroyed. David most likely experienced which one of the cybercrime techniques? A. Trojan horse B. Denial-of-service attack C. Spyware D. Pharming
A
Which is still the most important characteristic needed in data and analytics? A) Critical thinking and professional judgment B) Detail-oriented and creative C) Data-driven and responsible D) Logical and high level of mathematical ability
A
Which is the first key step in beginning the analytics process? A) Ask the right questions B) Go through the ETL process (extract, transform, load) C) Apply appropriate data analytics techniques D) Interpret and share results with stakeholders
A
Which of the cyber threats observed by the FBI doesn't require much knowledge of computer intrusions to commit a crime? A) Disgruntled insiders B) Spamming C) Malware D) Criminal Group
A
Which of the following IS NOT a reason that veracity is important for big data? A) It shows how easily data can be sorted through in Excel B) It shows that the data is untrusted and uncleansed C) It shows that the data is reliable D) It assures we relied on the appropriate tests
A
Which of the following is NOT true about information security? A) It is easy to quantify the value of investment in information security for an organization. B) Information security needs to protect information from unauthorized access. C) Maintaining the quality of information is important for an organization to make decisions. D) Risks associated with information security systems include failure of information systems, loss of the ability to process business transactions, etc.
A
Which of the following is the Best explanation of vulnerability management? A. Vulnerability management is the practice of finding and fixing potential weaknesses in an organization's network security, and its basic goal is to apply these fixes to prevent a cybersecurity breach. B. Vulnerability management is the integration of people, processes, and technology that cybersecurity professionals use to manage threats and to identify and respond to them with speed and accuracy. C. Vulnerability management refers to managing end-user trust; cryptographic techniques are popular to apply across the organization. D. Vulnerability management is the overarching discipline for verifying a user's identity and level of access to the system. Vulnerability management also interacts with authentication mechanisms and access control.
A
Which of the following represents the key difference between the COBIT 2019 and ISO 27002 security standards? A: COBIT has a "maturity perspective" that ISO 27002 lacks. B: COBIT is focused on yes/no questions while ISO 27002 is focused on enabling the business. C: COBIT is required in the USA and ISO 27002 is required in Europe. D: COBIT is less likely to be accepted in the boardroom than ISO 27002.
A
Which of the following scenarios describes a fraud that will be of HIGHEST priority to the FBI? A) A large public company has been accused of continuously transferring huge amounts of extra inventory to a few customers, who have the option to return any unsold amounts. In 2020, the extra inventory totalled $50 million. B) A midsize company experienced a malware attack where their programs were infected with viruses. C) A midsize company fell victim to a ransomware attack where the attacker demanded $3 million to release access to the data. D) An online-based clothing retailer suffered a cyber security attack that cost the company $5 million.
A
Which of the following statements about the ETL process is correct? A) The purpose of data cleaning is to prepare the data for loading into an analytics tool. B) Data cleaning only needs to be performed before the data loading process. C) Data integrity is ensured once the data has been transformed and loaded into the analytics tool. D) All steps in capturing data can be automated to avoid human errors.
A
Which of the following statements are most likely true about SOC reports? I. The SOC 3 and the SOC for cybersecurity are available for general use whereas SOC 2 is not. II. The SOC 1 report most likely follows COSO and the SOC 2 report most likely follows the trust service criteria. III. A type 2 report can be used for all SOC reports with the exception of a SOC 3. IV. A SOC 3 is the most detailed report. A. I and II B. II, III, IV C. I, II, and III D. I, II, III, IV
A
You are auditing the local VA (Veterans Affairs) hospital and you have been given direction to observe a few employees whose role is to fax outgoing medical documents to outside clinics. You notice an employee has made a number of mistakes with sending a fax, such as sending the full medical document to the wrong destination by inputting the wrong digits. What CIA principle does this employee potentially violate? A) Confidentiality B) Integrity C) Availability D) HIPAA law
A
Of the top 5 biggest cybersecurity threats, which of the following is least likely to be one of them? A) Social engineering B) Third party software C) Password Theft D) Cloud computing vulnerabilities
C
Higher use of technology is correlated with increased risks to data communications systems. Timala Inc has recently been subject to a data communication breach. The source of the attack has not been identified yet; however, the firm hired a consultant to identify key aspects of the multi-characteristic attack. The consultant's findings showed that part of the confidential data was destroyed, the network was disabled for a brief period of time, and the attacker was able to control the devices through which the data was extracted. Which of the following techniques did the hacker NOT use in the data communication system attack? A. Botnet B. Worm C. Denial-of-service D. All of the above were used in the attack
B
Company Iflower is looking to test their operations. What do they need to choose in order to implement their needs? A) Type 1 B) Type 2 C) SOC 3 D) SOC 4
B
A data controller in an organization is responsible for the approval and review process for requests to access the database or take a copy of the database. Which of the following is the most relevant information role and responsibility for this example? A. information custodian B. information owner C. user D. Third-party
B
ABC Accountants want to work on incorporating analytics into their work. They want to learn to use analytics to provide better services to their clients and optimize business solutions. Which of the following best matches their analytics mindset? A) Analytic modelers B) Business analysts C) Analytic architects D) Analytic specialists
B
All of the following concerning the abilities of an analytics mindset are true except for which? A. Ask the right questions B. Select and analyze computerized data C. Apply appropriate data analytics techniques D. Interpret and share the results with stakeholders
B
Among the following possible common techniques used to commit cybercrimes, which one is a high-tech scam that frequently uses spam messages to steal identity information and passwords? A. Spamming B. Phishing C. Spoofing D. Pharming
B
As an employee of BOGO, Inc., Susan has knowledge of sensitive organization information. Part of her responsibilities is to ensure that she implements and maintains efficient security measures so that the information is safeguarded. Which of the following matches her Information Security Responsibilities? A) Information owner responsibilities B) Information custodian responsibilities C) User responsibilities D) Third-party responsibilities
B
Assume you are the CEO of XYZ company. You recently noticed that more employees have begun to bring two cell phones to the workplace, one for personal use and the other for work purposes. Which of the following IT technologies would you reinforce in the near term? a. Enterprise Resource Planning b. Mobile Device Management c. Cloud Computing d. Internet of Things
B
