Questions missed last time 12/9/2015


Which of the following would BEST prevent power outages? A. A power transfer system B. Dual power leads C. A power generator D. An uninterruptible power supply

You answered A. The correct answer is B. A. It is not uncommon for a power transfer switch to fail during a power outage. A power transfer system would not prevent a power outage, but is used to handle the impact of such outages. B. The best way to prevent power outages is to install power leads from two different power substations. C. Power generators cannot prevent a power outage; they can only supplement power in the event of an outage. D. An uninterruptible power supply constantly monitors electrical power and is used during a power outage to provide a limited amount of battery power to keep systems running, but it will not prevent power outages.

Change control for business application systems being developed using prototyping could be complicated by the: A. iterative nature of prototyping. B. rapid pace of modifications in requirements and design. C. emphasis on reports and screens. D. lack of integrated tools.

You answered A. The correct answer is B. A. A characteristic of prototyping is its iterative nature, but it does not have an adverse effect on change control. B. Changes in requirements and design happen so quickly that they are seldom documented or approved. C. A characteristic of prototyping is its emphasis on reports and screens, but it does not have an adverse effect on change control. D. Lack of integrated tools is a characteristic of prototyping, but it does not have an adverse effect on change control.

During an IS risk assessment of a healthcare organization regarding protected healthcare information (PHI), an IS auditor interviews IS management. Which of the following findings from the interviews would be of MOST concern to the IS auditor? A. The organization does not encrypt all of its outgoing email messages. B. Staff have to type "[PHI]" in the subject field of email messages to be encrypted. C. An individual's computer screen saver function is disabled. D. Server configuration requires the user to change the password annually.

You answered A. The correct answer is B. A. Encrypting all outgoing email is expensive and is not common business practice. B. There will always be human-error risk that staff members forget to type certain words in the subject field. The organization should have automated encryption set up for outgoing email for employees working with protected health care information (PHI) to protect sensitive information. C. Disabling the screen saver function increases the risk that sensitive data can be exposed to other employees; however, the risk is not as great as exposing the data to unauthorized individuals outside the organization. D. While changing the password annually is a concern, the risk is not as great as exposing the data to unauthorized individuals outside the organization.

After reviewing its business processes, a large organization is deploying a new web application based on a Voice-over Internet Protocol (VoIP) technology. Which of the following is the MOST appropriate approach for implementing access control that will facilitate security management of the VoIP web application? A. Fine-grained access control B. Role-based access control (RBAC) C. Access control lists D. Network/service access control

You answered A. The correct answer is B. A. Fine-grained access control on Voice-over Internet Protocol (VoIP) web applications does not scale to enterprisewide systems because it is primarily based on individual user identities and their specific technical privileges. B. Authorization in this case can best be addressed by role-based access control (RBAC) technology. RBAC controls access according to job roles or functions. RBAC is easy to manage and can enforce strong and efficient access controls in large-scale web environments including VoIP implementation. C. Access control lists on VoIP web applications do not scale to enterprisewide systems because they are primarily based on individual user identities and their specific technical privileges. D. Network/service access control addresses VoIP availability but does not address application-level access or authorization.

During an IS audit of a global organization, the IS auditor discovers that the organization uses Voice-over Internet Protocol (VoIP) over the Internet as the sole means of voice connectivity among all offices. Which of the following presents the MOST significant risk for the organization's VoIP infrastructure? A. Network equipment failure B. Distributed denial-of-service (DDoS) attack C. Premium-rate fraud (toll fraud) D. Social engineering attack

You answered A. The correct answer is B. A. The use of VoIP does not introduce any unique risk with respect to equipment failure, and redundancy can be used to address network failure. B. A distributed denial-of-service (DDoS) attack would potentially disrupt the organization's ability to communicate among its offices and have the highest impact. In a traditional voice network, a DDoS attack would only affect the data network, not voice communications. C. Toll fraud occurs when someone compromises the phone system and makes unauthorized long-distance calls. While toll fraud may cost the business money, the more severe risk would be the disruption of service. D. Social engineering, which involves gathering sensitive information to launch an attack, can be exercised over any kind of telephony.

Which of the following is the GREATEST concern for an IS auditor reviewing the security controls of an online job-search application? A. The web server is running an unsupported operating system (OS) and web server application. B. The web application has a Structured Query Language (SQL) injection vulnerability. C. The firewall has port 80 (HTTP), port 443 (HTTPS) and port 23 (Telnet) open. D. The access to the web server and its database have only minimal logging enabled.

You answered A. The correct answer is B. A. While outdated versions of the OS or web server can allow some vulnerabilities to exist, the more significant risk in this case is the SQL injection vulnerability. B. The biggest risk to any web application is security vulnerabilities that allow unvalidated input to be passed from the interface to the back-end system. An SQL injection vulnerability in a database-driven web application is a significant risk and is the greatest concern. C. While having unnecessary firewall ports open increases the security risk, the greater risk is that a vulnerability exists that can be accessed through the application. Therefore, the SQL injection vulnerability is the more significant risk. D. While maintaining audit logs is an important method to detect security intrusion attempts and application errors, having log configuration settings set to a high level may impact performance. Often, logging may be set to a minimal level for performance reasons. The more significant concern in this case is the SQL injection vulnerability.

Which of the following would BEST help to prioritize project activities and determine the time line for a project? A. A Gantt chart B. Earned value analysis (EVA) C. Program evaluation review technique (PERT) D. Function point analysis (FPA)

You answered A. The correct answer is C. A. A Gantt chart is a simple project management tool and would help with the prioritization requirement, but it is not as effective as program evaluation review technique (PERT). B. Earned value analysis (EVA) is a technique to track project cost versus project deliverables, but does not assist in prioritizing tasks. C. The PERT method works on the principle of obtaining project time lines based on project events for three likely scenarios (worst, best, normal). The time line is calculated by a predefined formula and identifies the critical path, which identifies the key activities that must be prioritized. D. Function point analysis (FPA) measures the complexity of input and output, and does not help to prioritize project activities.

Which of the following provides the MOST relevant information for proactively strengthening security settings? A. Bastion host B. Intrusion detection system (IDS) C. Honeypot D. Intrusion prevention system

You answered A. The correct answer is C. A. A bastion host is a hardened system used to host services. It does not provide information about an attack. B. Intrusion detection systems (IDSs) are designed to detect and address an attack in progress and stop it as soon as possible. C. The design of a honeypot is such that it lures the hacker and provides clues as to the hacker's methods and strategies, and the resources required to address such attacks. A honeypot allows the attack to continue, so as to obtain information about the hacker's strategy and methods. D. Intrusion prevention systems are designed to detect and address an attack in progress and stop it as soon as possible.

When auditing a proxy-based firewall, an IS auditor should: A. verify that the firewall is not dropping any forwarded packets. B. review Address Resolution Protocol (ARP) tables for appropriate mapping between media access control (MAC) and Internet protocol (IP) addresses. C. verify that the filters applied to services such as hypertext transmission protocol (HTTP) are effective. D. test whether routing information is forwarded by the firewall.

You answered A. The correct answer is C. A. The firewall will permit or deny traffic according to its rules. It should drop unacceptable traffic. B. Address Resolution Protocol (ARP) tables are used by a switch to map media access control (MAC) addresses to IP addresses. This is not a proxy firewall function. C. A proxy-based firewall works as an intermediary (proxy) between the service or application and the client. It makes a connection with the client and opens a different connection with the server and, based on specific filters and rules, analyzes all the traffic between the two connections. Unlike a packet-filtering gateway, a proxy-based firewall does not forward any packets. Mapping between MAC and IP addresses is a task for protocols such as address resolution protocol (ARP)/reverse address resolution protocol (RARP). D. A proxy-based firewall is not used to forward routing information.

Which of the following is the GREATEST risk of an inadequate policy definition for ownership of data and systems? A. User management coordination does not exist. B. Specific user accountability cannot be established. C. Unauthorized users may have access to originate, modify or delete data. D. Audit recommendations may not be implemented.

You answered A. The correct answer is C. A. The greatest risk is from unauthorized users being able to modify data. User management is important but not the greatest risk. B. User accountability is important, but not as great a risk as the actions of unauthorized users. C. Without a policy defining who has the responsibility for granting access to specific systems, there is an increased risk that individuals could gain (be given) system access when they should not have authorization. The risk of unauthorized users being able to modify data is greater than the risk of authorized user accounts not being controlled properly. D. The failure to implement audit recommendations is a management problem, but not as serious as the ability of unauthorized users to make modifications.

The cryptographic hash sum of a message is recalculated by the receiver. This is to ensure: A. the confidentiality of the message. B. nonrepudiation by the sender. C. the authenticity of the message. D. the integrity of data transmitted by the sender.

You answered A. The correct answer is D. A. A hash function ensures integrity of a message; encrypting with a secret key provides confidentiality. B. Signing the message with the private key of the sender ensures nonrepudiation and authenticity. C. Authenticity of the message is provided by the digital signature. D. If the hash sum is different from what is expected, it implies that the message has been altered. This is an integrity test.

An IS auditor reviewing the implementation of an intrusion detection system (IDS) should be MOST concerned if: A. IDS sensors are placed outside of the firewall. B. a behavior-based IDS is causing many false alarms. C. a signature-based IDS is weak against new types of attacks. D. the IDS is used to detect encrypted traffic.

You answered A. The correct answer is D. A. An organization can place sensors outside of the firewall to detect attacks. These sensors are placed in highly sensitive areas and on extranets. B. Causing many false alarms is normal for a behavior-based intrusion detection system (IDS), and should not be a matter of concern. C. Being weak against new types of attacks is expected from a signature-based IDS because it can only recognize attacks that have been previously identified. D. An IDS cannot detect attacks within encrypted traffic, and it would be a concern if someone were misinformed and thought that the IDS could detect attacks in encrypted traffic.

