CISA
Parity bits are a control used to validate: A.Data authentication B.Data completeness C.Data source D.Data accuracy
B. Data completeness Explanation: Parity bits are a control used to validate data completeness.
Involvement of senior management is MOST important in the development of: A.Strategic plan B.IS policies C.IS procedures D.Standards and guidelines
A. Strategic plan Explanation: Strategic plans provide the basis for ensuring that the enterprise meets its goals and objectives. Involvement of senior management is critical to ensuring that the plan adequately addresses the established goals and objectives.
An IS auditor reviewing the key roles and responsibilities of the DBA is LEAST likely to expect the job description of the DBA to include: A.Defining the conceptual scheme B.Defining security and integrity check C.Liasing with users in developing data models D.Mapping data models with internal schema
D. Mapping data models with internal schema Explanation: Only very rare instances when the DBA should be mapping data elements from the data model to the internal schema (physical data storage definitions). To do so would eliminate data independence for application systems.
An IS auditor evaluating logical access controls should FIRST: A.Document the controls applied to the potential access paths to the system B.Test controls over the access paths to determine if they are functional C.Evaluate the security environment in relation to written policies and practices D.Obtain an understanding of the security risks to information processing
D. Obtain an understanding of the security risks to information processing Explanation: When evaluating logical access controls, an IS auditor should first obtain an understanding of the security risks facing information processing by reviewing relevant documentation, by inquiries, and by conducting a risk assessment.
Which of the following translates email formats from one network to another so that the message can travel through all networks? A.Gateway B.Protocol converter C.Front-end communication processor D.Concentrator/multiplexor
A. Gateway Explanation: A gateway performs the job of translating e-mail formats from one network to another so messages can make their way through all the networks.
If an IS auditor finds evidence of risk involved in not implementing proper segregation of duties, such as having the security administrator perform an operations function, what is the auditor's primary responsibility? A.To advise senior management B.To reassign job functions to eliminate potential fraud C.To implement compensating controls D.Segregation of duties is an administrative control not considered by an IS auditor
A. To advise senior management Explanation: An IS auditor's primary responsibility is to advise senior management of the risk involved in not implementing proper segregation of duties, such as having security administrator perform an operations function.
Atomicity enforces data integrity by ensuring that a transaction is either completed in its entirely or not at all. Atomicity is part of the ACID test reference for transaction processing. True or false? A.True B.False
A. True Explanation: Atomicity enforces data integrity by ensuring that a transaction is either completed in its entirely or not at all. Atomicity is part of the ACID test reference for transaction processing.
Network environments often add to the complexity of program-to-program communication, making the implementation and maintenance of application systems more difficult. True or false? A.True B.False
A. True Explanation: Network environments often add to the complexity of program-to-program communication, making application systems implementation and maintenance more difficult.
Who assumes ownership of a systems development project and the resulting system? A.User management B.Project steering committee C.IT management D.System developers
A. User management Explanation: User management assumes ownership of a systems development project and the resulting system.
Which of the following BEST characterizes a mantrap or deadman door, which is used as a deterrent control for the vulnerability of piggybacking? A.A monitored double-doorway entry system B.A monitored turnstile entry system C.A monitored doorway entry system D.A one-way door that does not allow exit after entry
A. A monitored double-doorway entry system Explanation: A monitored double-doorway entry system, also referred to as a mantrap or a deadman door, is used as a deterrent control for the vulnerability of piggybacking.
When an organization is outsourcing their information security function, which of the following should be kept in the organization? A.Accountability for the corporate security policy B.Defining the corporate security policy C.Implementing the corporate security policy D.Defining security procedures and guidelines
A. Accountability for the corporate security policy Explanation: Accountability cannot be transferred to external parties.
Which of the following do digital signatures provide? A.Authentication and integrity of data B.Authentication and confidentiality of data C.Confidentiality and integrity of data D.Authentication and availability of data
A. Authentication and integrity of data Explanation: The primary purpose of digital signatures is to provide authentication and integrity of data.
What type of approach to the development of organizational policies is often driven by risk assessment? A.Bottom-up B.Top-down C.Comprehensive D.Integrated
A. Bottom-Up Explanation: A bottom-up approach to the development of organizational policies is often driven by risk assessment.
A PRIMARY benefit derived from an organization employing control self-assessment (CSA) techniques is that it: A.Can identify high-risk areas that might need a detailed review later B.Allows IS auditors to independently assess risk C.Can be used as a replacement for a traditional audit D.Allows management to relinquish responsibility for the control
A. Can identify high-risk areas that might need a detailed review later Explanation: CSA is predicated on the review of high-risk areas that either need immediate attention or a more thorough review at a later date.
What is an edit check to determine whether a field contains valid data? A.Completeness check B.Accuracy check C.Redundancy check D.Reasonableness check
A. Completeness check Explanation: A completeness check is an edit check to determine whether a field contains valid data.