BOGO, Inc. notices that their information and network system may be prone to attack due to their weak and generic passwords. Which of the following CIS Controls does BOGO, Inc. need to strengthen? A) Email and Web Browser Protections B) Continuous Vulnerability Management C) Controlled Use of Administrative Privileges D) Boundary Defense
B
Company JHC adopts a new IT Audit Program for Information Security that aims at protecting against unauthorized changes to programs and data that may result in incomplete, inaccurate, or invalid processing or recording of financial information by configuring and managing security features of applications, databases, networks, and operating systems. JHC implements and configures new security software tools that were reviewed and approved by management. Which of the audit control activities is being implemented at JHC? A. ISO 1.01 B. ISEC 1.04 C. CCM 2.01 D. CCM 3.01
B
Company JHC is considering adopting a new information security policy to align with the company's strategic objectives. Among the policy template areas, JHC expects to provide high-level security controls and responsibilities in the area of Remote Access Policy, including Bluetooth and Wireless Communication policies. Which of the 25 security policies is relevant for Company JHC? A. General B. Network Security C. Server Security D. Application Security
B
Company JHC is considering utilizing cloud computing in its business processes, as it is considered one of the key trends driving business strategy. However, you, as the Head IT manager of the company, don't feel comfortable with this new model of configurable computing resources. Which of the following would be the most reasonable argument to make? A. The International Data Corporation predicted that cloud computing will grow at 19.4% annually over the next five years. B. Migrating information into a shared infrastructure, such as a cloud environment, exposes organizations' critical information to the risks of unknown access to the database. C. Cloud computing enables convenient, on-demand network access to shared networks and servers that can be rapidly provisioned and released with minimal management effort. D. Deloitte's 2016 Perspective's Cloud Computing report supports that cloud-stored information, such as patient data, banking details, and personnel records, can't be vulnerable and susceptible to misuse because of the nature of cloud computing, which allows companies to save files to a remote database.
B
Company X has implemented a new quota-based sales compensation plan to motivate their sales staff. Desperately wanting to meet the sales quota, an employee has gained unauthorized access to the order entry system. After gaining access, the employee alters previous sales orders, resulting in an inflation of sales. This manipulation of data is a risk associated with which information security objective? A) Availability B) Integrity C) Confidentiality D) None of the above
B
Jane is auditing their client's accounts. While reviewing she notices that there may be asset misappropriation due to fraudulent disbursements. Which of the following is NOT something she may be seeing with their client's accounts? A) Billing schemes B) False sales and shipping C) Shell company D) Check tampering
B
Last year, after conducting an audit, you gave an unqualified opinion on your client and noted that the AR turnover was stable. This year, as the auditor, you are aware of the trends in the industry, and you are surprised when you calculate that the accounts receivable turnover is decreasing. Which of the following questions would the auditor most likely ask the client in order to form your expectations? A. What is your credit policy? B. How have you adjusted your credit policy? C. Why is your AR balance decreasing? D. Why did your sales increase?
B
Mary is an employee and is learning about the information classification designations of her company. Which of the following is something that she would NOT expect to see? A) Most of her company's information falls into the Internal Use Only category. B) She will learn that information groupings tell her role and assignments in the company. C) She will learn that there will be security measures on information, even face-to-face conversation. D) She will receive access to information based on the need-to-know concept.
B
Mulberry Docs is a company that stores digital medical records for hospitals. Once the doctor inputs a client's information, the only fields that are visible to users of the system are the patient's name, DOB and address. All other fields are hidden unless users with a certain access level input their code to see more details. Every Friday a system admin looks over the list of users to remove anyone that should no longer have access to the system and to check for suspicious access activity. What information security objective is Mulberry Docs trying to achieve? A) Integrity B) Confidentiality C) Availability D) None of the above
B
Ohana Company provides their employees with a PC for work that they are free to also use for personal reasons outside of work. Employees also get a new PC every 3 to 4 years depending on its condition after they return the old one to the IT department. However, the IT department keeps track of the emails and any messages sent through the applications installed on the PC. If the system detects a frequent receiver or any possible sensitive confidential content, the IT department will immediately freeze the employee's account and PC. According to the above scenario, what is the firm using to protect their information security in their current IT environment? A. Cloud computing B. Mobile Device Management C. Internet of Things D. Enterprise Resource Planning
B
Out of the following options, which one of them is the best (i.e., useful and efficient) way to make sure that the numbers coming out of data analysis are reasonable? A. Calculate the numbers manually and reconcile the results with the results generated by the computer B. Use industry comps' numbers for reference C. Check if the programming is still working on a daily basis D. Conduct a risk assessment of the program annually
B
After over 146 million Equifax customers had their identities stolen, Equifax attempted to promote a trusted ID monitoring service through their Twitter account, which directed customers to a fake phishing site, "securityequifax2017.com." This link, however, was actually a fraudulent website that mimicked the actual website Equifax was trying to promote. Which common cybercrime is at play here? A) Spamming B) Spoofing C) Denial-of-Service Attack D) Trojan Horse
B
Suppose ABC company hired analytic modelers. Which of the following is not expected to be performed by these experts? a. Constructing databases b. Establishing data standards and management procedures c. Designing visualizations and dashboards for analytics consumers d. Developing analytics scripts and models
B
Suppose you are an IT auditor who was just recently hired by an international trading company. Your client has a few questions for you regarding information security on your first day there. Which of the descriptions regarding information security is false? A. Daily back-ups of data are required because data loss may happen at any time B. Information security is the sole responsibility of the IT department because it's their job to make sure our network and data are protected C. Contractors are required to get their one-time user ID and password information for work from the IT department when onsite D. Department managers are required to approve an access request for sensitive records before an intern can view them
B
The CEO of a company is trying to understand how improving the company's security will impact availability. How would you explain the relationship between availability and security? A) As the level of security increases, the level of availability increases. B) As the level of security increases, the level of availability decreases. C) As the level of security decreases, the level of availability decreases. D) There is no relationship between the level of security and availability.