An online stock trading firm is in the process of implementing a system to provide secure email exchange with its customers. What is the BEST option to ensure confidentiality, integrity and nonrepudiation? A. Symmetric key encryption B. Digital signatures C. Message digest algorithms D. Digital certificates

You answered A. The correct answer is D. A. Symmetric key encryption uses a single pass phrase to encrypt and decrypt the message. While this type of encryption is strong, it suffers from the inherent problem of needing to share the pass phrase in a secure manner and does not address integrity and nonrepudiation. B. Digital signatures provide message integrity and nonrepudiation; however, confidentiality is not provided. C. Message digest algorithms are a way to design hashing functions to verify the integrity of the message/data. Message digest algorithms do not provide confidentiality or nonrepudiation. D. A digital certificate contains the public key and identifying information about the owner of the public key. The associated private key pair is kept secret with the owner. These certificates are generally verified by a trusted authority, with the purpose of associating a person's identity with the public key. Email confidentiality and integrity are obtained by following the public key-private key encryption. With the digital certificate verified by the trusted third party, nonrepudiation of the sender is obtained.

Responsibility for the governance of IT should rest with the: A. IT strategy committee. B. chief information officer (CIO). C. audit committee. D. board of directors.

You answered A. The correct answer is D. A. The IT strategy committee plays a significant role in the successful implementation of IT governance within an organization, but the ultimate responsibility resides with the board of directors. B. The CIO plays a significant role in the successful implementation of IT governance within an organization, but the ultimate responsibility resides with the board of directors. C. The audit committee plays a significant role in monitoring and overseeing the successful implementation of IT governance within an organization, but the ultimate responsibility resides with the board of directors. D. Governance is the set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risk is managed appropriately and verifying that the enterprise's resources are used responsibly.

Which of the following can be used to help ensure confidentiality of transmitted data? Encrypting the: A. message digest with the sender's private key. B. session key with the sender's public key. C. message with the receiver's private key. D. session key with the receiver's public key.

You answered A. The correct answer is D. A. This will ensure authentication and nonrepudiation. B. This will make the message accessible to only the sender. C. Ideally, a sender cannot have access to a receiver's private key. D. Access to the session key can only be obtained using the receiver's private key.

An employee has received a digital photo frame as a gift and has connected it to his/her work PC to transfer digital photos. The PRIMARY risk that this scenario introduces is that: A. the photo frame storage media could be used to steal corporate data. B. the drivers for the photo frame may be incompatible and crash the user's PC. C. the employee may bring inappropriate photographs into the office. D. the photo frame could be infected with malware.

You answered A. The correct answer is D. A. While any storage device could be used to steal data, the damage caused by malware could be widespread and severe for the enterprise. B. While device drivers may be incompatible and crash the user's PC, the damage caused by malware could be widespread and severe for the enterprise. C. While inappropriate content could result, the damage caused by malware could be widespread and severe for the enterprise. D. Any storage device can be a vehicle for infecting other computers with malware. There are several examples where it has been discovered that some devices are infected in the factory during the manufacturing process and controls should exist to prohibit employees from connecting any storage media devices to their company-issued PCs.

The BEST filter rule for protecting a network from being used as an amplifier in a denial-of-service (DoS) attack is to deny all: A. outgoing traffic with IP source addresses external to the network. B. incoming traffic with discernible spoofed IP source addresses. C. incoming traffic with IP options set. D. incoming traffic to critical hosts.

You answered B. The correct answer is A. A. Outgoing traffic with an IP source address different than the internal IP range in the network is invalid. In most of the cases, it signals a denial-of-service (DoS) attack originated by an internal user or by a previously compromised internal machine; in both cases, applying this filter will stop the infected machine from participating in the attack. B. Denying incoming traffic will not prevent an internal machine from participating in an attack on an outside target. C. Incoming traffic will have the IP options set according to the type of traffic. This is a normal condition. D. Denying incoming traffic to internal hosts will prevent legitimate traffic.

Facilitating telecommunications continuity by providing redundant combinations of local carrier T-1 lines (E-1 lines in Europe), microwaves and/or coaxial cables to access the local communication loop is: A. last-mile circuit protection. B. long-haul network diversity. C. diverse routing. D. alternative routing.

You answered B. The correct answer is A. A. The method of providing telecommunication continuity through the use of many recovery facilities, providing redundant combinations of local carrier T-1s, microwave and/or coaxial cable to access the local communication loop in the event of a disaster, is called last-mile circuit protection. This protects the link from the organization to the telecommunication provider—often known as the last mile in the telecommunication service description. B. Providing diverse long-distance network availability utilizing T-1 circuits among major long-distance carriers is called long-haul network diversity. This ensures long-distance access should any one carrier experience a network failure. This does not apply to the local communication loop. C. The method of routing traffic through split-cable facilities or duplicate-cable facilities is called diverse routing. This is done by the telecommunication carriers and does not usually refer to diversity of the local loop. D. Alternative routing is the method of routing information via an alternative medium such as copper cable or fiber optics. Each of the options in the question is a form of alternate routing, but this question asked specifically about the local loop or last mile.

An IS auditor reviewing local area network (LAN) performance in an organization should FIRST examine: A. connection and connection-less services. B. the network topology diagram. C. data, voice and video throughput requirements. D. the capacity of the wide area network (WAN) connection.

You answered B. The correct answer is C. A. Examining types of traffic would come after gaining an understanding of network requirements. B. The review of the network topology diagram is important, but that will be reviewed after understanding traffic needs. C. Data, voice and video throughput requirements for all users will define the business needs on which one can base the design of the appropriate LAN technology. D. Capacity of the wide area network (WAN) connection is secondary to the LAN throughput requirements.

An IS auditor notes that patches for the operating system used by an organization are deployed by the IT department as advised by the vendor. The MOST significant concern an IS auditor should have with this practice is that IT has NOT considered: A. the training needs for users after applying the patch. B. any beneficial impact of the patch on the operational systems. C. delaying deployment until testing the impact of the patch. D. the necessity of advising end users of new patches.

You answered B. The correct answer is C. A. Normally, there is no need for training users when a new operating system patch has been installed. B. Any beneficial impact is less important than the risk of unavailability, which could be avoided with proper testing. C. Deploying patches without testing exposes an organization to the risk of system disruption or failure. D. Normally, there is no need for advising users when a new operating system patch has been installed except to ensure that the patch is applied at a time that will have minimal impact on operations.

The BEST overall quantitative measure of the performance of biometric control devices is: A. false-rejection rate (FRR). B. false-acceptance rate (FAR). C. equal-error rate (EER). D. estimated-error rate.

You answered B. The correct answer is C. A. The false-rejection rate (FRR) only measures the number of times an authorized person is denied entry. B. The false-acceptance rate (FAR) only measures the number of times an unauthorized person may be accepted as authorized. C. A low equal-error rate (EER) is a combination of a low FRR and a low FAR. EER, expressed as a percentage, is a measure of the number of times that the FRR and FAR are equal. A low EER is the measure of the more effective biometrics control device. D. The estimated-error rate is not a valid biometric term.

While observing a full simulation of the business continuity plan, an IS auditor notices that the notification systems within the organizational facilities could be severely impacted by infrastructure damage. The BEST recommendation the IS auditor can provide to the organization is to ensure: A. the salvage team is trained to use the notification system. B. the notification system provides for the recovery of the backup. C. redundancies are built into the notification system. D. the notification systems are stored in a vault.

You answered B. The correct answer is C. A. The salvage team would not be able to use a severely damaged notification system, even if they are trained to use it. B. The recovery of the backups has no bearing on the notification system. C. If the notification system has been severely impacted by the damage, redundancy would be the best control. D. Storing the notification system in a vault would be of little value if the building is damaged.

An internal audit function is reviewing an internally developed common gateway interface (CGI) script for a web application. The IS auditor discovers that the script was not reviewed and tested by the quality control function. Which of the following types of risk is of GREATEST concern? A. System unavailability B. Exposure to malware C. Unauthorized access D. System integrity

You answered B. The correct answer is C. A. While untested common gateway interfaces (CGIs) can cause the end-user web application to be compromised, this is not likely to make the system unavailable to other users. B. Untested CGI scripts do not inherently lead to malware exposures. C. Untested CGIs can have security weaknesses that allow unauthorized access to private systems because CGIs are typically executed on publicly available Internet servers. D. While untested CGIs can cause the end-user web application to be compromised, this is not likely to significantly impact system integrity.

Which of the following is the MOST effective access control to help ensure confidentiality of a classified system? A. Network access control (NAC) B. Public key infrastructure (PKI) C. Discretionary access control (DAC) D. Mandatory access control (MAC)

You answered B. The correct answer is D. A. Network access control (NAC) is at the network level and limits system access to a network. B. Public key infrastructure (PKI) is used for public key/private key encryption. While PKI can be stored in the authorization mechanism by itself, it is not an access control. C. Discretionary access control (DAC) is a protection that may be activated or modified by the data owner, at the owner's discretion. This is the most common form of access control but not the strongest. D. Mandatory access control (MAC) is an expensive but very strong form of access control based on the policies of the organization and strict procedures. This is a typically effective preventive access control.

Which of the following encryption mechanisms is performed at the application layer of the open systems interconnection (OSI) model? A. Secure Sockets Layer (SSL) B. IP Security (IPSec) C. Secure Shell (SSH) D. Secure/Hypertext Transfer Protocol (S/HTTP)

You answered B. The correct answer is D. A. Secure Sockets Layer (SSL) provides encryption at the transport layer of the open systems interconnection (OSI) model. This is commonly used by the web to encrypt data sessions of information sent client-to-server or server-to-server. B. IP Security (IPSec) provides encryption at the network layer only. C. Secure Shell (SSH) is implemented at the transport layer. D. Secure/Hypertext Transfer Protocol (S/HTTP) redirects the user to a secure port, providing encrypted data packets at the application layer.