_____ should be implemented as early as data preparation to support data integrity at the earliest point possible. A.Control totals B.Authentication controls C.Parity bits D.Authorization controls
A. Control totals Explanation: Control totals should be implemented as early as data preparation to support data integrity at the earliest point possible.
A call-back system requires that a user with an ID and password call a remote server through a dial-up line, then the server disconnects and: A.Dials back to the user machine based on the user id and password using a telephone number from its database B.Dials back to the user machine based on the user id and password using a telephone number provided by the user during this connection C.Waits for a redial back from the user machine for reconfirmation and then verifies the user id and password using its database D.Waits for a redial back from the user machine for reconfirmation and then verifies the user id and password using the sender's database
A. Dials back to the user machine based on the user id and password using a telephone number from its database Explanation: A call-back system in a Net centric environment would mean that a user with an ID and password calls a remote server through a dial-up line first, and then the server disconnects and dials back to the user machine based on the user id and password using a telephone number from its database. Although the server can depend upon its own database, it cannot know the authenticity of the dialer when the user dials again. The server cannot depend upon the sender's database to dial back as the same could be manipulated.
An IS auditor usually places more reliance on evidence directly collected. What is an example of such evidence? A.Evidence collected through personal observation B.Evidence collected through systems logs provided by the organization's security administration C.Evidence collected through surveys collected from internal staff D.Evidence collected through transaction reports provided by the organization's IT administration
A. Evidence collected through personal observation Explanation: An IS auditor usually places more reliance on evidence directly collected, such as through personal observation.
When should plans for testing for user acceptance be prepared? Choose the BEST answer. A.In the requirements-definition phase of the systems development project B.In the feasibility phase of the systems development project C.In the design phase of the systems development project D.In the development phase of the systems development project
A. In the requirements definition phase of the systems development lifecycle project Explanation: Plans for user acceptance are usually prepared in the requirements definition phase of the systems development project.
What are used as the framework for developing logical access controls? A.Information systems security policies B.Organization security policies C.Access Control Lists (ACLs) D.Organizational charts for identifying roles and responsibilities
A. Information systems security policies Explanation: Information systems security policies are used as the framework for developing logical access controls.
A retail outlet has introduced radio frequency identification (RFI) tags to create unique serial numbers for all products. Which of the following is the PRIMARY concern associated with this initiative? A.Issues of privacy B.Wavelength can be absorbed by the human body C.RFID tags may not be removable D.RFID eliminates line-of-sight reading
A. Issues of privacy Explanation: The purchaser of an item will not necessarily be aware of the presence of the tag. If a tagged item is paid for by credit card, it would be possible to tie the unique ID of that item to the identity of the purchaser. Privacy violations are a significant concern when it comes to RFID because it carries unique serial numbers. If desired, it would be possible for a firm to track individuals who purchase an item containing an RFID.
What can be implemented to provide the highest level of protection from external attack? A.Layering perimeter network protection by configuring the firewall as a screened host in a screened subnet behind the bastion host B.Configuring the firewall as a screened host behind a router C.Configuring the firewall as the protecting bastion host D.Configuring two load-sharing firewalls facilitating VPN access from external hosts to internal hosts
A. Layering perimeter network protection by configuring the firewall as a screened host in a screened subnet behind the bastion host Explanation: Layering perimeter network protection by configuring the firewall as a screened host in a screened subnet behind the bastion host provides a higher level of protection from external attack than all other answers.
An IS auditor has imported data from a client's database. The next step confirming whether the imported data is complete is performed by: A.Matching control totals of the imported data to control totals of the original data B.Reviewing the data to confirm whether the data are in the same order as the original data C.Reviewing the printout of the first 100 records of original data with the first 100 records of the imported data D.Filtering data for different categories and matching them to original data
A. Matching control totals of the import data to control totals of the original data Explanation: Confirms the completeness of the imported data.
How do modems (modulation/demodulation) function to facilitate analog transmissions to enter a digital network? A.Modems convert analog transmissions to digital, and digital transmissions to analog B.Modems encapsulate analog transmissions within digital, and digital transmissions within analog C.Modems convert digital transmissions to analog, and analog transmissions to digital D.Modems encapsulate digital transmissions within analog, and analog transmissions within digital
A. Modems convert analog transmissions to digital, and convert digital transmissions to analog Explanation: Modems (modulation/demodulation) convert analog transmissions to digital, and digital transmissions to analog, and are required for analog transmissions to enter a digital network.
An IS auditor should be concerned when a telecommunications analyst: A.Monitors system performance and tracks problems resulting from program changes B.Reviews network load requirements in terms of current and future transaction volume C.Assesses the impact of the network load on terminal response times and network data transfer rates D.Recommends network balancing procedures and improvement
A. Monitors system performance and tracks problems resulting from program changes Explanation: Monitoring system performance and tracking problems as a result of program changes would put the analyst in a self-monitoring role.