B
The main challenge of information security control is addressed with: A. Security risks and control risks B. Security tools and technologies C. Scarcity of available and qualified personnel D. Criminals can escape the most severe penalties for violating authorized access to a computer system
B
The majority of corporate fraud cases mostly involve A) Bribery and Theft of Cash B) Accounting Schemes and Self-dealing by executives and insiders C) Revenue recognition schemes and Concealed Liabilities D) Kickbacks and insider trading
B
To drive better decisions, you need to ask the right questions and seek answers in the data. To ask the right questions for performing data analysis, you must understand - (Analytics Mindset- Getting Started EY PowerPoint, pg. 30) I. The need to develop an expectation II. The overall business context III. How to conduct an interview A) Only option I is true B) Options I and II are true C) All of the options are true D) None of the options is true
B
Unauthorized access that corrupts information or misuses company systems/information will add more risk to which of the following fundamental objectives for information? A) Confidentiality B) Integrity C) Availability
B
What is the most common issue with IoT? a) IoT is unable to keep up with the rapid growth and changes in the technological industry. b) Security is not of the utmost importance during the design stage. c) When it comes to a large data set, IoT can defer the process of decision-making. d) Lack of routine updates and of ensuring all aspects are working correctly.
B
What is wrong with the following database?
Total Revenue by Year: 2019 | 2017 | 2018
New York: $3m | $1m | $2m
Sacramento: $6m | $2m | $4m
Las Vegas: $9m | $3m | $6m
A. Lack of Aggregation B. Lack of Sorting C. Lack of Forecasting D. Lack of Ratios
B
When Roger logged onto NYU Classes, he was prompted to confirm his identity by entering a generated secondary passcode from a text message he received on his cell phone. Which of the following best describes what NYU Classes is using in this scenario? A. Authorization B. Authentication C. Identification D. Privacy
B
Which of the following about information security is not correct? A) Information is one of the most critical assets that the organization needs to pay attention to. B) Most companies are aware of the importance of info security and put enough money in to secure their information. C) Like accounting security, information security needs proper design and follow-up controls to manage the risk. D) The system should be designed with a model that specifies what services need to be addressed by technologies.
B
Which of the following best describes the fundamental objective of confidentiality for information? A) The company performs frequent maintenance to prevent any system disruption B) The company implements multi-factor authentication in order to access data C) The company conducts periodic user access reviews for their software programs D) The company makes it mandatory for IT personnel to undergo training programs regularly
B
Which of the following companies would most likely use data analytics by collecting data from their 151 million subscribers, and implementing data analytics models to discover customer behavior and buying patterns: A) Amazon B) Netflix C) Apple (Apple's Siri) D) Next Big Sound (NBS)
B
Which of the following does not accurately describe the difference between a business analyst and a business specialist? A) A business analyst is primarily a consumer of analytics B) Only specialists produce analytics. An analyst would never be expected to produce analytics. C) Business analysts are considered 'generalists' in terms of analytics D) A specialist may be a producer or enabler of analytics.
B
Which of the following is NOT a complaint companies have related to the security risks of conducting business over the internet? (Video Lecture ~3:30) a. Never receiving payment/delivery for goods and services provided/purchased b. Identity theft c. Lack of business traffic over the internet d. Extortion
B
Which of the following is NOT a minimum security requirement included in the Federal Information Processing Standards (FIPS)? A) Physical and Environmental protection B) Segregation of duties C) Contingency planning D) Access Control
B
Which of the following is NOT correct about how to do the analytics process? A) The analyst should ask the right and relevant questions before getting started. B) For the process of extracting data, analysts do not need to worry about the integrity of the data since the process is automated. C) The analyst should apply appropriate techniques to analyze the data extracted. D) The analyst should seek a way to efficiently present the result from data analysis to the stakeholders and related parties.
B
Which of the following is a way to protect customers against spoofing? (Video lecture ~8:30) a. Do not have a website. Customers can't get spoofed if they're not looking for a website that doesn't exist. b. Purchase internet domains of common misspellings of your site and redirect them to your actual site. c. Give customers QR codes with every order that when scanned bring them to your website d. Interact with spoof websites to try and bring their owners to justice.
B
Which of the following is not true about "Enterprise Resource Planning (ERP)?" A) ERP systems enable multiple functions to access a common database. B) Although ERP systems can increase consistency and accuracy of data from a single source, ERP systems usually increase storage costs. C) ERP systems are similar to purchased and packaged systems, which can require extensive modifications to the business processes. D) ERP systems are offered by a single vendor, which may result in higher information security risks.