Which of the following is the BEST control to mitigate the risk of pharming attacks to an Internet banking application? A. User registration and password policies B. User security awareness C. Use of intrusion detection/intrusion prevention systems (IDSs/IPSs) D. Domain name system (DNS) server security hardening

You answered B. The correct answer is D. A. User registration and password policies cannot mitigate pharming attacks because they do not prevent manipulation of domain name system (DNS) records. B. User security awareness cannot mitigate pharming attacks because it does not prevent manipulation of DNS records. C. The use of intrusion detection/intrusion prevention systems (IDSs/IPSs) cannot mitigate pharming attacks because they do not prevent manipulation of DNS records. D. The pharming attack redirects the traffic to an unauthorized web site by exploiting vulnerabilities of the DNS server. To avoid this kind of attack, it is necessary to eliminate any known vulnerability that could allow DNS poisoning. Older versions of DNS software are vulnerable to this kind of attack and should be patched.

Which of the following is the MOST efficient strategy for the backup of large quantities of mission-critical data when the systems need to be online to take sales orders 24 hours a day? A. Implementing a fault-tolerant disk-to-disk backup solution B. Making a full backup to tape weekly and an incremental backup nightly C. Creating a duplicate storage area network (SAN) and replicating the data to a second SAN D. Creating identical server and storage infrastructure at a hot site

You answered C. The correct answer is A. A. Disk-to-disk backup, also called disk-to-disk-to-tape backup or tape cache, is when the primary backup is written to disk instead of tape. That backup can then be copied, cloned or migrated to tape at a later time (hence the term "disk-to-disk-to-tape"). This technology allows the backup of data to be performed without impacting system performance and allows a large quantity of data to be backed up in a very short backup window. In case of a failure, the fault-tolerant system can transfer immediately to the other disk set. B. While a backup strategy involving tape drives is valid, because many computer systems must be taken offline so that backups can be performed, there is the need to create a backup window, typically during each night. For a system that must remain online at all times, the only feasible way to back up the data is to either duplicate the data to a server that gets backed up to tape, or deploy a disk-to-disk solution, which is effectively the same thing. C. While creating a duplicate storage area network (SAN) and replicating the data to a second SAN provides some redundancy and data protection, this is not really a backup solution. If the two systems are at the same site, there is a risk that an incident such as a fire or flood in the data center could lead to data loss. D. While creating an identical server and storage infrastructure at a hot site provides a great deal of redundancy, there is still the need to create a backup of the data, and typically there is the need to archive certain data for long-term storage. A cutover to a hot site cannot usually be performed in a short enough time for a continuous availability system. Therefore, this is not the best strategy.

An IS auditor reviewing wireless network security determines that the Dynamic Host Configuration Protocol (DHCP) is disabled at all wireless access points. This practice: A. reduces the risk of unauthorized access to the network. B. is not suitable for small networks. C. automatically provides an IP address to anyone. D. increases the risk associated with Wireless Encryption Protocol (WEP).

You answered C. The correct answer is A. A. Dynamic Host Configuration Protocol (DHCP) automatically assigns IP addresses to anyone connecting to the network. With DHCP disabled, static IP addresses must be used and this requires either administrator support or a higher level of technical skill to attach to the network and gain Internet access. B. DHCP is suitable for networks of all sizes from home networks to large complex organizations. C. DHCP does not provide IP addresses when disabled. D. Disabling of the DHCP makes it more difficult to exploit the well-known weaknesses in Wireless Encryption Protocol (WEP).

An IT executive of an insurance company asked an external auditor to evaluate the user IDs for emergency access (fire call ID). The IS auditor found that fire call accounts are granted without a predefined expiration date. What should the IS auditor recommend? A. Review of the access control privilege authorization process B. Implementation of an identity management system (IMS) C. Enhancement of procedures to audit changes made to sensitive customer data D. Granting of fire call accounts only to managers

You answered C. The correct answer is A. A. In this case, the IS auditor should recommend reviewing the process of access control management. Emergency system administration-level access should only be granted on an as-needed basis and configured to a predefined expiration date. Accounts with temporary privileges require strong controls to limit the lifetime of the privileges and use of these accounts should be closely monitored. B. While implementing an identity management system (IMS) may solve the problem, it would be most cost-efficient to first review access privileges. C. Enhancing procedures to audit changes made to sensitive customer data does not prevent the misuse of these accounts and should be performed after reviewing the process. D. It is not realistic to grant fire call accounts only to managers.

An IS auditor is reviewing access for an accounting system and notices a segregation of duties issue; however, the business is small and additional workers are not available. What is the BEST recommended compensating control in this situation? A. Implementing role-based access B. Reviewing audit trails Incorrect C. Performing periodic access reviews D. Reviewing the error log

You answered C. The correct answer is B. A. Implementing role-based access would be beneficial; however, in this situation it would not be effective because resources are limited and the same person may need to fill multiple roles. B. Reviewing audit trails would be the best compensating control for a segregation of duties issue that cannot be eliminated by adding employees. C. Performing periodic access reviews will help to ensure that access is appropriate; however, reviewing audit trails would be a better choice. D. Error log review will only help to identify errors, whereas audit trails would monitor employee activities.

Reverse proxy technology for web servers should be deployed if: A. hypertext transmission protocol (HTTP) server addresses must be hidden. B. accelerated access to all published pages is required. Incorrect C. caching is needed for fault tolerance. D. bandwidth to the user is limited.

You answered C. The correct answer is A. A. Reverse proxies are primarily designed to hide physical and logical internal structures from outside access. Complete Uniform Resource Locators (URLs) or Uniform Resource Identifiers (URIs) can be partially or completely redirected without disclosing which internal or demilitarized zone (DMZ) server is providing the requested data. This technology might be used if a trade-off between security, performance and costs has to be achieved. Proxy servers cache some data but normally cannot cache all pages to be published because this depends on the kind of information the web servers provide. B. The ability to accelerate access depends on the speed of the back-end servers, i.e., those that are cached. Thus, without making further assumptions, a gain in speed cannot be assured, but virtualization and hiding of internal structures can. If speed is an issue, a scale-out approach (avoiding adding additional delays by passing firewalls, involving more servers, etc.) would be a better solution. C. Due to the limited caching option, reverse proxies are not suitable for enhancing fault tolerance. D. User requests that are handled by reverse proxy servers are using exactly the same bandwidth as direct requests to the hosts providing the data.

Which of the following would be the BEST access control procedure? A. The data owner formally authorizes access and an administrator implements the user authorization tables. B. Authorized staff implements the user authorization tables and the data owner sanctions them. Incorrect C. The data owner and an IS manager jointly create and update the user authorization tables. D. The data owner creates and updates the user authorization tables.

You answered C. The correct answer is A. A. The data owner holds the privilege and responsibility for formally establishing the access rights. An IS administrator should then implement or update user authorization tables at the direction of the owner. B. The owner sets the rules and conditions for access. It is best to obtain approval before implementing the tables. C. The data owner may consult with the IS manager to set out access control rules, but the responsibility for appropriate access remains with the data owner. The IS department should set up the access control tables at the direction of the owner. D. The data owner would not usually manage updates to the authorization tables.

An IS auditor who is auditing the software acquisition process will ensure that the: A. contract is reviewed and approved by the legal counsel before it is signed. B. requirements cannot be met with the systems already in place. Incorrect C. requirements are found to be critical for the business. D. user participation is adequate in the process.

You answered C. The correct answer is A. A. The process to review and approve the contract is one of the most important steps in the software acquisition process. An IS auditor should verify that legal counsel reviewed and approved the contract before management signs the contract. B. Existing systems may meet the requirements, but management may choose to acquire software for other reasons. C. Not all of the requirements in the contract need to support critical business needs; some requirements may be there for ease-of-use or other purposes. D. User participation is not necessarily required in the software acquisition process. Instead, users would most likely participate in requirements definition and user acceptance testing (UAT).

A company has implemented a new client-server enterprise resource planning (ERP) system. Local branches transmit customer orders to a central manufacturing facility. Which of the following would BEST ensure that the orders are processed accurately and the corresponding products are produced? A. Verifying production to customer orders B. Logging all customer orders in the ERP system Incorrect C. Using hash totals in the order transmitting process D. Approving (production supervisor) orders prior to production

You answered C. The correct answer is A. A. Verification will ensure that produced products match the orders in the customer order system. B. Logging can be used to detect inaccuracies but does not, in itself, guarantee accurate processing. C. Hash totals will ensure accurate order transmission, but not accurate processing centrally. D. Production supervisory approval is a time-consuming, manual process that does not guarantee proper control.

The GREATEST benefit of having well-defined data classification policies and procedures is: A. a more accurate inventory of information assets. B. a decreased cost of controls. Incorrect C. a reduced risk of inappropriate system access. D. an improved regulatory compliance.

You answered C. The correct answer is B. A. A more accurate inventory of information assets is a benefit, but would not be the greatest benefit of the choices listed. B. An important benefit of a well-defined data classification process would be to lower the cost of protecting data by ensuring that the appropriate controls are applied with respect to the sensitivity of the data. Without a proper classification framework, some security controls may be greater and, therefore, more costly than is required based on the data classification. C. Classifying the data may assist in reducing the risk of inappropriate system access, but that would not be the greatest benefit. D. Improved regulatory compliance would be a benefit; however, achieving a cost reduction would be a greater benefit.