Which of the following systems-based approaches would a financial processing company employ to identify abnormal patterns and report them? A.A neural network B.Database management software C.Management information systems D.Computer assisted audit techniques
A. Neural Network Explanation: A neural network will monitor and learn patterns, reporting exceptions for investigation.
Which of the following is normally a responsibility of the Chief Security Officer (CSO)? A.Periodically reviewing and evaluating the security policy B.Executing user application and software testing and evaluation C.Granting and revoking user access to IT resources D.Approving access to data and applications
A. Periodically reviewing and evaluating the security policy Explanation: The role of a CSO is to ensure that the corporate security policy and controls are adequate to prevent unauthorized access to the company assets, including data, programs, and equipment.
Which of the following is a benefit of using callback devices? A.Provide an audit trail B.Can be used in a switchboard environment C.Permit unlimited user mobility D.Allow call forwarding
A. Provide an audit trail Explanation: A callback feature hooks into the access control software and logs all authorized and unauthorized access attempts, permitting the follow-up and further review of potential breaches.
The PRIMARY objective of implementing corporate governance by an organization's management is to: A.Provide strategic direction B.Control business operations C.Align IT with business D.Implement best practices
A. Provide strategic direction Explanation: Corporate governance is a set of management practices to provide strategic direction, thereby ensuring that goals are achievable, risks are properly addressed, and organizational resources are properly utilized.
In a public key infrastructure (PKI), the authority responsible for the identification and authentication of an applicant for a digital certificate is the: A.Registration Authority (RA) B.Certification Authority (CA) C.Subject C D.Policy management authority
A. Registration Authority (RA) Explanation: A RA is an entity that is responsible for identification and authentication of certificate subjects, but the RA does not sign or issue certificates. The certificate subject usually interacts with the RA for completing the process of subscribing to the services of the certification authority in terms of getting identity validated with standard identification documents, as detailed in the certificate policies of the CA. In the context of a particular certificate, the issuing CA is the CA that issued the certificate. In the context of a particular CA certificate, the subject CA is the CA whose public key is certified in the certificate.
Who is ultimately accountable for the development of an IS security policy? A.The board of directors B.Middle management C.Security administrators D.Network administrators
A. The board of directors Explanation: The board of directors is ultimately accountable for the development of an IS security policy.
Who is ultimately responsible for providing requirement specifications to the software development team? A.The project sponsor B.The project members C.The project leader D.The project steering committee
A. The project sponsor Explanation: The project sponsor is ultimately responsible for providing requirement specifications to the software development team.
Which of the following tests is an IS auditor performing when a sample of programs is selected to determine if the source and object versions are the same? A.A substantive test of program library controls B.A compliance test of program library controls C.A compliance test of the program compiler controls D.A substantive test of the program compiler controls
B. A compliance test of program library controls Explanation: A compliance test determines if controls are operating as designed and are being applied in a manner that complies with management policies and procedures.
What topology provides the greatest redundancy of routes and the greatest network fault tolerance? A.A start network topology B.A mesh network technology with packet forwarding enabled at each host C.A bus network topology D.A ring network topology
B. A mesh network topology with packet forwarding enabled at each host Explanation: A mesh network topology provides a point-to-point link between every network host. If each host is configured to route and forward communication, this topology provides the greatest redundancy of routes and the greatest network fault tolerance.
What can be very helpful to an IS auditor when determining the efficacy of a systems maintenance program? Choose the BEST answer. A.Network-monitoring software B.A system downtime log C.Administration activity reports D.Help-desk utilization trend reports
B. A system downtime log Explanation: A system downtime log can be very helpful to an IS auditor when determining the efficacy of a systems maintenance program.
Which of the following is an effective method for controlling downloading of files via FTP? Choose the BEST answer. A.An application-layer gateway, or proxy firewall, but not stateful inspection firewalls B.An application-layer gateway, or proxy firewall C.A circuit-level gateway D.A first-generation packet-filtering firewall
B. An application-layer gateway, or proxy server Explanation: Application-layer gateways, or proxy firewalls, are an effective method for controlling downloading of files via FTP. Because FTP is an OSI application-layer protocol, the most effective firewall needs to be capable of inspecting through the application layer.
How does the process of systems auditing benefit from using a risk-based approach to audit planning? A.Controls testing starts earlier B.Auditing resources are allocated to the areas of highest concern C.Auditing risk is reduced D.Controls testing is more thorough
B. Auditing resources are allocated to the areas of highest concern Explanation: Allocation of auditing resources to the areas of highest concern is a benefit of a risk-based approach to audit planning.
Which of the following processes are performed during the design phase of the system development lifecycle (SDLC) model? A.Develop test plan B.Baseline procedures to prevent scope creep C.Define the need that requires resolution and map to the major requirements of the solution D.Program and test the new system
B. Baseline procedures to prevent scope creep Explanation: Procedures to prevent scope creep are baselined in the design phase of the SDLC model.