B
Which of the following statements regarding the purpose of an information security policy is true? A. Provides adequate-level statements of information security goals B. Guides organizations in making decisions about information security C. Defines the security practices that align to the control objectives of the organization D. Same as a standard or a guideline to make a specification for security requirements
B
Which of the following techniques is most likely to be used when a perpetrator seeks to gain control over multiple computers and use these computers to attack the target? A. Worm B. Distributed denial-of-service C. Malware D. Viruses
B
Who is responsible for safeguarding the information, including implementing access control systems to prevent inappropriate disclosure and making backups to achieve information security? A. Information owner B. Information custodian C. The user D. Third party
B
You are the chief internal audit accountant at Boeing, a major defense contractor. Your company has reported strong earnings for the past five years, above both analyst predictions and industry averages. The CEO lately has been hosting "networking" events at the corporate office with government officials in a bid to run for political office. Which of the following would be the BEST description for what the CEO is doing? A. Accounting schemes B. Self-dealing C. Corporate fraud D. White-collar crime
B
You are a brand new associate at a Big 4 Accounting Firm and the company has given you the option to use your own personal mobile device to manage work and client information. The catch is that the company now has permission to install monitoring software onto your personal device so that the company can manage information security of PII and secure information. What would be the best way to mitigate loss of the company's secure information while still maintaining the privacy of your own mobile device? A) Having a Multi Factor Authentication tool installed on your phone that runs every time you open it to ensure that it is you B) Keeping a separate phone device for work that is different from your personal mobile device, which allows all of the security measures that the company wishes to install C) Signing an agreement with the company to allow a full scan of messages and web browsing activities at whatever time the company deems appropriate to protect company information D) Installing software patches to alleviate potential security loopholes on the private device, which slow down the phone but protect client information.
B
You were recently hired as the Chief Security Officer (CSO) for a company. However, the CEO feels that the company should not waste money on improving their security system since their company has never had any security breaches. Which of the following statements would not be helpful in your argument to convince the CEO to improve security? A) A breach of the company's systems may allow hackers to gain access to sensitive information, which would damage the company's reputation. B) Since the company always updates their software as soon as an update is released, they are already protected. C) A lack of security may allow employees to misuse information to commit fraud. D) The company uses an ERP system from a single vendor which increases information security risks.
B
You're an information security consultant working for a bank. You've been tasked with evaluating the firm's business processes and their efficacy in fulfilling the 3 fundamental objectives for information. During your work you discover that the procedure for customer service representatives is to simply ask for a caller's name and date of birth as identity verification before discussing any sensitive account information, making account changes, or initiating transactions over the phone. What fundamental objective does this procedure fail to adequately meet? (Based on video lecture 12a-2 Time: 2:45) a. Confidentiality b. Integrity c. Availability d. All of the Above
B
A manager is trying to keep better track of users with administrative privileges. Which of the following would be the best way for the manager to keep track of who accessed or overrode certain administrative controls? A) Give specified users access to necessary administrative privileges. B) Give all users administrative privileges and keep a log of users who accessed the controls. C) Give users who need administrative privileges a separate user ID and keep a log of when these specific user IDs access the controls. D) Create one account with administrative privileges that multiple users can access.
C
A three-tiered provider assurance program of self-assessment, third-party audit, and continuous monitoring is offered by: A. ITIL B. PCI DSS C. CSA D. NIST
C
Trust management provides: A. Regulatory compliance B. User awareness training C. Encryption and access controls D. Asset and change management processes
C
All of the four types of SOC reports (SOC 1, 2, 3, and cybersecurity) have both type 1 and type 2 reports except for: A. SOC 1 B. SOC 2 C. SOC 3 D. SOC for Cybersecurity
C
An analytics mindset is having the ability to ask the right questions; extract, transform and load relevant data; apply appropriate data analytics techniques; and interpret and share the results with stakeholders. Which part is said to be the hardest to implement? A) Extract, transform and load relevant data B) Apply appropriate data analytics techniques C) Ask the right questions D) Interpret and share the results with stakeholders
C
An enterprise implements one technology that allows all business processes to be integrated end to end across departments and business units, and whose database enables data to be defined once for the enterprise with every department using the same definition. However, such technology lacks interoperability among different vendors, and it has continual maintenance requirements. Which technology did the enterprise MOST LIKELY use? A. Big Data B. Cloud computing C. ERP D. IoT
C
BOGO, Inc. managers were informed by their IT department that some of their clients' transactions may not be entering the system correctly. The IT department informs management that this may be due to a disruption in the information system and could hinder BOGO's ability to process business transactions. What primary objective is BOGO, Inc. lacking in their information system regarding information security? A) Their system is not integrating with the existing security architecture. B) Their system is lacking integrity. C) Their system is lacking availability. D) Their system does not have proper authorization.
