Chapter 31-Logical Access (Domain-5)
(5) Which of the following is the MOST important objective of data protection? A. Current technology trend. B. Ensuring the confidentiality & integrity of information. C. Denying or authorizing access to the IS system. D. Internal processing efficiency.
Answer: B. Ensuring the confidentiality & integrity of information. Explanation: Maintaining data confidentiality and integrity is the most important objective of data security. This is a basic requirement if an organization is to continue as a viable and successful enterprise.
(12) An IS auditor is reviewing the wireless network security of an organization. Which of the following should be a concern to the IS auditor? A. 128-bit static-key WEP (Wired Equivalent Privacy) encryption is enabled. B. SSID (Service Set Identifier) broadcasting has been enabled. C. Antivirus software has been installed on all wireless clients. D. MAC (Media Access Control) address filtering has been deployed.
Answer: B. SSID (Service Set Identifier) broadcasting has been enabled. Explanation: Enabling SSID broadcasting reduces security by making it easier for unauthorized users to find the name of the access point. The other options strengthen the security of the network.
(31) The most robust access control policy is the Default Deny Access Control Policy. This policy: A. Allows selected traffic and denies all other traffic. B. Denies selected traffic and allows all other traffic. C. Is frequently used for granting access from a trusted network to external systems. D. Allows traffic at the discretion of the application owner.
Answer: A. Allows selected traffic and denies all other traffic. Explanation: The Default Deny Access Control Policy denies all traffic by default and selectively allows only certain traffic through the firewall. It is frequently used for granting access from an untrusted source to a protected system. It is also called the Mandatory Access Control Policy.
(4) Which of the following is the BEST logical control mechanism to ensure that users are allowed access only to those functions needed to perform their duties? A. Application-level access control. B. Data encryption. C. HTTPS protocol. D. Network monitoring device.
Answer: A. Application-level access control. Explanation: The use of application-level access control programs is a management control that restricts access by limiting users to only those functions needed to perform their duties.
(23) An IS auditor is reviewing the physical controls of a data centre. For visitor access to the data centre, the most effective control the auditor should recommend is: A. An escort policy for every visitor. B. Issuance of visitor badges. C. A proper sign-in procedure for visitors. D. A security check procedure for every visitor.
Answer: A. An escort policy for every visitor. Explanation: Escorting visitors provides the best assurance that visitors have permission to access the data processing facility. The other controls are not as reliable as an escort policy.
(2) During a review of a critical application system, the IS auditor observes that user accounts are shared. The MAJOR risk resulting from this situation is that: A. Passwords are changed frequently. B. An outsider can gain access to the system. C. Passwords are easily guessed. D. User accountability may not be established.
Answer: D. User accountability may not be established. Explanation: If the same user account is shared by multiple employees, it is difficult to trace a particular employee through the audit trail, so user accountability may not be established in such a scenario.
(29) An IS auditor is reviewing the general IT controls of an organization. Which of the following should concern the auditor? A. LAN connections are easily available in the facility for connecting laptops to the network. B. Two-factor authentication is mandatory for access to critical applications. C. Stand-alone terminals with password protection are located in insecure locations. D. Terminals are located within the facility in small clusters under the supervision of an administrator.
Answer: A. LAN connections are easily available in the facility for connecting laptops to the network. Explanation: (1) Access to the network by an unauthorized person is the major risk in the given situation. Any person with wrongful intentions can connect a laptop to the network. The insecure connection points make unauthorized access possible if the individual has knowledge of a valid user ID and password. (2) Two-factor authentication is a good IS policy; intruders will find it difficult to access the applications. (3) Access to a stand-alone terminal is not as risky as access to the full network. Hence, in the given scenario, the correct option is the easy availability of LAN connections.
(13) An IS auditor is evaluating general operating system access control functions. Which of the following access control functions will be in scope? A. Logging user activities. B. Logging data communication access activities. C. Verifying user authorization at the field level. D. Changing data files.
Answer: A. Logging user activities. Explanation: General operating system access control functions include logging user activities, logging events, etc. Choice B is a network control feature. Choices C and D are database- and/or application-level access control functions.
(20) Discretionary access controls will be more effective if they: A. Are placed in accordance with mandatory access controls. B. Are placed independently of mandatory access controls. C. Enable users to bypass mandatory access controls as and when required. D. Are allowed by the security policy.
Answer: A. Are placed in accordance with mandatory access controls. Explanation: Mandatory access controls (MACs) are logical access controls that cannot be controlled or modified by normal users or data owners. Discretionary access controls (DACs) are logical access controls that may be activated or modified by the data owners at their discretion. To be more effective, DACs have to be designed in accordance with MACs. Mandatory access controls are prohibitive: anything that is not expressly permitted is forbidden. Only within this context do discretionary controls operate, prohibiting still more access on the same exclusionary principle.
(21) The best method of removing confidential data from computer storage is: A. The hard disk should be demagnetized. B. The hard disk should be formatted. C. The data on the hard disk should be deleted. D. The data on the hard disk should be defragmented.
Answer: A. The hard disk should be demagnetized. Explanation: The hard disk should be demagnetized, since this causes all of the bits to be set to zero, eliminating any chance of retrieving information that was previously stored on the disk. The other options may not be as effective.
(6) The FIRST step in data classification is to: A. Identify data owners. B. Perform a criticality analysis. C. Define access rules. D. Define firewall rules.
Answer: A. Identify data owners. Explanation: Data classification is necessary to define access rules on a need-to-do and need-to-know basis. The data owner is responsible for defining the access rules; hence, establishing ownership is the first step in data classification.
(10) An IS auditor observes that default printing options are enabled for all users. In this situation, the IS auditor is MOST likely to conclude that: A. The risk to data confidentiality increases. B. The risk to data integrity increases. C. It improves the productivity of employees. D. It ensures a smooth flow of information among users.
Answer: A. The risk to data confidentiality increases. Explanation: The risk to data confidentiality increases because any user can print documents. The print option does not affect data integrity; data integrity is affected by users' write/delete access.
(14) An IS auditor reviewing system controls should be MOST concerned that: A. Security and performance requirements are considered. B. Changes are recorded in a log. C. A process for change authorization is in place. D. Restricted access to system parameters is in place.
Answer: A. Security and performance requirements are considered. Explanation: The primary concern is to ensure that both security and performance aspects have been considered. This helps to ensure that control objectives are aligned with business objectives. Log maintenance and change authorization are also important, but in the absence of proper security and performance requirements they may not be effective.
(32) The Allow All Access Control Policy: A. Allows selected traffic and denies all other traffic. B. Denies selected traffic and allows all other traffic. C. Is frequently used for granting access from an untrusted network to an external system. D. Allows traffic at the discretion of the application owner.
Answer: B. Denies selected traffic and allows all other traffic. Explanation: The Allow All Access Control Policy allows all traffic by default and selectively denies only certain traffic through the firewall. It is frequently used for granting access from a trusted network to external systems such as the Internet. It is also called the Discretionary Access Control Policy.
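The difference between the two firewall policies in questions (31) and (32) is only the default action taken when no rule matches. The following added example (not part of the original notes; rule sets, addresses and traffic samples are constructed for illustration) evaluates the same five packets under a Default Deny rule set and an Allow All rule set, so the effect of the default on traffic nobody wrote a rule for is visible.

```python
"""Default Deny versus Allow All policy evaluation (added example, constructed data)."""
from ipaddress import ip_address, ip_network
from typing import Dict, List, NamedTuple, Optional, Tuple


class Rule(NamedTuple):
    action: str            # "allow" or "deny"
    src: str               # CIDR the packet source must fall in
    dport: Optional[int]   # destination port, or None for any port
    proto: str = "tcp"


class Packet(NamedTuple):
    src: str
    dport: int
    proto: str = "tcp"


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (ip_address(pkt.src) in ip_network(rule.src)
            and rule.proto == pkt.proto
            and (rule.dport is None or rule.dport == pkt.dport))


def evaluate(rules: List[Rule], default: str, pkt: Packet) -> str:
    """First matching rule wins; when nothing matches, the policy default applies.
    That default is the only thing that distinguishes Default Deny from Allow All."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return default


# Default Deny: list only what the protected system is meant to offer.
DEFAULT_DENY_RULES = [
    Rule("allow", "0.0.0.0/0", 443),     # public HTTPS front end
    Rule("allow", "10.0.0.0/8", 22),     # SSH only from the internal range
]

# Allow All: everything passes except a short list of explicit denials.
ALLOW_ALL_RULES = [
    Rule("deny", "0.0.0.0/0", 23),       # block Telnet everywhere
    Rule("deny", "192.0.2.0/24", None),  # block one (documentation-range) network entirely
]


def default_deny(pkt: Packet) -> str:
    return evaluate(DEFAULT_DENY_RULES, "deny", pkt)


def allow_all(pkt: Packet) -> str:
    return evaluate(ALLOW_ALL_RULES, "allow", pkt)


# Constructed traffic samples (documentation-range addresses).
SAMPLE: Dict[str, Packet] = {
    "https_from_internet": Packet("198.51.100.7", 443),
    "ssh_from_internet":   Packet("198.51.100.7", 22),
    "ssh_from_lan":        Packet("10.1.2.3", 22),
    "unknown_service":     Packet("198.51.100.7", 8443),  # no rule mentions this port
    "telnet_from_lan":     Packet("10.1.2.3", 23),
}


def compare() -> Dict[str, Tuple[str, str]]:
    """Decision under (Default Deny, Allow All) for each sample packet."""
    return {name: (default_deny(p), allow_all(p)) for name, p in SAMPLE.items()}


if __name__ == "__main__":
    for name, (dd, aa) in compare().items():
        print(f"{name:22s} default-deny={dd:5s} allow-all={aa}")
```

The "unknown_service" row is the one that matters for the exam point: under Default Deny a service nobody thought about is blocked until someone explicitly permits it, while under Allow All it passes until someone notices and writes a denial.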
(22) The appropriateness of router settings is reviewed during a: A. Physical access review. B. Network security review. C. Data centre security review. D. Data backup review.
Answer: B. Network security review. Explanation: Network security reviews include reviewing router access control lists, port scanning, internal and external connections to the system, etc.
(7) An IS auditor is reviewing an organization's logical access security. The auditor should be MOST concerned if: A. Passwords are shared. B. Password files are not protected. C. Resigned employees' logon IDs are not deleted immediately. D. Logon IDs are issued centrally.
Answer: B. Password files are not protected. Explanation: Unprotected password files represent the greatest risk. Such files should be stored in an encrypted manner. The other options are also essential, but they are less important than ensuring that the password files are encrypted.
(8) An IS auditor is evaluating database-level access control functions. Which of the following access control functions will NOT be in scope? A. Creating database profiles for monitoring. B. Verifying user authorization at the field level. C. Establishing individual accountability. D. Logging database access activities for monitoring access violations.
Answer: C. Establishing individual accountability. Explanation: Establishing individual accountability is a function of the general operating system. Creating database profiles, verifying user authorization at the field level and logging database access activities for monitoring access violations are all database-level access control functions.
(25) An IS auditor has been asked to recommend an effective control for providing temporary access rights to outsourced vendors. Which of the following is the MOST effective control? A. A penalty clause in the service level agreement (SLA). B. User accounts are created as per defined roles (least privilege) with expiration dates. C. Full access is provided for a limited period. D. Vendor management is given the right to delete IDs when work is completed.
Answer: B. User accounts are created as per defined roles (least privilege) with expiration dates. Explanation: (1) Creation of need-based user IDs and automated revocation of IDs on their expiration dates is the most effective control under the given scenario and options. (2) A penalty clause in the SLA may act as a deterrent control, but automated revocation of IDs is a more effective method of control. (3) Providing full access is a risky affair. (4) A control that relies on vendor management to delete IDs may not be reliable.
(26) For effective access control, proper naming conventions for system resources are essential because they: A. Ensure that resource names reflect their utility. B. Allow access rules to be structured and better managed. C. Ensure that user access to resources is clearly identified. D. Ensure that an international standard for naming is maintained.
Answer: B. Allow access rules to be structured and better managed. Explanation: (1) Naming conventions help in the efficient management of access rules and in defining structured access rules. The conventions can be structured so that resources beginning with the same high-level qualifier can be governed by one or more generic rules. This reduces the number of rules required to adequately protect resources, which in turn facilitates security administration and maintenance efforts. (2) Although, as a general rule, naming conventions ensure that names represent the utility of a resource, this does not affect access controls. (3) Naming conventions in themselves do not ensure that user access to a resource is clearly identified; clear and unique identification of user access to resources is handled by access control rules, not by naming conventions. (4) Each organization has its own standard for naming conventions; internationally recognized names are not required to control access to resources.
(19) An IS auditor performing a telecommunication access control review should be concerned PRIMARILY with the: A. Regular updating of log files on the usage of various system resources. B. Authorization and authentication mechanism for allowing access only to authorized users. C. Encryption mechanism for data protection. D. Mechanism to control remote access.
Answer: B. Authorization and authentication mechanism for allowing access only to authorized users. Explanation: Unless a proper authorization and authentication process is established, the other controls may not serve their purpose. This is a preventive control. The authorization and authentication of users is the most significant aspect; the other options serve their purpose only if access is allowed to authorized users.
(1) The IS auditor reviews logical access controls with the primary objective of: A. Determining that the access control software is working properly. B. Ensuring that access is granted as per the approved structure. C. Protecting computer software. D. Protecting computer hardware.
Answer: B. Ensuring that access is granted as per the approved structure. Explanation: The scope of a logical access control review is primarily to determine whether or not access is granted per the organization's authorizations. Choices A and C relate to procedures of a logical access control review rather than objectives. Choice D is relevant to a physical access control review.
(18) The read-only option is always recommended for: A. The access control matrix/rules. B. Log files for suspected transactions. C. Logging rules. D. User profiles.
Answer: B. Log files for suspected transactions. Explanation: Security administration procedures require read-only access to security log files to ensure that, once generated, the logs are not modified. Logs provide evidence and track suspicious transactions and activities. The other options may require modification, and hence write access may also be provided.
(24) The major risk from the lack of an authorization process for users of an application would be that: A. Many users can claim to be a specific user. B. There is no way to limit role-based access. C. User accounts are shared. D. The principle of least privilege can be assured.
Answer: B. There is no way to limit role-based access. Explanation: (1) Without an appropriate authorization process, it is impossible to establish functional limits and accountability. Hence the correct option is B, i.e. there is no way to limit role-based access. (2) The risk that many users can claim to be a specific user is better addressed by a proper authentication process than by authorization. (3) The authorization process does not directly affect the sharing of user accounts; other controls are required to prevent that. (4) In the absence of a proper authorization process, the principle of least privilege cannot be assured.
(15) The most effective transmission medium in terms of security against unauthorized access is: A. Copper wire. B. Twisted pair. C. Fiber-optic cable. D. Coaxial cable.
Answer: C. Fiber-optic cable. Explanation: Fiber-optic cables are more secure than the other media, which can be compromised more easily.
(16) The mechanism that checks each request by a subject to access and use an object against the security policy is known as: A. Address Resolution Protocol. B. Access control analyzer. C. Reference monitor. D. Reverse Address Resolution Protocol.
Answer: C. Reference monitor. Explanation: (1) In operating systems architecture, the reference monitor concept defines a set of design requirements on a reference validation mechanism, which enforces an access control policy over subjects' (e.g., processes and users) ability to perform operations (e.g., read and write) on objects (e.g., files and sockets) on a system. A reference monitor is implemented via a security kernel, which is a hardware/software/firmware mechanism. (2) The Address Resolution Protocol (ARP) is a network-layer protocol used to convert an IP address into a physical address such as an Ethernet address. A host wishing to obtain a physical address broadcasts an ARP request onto the TCP/IP network; the host on the network that has the IP address in the request then replies with its physical hardware address. (3) An access control analyzer is an audit utility for analyzing how well access controls have been implemented and maintained within an access control package. (4) Reverse ARP (RARP) can be used by a host to discover its IP address; the host broadcasts its physical address and a RARP server replies with the host's IP address.
(27) An IS auditor is reviewing the security of a payroll application. Which of the following should concern the auditor? A. Role-based access for users. B. Hardening of the systems on which the application runs. C. The ability of users to access and modify the database directly. D. Two-factor authentication for access.
Answer: C. The ability of users to access and modify the database directly. Explanation: The ability of users to directly modify the database can affect the integrity of the data. Only the DBA should be allowed to make back-end changes to the database. The other factors (role-based access, system hardening and two-factor authentication) are good IT security practices. Hardening a system involves disabling functions such as disk drives, USB and other ports that could affect data security.
(9) An IS auditor observed that even though the password policy requires passwords to be a combination of letters, numbers and special characters, users are not following it rigorously. To ensure compliance with the security policy, the IS auditor should recommend: A. That the password policy be simplified. B. That the password policy be sent to all users every month. C. The use of an automated password management tool. D. That monthly security awareness training be delivered.
Answer: C. The use of an automated password management tool. Explanation: Among the choices given, the use of an automated password management tool is the best preventive control. The software prevents the use of passwords that are not allowed by the policy. It also provides a method of ensuring frequent changes and prevents a user from reusing old passwords for a designated period. Choices A, B and D do not enforce compliance.
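The three things the explanation expects of the tool (reject non-compliant passwords, force periodic change, block reuse of recent passwords) are all mechanical checks, which is why a tool enforces them where memos and training do not. The following added example (not from the original notes; policy parameters, user names and passwords are constructed) implements a minimal version of that enforcement. Previous passwords are kept only as salted PBKDF2 hashes, so the reuse check does not require storing old passwords.

```python
"""Automated password policy enforcement (added example, constructed parameters)."""
import hashlib
import hmac
import os
import string
from typing import Dict, List, Optional

# Constructed policy parameters, standing in for whatever the organization's policy states.
MIN_LENGTH = 12
HISTORY_DEPTH = 5      # a password may not match any of the user's last N passwords
MAX_AGE_DAYS = 90      # password must be changed after this many days


def complexity_violations(pw: str) -> List[str]:
    """Return every policy rule the candidate breaks; an empty list means compliant."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c in string.ascii_letters for c in pw):
        problems.append("no letter")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if not any(c in string.punctuation for c in pw):
        problems.append("no special character")
    return problems


def _hash(pw: str, salt: bytes) -> bytes:
    # Salted, iterated hash so the history file is not a list of reusable secrets.
    return hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, 100_000)


class PasswordStore:
    def __init__(self) -> None:
        # user -> {"salt": bytes, "history": [hashes, newest first], "changed_day": int}
        self._users: Dict[str, dict] = {}

    def set_password(self, user: str, pw: str, today: int) -> Optional[str]:
        """Apply the policy. Return None when the change is accepted, else the reason."""
        problems = complexity_violations(pw)
        if problems:
            return "policy violation: " + ", ".join(problems)
        rec = self._users.setdefault(
            user, {"salt": os.urandom(16), "history": [], "changed_day": today})
        candidate = _hash(pw, rec["salt"])
        if any(hmac.compare_digest(candidate, old)
               for old in rec["history"][:HISTORY_DEPTH]):
            return f"reuse of one of the last {HISTORY_DEPTH} passwords"
        rec["history"].insert(0, candidate)
        rec["changed_day"] = today
        return None

    def must_change(self, user: str, today: int) -> bool:
        """True once the current password has reached the maximum age (in days)."""
        return today - self._users[user]["changed_day"] >= MAX_AGE_DAYS


if __name__ == "__main__":
    store = PasswordStore()
    print(store.set_password("alice", "Correct-Horse-42", today=0))   # None: accepted
    print(store.set_password("alice", "Correct-Horse-42", today=30))  # rejected: reuse
    print(store.set_password("bob", "short1!", today=0))              # rejected: too short
    print(store.must_change("alice", today=95))                       # True: older than 90 days
```

Days are passed in as integers rather than read from the clock so the age check is deterministic; a real deployment would compare against the current date.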
(11) An IS auditor is reviewing the wireless network security policy of an organization. Which of the following actions would make the wireless network more secure? A. Disabling MAC (Media Access Control) address filtering. B. Disabling WPA (Wi-Fi Protected Access). C. Enabling SSID (service set identifier) broadcasting. D. Disabling SSID (service set identifier) broadcasting.
Answer: D. Disabling SSID (service set identifier) broadcasting. Explanation: Disabling SSID broadcasting adds security by making it more difficult for unauthorized users to find the name of the access point. The other options would in fact reduce the security of the network.
(3) Which of the following is the best technique for protecting critical data inside a server? A. Security awareness. B. Reading the security policy. C. A security committee. D. Logical access controls.
Answer: D. Logical access controls. Explanation: (1) In any given scenario, preference is given to preventive controls over detective or deterrent controls. Logical access controls are the best preventive controls for ensuring data integrity and confidentiality. (2) Awareness by itself does not protect against unauthorized access to or disclosure of information. (3) Knowledge of the information systems security policy, which should be known by the organization's employees, helps to protect information but does not prevent unauthorized access to it. (4) A security committee is key to the protection of information assets, but addresses security issues from a broader perspective.
(17) An IS auditor is reviewing the level of access available to different users. To determine this, which of the following should the IS auditor review? A. Log files maintained for system access. B. Job descriptions of users. C. Logs maintained for access control violations. D. System configuration files for the control options used.
Answer: D. System configuration files for the control options used. Explanation: A review of the system configuration files for the control options used shows the level of access available to different users. Both kinds of log file are detective in nature. Job descriptions of users do not provide details about access levels.
(28) Which of the following is the FIRST step in implementing an access control list? A. Categorization of IS resources. B. Grouping of IS resources. C. Implementation of access control rules. D. Creating an inventory of available IS resources.
Answer: D. Creating an inventory of available IS resources. Explanation: In any given scenario, the steps for implementing logical access controls are: (a) inventory of IS resources; (b) classification of IS resources; (c) grouping/labelling of IS resources; (d) creation of an access control list. Thus the first step in implementing access controls is an inventory of IS resources, which is the basis for classification. Grouping of resources cannot be done without first determining the resources' classifications.
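The four steps in question (28), the naming-convention point in question (26) and the reference monitor in question (16) fit together in one small model: the inventory is the list of objects, classification and grouping come from the qualifiers in each resource name, the ACL is written as a few generic rules over those qualifiers, and a check function decides every request against the ACL. The following added example (not from the original notes; resource names, classes, roles and rules are constructed) walks through all four steps.

```python
"""Inventory -> classification -> grouping -> ACL, with a reference-monitor style check
(added example, constructed data)."""
from fnmatch import fnmatchcase
from typing import Dict, List, Set, Tuple

# Step (a): inventory of IS resources. Constructed names follow a convention of
# <SYSTEM>.<CLASS>.<NAME>, the kind of high-level qualifier structure question (26) relies on.
INVENTORY: List[str] = [
    "PAY.CONF.SALARY",
    "PAY.CONF.BANKACCT",
    "PAY.INT.TAXTABLE",
    "HR.CONF.APPRAISAL",
    "HR.PUB.HOLIDAYS",
    "WEB.PUB.BANNER",
]

# Step (b): classification, read from the second qualifier of each name.
CLASS_OF_QUALIFIER = {"CONF": "confidential", "INT": "internal", "PUB": "public"}


def classify(inventory: List[str]) -> Dict[str, str]:
    return {name: CLASS_OF_QUALIFIER[name.split(".")[1]] for name in inventory}


# Step (c): grouping/labelling. Resources sharing the first two qualifiers form one group,
# so a single rule can cover the whole group instead of one rule per resource.
def group_by_prefix(inventory: List[str]) -> Dict[str, List[str]]:
    groups: Dict[str, List[str]] = {}
    for name in inventory:
        prefix = ".".join(name.split(".")[:2])
        groups.setdefault(prefix, []).append(name)
    return groups


# Step (d): the access control list, written as generic rules over name patterns.
# Entry: (role, resource pattern, permitted operations). "everyone" applies to every role.
ACL: List[Tuple[str, str, Set[str]]] = [
    ("payroll_clerk", "PAY.*",     {"read"}),
    ("payroll_admin", "PAY.*",     {"read", "write"}),
    ("hr_manager",    "HR.CONF.*", {"read", "write"}),
    ("everyone",      "*.PUB.*",   {"read"}),
]


def check_access(role: str, resource: str, op: str) -> bool:
    """Reference-monitor style decision for one request (subject role, object, operation):
    permit only if an ACL entry for the role (or for everyone) covers the object and the
    operation; anything not expressly permitted is denied."""
    if resource not in INVENTORY:
        return False   # an object missing from the inventory can never be correctly protected
    for entry_role, pattern, ops in ACL:
        if entry_role in (role, "everyone") and fnmatchcase(resource, pattern) and op in ops:
            return True
    return False


def rule_count_saved() -> Tuple[int, int]:
    """(resources in inventory, generic ACL entries): shows the reduction the naming
    convention buys compared with one entry per resource per role."""
    return len(INVENTORY), len(ACL)


if __name__ == "__main__":
    print(classify(INVENTORY))
    print(group_by_prefix(INVENTORY))
    print(check_access("payroll_clerk", "PAY.CONF.SALARY", "read"))     # True
    print(check_access("payroll_clerk", "PAY.CONF.SALARY", "write"))    # False
    print(check_access("payroll_clerk", "HR.PUB.HOLIDAYS", "read"))     # True via "everyone"
    print(check_access("payroll_clerk", "PAY.CONF.BONUS", "read"))      # False: not in inventory
```

The last call is the reason the inventory comes first: a resource that was never inventoried is not classified, not grouped, and therefore not covered by any rule, so the monitor can only deny it and the omission surfaces as an access failure rather than an unprotected object.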
(30) To prevent unauthorized entry to the database of a critical application, an IS auditor should recommend that: A. Online terminals are placed in restricted areas. B. CCTV cameras are placed above terminals. C. ID cards are required to gain access to online terminals. D. Online access is blocked after a specified number of unsuccessful attempts.
Answer: D. Online access is blocked after a specified number of unsuccessful attempts. Explanation: (1) In any given scenario, preference is given to preventive controls over detective or deterrent controls. The most appropriate control to prevent unauthorized entry is to terminate the connection after a specified number of attempts; this deters access through the guessing of IDs and passwords. (2) The other controls cannot prevent remote access by intruders. The other choices are physical controls, which are desirable but less effective than blocking access.