Which of the following devices extends the network and has the capacity to store frames and act as a storage and forward device? A.Router B.Bridge C.Repeater D.Gateway
B. Bridge Explanation: A bridge connects two separate networks to form a logical network (e.g., joining an ethernet and token network) and has the storage capacity to store frames and act as a storage and forward device. Bridges operate at the OSI data link layer by examining the media access control header of a data packet
Any changes in system assets, such as replacement of hardware, should be immediately recorded within the assets inventory of which of the following? Choose the BEST answer. A.IT strategic plan B.Business continuity plan C.Business impact analysis D.Incident response plan
B. Business continuity plan Explanation: Any changes in system assets, such as replacement of hardware, should be immediately recorded within the assets inventory of a business continuity plan.
Which of the following data validation edits is effective in detecting transposition and transcription errors? A.Range check B.Check digit C.Validity check D.Duplicate check
B. Check digit Explanation: A check digit is a numeric value that's calculated mathematically and is appended to data to ensure the original data have not been altered.
If an IS auditor observes that individual modules of a system perform correctly in development project tests, the auditor should inform management of the positive results and recommend further: A.Documentation development B.Comprehensive integration testing C.Full unit testing D.Full regression testing
B. Comprehensive integration testing Explanation: If an IS auditor observes that individual modules of a system perform correctly in development project tests, the auditor should inform management of the positive results and recommend further comprehensive integration testing.
Which of the following provides near-immediate recoverability for time-sensitive systems and transaction processing? A.Automated electronic journaling and parallel processing B.Data mirroring and parallel processing C.Data mirroring D.Parallel processing
B. Data mirroring and parallel processing Explanation: Data mirroring and parallel processing are both used to provide near-immediate recoverability for time-sensitive systems and transaction processing.
What is the lowest level of the IT governance maturity model where an IT balanced scorecard exists? A.Repeatable but intuitive B.Defined C.Managed and measurable D.Optimized
B. Defined Explanation: Defined (level 3) is the lowest level at which an IT balanced scorecard is defined.
When developing a security architecture, which of the following steps should be executed FIRST? A.Developing security procedures B.Defining a security policy C.Specifying an access control methodology D.Defining roles and responsibilities
B. Defining a security policy Explanation: Defining a security policy for information and related technology is the first step towards building a security architecture. A security policy communicates a coherent security standard to users, management, and technical staff.
A data administrator is responsible for: A.Maintaining database system software B.Defining data elements, data names, and their relationships C.Developing physical database structures D.Developing data dictionary system software
B. Defining data elements, data names, and their relationships Explanation: A data administrator is responsible for defining data elements, data names, and data relationships. Choices A, C, and D are all functions of a database administrator (DBA)
A critical function of a Firewall is to act as a: A.Special router that connects the Internet to a LA B.Device for preventing authorized users from accessing the LA C.Server used to connect authorized users to private trusted network resources D.Proxy server to increase the speed of access to authorized users
B. Device for preventing authorized users from accessing the LA Explanation: A Firewall is a set of related programs, located at a network gateway server, that protects the resources of a private network from users of other networks. An enterprise with an Intranet that allows it workers access to the wider Internet installs a Firewall to prevent outsiders from accessing its own private data resources and for controlling the outside resources to which its own users have access. Basically, a Firewall, working closely with a router program, filters all network packets to determine whether or not to forward them toward their destination. A firewall includes or works with a proxy server that makes network requests on behalf of workstation users. A firewall is often installed in a specially designed computer that is separate from the rest of the network so no incoming request can get directed to private network resources.
Digital signatures require the sender to "sign" the data by encrypting the data with the sender's public key, to then be decrypted by the recipient using the recipient's private key. True or false? A.True B.False
B. False Explanation: Digital signatures require the sender to "sign" the data by encrypting the data with the sender's private key, to then be decrypted by the recipient using the sender's public key.
Proper segregation of duties normally does not prohibit a LAN administrator from also having programming responsibilities. True or false? A.True B.False
B. False Explanation: Proper segregation of duties normally prohibits a LAN administrator from also having programming responsibilities.
To minimize costs and improve service levels an outsourcer should seek which of the following contract clauses? A.O/S and hardware refresh frequencies B.Gain-sharing performance bonuses C.Penalties for non-compliance D.Charges tied to variable cost metrics
B. Gain-sharing performance bonuses Explanation: Because the outsourcer will share a percentage of the achieved savings, gain-sharing performance bonuses provide a financial incentive to go above and beyond the stated terms of the contract and can lead to cost savings for the client.