C
Brian is a registered user on Legitimate Realties' website, www.legitimaterealities.com. Legitimate Realties sends weekly emails to Brian with new listings of houses and apartments that cater to his interest. One day, Brian receives a suspicious email from "Legitimate Realties" claiming that he is receiving an exclusive offer to beta-test a "Virtual Tour" program by visiting their website and downloading it to his computer. Which of the following potential cybercrimes could Brian fall victim to in this scenario should he choose to download the software? I. Virus II. Trojan Horse III. Spyware IV. Phishing A. I, II, IV B. I, III C. I, II, III D. II, III, IV
C
Company YHC has been facing numerous data breaches and other security threats from unknown hackers. Due to the nature of its industry, YHC uses federal computer systems for most of its operations and management. In addition, YHC is expected to do business with the federal government in the coming years. Given the situation, which of the following information security standards should YHC implement? A. COBIT B. ISO/IEC 27002 C. NIST D. FBI
C
For the following scenarios, please determine the corresponding CIA element that fits best. 1. Hackers getting information on clients' personal names, addresses and SSNs. 2. Patient records getting sent to businesses that focus on medical research without the consent of patients. 3. Viruses caused disruption in the company's operating system, deterring the processing of normal business transactions. 4. A company's employee getting access to incomplete records that he should not have accessed, in order to commit fraud to benefit himself. A. Integrity, confidentiality, availability, integrity B. Confidentiality, integrity, availability, confidentiality C. Confidentiality, confidentiality, availability, integrity D. Availability, confidentiality, integrity, availability
C
From an IT audit perspective, which of the following is a major risk of shared user accounts? A. Change of passwords B. Unauthorized access C. User accountability D. Security threat
C
Karli Morgenthau, leader of the Flag-Smashers, had planned several attacks at political events and on numerous civilians. To gain confidential information about the events, she installed malware on several government devices. She also created a fake website called "SecurityUS.com", a near copy of the well-known website "SecurityUSA.com", in order to get her followers to infiltrate the event as pretend security guards. On the day of the conference, when everything was in place, Karli launched an attack that completely disabled the government's network and cut off all communication to outside the building. Which of the following cybercrime techniques was NOT employed by Karli and the Flag-Smashers? A) Denial-of-Service attack B) Spoofing C) Pharming D) Spyware
C
Patrick enjoys reading webtoons whenever he has some free time. One day, he accidentally typed the webtoon site address wrong, missing one letter, which led him to a fake website similar to the webtoon site he usually visits. Since he didn't notice anything unusual, he gave his personal information. What kind of cybercrime was he involved with? a. Trojan horse b. Malware c. Pharming d. Spamming
C
Suppose that hackers broke into ABC company's database and intentionally changed one of the data records. Due to this change, management could not make proper business decisions. Which of the following is the most appropriate objective of information that is violated? a. Availability b. Confidentiality c. Integrity d. Accessibility
C
Suppose you are the Dean of a specific program at NYU. Which of the following scenarios does NOT demonstrate the risk of unauthorized access and lack of confidentiality? A: A student volunteer in your office shares a list of the MSA student names, addresses, and GPAs from the fall semester with their friends. B: A hacker has been able to access your computer and collects 100 student emails and passwords. C: Your assistant creates a visualization in Tableau showing the trends in student GPA for you to bring to your next meeting. D: A student volunteer has access to the file of student GPAs on the shared drive of their work computer, but is told to never open or look at the file. The student never opens the file.
C
The CEO of a company would like a SOC report that tests the company's security, integrity, and confidentiality over their data. However, the CEO does not want to issue a report that would provide too much detail because she fears that hackers will take advantage. What type of SOC report would best fit the company's requirements? A) SOC 1 Type 2 B) SOC 2 Type 1 C) SOC 3 Type 2 D) SOC for Cybersecurity Type 1
C
The CFO of a mid-sized corporation is meeting with an official in Ecuador to potentially expand their exotic fruit business. While in Ecuador, the CFO meets with many political officials to understand the regulatory environment. He also takes a spontaneous trip to the neighboring town on the corporate jet to see local sights. Finally, on his way out of the country he advises the plane pilot to purchase the company's stock as it will skyrocket from this deal. Did the CFO commit any fraud? A: Yes, insider trading B: Yes, misuse of corporate property C: Yes, Both insider trading and misuse of corporate property D: No, he did not do anything wrong
C
The University of California has been a recent victim of a cybersecurity attack, which involved hackers exploiting a vulnerability in a file transfer service. Hackers were able to obtain information like student and employee Social Security numbers and financial information. Which fundamental information security objective was not met in this situation? A) Integrity B) Availability C) Confidentiality D) None of the above
C
What are the three fundamental objectives for information? (Chapter 12, Information security, slide 9) A) Objectivity, availability and confidentiality B) Integrity, reliability and availability C) Confidentiality, availability and integrity D) Comparability, reliability and objectivity
C
What does the CIA triangle consist of? A) Confidentiality, Intelligence, Adaptability B) Cybersecurity, Intelligence, Adaptability C) Confidentiality, Integrity, Availability D) Cybersecurity, Information, Availability
C
What is not a benefit of using visualization of data? A: present results in a sophisticated planner B: leverage a dashboard to provide many snapshots C: throw off audience by creating different charts D: learn new technology such as Tableau
C
What is not a way in which technology could be circumvented? A) Developed by Manufacturing B) Improperly configured C) Patches are updated frequently D) Patches are updated infrequently
C
What is the weakness of cloud computing in terms of information security? A) Cloud computing cannot be used without internet access. B) Cloud computing is expensive for small businesses. C) Cloud computing exposes organizations' sensitive information to the risk of unauthorized access. D) Cloud computing, when it malfunctions, can cause loss of information.