Naming conventions for system resources are important for access control because they: A. ensure that resource names are not ambiguous. B. reduce the number of rules required to adequately protect resources. Incorrect C. ensure that user access to resources is clearly and uniquely identified. D. ensure that internationally recognized names are used to protect resources.

You answered C. The correct answer is B. A. Ensuring that resource names are not ambiguous cannot be achieved through the use of naming conventions. B. Naming conventions for system resources are important for the efficient administration of security controls. The conventions can be structured so resources beginning with the same high-level qualifier can be governed by one or more generic rules. This reduces the number of rules required to adequately protect resources which, in turn, facilitates security administration and maintenance efforts. Reducing the number of rules required to protect resources allows for the grouping of resources and files by application, which makes it easier to provide access. C. Ensuring the clear and unique identification of user access to resources is handled by access control rules, not naming conventions. D. Internationally recognized names are not required to control access to resources. Naming conventions tend to be based on how each organization wants to identify its resources.

An IS auditor discovers that, in many cases, a username and password are the same, which is contrary to policy. What is the BEST recommendation? A. Modify the enterprise's security policy. B. Educate users about the risk of weak passwords. Incorrect C. Require a periodic review of matching user IDs and passwords for detection and correction. D. Change the system configuration to enforce strong passwords.

You answered C. The correct answer is D. A. Changing the enterprise's security policy provides information to users, but does little to enforce this control. B. Educating users about the risk of weak passwords will not enforce the policy. C. Requiring a periodic review of matching user IDs and passwords for detection and ensuring correction is a detective control. D. The best control is a preventive control through validation at the time the password is created or changed.

IS management recently replaced its existing wired local area network (LAN) with a wireless infrastructure to accommodate the increased use of mobile devices within the organization. This will increase the risk of which of the following attacks? A. Port scanning B. Back door Incorrect C. Man-in-the-middle D. War driving

You answered C. The correct answer is D. A. Port scanning will often target the external firewall of the organization. Use of wireless will not affect this. B. A back door is an opening implanted into or left in software that enables an unauthorized entry into a system. C. Man-in-the-middle attacks intercept a message and can read, replace or modify it. D. A war driving attack uses a wireless Ethernet card, set in promiscuous mode, and a powerful antenna to penetrate wireless systems from outside.

A sales organization determines that, due to IT resource constraints, the IT disaster recovery plan (DRP) may not be able to restore IT functionality quickly enough to meet business requirements. The BEST solution would be to: A. invest in more fault-tolerant IT systems to meet business requirements. B. adjust the business continuity plan (BCP) to align with IT disaster recovery (DR) capabilities. Incorrect C. adjust the DRP to ensure that the most critical business processes are recovered first. D. ensure that the DRP includes the development and testing of manual or alternate procedures.

You answered C. The correct answer is D. A. While it would be ideal if the business could implement more fault-tolerant systems to ensure minimal IT system downtime, the cost of such an investment may be excessive, and the business needs could be met by performing certain processes manually until IT systems are back online. Therefore, this is not the correct answer. B. The business continuity plan (BCP) is required if the business wants to continue to operate, while the disaster recovery plan (DRP) exists to ensure that IT systems are available to automate business processes. Therefore, the requirements of the business would not normally be changed to meet the disaster recovery (DR) capabilities. C. It would be a given that the DRP would assign priority to critical business processes; in this case, the important consideration would be to be prepared to perform all critical business processes manually. D. An important consideration for any BCP and DRP is that there are instances when manual processing of transactions may need to be performed. A critical component of the DRP and BCP would be to prepare for, and test, the manual procedures so that they could be performed if needed.

An IS auditor is reviewing a company's process to email a URL to users for logging in to the employee health benefits system. To achieve nonrepudiation, the auditor should expect to see the message: A. encrypted with the sender's private key and decrypted with the sender's public key. B. sent with a message digest containing a hash value of the message. C. encrypted and the key sent via a separate communications channel (e.g., short message service [SMS] message). Incorrect D. encrypted with the receiver's private key and decrypted with the receiver's public key.

You answered D. The correct answer is A. A. Encrypting the message with the sender's private key and decrypting it with the sender's public key will achieve nonrepudiation. B. A message digest may ensure that the message contents are valid, but without the proper key exchange, the sender could be uncertain. C. While sending the encryption key out of band can be a valid method to help ensure that the information has not been intercepted, any technology that does not rely on cryptographic key exchange could be spoofed. D. If the sender had access to the receiver's private key, it would no longer be a private key and therefore would be of limited value in terms of nonrepudiation.

During an audit of a telecommunications system, an IS auditor finds that the risk of intercepting data transmitted to and from remote sites is very high. The MOST effective control for reducing this exposure is: A. encryption. B. callback modems. C. message authentication. Incorrect D. dedicated leased lines.

You answered D. The correct answer is A. A. Encryption of data is the most secure method of protecting confidential data from exposure. B. A callback system is used to ensure that a user is only logging in from a known location. It is not effective to protect the transmitted data from interception. C. Message authentication is used to prove message integrity and source, but not confidentiality. D. It is more difficult to intercept traffic traversing a dedicated leased line than it is to intercept data on a shared network, but the only way to really protect the confidentiality of data is to encrypt it.

Which of the following is a prevalent risk in the development of end-user computing (EUC) applications? A. Applications may not be subject to testing and IT general controls. B. Development and maintenance costs may be increased. C. Application development time may be increased. Incorrect D. Decision-making may be impaired due to diminished responsiveness to requests for information.

You answered D. The correct answer is A. A. End-user computing (EUC) is defined as the ability of end users to design and implement their own information system utilizing computer software products. End-user developed applications may not be subjected to an independent outside review by systems analysts and frequently are not created in the context of a formal development methodology. These applications may lack appropriate standards, controls, quality assurance procedures, and documentation. A risk of end-user applications is that management may rely on them as much as traditional applications. B. EUC systems typically result in reduced application development and maintenance costs. C. EUC systems typically result in a reduced development cycle time. D. EUC systems normally increase flexibility and responsiveness to management's information requests because the system is being developed directly by the user community.

An IS auditor discovers that uniform resource locators (URLs) for online control self-assessment questionnaires are sent using URL shortening services. The use of URL shortening services would MOST likely increase the risk of which of the following attacks? A. Internet protocol (IP) spoofing B. Phishing C. Structured query language (SQL) injection Incorrect D. Denial-of-service (DoS)

You answered D. The correct answer is B. A. The URL is based on hypertext transmission protocol (HTTP); IP spoofing is used to change the source IP address in a transmission control protocol/Internet protocol (TCP/IP) packet, not in the HTTP protocol. B. URL shortening services have been adopted by hackers to fool users and spread malware, i.e., phishing. C. Although URL shortening services can be used to perform structured query language (SQL) injections, their primary risk is being used for phishing. D. Denial-of-service (DoS) attacks are not affected by URL shortening services.

Which of the following choices BEST helps information owners to properly classify data? A. Understanding of technical controls that protect data B. Training on organizational policies and standards C. Use of an automated data leak prevention (DLP) tool Incorrect D. Understanding which people need to access the data

You answered D. The correct answer is B. A. While understanding how the data are protected is important, these controls might not be applied properly if the data classification schema is not well understood. B. While implementing data classification, it is most essential that organizational policies and standards, including the data classification schema, are understood by the owner or custodian of the data so they can be properly classified. C. While an automated data leak prevention (DLP) tool may enhance productivity, the users of the application would still need to understand what classification schema was in place. D. In terms of protecting the data, the data requirements of end users are critical, but if the data owner does not understand what data classification schema is in place, it would be likely that inappropriate access to sensitive data might be granted by the data owner.

An IS auditor is evaluating the effectiveness of the organization's change management process. What is the MOST important control that the IS auditor should look for to ensure system availability? A. That changes are authorized by IT managers at all times B. That user acceptance testing (UAT) is performed and properly documented C. That test plans and procedures exist and are closely followed Incorrect D. That capacity planning is performed as part of each development project

You answered D. The correct answer is C. A. Changes are usually required to be signed off by a business analyst, member of the change control board or other authorized representative, not necessarily by IT management. B. User acceptance testing (UAT) is important but not a critical element of change control and would not usually address the topic of availability as asked in the question. C. The most important control for ensuring system availability is to implement a sound test plan and procedures that are followed consistently. D. While capacity planning should be considered in each development project, it will not ensure system availability, nor is it part of the change control process.

An IS auditor is reviewing changes to a company's disaster recovery (DR) strategy. The IS auditor notices that the recovery point objective (RPO) has been shortened for the company's mission-critical application. What is the MOST significant risk of this change? A. The existing DR plan is not updated to achieve the new RPO. B. The DR team has not been trained on the new RPO. C. Backups are not done frequently enough to achieve the new RPO. Incorrect D. The plan has not been tested with the new RPO.

You answered D. The correct answer is C. A. If the plan is not updated to reflect the new strategic goals of recovery time objective (RTO) and recovery point objective (RPO), then the plan may not achieve those new goals. This is a less significant problem than not having the appropriate data available. B. The lack of training on the new disaster recovery (DR) strategy creates risk in the team's ability to execute the plan, but this risk is not as significant as not having data available due to the frequency of backups. C. The RPO is defined in the ISACA glossary as "the earliest point in time to which it is acceptable to recover the data." If backups are not performed frequently enough to meet the new RPO, a risk is created that the company will not have adequate backup data in the event of a disaster. This is the most significant risk because, without availability of the necessary data, all other DR considerations are not useful. D. The lack of testing of the revised plan creates risk in the team's ability to execute the plan, but this risk is not as significant as not having data available due to the frequency of backups.