A number of system failures are occurring when corrections to previously detected errors are resubmitted for acceptance testing. This would indicate that the maintenance team is probably not adequately performing which of the following types of testing? A.Unit testing B.Integration testing C.Design walk-throughs D.Configuration management
B. Integration testing Explanation: A common system maintenance problem is that errors are often corrected quickly (especially when deadlines are tight), units are tested by the programmer, and then transferred to the acceptance test area. This often results in system problems that should've been detected during integration or system testing. Integration testing aims at ensuring that the major components of the system interface correctly.
What can be used to gather evidence of network attacks? A.Access control lists (ACL) B.Intrusion Detection System (IDS) C.Syslog reporting D.Antivirus programs
B. Intrusion detection system (IDS) Explanation: Intrusion detection systems (IDS) are used to gather evidence of network attacks.
Which of the following is a data validation edit and control? A.Hash totals B.Reasonableness checks C.Online access controls D.Before and after image reporting
B. Reasonableness check Explanation: A reasonableness check is a data validation edit and control, used to ensure that data conforms to predetermined criteria.
Structured programming is BEST described as a technique that: A.Provides knowledge of program functions to other programmers via peer review B.Reduces the maintenance time of programs by the use of small-scale program modules C.Makes the readable coding reflect as closely as possible the dynamic execution of the program D.Controls the coding and testing of high-level functions of the program in the development process
B. Reduces the maintenance time of programs by the use of small-scale program modules Explanation: A characteristic of structured programming is smaller, workable units. Structured programming has evolved because smaller, workable units are easier to maintain. Structured programming is a style of programming that which restricts the kinds of control structures. This limitation is not crippling. Any program can be written with allowed control structures.
Who should be responsible for network security operations? A.Business unit managers B.Security administrators C.Network administrators D.IS auditors
B. Security Administrators Explanation: Security administrators are usually responsible for network security operations.
What would an IS auditor expect to find in the console log? Choose the BEST answer. A.Evidence of password spoofing B.System errors C.Evidence of data copy activities D.Evidence of password sharing
B. System errors Explanation: An IS auditor can expect to find system errors to be detailed in the console log.
_____ is/are ultimately accountable for the functionality, reliability, and security within IT governance. Choose the BEST answer. A.Data custodians B.The board of directors and executive officers C.IT security administration D.Business unit managers
B. The board of directors and executive officers Explanation: The board of directors and executive officers are ultimately accountable for the functionality, reliability, and security within IT governance.
Whenever an application is modified, what should be tested to determine the full impact of the change? A.Interface systems with other applications or systems B.The entire program, including any interface systems with other applications or systems C.All programs, including interface systems with other applications or systems D.Missions-critical functions and any interface systems with other applications or systems
B. The entire program, including any interface systems with other applications or systems Explanation: Whenever an application is modified, the entire program, including any interface systems with other applications or systems, should be tested to determine the full impact of the change.
The directory system of a database-management system describes: A.The access method to data B.The location of data AND the access method C.The location of data D.Neither the location of data NOR the access method.
B. The location of data AND the access method Explanation: The directory system of a database management system describes the location of data and the access method.
Who is responsible for the overall direction, costs, and timetables for systems development projects? A.The project sponsor B.The project steering committee C.Senior management D.The project team leader
B. The project steering committee Explanation: The project steering committee is responsible for the overall direction, costs, and timetables for systems development projects
What type of cryptosystem is characterized by data being encrypted by the sender using the recipient's public key, and the data then being decrypted using the recipient's private key? A.With public-key encryption, or symmetric encryption B.With public-key encryption, or asymmetric encryption C.With shared-key encryption, or symmetric encryption D.With shared-key encryption, or asymmetric encryption
B. With public-key encryption, or asymmetric encryption Explanation: With public key encryption or asymmetric encryption, data is encrypted by the sender using the recipient's public key; the data is then decrypted using the recipient's private key.
What can ISPs use to implement inbound traffic filtering as a control to identify IP packets from unauthorized sources? Choose the BEST answer. A.OSI layer 2 switches with packet filtering enabled B.Virtual Private Networks C.Access Control Lists (ACL) D.Point-to-point tunneling protocol
C. Access Control Lists (ACL) Explanation: ISPs can use access control lists to implement inbound traffic filtering as a control to identify IP packets transmitted from unauthorized sources.
The INITIAL step in establishing an information security program is the: A.Development and implementation of an information security standards manual B.Performance of comprehensive security control review by the IS auditor C.Adoption of corporate information security policy statement D.Purchase of security access control software
C. Adoption of corporate information security policy statement Explanation: a policy statement reflects the intent and support provided by executive management for proper security and establishes a starting point for developing the security program.
Which of the following types of data validation editing checks is used to determine if a field contains data, and not zeros or blanks? A.Check digit B.Existence check C.Completeness check D.Reasonableness check
C. Completeness check Explanation: A completeness check is used to determine if a field contains data and not zeros or blanks
A database administrator is responsible for: A.Defining data ownership B.Establishing operational standards for the data dictionary C.Creating the logical and physical database D.Establishing ground rules for ensuring data integrity and security
C. Creating the logical and physical database Explanation: A database administrator is responsible for creating and controlling the logical and physical database. Defining data ownership resides with the head of the user department or top management if data is common to the organization. IS management and the data administrator are responsible for establishing operational standards for the data dictionary. Establishing ground rules for ensuring data integrity and security in-line with the corporate security policy is a function of the security administrator.