C
When Roger first entered NYU Classes, he was prompted to enter his username and password. Which of the following encryptions best describes what NYU Classes is using in this scenario? A. Authorization B. Authentication C. Identification D. Privacy
C
Where is the use of the physical security of information most beneficial? [Reference ITCA Textbook pg 315-316] a. prevention of verbal communication between colleagues b. getting past a firewall c. ID key to access company computer room d. getting log in access to technology
C
Which of the following is NOT an analytics mindset task? A) Asking the right questions B) Applying appropriate data analytics techniques C) Convincing management of your decisions D) Extracting, transforming and loading relevant data
C
Which of the following is NOT an area of concern for the objective of Confidentiality? A) Protection of Information from unauthorized access B) Unauthorized Internal Person being able to access sensitive information C) Correctness and completeness of information D) All of the above are concerns
C
Which of the following is an example of corporate fraud relating to accounting schemes? A) False accounting entries of financial condition B) Insider trading C) Kickbacks D) Individual tax violations related to self-dealing
C
Which of the following is most likely to be a problem with big data? A. You cannot process all the data in the population, and should use sampling. B. It contains too much data. C. The data itself may be inaccurate, contain duplicates, or come from an untrusted source. D. Due to the vast amount of data, big data is not able to help you analyze trends.
C
Which of the following is not a major security area under ISO/IEC 27002 Security Standard? A. Communication and operations management B. Asset management C. Organizational structure and decision making D. Compliance
C
Which of the following is not a major area in which data analytics tools can help? A. Analytical procedures in performing a final review of the financial statements B. Risk analysis at the beginning of an audit engagement C. Data security testing of the business software D. Transaction and control testing during audit engagements
C
Which of the following is not one of the 3 fundamentals that helps ensure that the organization's strategic business objectives are met? A) Confidentiality B) Availability C) Flexibility D) Integrity
C
Which of the following methods has become increasingly popular to hinder the efforts of hackers? A: Requiring employees to change their passwords monthly. B: Prohibiting the use of personal mobile devices. C: Implementing multi-factor authentication. D: Creating a phishing email test to determine if employees are well versed in reporting incidents.
C
Which of the following risks is associated with availability, one of the fundamental objectives for information? A. Information security breaches B. Unauthorized access to information systems C. Failure of information systems D. None of the above
C
Which of the following statements are part of the process of data transformation? I. Convert a Microsoft Word file to a PDF II. Perform data cleansing III. Validate data to make sure the data meets requirements IV. Pack up the data and move it to a designated data warehouse A. I, IV B. II, III C. I, II D. I, II, III
C
Which of the following statements regarding the ETL process is true? A) The ETL process means extract, transform and label relevant data B) In the data extraction stage, you have to know what data to ask for, who to ask for the data and what format the data needs to be in C) Data transformation or cleansing needs to be performed both before and after the data loading process D) All of the steps in capturing data can be automated
C
Which of the following statements are true? I. Information owners are responsible for the acquisition and development of production applications that process information II. Custodians are responsible for familiarizing themselves with all policies, procedures, and standards, and for safeguarding the information III. Third-Parties are responsible for signing a non-disclosure agreement in order to gain access to an organization's information A) I B) I and II C) I and III D) I, II, and III
C
Which one of the options describes what spoofing is? A) Disruptive online messages, especially commercial messages posted on a computer network or sent as email. B) Attack designed to disable a network by flooding it with useless traffic. C) Creating a fraudulent Website to mimic an actual, well-known Website run by another party. D) Piece of program code that contains self-reproducing logic, which piggybacks onto other programs and cannot survive by itself.
C
YHC company wants to analyze the movement in its inventory associated with purchases and existing sales. Which of the following is the most appropriate data analytics technique for YHC? A. Ratios Analysis B. Aggregation Analysis C. Trends Analysis D. Forecasting Analysis
C
You're a business analyst considering running a data mining program commonly used in your industry on a data set that is supposed to contain customer personal data, products purchased by those customers, dates of purchase, payment delinquencies, etc. What's the first thing you should do when trying to execute this program and use its analysis? (What is Analytics EY PowerPoint; Analytics Mindset-Getting Started EY PowerPoint) a. Check data mining source code for any irregularities or deficiencies. b. Check that the data set's file format is compatible with the program. c. Check that the data set is complete and accurate. d. Determine the question you want to answer through your query.
C
You, as the CEO of Company YHC, are seriously considering implementing the use of mobile devices, such as smartphones, laptops, tablets, and mobile printers, in the organization. In other words, employees can bring their own mobile devices or utilize company-provided mobile devices to perform their work. As a result, an accurate analysis of mobile device management is needed for decision purposes. Which of the following is not true about mobile device management? A. Organizations should monitor and control the tasks performed by employees when using mobile devices, and ensure employees remain focused and productive. B. Allowing direct access to corporate information via mobile devices represents an ongoing risk to the firm's security and a distraction to employees. C. Mobile device management is usually implemented by using internally developed software that has management features for mobile devices. D. Closely related to enterprise mobility management, mobile device management ensures the mobile devices integrate well within the organization and are implemented to comply with organization policies and procedures.
C
Which of the following is most effective for managing and monitoring employees? A: Cloud computing infrastructure B: BYOD (bring your own device) C: Mobile device management with corporate devices D: Wearables such as smartwatches
C
BOGO, Inc. wants to incorporate encryption and access controls into their system to ensure that their employees are who they say they are. Which of the following is NOT an example of some of the security components encryption may include: A) Authentication B) Authorization C) Integrity D) All of the above.
D
Company YHC recently experienced a major cyber attack by a group of hackers who entirely disabled the company's network for two days by coordinating a tremendous amount of unknown, useless traffic. Which of the following correctly identifies the technique used by the hackers in the given situation? A. Phishing B. Spoofing C. Botnet D. Denial of service attack
D
Which of the following is a confirmatory data analytics technique? A. The auditor pulls out the general ledger and gets a sense of how the company records its misc. transactions B. The auditor dives into the company data and looks for anomalies C. The auditor builds a model to conduct data mining D. The auditor follows an audit trail that has an error and documents it
D
Which of the following is not a characteristic of big data? A) Volume of big data is terabytes, petabytes and zettabytes B) Variety of big data is unstructured C) Velocity of big data is in motion D) Veracity of big data is trusted
D
ABC company needs to transform or cleanse data from one format to another to load it into an analytics tool. Which of the following should you NOT perform? A. Make sure that only the data needed is extracted and that this data is complete and accurate. B. Make sure that data cleansing is performed before and after the data loading process. C. Make sure that the tool the data should be loaded into is the most efficient and effective. D. Make sure that no automation is involved when capturing data.