An IS auditor assesses the project management process for an internal software development project. In respect to the software functionality, the IS auditor should look for sign-off by: A. the project manager. B. systems development management. C. business unit management. Incorrect D. the quality assurance (QA) team.

You answered D. The correct answer is C. A. The project manager provides day-to-day management and leadership of the project and ensures that project activities remain in line with the overall direction. The project manager cannot sign off on project requirements; that would be a violation of separation of duties. B. Systems development management provides technical support for hardware and software environments. C. Business unit management assumes ownership of the project and the resulting system. It is responsible for acceptance testing and confirming that the required functions are available in the software. D. The quality assurance (QA) team ensures the quality of the project by measuring adherence to the organization's system development life cycle (SDLC). They will conduct testing but not sign off on the project requirements.

A failure discovered in which of the following testing stages would have the GREATEST impact on the implementation of new application software? A. System testing Correct B. Acceptance testing C. Integration testing D. Unit testing

You are correct, the answer is B. A. System testing is undertaken by the development team to determine if the combined units of software work together and that the software meets user requirements per specifications. A failure here would be expensive but easier to fix than a failure found later in the testing process. B. Acceptance testing is the final stage before the software is installed and is available for use. The greatest impact would occur if the software fails at the acceptance testing level because this could result in delays and cost overruns. C. Integration testing examines the units/modules as one integrated system and unit testing examines the individual units or components of the software. A failure here would be expensive and require re-work of the modules, but would not be as expensive as a problem found just prior to implementation. D. System, integration and unit testing are all performed by the developers at various stages of development; the impact of failure is comparatively less for each than failure at the acceptance testing stage.

An IS auditor is reviewing a software application that is built on the principles of service-oriented architecture (SOA). What is the INITIAL step? Correct A. Understanding services and their allocation to business processes by reviewing the service repository documentation. B. Sampling the use of service security standards as represented by the Security Assertions Markup Language (SAML). C. Reviewing the service level agreements (SLAs) established for all system providers. D. Auditing the core service and its dependencies on other systems.

You are correct, the answer is A. A. A service-oriented architecture (SOA) relies on the principles of a distributed environment in which services encapsulate business logic as a black box and might be deliberately combined to depict real-world business processes. Before reviewing services in detail, it is essential for the IS auditor to comprehend the mapping of business processes to services. B. Sampling the use of service security standards as represented by the Security Assertions Markup Language (SAML) is an essential follow-up step to understanding services and their allocation to business, but is not the initial step. C. Reviewing the service level agreements (SLAs) is an essential follow-up step to understanding services and their allocation to business, but is not the initial step. D. Auditing the core service and its dependencies with others would most likely be a part of the audit, but the IS auditor must first gain an understanding of the business processes and how the systems support those processes.

Which of the following controls would be MOST effective to reduce the risk of loss due to fraudulent online payment requests? Correct A. Transaction monitoring B. Protecting web sessions using Secure Sockets Layer (SSL) C. Enforcing password complexity for authentication D. Inputting validation checks on web forms

You are correct, the answer is A. A. An electronic payment system could be the target of fraudulent activities. An unauthorized user could potentially enter false transactions. By monitoring transactions, the payment processor could identify potentially fraudulent transactions based on the typical usage patterns, monetary amounts, physical location of purchases, and other data that are part of the transaction process. B. Using Secure Sockets Layer (SSL) would help to ensure the secure transmission of data to and from the user's web browser, and help to ensure that the end user has reached the correct web site, but this would not prevent fraudulent transactions. C. Online transactions are not necessarily protected by passwords; for example, credit card transactions are not necessarily protected. The use of strong authentication would help to protect users of the system from fraud by attackers guessing passwords, but transaction monitoring would be the better control. D. Inputting validation checks on web forms is important to ensure that attackers do not compromise the web site, but transaction monitoring would be the best control.

The potential for unauthorized system access by way of terminals or workstations within an organization's facility is increased when: Correct A. connecting points are available in the facility to connect laptops to the network. B. users take precautions to keep their passwords confidential. C. terminals with password protection are located in insecure locations. D. terminals are located within the facility in small clusters under the supervision of an administrator.

You are correct, the answer is A. A. Any person with wrongful intentions can connect a laptop to the network. The insecure connecting points make unauthorized access possible if the individual has knowledge of a valid user ID and password. The other choices are controls for preventing unauthorized network access. B. If system passwords are not readily available for intruders to use, they must guess them, which introduces an additional factor and requires time. C. System passwords provide protection against unauthorized use of terminals located in insecure locations. D. Supervision is a very effective control when used to monitor access to a small operating unit or production resources.

Which of the following should be an IS auditor's PRIMARY concern after discovering that the scope of an IS project has changed and an impact study has not been performed? Correct A. The time and cost implications caused by the change B. The risk that regression tests will fail C. Users not agreeing with the change D. The project team not having the skills to make the necessary change

You are correct, the answer is A. A. Any scope change might have an impact on the duration and cost of the project; that is the reason why an impact study is conducted and the client is informed of the potential impact on the schedule and cost. B. A change in scope does not necessarily impact the risk that regression tests will fail. C. An impact study will not determine whether users will agree with a change in scope. D. Conducting an impact study could identify a lack of resources, such as the project team lacking the skills necessary to make the change; however, this is only part of the impact on the overall timelines and cost to the project due to the change.

A top-down approach to the development of operational policies helps ensure: Correct A. that they are consistent across the organization. B. that they are implemented as a part of risk assessment. C. compliance with all policies. D. that they are reviewed periodically.

You are correct, the answer is A. A. Deriving lower level policies from corporate policies (a top-down approach) aids in ensuring consistency across the organization and consistency with other policies. B. Policies should be influenced by risk assessment, but the primary reason for a top-down approach is to ensure that the policies are consistent across the organization. C. A top-down approach, of itself, does not ensure compliance. D. A top-down approach, of itself, does not ensure that policies are reviewed.

What is the BEST way to verify that a digital signature is valid? Correct A. Verify that the sender's public key certificate is from a trusted certificate authority (CA). B. Use a hash algorithm from the CA to determine whether the message has been tampered with. C. Verify the digital signature through a manual comparison of the hash value. D. Obtain the public key from the sender, and verify the digital signature.

You are correct, the answer is A. A. Digital signatures are enabled by using the sender's private key. The certificate authority (CA) binds the identity of the public key with the sender's private key to enable the identification of the sender. B. Hashes will only check whether the message has been tampered with, but will not verify that the digital signature is valid. Again, if no CA is involved, it is not possible to ensure that the public key is valid. C. Verifying the digital signature and obtaining the public key from the sender are possible answers, but they are not the best ways to verify that the digital signature is valid. D. Obtaining a public key from a trusted CA is a much better method of verification.

An IS auditor has been asked to review the security controls for a critical web-based order system shortly before the scheduled go-live date. The IS auditor conducts a penetration test which produces inconclusive results and additional testing cannot be concluded by the completion date agreed on for the audit. Which of the following is the BEST option for the IS auditor? Correct A. Publish a report based on the available information, highlighting the potential security weaknesses and the requirement for follow-up audit testing. B. Publish a report omitting the areas where the evidence obtained from testing was inconclusive. C. Request a delay of the go-live date until additional security testing can be completed and evidence of appropriate controls can be obtained. D. Inform management that audit work cannot be completed within the agreed time frame and recommend that the audit be postponed.

You are correct, the answer is A. A. If the IS auditor cannot gain sufficient assurance for a critical system within the agreed-on time frame, this fact should be highlighted in the audit report and follow-up testing should be scheduled for a later date. Management could then determine whether any of the potential weaknesses identified were significant enough to delay the go-live date for the system. B. It is not acceptable for the IS auditor to ignore areas of potential weakness because conclusive evidence could not be obtained within the agreed-on audit time frame. ISACA IS Audit and Assurance Standards would be violated if these areas were omitted from the audit report. C. Extending the time frame for the audit and delaying the go-live date is unlikely to be acceptable in this scenario where the system involved is business-critical. In any case, a delay to the go-live date must be the decision of business management, not the IS auditor. In this scenario, the IS auditor should present business management with all available information by the agreed-on date. D. Failure to obtain sufficient evidence in one part of an audit engagement does not justify cancelling or postponing the audit; this would violate the audit guideline concerning due professional care.

An IS auditor is performing a review of a network, and users report that the network is slow and web pages periodically time out. The IS auditor confirms the users' feedback and reports the findings to the network manager. The most appropriate action for the network management team should be to FIRST: Correct A. use a protocol analyzer to perform network analysis and review error logs of local area network (LAN) equipment. B. take steps to increase the bandwidth of the connection to the Internet. C. create a baseline using a protocol analyzer and implement quality of service (QoS) to ensure that critical business applications work as intended. D. implement virtual LANs (VLANs) to segment the network and ensure performance.

You are correct, the answer is A. A. In this case, the first step is to identify the problem through review and analysis of network traffic. Using a protocol analyzer and reviewing the log files of the related switches or routers will determine whether there is a configuration issue or hardware malfunction. B. While increasing Internet bandwidth may be required, this may not be needed if the performance issue is due to a different problem or error condition. C. While creating a baseline and implementing quality of service (QoS) will ensure that critical applications have the appropriate bandwidth, in this case the performance issue could be related to misconfiguration or equipment malfunction. D. While implementing virtual local area networks (VLANs) may be a best practice for ensuring adequate performance, in this case the issue could be related to misconfigurations or equipment malfunction.

An IS auditor has found time constraints and expanded needs to be the root causes for recent violations of corporate data definition standards in a new business intelligence project. Which of the following is the MOST appropriate suggestion for an auditor to make? Correct A. Achieve standards alignment through an increase of resources devoted to the project. B. Align the data definition standards after completion of the project. C. Delay the project until compliance with standards can be achieved. D. Enforce standard compliance by adopting punitive measures against violators.