What is the first step in a business process re-engineering project? A.Identifying current business processes B.Forming a BPR steering committee C.Defining the scope of areas to be reviewed D.Reviewing the organizational strategic plan
C. Defining the scope of the areas to be reviewed Explanation: Defining the scope of the areas to be reviewed is the first step in the business process re-engineering project.
To ensure that audit resources deliver the best value to the organization, the FIRST step would be to: A.Schedule the audits and monitor the time spent on each audit B.Train the IS audit staff on current technology used in the company C.Develop the audit plan on the basis of a detailed risk assessment D.Monitor progress of audits and initiate cost control measures
C. Develop the audit plan on the basis of a detailed risk assessment Explanation: Monitoring the time (choice A) and audit programs (choice D), as well as adequate training (choice B), will improve the IS audit staff's productivity (efficiency and performance), but that which delivers value to the organization are the resources and efforts being dedicated to, and focused on, the higher-risk areas.
A sequence of bits appended to a digital document that is used to secure an email sent through the Internet is called a: A.Digest signature B.Electronic signature C.Digital signature D.Hash signature
C. Digital Signature Explanation: A digital signature through the private cryptographic key authenticates a transmission from a sender through the private cryptographic key. It is a string of bits that uniquely represent another string of bits, a digital document. An electronic signature refers to the string of bits that digitally represents a handwritten signature captured by a computer system when a human applies it on an electronic pen pad, connected to the system.
When developing a formal enterprise security plan, the MOST critical success factor (CSF) would be the: A.Establishment of a review board B.Creation of a security unit C.Effective support of an executive sponsor D.Selection of a security process owner
C. Effective support of an executive sponsor Explanation: The executive sponsor would be in charge of supporting the organization's strategic security program and would aid in directing the organization's overall security management activities.
Which of the following is a good control for protecting confidential data residing on a PC? A.Personal firewall B.File encapsulation C.File encryption D.Host-based intrusion detection system
C. File encryption Explanation: File encryption is a good control for protecting confidential data residing on a PC.
During a review of a customer master file, an IS auditor discovered numerous customer name duplications resulting from variations in the customer first names. To determine the extent of the duplication, the IS auditor would use: A.Test data to validate data input B.Test data to determine system sort capabilities C.Generalized audit software to search for address field duplication D.Generalized audit software to search for account field duplication
C. Generalized audit software to search for address field duplication Explanation: Since the name is similar, but not the exact same, one method to detect duplications would be to compare other common fields, such as address.
What process allows IS management to determine whether the activities of the organization differ from the planned or expected levels? Choose the BEST answer. A.Business impact assessment B.Risk assessment C.IS assessment methods D.Key performance indicators (KPIs)
C. IS Assessment Methods Explanation: IS assessment methods allow management to determine whether the activities of the organization differ from the planned or expected levels.
What is an initial step in creating a proper firewall policy? A.Assigning access to users according to the principle of least privilege B.Determining appropriate firewall hardware and software C.Identifying network applications such as mail, web, or FTP servers D.Configuring firewall access rules
C. Identifying network applications such as mail, web, or FTP servers Explanation: Identifying network applications such as mail, web, or FTP servers to be externally accessed is an initial step in creating a proper firewall policy.
An IS auditor reviewing an outsourcing contract of IT facilities would expect it to define the: A.Hardware configuration B.Access control software C.Ownership of intellectual property D.Application development methodology
C. Ownership of intellectual property Explanation: Ownership of intellectual property will have a significant cost and is a key aspect to be defined in an outsourcing contract.
Which of the following would MOST likely indicate that a customer data warehouse should remain in-house rather than be outsourced to an offshore operation? A.Time zone differences could impede communications between IT teams B.Telecommunications cost could be much higher in the first year C.Privacy laws could prevent cross-border flow of information D.Software development may require more detailed specification
C. Privacy laws could prevent cross-border flow of information Explanation: Privacy laws prohibiting the cross-border flow of information would make it impossible to locate a data warehouse containing customer information in another country.
What is a data validation edit control that matches input data to an occurrence rate? A.Accuracy check B.Completeness check C.Reasonableness check D.Redundancy check
C. Reasonableness check Explanation: A reasonableness check is a data validation edit control that matches input data to an occurrence rate.