D
According to the Equifax House Report, Equifax failed to modernize its technology, failed to patch its systems when vulnerabilities were detected and stored sensitive data on out-of-date and sub-par systems. Which of the following is NOT a "FIPS 200 minimum security requirement" area that could have prevented this hack from occurring? A) Access Control B) Awareness and Training C) Risk Assessment D) Using Resources
D
Assume you are performing data analytics. Which of the following is not necessary to understand the flow of data in an accounting information system? a. Type of accounting information system b. Routine vs. non-routine flows of data c. Capabilities and limitations of the data d. The processing speed of data
D
Assume you are the head of the information security team at Halo Corporation. For the trust management process, your department uses encryption technology to protect sensitive electronic information. Which of the following is not the best example of the information? a. Privacy b. Authorization c. Integrity d. Incident
D
Corporate fraud continues to be one of the FBI's highest criminal priorities since it results in significant financial losses to companies and investors and continues to cause immeasurable damage to the U.S. economy. Which of the following is NOT an accounting scheme used in committing corporate fraud? a) False journal entries and misrepresentation of financial condition b) Fraudulent trades designed to inflate profits or hide losses c) Illicit transactions designed to mislead and evade regulatory oversight d) Insider trading based on non-public information
D
Effective implementation of information security helps ensure that the organization's strategic business objectives are met. Which of the following is NOT one of the fundamental objectives for information security? a) Confidentiality b) Integrity c) Availability d) Authenticity
D
How does COBIT help organizations as it relates to information security? A. Realize benefits B. Optimize risk levels C. Optimize resource use D. All of the above
D
Information security policy involves - (Information security, Part 2, Pg.19) A) Providing a high-level information statement B) Defining security practices C) Describing the ways to respond to or prevent a variety of threats D) All of the above
D
Information security revolves around the three key principles: confidentiality, integrity, availability (CIA). Depending upon the environment, application, context or use case, one of these principles might be more important than the others. Which of the following examples most likely would ensure integrity: A) Data encryption B) Required account number or routing number C) 2FA (two-factor authentication) D) Digital signature
D
It is important to understand the purpose of the different data analytics techniques and which technique is most appropriate for the analysis purpose. However, there are many ways to analyze the data. Which of the following is applicable as a data analytics technique? (Making it happen, pg.4) A) Aggregation B) Ratios C) Trends D) All of the above
D
PrimeGreen Corporation wants to implement a new infrastructure platform. Management is most concerned about keeping a balance between availability and security. After some consideration, the company settles on two choices: ERP and cloud computing. What is one possible benefit associated with implementing cloud computing, but not an ERP system? A. Information is less accessible to unauthorized users B. Dependence on one vendor for support and maintenance C. The platform might be specifically designed for the company's industry D. The platform is easily accessible at any time and is low cost
D
Suppose you operate a small family business. Which of the following groups is LEAST likely to commit a cybercrime against your business? A: Trusted employees B: Family members C: Hackers D: Each of these groups is equally likely to commit a cybercrime against the business.
D
The Audit Committee of BOGO, Inc. is looking at potential cybersecurity challenges. Which of the following is NOT an issue that the audit committee may face when governing cybersecurity? A) Availability vs. security B) Acquisition and merger due diligence C) Vendor oversight D) All of the above
D
The CIO of the Company YHC recently detected that there is an increasing number of unauthorized log-in attempts to the computer system and unauthorized modification attempts to the company's project applications. The company doesn't want to make major investments or integrations on the existing security systems, but wants to implement an effective information security control to lower the unauthorized attempts. Which of the following information security controls is most appropriate in the given scenario? A. Vulnerability Management B. Threat Management C. Security Architecture Design D. Security Monitoring
D
The information security group of ABC company recently performed the testing of patches. They reviewed the new version of the patch through this procedure to verify that the current system would continue to work as intended before the implementation. This is a part of ________. a. Identity management b. Trust management c. Threat management d. Vulnerability management
D
What are some of the risks associated with BYOD (Bring Your Own Device) policies? (Based on video lecture 12a-3 Time: 5:49) a. A cyberattack on the company could result in your personal device being compromised b. All activity on your personal device may be subject to company monitoring c. Your personal device's storage may be completely filled by your employer d. All of the above
D
What must you know or understand in order to ask the right question before performing data analysis? (Analytics Mindset- Getting Started EY PowerPoint) a. Who the relevant stakeholders are and their objectives b. The business and its underlying processes c. Whether a problem exists or could exist d. All of the above
D
When Sara completed her work, she began to save some of the data as directed by her supervisor. In the process of saving the data, Sara realized that the memory on the computer was almost full. Sara was confused because she hadn't used any of the memory on her computer. Sara is most likely experiencing which type of cybercrime technique? A) Denial of Service Attack B) Spamming C) Malware D) Worm
D
Which of the following descriptions of data analytics is incorrect? A. Data analytics requires a great deal of sensitivity when using it as a tool for substantive testing B. Data analytics can cause problems if not handled carefully C. Data analytics is helpful in improving audit quality D. Data analytics allows auditors to test the entire population accurately and without exceptions
D
Which of the following is NOT a correct description of techniques used to commit cybercrimes? A) Spamming is the use of disruptive online messages posted on a computer network or sent as email. B) Pharming is a method used by phishers to deceive users into believing that they are communicating with a legitimate website. C) Spoofing is creating a fraudulent website to mimic an actual, well-known website run by another party. D) Viruses are installed without the user's knowledge to surreptitiously track or transmit data to an unauthorized third party.