You are correct, the answer is A. A. Provided that data architecture, technical and operational requirements are sufficiently documented, the alignment to standards could be treated as a specific work package assigned to new project resources. B. The usage of nonstandard data definitions would lower the efficiency of the new development, and increase the risk of errors in critical business decisions. To change data definition standards after project conclusion is risky and is not a viable solution. C. Delaying the project would be an inappropriate suggestion because of business requirements or the likely damage to the entire project's profitability. D. Punishing the violators would be outside the authority of the auditor and inappropriate until the reason for the violations has been determined.

Which of the following would be the BEST approach to ensure that sufficient test coverage will be achieved for a project with a strict end date and a fixed time to perform testing? Correct A. Requirements should be tested in terms of importance and frequency of use. B. Test coverage should be restricted to functional requirements. C. Automated tests should be performed through the use of scripting. D. The number of required test runs should be reduced by retesting only defect fixes.

You are correct, the answer is A. A. The idea is to maximize the usefulness of testing by concentrating on the most important aspects of the system and, therefore, on the areas where defects represent the greatest risk to user acceptance. A further extension of this approach is to also consider the technical complexity of requirements because complexity tends to increase the likelihood of defects. B. The problem with testing only functional requirements is that nonfunctional requirement areas, such as usability and security, which are important to the overall quality of the system, are ignored. C. Increasing the efficiency of testing by automating test execution is a good idea. However, by itself, this approach does not ensure the appropriate targeting of test coverage and so is not as effective an alternative. D. Retesting only defect fixes has a considerable risk that it will not detect instances in which defect fixes may have caused the system to regress, i.e., introduced errors in parts of the system that were previously working correctly. For this reason, it is a best practice to undertake formal regression testing after defect fixes have been implemented.

Which of the following is the BEST control to prevent the deletion of audit logs by unauthorized individuals in an organization? A. Actions on log files should be tracked in another log. B. Write access to audit logs should be disabled. Correct C. Only select personnel should have rights to view or delete audit logs. D. Backups of audit logs should be performed periodically.

You are correct, the answer is C. A. Having additional copies of log file activity would not prevent the original log files from being deleted. B. For servers and applications to operate correctly, write access cannot be disabled. C. Granting access to audit logs to only system administrators and security administrators would reduce the possibility of these files being deleted. D. Frequent backups of audit logs would not prevent the logs from being deleted.

Web application developers sometimes use hidden fields on web pages to save information about a client session. This technique is used, in some cases, to store session variables that enable persistence across web pages, such as maintaining the contents of a shopping cart on a retail web site application. The MOST likely web-based attack due to this practice is: Correct A. parameter tampering. B. cross-site scripting. C. cookie poisoning. D. stealth commanding.

You are correct, the answer is A. A. Web application developers sometimes use hidden fields to save information about a client session or to submit hidden parameters, such as the language of the end user, to the underlying application. Because hidden form fields do not display in the browser, developers may feel safe passing unvalidated data in the hidden fields (to be validated later). This practice is not safe because an attacker can intercept, modify and submit requests, which can discover information or perform functions that the web developer never intended. The malicious modification of web application parameters is known as parameter tampering. B. Cross-site scripting involves the compromise of the web page to redirect users to content on the attacker web site. The use of hidden fields has no impact on the likelihood of a cross-site scripting attack because these fields are static content that cannot ordinarily be modified to create this type of attack. Web applications use cookies to save session state information on the client machine so that the user does not need to log on every time a page is visited. C. Cookie poisoning refers to the interception and modification of session cookies to impersonate the user or steal logon credentials. The use of hidden fields has no relation to cookie poisoning. D. Stealth commanding is the hijacking of a web server by the installation of unauthorized code. While the use of hidden forms may increase the risk of server compromise, the most common server exploits involve vulnerabilities of the server operating system or web server.

Which of the following is a feature of Wi-Fi Protected Access (WPA) in wireless networks? Correct A. Session keys are dynamic. B. Private symmetric keys are used. C. Keys are static and shared. D. Source addresses are not encrypted or authenticated.

You are correct, the answer is A. A. Wi-Fi Protected Access (WPA) uses dynamic session keys, achieving stronger encryption than Wired Equivalent Privacy (WEP), which operates with static keys (the same key is used for everyone in the wireless network). B. WPA uses session keys, but they are generated dynamically instead of being static keys. C. WPA does not use static shared keys. D. The keys for WPA are related to the source address.

Which of the following would be the MOST secure firewall system? A. Screened-host firewall Correct B. Screened-subnet firewall C. Dual-homed firewall D. Stateful-inspection firewall

You are correct, the answer is B. A. A screened-host firewall utilizes a packet filtering router and a bastion host. This approach implements basic network layer security (packet filtering) and application server security (proxy services). B. A screened-subnet firewall, also used as a demilitarized zone (DMZ), utilizes two packet filtering routers and a bastion host. This provides the most secure firewall system because it supports both network- and application-level security while defining a separate DMZ network. C. A dual-homed firewall system is a more restrictive form of a screened-host firewall system, configuring one interface for information servers and another for private network host computers. D. A stateful inspection firewall working at the transport layer keeps track of the destination Internet protocol (IP) address of each packet that leaves the organization's internal network and allows a reply from the recorded IP addresses.

An organization has created a policy that defines the types of web sites that users are forbidden to access. What is the MOST effective technology to enforce this policy? A. Stateful inspection firewall Correct B. Web content filter C. Web cache server D. Proxy server

You are correct, the answer is B. A. A stateful inspection firewall is of little help in filtering web traffic because it does not review the content of the web site, nor does it take into consideration the site's classification. B. A web content filter accepts or denies web communications according to the configured rules. To help the administrator properly configure the tool, organizations and vendors have made available URL blacklists and classifications for millions of web sites. C. A web cache server is designed to improve the speed of retrieving the most common or recently visited web pages. D. A proxy server is incorrect because a proxy server services the request of its clients by forwarding requests to other servers. Many people incorrectly use proxy server as a synonym of web proxy server even though not all web proxy servers have content filtering capabilities.

An IS auditor discovers that some users have installed personal software on their PCs. This is not explicitly forbidden by the security policy. Of the following, the BEST approach for an IS auditor is to recommend that the: A. IS department implement control mechanisms to prevent unauthorized software installation. Correct B. security policy be updated to include specific language regarding unauthorized software. C. IS department prohibit the download of unauthorized software. D. users obtain approval from an IS manager before installing nonstandard software.

You are correct, the answer is B. A. An IS auditor's obligation is to report on observations noted and make the best recommendation, which is to address the situation through policy. The IS department cannot implement controls in the absence of the authority provided through policy. B. Lack of specific language addressing unauthorized software in the acceptable use policy is a weakness in administrative controls. The policy should be reviewed and updated to address the issue—and provide authority for the IS department to implement technical controls. C. Preventing downloads of unauthorized software is not the complete solution. Unauthorized software can be also introduced through compact discs (CDs) and universal serial bus (USB) drives. D. Requiring approval from the IS manager before installation of the nonstandard software is an exception handling control. It would not be effective unless a preventive control to prohibit user installation of unauthorized software is established first.

Which of the following systems or tools can recognize that a credit card transaction is more likely to have resulted from a stolen credit card than from the holder of the credit card? A. Intrusion detection systems (IDSs) Correct B. Data mining techniques C. Firewalls D. Packet filtering routers

You are correct, the answer is B. A. An intrusion detection system (IDS) is effective in detecting network or host-based errors, but not effective in measuring fraudulent transactions. B. Data mining is a technique used to detect trends or patterns of transactions or data. If the historical pattern of charges against a credit card account is changed, then it is a flag that the transaction may have resulted from a fraudulent use of the card. C. A firewall is an excellent tool for protecting networks and systems, but not effective in detecting fraudulent transactions. D. A packet filtering router operates at a network level and cannot see a transaction.

In a client-server architecture, a domain name service (DNS) is MOST important because it provides the: A. address of the domain server. Correct B. resolution service for the name/address. C. IP addresses for the Internet. D. domain name system.

You are correct, the answer is B. A. The domain name service (DNS) enables users to access the Internet using URLs based on words instead of needing to know the IP addresses of a website. B. DNS is utilized primarily on the Internet for resolution of the name/address of the web site. It is an Internet service that translates domain names into IP addresses. Because names are alphabetic, they are easier to remember. However, the Internet is based on IP addresses. Every time a domain name is used, a DNS service must translate the name into the corresponding IP address. The DNS system has its own network. If one DNS server does not know how to translate a particular domain name, it asks another one, and so on, until the correct IP address is returned. C. The DNS is a translation or cross-reference tool; it does not provide the IP addresses for the Internet. D. The DNS within an organization is part of the global Domain Name System; it does not provide the name system, it supports it.

An IS auditor recommends that an initial validation control be programmed into a credit card transaction capture application. The initial validation process would MOST likely: A. check to ensure that the type of transaction is valid for the card type. Correct B. verify the format of the number entered, then locate it on the database. C. ensure that the transaction entered is within the cardholder's credit limit. D. confirm that the card is not shown as lost or stolen on the master file.

You are correct, the answer is B. A. The initial validation would not be used to check the transaction type—just the validity of the card number. B. The initial validation should confirm whether the card is valid. This validity is established through the card number and personal identification number (PIN) entered by the user. Based on this initial validation, all other validations will proceed. A validation control in data capture will ensure that the data entered are valid (i.e., can be processed by the system). If the data captured in the initial validation are not valid (if the card number or PIN do not match with the database), then the card will be rejected or captured per the controls in place. Once initial validation is completed, other validations specific to the card and cardholder would be performed. C. The initial validation is to prove the card number entered is valid—only then can the transaction amount be checked for approval from the bank. D. The verification that the card has not been reported as lost or stolen is only done after the card number has been validated as correctly entered.