During an implementation review of a multiuser distributed application, an IS auditor finds minor weaknesses in three areas - the initial setting of parameters is improperly installed, weak passwords are being used and some vital reports are not being checked properly. While preparing the audit report, the IS auditor should: A.Record the observations separately with the impact of each of them marked against the respective finding B.Advise the manager of probable risks without recording the observations, as the control weaknesses are minor ones C.Record the observations and the risk arising from the collective weaknesses D.Apprise the departmental heads concerned with each observation and properly document it in the report
C. Record the observations and the risks arising from the collective weaknesses Explanation: individually the weaknesses are minor; however, together they have the potential to substantially weaken the overall control structure.
A control that detects transmission errors by appending calculated bits onto the end of each segment of data is known as a: A.Reasonableness check B.Parity check C.Redundancy check D.Check digit
C. Redundancy check Explanation: A redundancy check detects transmission errors by appending calculated bits onto the end of each segment of data.
What is a callback system? A.Remote access system whereby the remote access server immediately calls the user back at the predetermined number if the dial-in connection fails B.Remote access system whereby the user's application automatically redials the remote access server if the initial connection attempt fails C.Remote access control whereby the user initially connects to network systems via dial-up access, only to have the initial connection terminated by the server, which then subsequently dials the user back at a predetermined number stored in the server's configuration database D.Remote access control whereby the user initially connects to network systems via dial-up access, only to have the initial connection terminated by the server, which then subsequently allows the user to call back at an approved number for a limited period of time.
C. Remote access control whereby the user initially connects to network systems via dial-up access, only to have the initial connection terminated by the server, which then subsequently dials the user back at a predetermined number stored in the server's configuration database Explanation: A callback system is a remote access control whereby the user initially connects to network systems via dial-up access, only to have the initial connection terminated by the server, which then subsequently dials the user back at a predetermined number stored in the server's configuration database.
Which of the following should an IS auditor recommend to BEST enforce alignment of an IT project portfolio with strategic organizational priorities? A.Define a balanced scorecard (BSC) for measuring performance B.Consider user satisfaction in the key performance indicators (KPIs) C.Select projects according to business benefits and risks D.Modify the yearly process of defining the project portfolio
C. Select projects according to business benefits and risks Explanation: Prioritization of projects on the basis of their expected benefit(s) to business, and the related risks, is the best measure for achieving alignment of the project portfolio to an organization's strategic priorities.
Using the OSI reference model, what layer(s) is/are used to encrypt data? A.Transport layer B.Session layer C.Session and transport layers D.Data link layer
C. Session and transport layers Explanation: User applications often encrypt and encapsulate data using protocols within the OSI session layer or farther down in the transport layer.
What influences decisions regarding criticality of assets? A.The business criticality of the data to be protected B.Internal corporate politics C.The business criticality of the data to be protected, and the scope of the impact upon the organization as a whole D.The business impact analysis
C. The business criticality of the data to be protected, and the scope of the impact on the organization as a whole Explanation: Criticality of assets is often influenced by the business criticality of the data to be protected and the scope of the impact on the organization as a whole. For example, the loss of a network backbone creates a much greater impact on the organization as a whole than the loss of data on a typical user's workstation.
Which of the following are effective controls for detecting duplicate transactions such as payments made or received? A.Concurrency controls B.Reasonableness checks C.Time stamps D.Referential integrity controls
C. Time Stamps Explanation: Time stamps are an effective control for detecting duplicate transactions such as payments made or received.
Which of the following is the GREATEST risk of an inadequate policy definition for ownership of data and systems? A.User management coordination does not exist B.Specific user accountability cannot be established C.Unauthorized users may have access to originate, modify, or delete data D.Audit recommendations may not be implemented
C. Unauthorized users may have access to originate, modify, or delete data Explanation: Without a policy defining who has the responsibility for granting access to specific systems, there's an increased risk that one could gain (or be given) system access when they should not have authorization. By assigning authority to grant access to specific users, there is a better chance that business objectives will be properly supported.
What is used to provide authentication of the website and can also be used to successfully authenticate keys used for data encryption? A.An organizational certificate B.A user certificate C.A website certificate D.Authenticode
C. Website certificate Explanation: A website certificate is used to provide authentication of the website and can also be used to successfully authenticate keys used for data encryption.
Which of the following would be the BEST method for ensuring that critical fields in a master record have been updated properly? A.Field Checks B.Control Totals C.Reasonableness checks D.A before-and-after maintenance report
D. A before-and-after maintenance report Explanation: A before-and-after maintenance report is the best answer here because a visual review would provide the most positive verification that updating was proper.
When should an application-level edit check to verify that availability of funds was completed at the electronic funds transfer (EFT) interface? A.Before transaction completion B.Immediately after an EFT is initiated C.During run-to-run total testing D.Before an EFT is initiated
D. Before an EFT is initiated Explanation: An application-level edit check to verify availability of funds should be completed at the EFT interface before the EFT is initiated.
Batch control reconciliation is a _____________________ (fill in the blank) control for mitigating risk of inadequate segregation of duties. A.Detective B.Corrective C.Preventative D.Compensatory
D. Compensatory Explanation: Batch control reconciliations is a compensatory control for mitigating risk of inadequate segregation of duties.