D
Which of the following is NOT true about data analytics? A) Analytics is a means of extracting value from data. B) Analytics needs to use technology tools. C) The most important aspect of data analytics is the human element. D) Management should focus the most on technology and analytics skills in terms of data analytics.
D
Which of the following is not an example of "white collar fraud"? A. Insider trading by accessing restricted information and giving it away B. Inflating revenue through manipulating the inventory records in the system C. Arranging a "bill and hold" scheme at the end of the year when the target for the year has not been achieved D. The depreciation life of a property is re-evaluated due to a change in the business
D
Which of the following is not a technique used to commit cybercrimes? A. Spamming B. Denial-of-service attack C. Viruses D. Counterfeit money
D
Which of the following is true for both an analytic modeler and an analytic architect? A) They are both thought of as producers of analytics B) They are both thought of as enablers of analytics C) They both construct databases D) They are both business analysts
D
Which of the following statements about information security is wrong? A) Information is one of the most valuable assets for companies B) Corporate fraud continues to be one of the FBI's highest criminal priorities C) Insider trading is one kind of corporate fraud D) None of the above
D
Which of the following statements is NOT part of the fundamental objectives, each of which addresses a different aspect of providing protection for information? A. The organization makes regular off-site backups that limit the damage caused to hard drives by server failure. B. Data must not be changed in transit, and precautionary steps should be taken to ensure that data cannot be altered by unauthorized people. C. The organization implements safeguards to prevent a data breach. D. None of the above
D
Which of the following statements below is incorrect? a) Out of the 4 A's, agility is not one of the objectives of SOC 2. b) SOC 1 has two types: design and testing c) SOC 3 is the only one where Type 1 and Type 2 are not used. d) None of the above.
D
Which of the following is not a data analytics routine commonly performed by auditors? A) Analysis of inventory ageing and days of inventory B) Analysis of revenue trends split by region C) Analysis of capital expenditure vs. repairs and maintenance D) Analysis of customer profile sorted by demography
D
Which of the following numbers is not so useful in data analytics? A) Total of an account balance B) Sales by month C) Budgeted expenses D) None of the above
D
Which of these attacks on information is the least preventable? [Reference ITCA Textbook pg 315-316] a. white-collar crime b. hackers c. public Wi-Fi d. computer viruses
D
Which one of the following industries is least likely to be at risk from cyber threats? A) Government agencies B) Healthcare institutions C) Energy companies D) Retail companies
D
Which one of the options is not a behavioral alignment element? A) Culture and mental models B) Organization and process design C) Learning and development D) Infrastructure and tools
D
Which one of the options is not a Visualization tool? A) Tableau B) Spotfire C) Qlik D) Access
D
Which one of the statements regarding Information Security Roles and Responsibilities is incorrect? 1. Information owners are the department managers, senior management, or their designees within the organization who bear the responsibility for the acquisition, development, and maintenance of production applications that process information. 2. Custodians are in physical or logical possession of either organization information or information that has been entrusted to the organization. 3. Users are responsible for familiarizing themselves (and complying) with all policies, procedures, and standards dealing with information security. 4. Access to information by third parties needs to be formally controlled. With the use of contractors and outsourcing, third parties will have the need to access the organization's information. A) 1, 2, 3 B) 2, 4 C) 1, 3 D) None
D
Why would a for-profit professional care about NIST guidance that needs to be followed by governmental agencies? A. It would remove the risk of lawsuits when breaches of security happen B. If it's good enough for a government, it's more than likely good enough for your client. C. Industries, when writing regulations, usually reference government best practices D. B and C
D
YHC company recently acquired DC company. YHC needs to integrate the data from XYZ into the data system of YHC company. You are in charge of this integration project and you feel the need for the ETL process. Which of the following steps should you NOT perform? A. Make sure that only the data needed is extracted, in the right format. B. Perform data cleansing both before and after the data loading process. C. Identify the tool the data should be loaded into for the most effective analysis. D. Strictly avoid automating the data capturing process due to the need for human judgement in identifying the needed data.
D
You are an information security officer at a retail bank chain, charged with assessing the confidentiality, availability and integrity of the systems and policies. You take note that new accounts are created by bankers using the system, and that it is relatively easy to obtain information on current clients from pre-existing products the bank offers. Which of the following information security objectives are under threat? A. Confidentiality B. Availability C. Integrity D. A and C
D
You are in charge of CIS controls for implementing an effective defense system for cyber security. What are the critical tenets of an effective cyber defense system under the CIS controls? (CIS- controls-version-7-1, Pg.6) A) Prioritization B) Automation C) Continuous diagnostics and mitigation D) All of the above
D
Your supervisor notifies you that the company you are currently auditing switched from LIFO to FIFO. Which of the following questions would you ask yourself in regards to this new information? A. What day did the company switch to FIFO? B. Has the spreadsheet with the data already taken into account the change? C. Why has the company switched from LIFO to FIFO? D. All of the above
D
A general use report that is freely distributed to the public and is intended for users that are only interested in a broad overview of the service being provided most likely would be: A) SOC 1 Type II B) SOC 2 Type I C) SOC 2 Type II D) SOC 3 Type II
D