When reviewing an organization's logical access security, which of the following should be of MOST concern to an IS auditor? A. Passwords are not shared. Correct B. Transmission of unencrypted passwords. C. Redundant logon IDs are deleted. D. The allocation of logon IDs is controlled.

You are correct, the answer is B. A. The passwords should not be shared, but this is less important than ensuring that the password files are encrypted. B. When evaluating the technical aspects of logical security, unencrypted passwords represent the greatest risk. C. Checking for the redundancy of logon IDs is essential, but is less important than ensuring that the passwords are encrypted. D. Proper allocation of logon IDs is essential, but less important than ensuring that the passwords are encrypted.

Upon receipt of the initial signed digital certificate the user will decrypt the certificate with the public key of the: A. registration authority (RA). Correct B. certificate authority (CA). C. certificate repository. D. receiver.

You are correct, the answer is B. A. The registration authority (RA) authenticates applicants for a certificate but does not issue or validate the certificates. B. A certificate authority (CA) is a trusted authority that issues and manages security credentials and public keys for message encryption. As a part of the public key infrastructure, a CA checks with an RA to verify information provided by the requestor of a digital certificate. If the RA verifies the requestor's information, the CA can issue a certificate. The CA signs the certificate with its private key for distribution to the user. Upon receipt, the user will decrypt the certificate with the CA's public key. C. The certificate repository is a commonly available directory of all the public keys issued by a CA. D. The digital certificate is signed using the private key of the CA; therefore, the CA's public key is the only key that will validate the certificate.

Which of the following is BEST suited for secure communications within a small group? A. Key distribution center B. Certificate authority (CA) Correct C. Web of trust D. Kerberos Authentication System

You are correct, the answer is C. A. A key distribution center is a part of a Kerberos implementation suitable for internal communication for a large group within an institution, and it will distribute symmetric keys for each session. B. Certificate authority (CA) is a trusted third party that ensures the authenticity of the owner of the certificate. This is necessary for large groups and formal communication. C. Web of trust is a key distribution method suitable for communication in a small group. It is used by tools such as pretty good privacy (PGP) and distributes the public keys of users within a group. D. A Kerberos Authentication System extends the function of a key distribution center by generating "tickets" to define the facilities on networked machines, which are accessible to each user.

An IS auditor conducting a review of software usage and licensing discovers that numerous PCs contain unauthorized software. Which of the following actions should the IS auditor take? A. Delete all copies of the unauthorized software. B. Inform the auditee of the unauthorized software, and follow up to confirm deletion. Correct C. Report the use of the unauthorized software and the need to prevent recurrence to auditee management. D. Warn the end users about the risk of using illegal software.

You are correct, the answer is C. A. An IS auditor should not assume the role of the enforcing officer and take on any personal involvement in removing the unauthorized software. B. The IS auditor should report the violation and request a response, but the nature of the response—whether to delete the software or not (perhaps license it instead)—is a decision of management. C. The use of unauthorized or illegal software should be prohibited by an organization. An IS auditor must convince the user and user management of the risk and the need to eliminate the risk. For example, software piracy can result in exposure and severe fines. D. Auditors must report material findings to management for action. Informing the users of risk is not the primary responsibility of the IS auditor.

Transmitting redundant information with each character or frame to facilitate detection and correction of errors is called a: A. feedback error control. B. block sum check. Correct C. forward error control. D. cyclic redundancy check.

You are correct, the answer is C. A. In feedback error control, only enough additional information is transmitted so the receiver can identify that an error has occurred. B. Block sum check is an extension of parity check wherein an additional set of parity bits is computed for a block of characters. This is a detection method, not an error correction method. C. Forward error control involves transmitting additional redundant information with each character or frame to facilitate detection and correction of errors. D. A cyclic redundancy check is a technique wherein a single set of check digits is generated, based on the contents of the frame, for each frame transmitted. This is a detection method, not an error correction method.

During an audit of a small company that provides medical transcription services, an IS auditor observes several issues related to the backup and restore process. Which of the following should be the auditor's GREATEST concern? A. Restoration testing for backup media is not performed; however, all data restore requests have been successful. B. The policy for data backup and retention has not been reviewed by the business owner for the past three years. Correct C. The company stores transcription backup tapes offsite using a third-party service provider, which inventories backup tapes annually. D. Failed backup alerts for the marketing department data files are not followed up on or resolved by the IT administrator.

You are correct, the answer is C. A. Lack of restoration testing does not increase the risk of unauthorized leakage of information. Not performing restoration tests on backup tapes poses a risk; however, this risk is somewhat mitigated because past data restore requests have been successful. B. Lack of review of the data backup and retention policy may be of a concern if systems and business processes have changed in the past three years. The IS auditor should perform additional procedures to verify the validity of existing procedures. In addition, lack of this control does not introduce a risk of unauthorized leakage of information. C. For a company working with confidential patient data, the loss of a backup tape is a significant incident. Privacy laws specify severe penalties for such an event, and the company's reputation could be damaged due to mandated reporting requirements. To gain assurance that tapes are being handled properly, the organization should perform audit tests that include frequent physical inventories and an evaluation of the controls in place at the third-party provider. D. Failed backup alerts that are not followed up on and resolved imply that certain data or files are not backed up. This is a concern if the files/data being backed up are critical in nature, but, typically, marketing data files are not regulated in the same way as medical transcription files. Lack of this control does not introduce a risk of unauthorized leakage of sensitive information.

A benefit of quality of service (QoS) is that the: A. entire network's availability and performance will be significantly improved. B. telecom carrier will provide the company with accurate service-level compliance reports. Correct C. participating applications will have bandwidth guaranteed. D. communications link will be supported by security controls to perform secure online transactions.

You are correct, the answer is C. A. Quality of service (QoS) will not guarantee that the communication itself will be improved. While the speed of data exchange for specific applications could be faster, availability will not be improved. B. The QoS tools that many carriers are using do not provide reports of service levels; however, there are other tools that will generate service-level reports. C. The main function of QoS is to optimize network performance by assigning priority to business applications and end users through the allocation of dedicated parts of the bandwidth to specific traffic. D. Even when QoS is integrated with firewalls, virtual private networks (VPNs), encryption tools and others, the tool itself is not intended to provide security controls.

At the end of the testing phase of software development, an IS auditor observes that an intermittent software error has not been corrected. No action has been taken to resolve the error. The IS auditor should: A. report the error as a finding and leave further exploration to the auditee's discretion. B. attempt to resolve the error. Correct C. recommend that problem resolution be escalated. D. ignore the error because it is not possible to get objective evidence for the software error.

You are correct, the answer is C. A. Recording it as a minor error and leaving it to the auditee's discretion would be inappropriate. Action should be taken before the application goes into production. B. The IS auditor is not authorized to resolve the error. C. When an IS auditor observes such conditions, it is best to fully apprise the auditee and suggest that further problem resolutions be attempted including escalation if necessary. D. Neglecting the error would indicate that the IS auditor has not taken steps to further probe the issue to its logical end.

A risk assessment is being performed on an application that is beginning to be developed. What is MOST important to determine prior to recommending security controls? A. Role-based access controls (RBACs) B. Current privacy laws Correct C. Data classification D. The data hosting location

You are correct, the answer is C. A. Role-based access controls (RBACs) would be determined after the data have been classified to ensure that the data are protected appropriately. B. Understanding current privacy laws is important, but understanding the type of data is most important because privacy laws may not apply. To ensure that appropriate controls are applied, a data classification structure needs to be in place first. C. Data classification is most important because without a good understanding of the type of data contained within the application, security controls may not be appropriate. Data classification is the assignment of a level of sensitivity to data (or information) that results in the specification of controls for each level of classification. Levels of sensitivity of data are assigned according to predefined categories as data are created, amended, enhanced, stored or transmitted. The classification level is an indication of the value or importance of the data to the enterprise. D. Determining the data location, such as a cloud service provider or an offshore vendor, may increase or decrease the needed security controls, but this would be reliant on the type of data.

Which of the following line media would provide the BEST security for a telecommunication network? A. Broadband network digital transmission B. Baseband network C. Dial-up Correct D. Dedicated lines

You are correct, the answer is D. A. The secure use of broadband communications is subject to whether the network is shared with other users, the data are encrypted and the risk of network interruption. B. A baseband network is one that is usually shared with many other users and requires encryption of traffic, but still may allow some traffic analysis by an attacker. C. A dial-up line is fairly secure because it is a private connection, but it is too slow to be considered for most commercial applications today. D. Dedicated lines are set apart for a particular user or organization. Because there is no sharing of lines or intermediate entry points, the risk of interception or disruption of telecommunications messages is lower.

While performing an audit of an accounting application's internal data integrity controls, an IS auditor identifies a major control deficiency in the change management software that supports the accounting application. The MOST appropriate action for the IS auditor to take is to: A. continue to test the accounting application controls, verbally inform the IT manager about the change management software control deficiency and offer consultation on possible solutions. B. complete the application controls audit, but not report the control deficiency in the change management software because it is not part of the audit scope. Correct C. continue to test the accounting application controls and include mention of the change management software control deficiency in the final report. D. cease all audit activity until the control deficiency in the change management software is resolved.

You are correct, the answer is C. A. The IS auditor should not assume that the IT manager will follow through on a verbal notification toward resolving the change management control deficiency, and it is inappropriate to offer consulting services on issues discovered during an audit. B. While not technically within the audit scope, it is the responsibility of the IS auditor to report findings discovered during an audit that could have a material impact on the effectiveness of controls. C. It is the responsibility of the IS auditor to report on findings that could have a material impact on the effectiveness of controls—whether or not they are within the scope of the audit. D. It is not the role of the IS auditor to demand that IT work be completed before performing or completing an audit.