What should regression testing use to obtain accurate conclusions regarding the effects of changes or corrections to a program, and ensuring that those changes and corrections have not introduced new errors? A.Contrived data B.Independently created data C.Live data D.Data from previous tests
D. Data from previous tests Explanation: Regression testing should use data from previous tests to obtain accurate conclusions regarding the effects of changes or corrections to a program and ensuring that those changes and corrections have not introduced new errors.
Which of the following typically focuses on making alternative processes and resources available for transaction processing? A.Cold-site facilities B.Disaster recovery for networks C.Diverse processing D.Disaster recovery for systems
D. Disaster recovery for systems Explanation: Disaster recovery for systems typically focuses on making alternative processes and resources available for transaction processing.
The MOST significant level of effort for business continuity planning (BCP) generally is required during the: A.Testing stage B.Evaluation stage C.Maintenance stage D.Early stages of planning
D. Early stages of planning Explanation: The early stages of BCP will be the most significant level of effort, which will level out as the BCP moves into maintenance, testing, and evaluation stages.
Which of the following hardware devices relieves the central computer from performing network control, format conversion, and message-handling tasks? A.Spool B.Cluster Controller C.Protocol Converter D.Front End Processor
D. Front end processor Explanation: A front-end processor is a hardware device that connects all communication lines to a central computer
IS management has decided to re-write a legacy CRM application using fourth generation languages (4GLs). Which of the following risks is MOST often associated with system development using 4GLs? A.Inadequate screen/report design facilities B.Complex programming language subsets C.Lack of portability across operating systems D.Inability to perform data intensive operations
D. Inability to perform data intensive operations Explanation: 4GLs are not suitable for data intensive operations. Instead, they are used mainly for graphic user interface (GUI) design or as simple query/report generators
An example of a direct benefit to be derived from a proposed IT-related business investment is: A.Enhanced reputation B.Enhanced staff morale C.The use of new technology D.Increased market penetration
D. Increased market penetration Explanation: A comprehensive business case for any proposed IT-related business investment should have clearly defined business benefits to enable the expected return to be calculated. These benefits usually fall into 2 categories - direct and indirect. Direct benefits usually comprise the quantifiable financial benefits the new system is expected to generate. Direct benefit will hold priority.
What type of risk is associated with authorized program exits (trap doors)? Choose the BEST answer. A.Business risk B.Audit risk C.Detective risk D.Inherent risk
D. Inherent Risk Explanation: Inherent risk is associated with authorized program exits (trap doors).
An IS auditor reviewing the key roles and responsibilities of the database administrator (DBA) is LEAST likely to expect the job description of the DBA to include: A.Defining the conceptual scheme B.Defining security and integrity check C.Liaison with users in developing data mode D.Mapping data model with the internal schema
D. Mapping data model with the internal schema Explanation: A DBA only in rare instances should be mapping data elements from the data model to the internal schema (physical data storage definitions). To do so would eliminate data independence for application systems. Mapping of the data model occurs with the conceptual schema since the conceptual schema represents the enterprise-wide view of data within an organization and is the basis for deriving an end-user department data model.
Which of the following is a program evaluation review technique that considers different scenarios for planning and control projects? A.Function Point Analysis (FPA) B.GANTT C.Rapid Application Development (RAD) D.PERT
D. PERT Explanation: PERT is a program evaluation review technique that considers different scenarios for planning and control projects.
A hardware control that helps detect errors when data are communicated from one computer to another is known as a: A.Duplicate check B.Table lookup C.Validity check D.Parity check
D. Parity Check Explanation: A parity check will help to detect data errors when data are read from memory or communicated from one computer to another. A one-bit digit (either 0 or 1) is added to a data item to indicate whether the sum of that data item's bit is odd or even. When the parity bit disagrees with the sum of the other bits, an error report is generated.
Data edits are implemented before processing and are considered which of the following? Choose the BEST answer. A.Deterrent integrity controls B.Detective integrity controls C.Corrective integrity controls D.Preventative integrity controls
D. Preventative integrity controls Explanation: Data edits are implemented before processing and are considered preventive integrity controls.
An IS auditor is evaluating management's risk assessment of information systems. The auditor should FIRST review the: A.Controls already in place B.Effectiveness of the controls in place C.Mechanism for monitoring the risks related to the asset D.The threats/vulnerabilities affecting the asset
D. The threats/vulnerabilities affecting the asset Explanation: One of the key factors to be considered while assessing the risks related to the use of various information systems is the threats and vulnerabilities affecting the assets. The risks related to the use of information assets should be evaluated in isolation from the installed controls. Similarly, the effectiveness of the controls should be considered during the risk mitigation stage and not during the risk assessment phase. A mechanism to continuously monitor the risks related to assets should be put in place during the risk monitoring function that follows the risk assessment phase.