The initial step in establishing an information security program is the: A. development and implementation of an information security standards manual. B. performance of a comprehensive security control review by the IS auditor. Correct C. adoption of a corporate information security policy statement. D. purchase of security access control software.

You are correct, the answer is C. A. The security program is driven by policy and the standards are driven by the program. The initial step is to have a policy and ensure that the program is based on the policy. B. Audit and monitoring of controls related to the program can only come after the program is set up. C. A policy statement reflects the intent and support provided by executive management for proper security and establishes a starting point for developing the security program. D. Access control software is an important security control, but only after the policy and program are defined.

The specific advantage of white box testing is that it: A. verifies a program can operate successfully with other parts of the system. B. ensures a program's functional operating effectiveness without regard to the internal program structure. Correct C. determines procedural accuracy or conditions of a program's specific logic paths. D. examines a program's functionality by executing it in a tightly controlled or virtual environment with restricted access to the host system.

You are correct, the answer is C. A. Verifying that the program can operate successfully with other parts of the system is sociability testing. B. Testing the program's functionality without knowledge of internal structures is black box testing. C. White box testing assesses the effectiveness of software program logic. Specifically, test data are used in determining procedural accuracy or conditions of a program's logic paths. D. Controlled testing of programs in a semi-debugged environment, either heavily controlled step-by-step or via monitoring in virtual machines, is sandbox testing.

Among the following controls, what is the BEST method to prevent inappropriate access to private and sensitive information through a business application? A. Two-factor authentication access control B. Encryption of authentication data Correct C. Role-based access control (RBAC) D. Effective segregation of duties (SoD)

You are correct, the answer is C. A. While two-factor authentication is a valid security measure, it does not eliminate the risk that authorized users can view or modify data that are not appropriate for their job roles. B. While encryption is a valid security measure, it does not eliminate the risk that authorized users can view or modify data that are not appropriate for their job roles. C. Role-based access control (RBAC) is an approach to restrict access rights and privileges on a need-to-know basis. Roles or profiles are designed and approved according to what is required for the job and assigned tasks. D. Segregation of duties (SoD) is a requirement in any access control scenario, but RBAC provides more fine-grained control over resources than SoD.

Event log entries related to failed local administrator logon attempts are observed by the IS auditor. Which of the following is the MOST likely cause of multiple failed logon attempts? A. Synchronize (SYN) flood attacks B. Social engineering C. Buffer overflow attacks Correct D. Malicious code attacks

You are correct, the answer is D. A. A synchronize (SYN) attack is a denial-of-service (DoS) attack on a particular network service and does not attempt to log on to administrator accounts. B. Social engineering will help in discovering passwords, but it is separate from brute force attacks. C. A buffer overflow attack is an attack on application coding errors, but will not directly result in multiple logon failures. D. Malicious code, including brute force, password cracking and Trojans, commonly attempts to log on to administrator accounts.

An enterprise uses privileged accounts to process configuration changes for mission-critical applications. Which of the following would be the BEST and appropriate control to limit the risk in such a situation? A. Ensure that audit trails are accurate and specific. B. Ensure that personnel have adequate training. C. Ensure that personnel background checks are performed for critical personnel. Correct D. Ensure that supervisory approval and review are performed for critical changes.

You are correct, the answer is D. A. Audit trails are a detective control and, in many cases, can be altered by those with privileged access. B. Staff proficiency is important and good training may be somewhat of a deterrent, but supervisory approval and review is the best choice. C. Performing background checks is a very basic control and will not effectively prevent or detect errors or malfeasance. D. Supervisory approval and review of critical changes by the accountable managers in the enterprise are required to avoid and detect any unauthorized change. In addition to authorization, supervision enforces a separation of duties and prevents an unauthorized attempt by any single employee.

An IS auditor conducting a review of disaster recovery planning (DRP) at a financial processing organization has discovered the following:
--The existing DRP was compiled two years earlier by a systems analyst in the organization's IT department using transaction flow projections from the operations department.
--The DRP was presented to the deputy chief executive officer (CEO) for approval and formal issue, but it is still awaiting their attention.
--The DRP has never been updated, tested or circulated to key management and staff, though interviews show that each would know what action to take for its area in the event of a disruptive incident.
The IS auditor's report should recommend that: A. the deputy CEO be censured for failure to approve the plan. B. a board of senior managers is set up to review the existing plan. C. the existing plan is approved and circulated to all key management and staff. Correct D. a manager coordinates the creation of a new or revised plan within a defined time limit.

You are correct, the answer is D. A. Censuring the deputy CEO will not improve the current situation and is generally not within the scope of an IS auditor to recommend. B. Establishing a board to review the DRP (which is two years out of date) may achieve an updated DRP, but is not likely to be a speedy operation; issuing the existing DRP would be folly without first ensuring that it is workable. C. The current DRP may be unacceptable or ineffective and recommending the approval of the DRP may be unwise. The best way to develop a DRP in a short time is to make an experienced manager responsible for coordinating the knowledge of other managers into a single, formal document within a defined time limit. D. The primary concern is to establish a workable DRP, which reflects current processing volumes to protect the organization from any disruptive incident.

An IS auditor reviewing digital rights management (DRM) applications should expect to find an extensive use for which of the following technologies? A. Digitalized signatures B. Hashing C. Parsing Correct D. Steganography

You are correct, the answer is D. A. Digitalized signatures are the scans of a signature (not the same as a digital signature) and not related to digital rights management. B. Hashing creates a message hash or digest, which is used to ensure the integrity of the message; it is usually considered a part of cryptography. C. Parsing is the process of splitting up a continuous stream of characters for analytical purposes, and is widely applied in the design of programming languages or in data entry editing. D. Steganography is a technique for concealing the existence of messages or information. An increasingly important steganographical technique is digital watermarking, which hides data within data, e.g., by encoding rights information in a picture or music file without altering the picture or music's perceivable aesthetic qualities.

An installed Ethernet cable run in an unshielded twisted pair (UTP) network is more than 100 meters long. Which of the following could be caused by the length of the cable? A. Electromagnetic interference (EMI) B. Crosstalk C. Dispersion Correct D. Attenuation

You are correct, the answer is D. A. Electromagnetic interference (EMI) is caused by outside electromagnetic waves affecting the desired signals, which is not the case here. B. Crosstalk has nothing to do with the length of the unshielded twisted pair (UTP) cable. C. Dispersion affects microwave and radio signals and is not a factor with UTP. D. Attenuation is the weakening of signals during transmission. When the signal becomes weak, it begins to generate errors, and the user may experience communication problems. UTP faces unacceptable levels of attenuation around 100 meters.

Which of the following antispam filtering techniques would BEST prevent a valid, variable-length email message containing a heavily-weighted spam keyword from being labeled as spam? A. Heuristic (rule-based) B. Signature-based C. Pattern matching Correct D. Bayesian (statistical)

You are correct, the answer is D. A. Heuristic filtering is less effective because new exception rules may need to be defined when a valid message is labeled as spam. B. Signature-based filtering is useless against variable-length messages because the calculated message-digest algorithm 5 (MD5) hash changes all the time. C. Pattern matching is actually a degraded rule-based technique where the rules operate at the word level using wildcards, and not at higher levels. D. Bayesian filtering applies statistical modeling to messages by performing a frequency analysis on each word within the message and then evaluating the message as a whole. Therefore, it can ignore a suspicious keyword if the entire message is within normal bounds.

In an organization where an IT security baseline has been defined, an IS auditor should FIRST ensure: A. implementation. B. compliance. C. documentation. Correct D. sufficiency.

You are correct, the answer is D. A. The first step is to review the baseline to ensure that it is adequate or sufficient to meet the security requirements of the organization. Then the IS auditor will ensure that it is implemented and measure compliance. B. Compliance cannot be measured until the baseline has been implemented, but the IS auditor must first ensure that the correct baseline is being implemented. C. After the baseline has been defined, it must be documented, and the IS auditor will check that the baseline is appropriate before checking for implementation. D. An IS auditor should first evaluate the definition of the minimum baseline level by ensuring the sufficiency of the control baseline to meet security requirements.

An organization implemented a distributed accounting system, and the IS auditor is conducting a postimplementation review to provide assurance of the data integrity controls. Which of the following choices should the auditor perform FIRST? A. Review user access. B. Evaluate the change request process. C. Evaluate the reconciliation controls. Correct D. Review the data flow diagram.

You are correct, the answer is D. A. The review of user access would be important; however, in terms of data integrity it would be better to review the data flow diagram. B. The lack of an adequate change control process could impact the integrity of the data; however, the system should be documented first to determine whether the transactions flow to other systems. C. Evaluating the reconciliation controls would help to ensure data integrity; however, it is more important to understand the data flows of the application to ensure that the reconciliation controls are located in the correct place. D. The IS auditor should review the application data flow diagram to understand the flow of data within the application and to other systems. This will enable the IS auditor to evaluate the design and effectiveness of the data integrity controls.

Regression testing is undertaken PRIMARILY to ensure that: A. system functionality meets customer requirements. B. a new system can operate in the target environment. C. applicable development standards have been maintained. Correct D. applied changes have not introduced new errors.

You are correct, the answer is D. A. Validation testing is used to test the functionality of the system against detailed requirements to ensure that software construction is traceable to customer requirements. B. Sociability testing is used to see whether the system can operate in the target environment without adverse impacts on the existing systems. C. Software quality assurance and code reviews are used to determine whether development standards are maintained. D. Regression testing is used to test for the introduction of new errors in the system after changes have been applied.

