ISACA CISA SET
Which of the following is considered inappropriate when designing physical access controls at a facility? A. All employees can access all areas of the facility. B. The data center is located in the center of the physical facility. C. Work and visitor areas are physically separated. D. Teams that perform confidential functions are located in additionally secured areas.
A. All employees can access all areas of the facility. CORRECT The correct answer is "all employees can access all areas of the facility." Physical access should be granted based on job responsibilities, and access to highly sensitive areas should be restricted. INCORRECT The answer choice "work and visitor areas are physically separated" is incorrect; this is a required control to restrict visitors' access to the facility. An employee should always escort visitors. The answer choice "teams that perform confidential functions are located in additionally secured areas" is incorrect as this is a good security practice to ensure the protection of the organization's assets. The answer choice "the data center is located in the center of the physical facility" is incorrect. The data center contains important IT assets and should be strategically located to ensure unauthorized individuals cannot easily locate the facility.
Which of the following layers of the ISO/OSI Reference Model handles "error detection and correction"? A. Data link B. Physical C. Network D. Application
A. Data link The correct answer is data link. The data link layer addresses protocols, models, error detection and correction, etc. It provides reliable transfer of data across physical links, error and flow control, link-level encryption and decryption, and synchronization. The data link layer provides error detection and, optionally, correction (involving two computers directly connected) across a line between nodes of a subnetwork. The other answer choices are INCORRECT: - The physical layer provides for the transmission of unstructured bit streams over the communications channel. - The network layer addresses deadlocks, etc. It provides routing services to establish connections across communications networks. - The application layer addresses dataflow modeling, file management, etc. It provides services such as file transfer protocols directly to users.
A furniture manufacturer issues individual universal serial bus (USB) drives to each employee to transfer company data between different locations. Employees are strictly advised not to use these devices for personal use. Which of the following is the MOST significant risk in this case? A. Employees may lose the USB drive. B. Employees may use the USB for personal purposes. C. The USB may introduce malware into the organization's network. D. Data may be lost due to the USB's nonfunctionality.
A. Employees may lose the USB drive. The correct answer is "employees may lose the USB drive." USB drives are small in size and therefore susceptible to loss or theft, resulting in unauthorized exposure of confidential company data. INCORRECT The answer choice "data may be lost due to the USB's nonfunctionality" is incorrect. While lost data may be hard to recover (especially if the data does not also exist on the network), the risk of data exposure to unauthorized parties is more significant. The answer choice "employees may use the USB for personal purposes" is incorrect. Personal use of USB drives is noncompliant with company policy but does not pose a more significant risk than unauthorized exposure of data. Personal use of USBs increases the risk of importing malware from personal computers; however, network security controls such as antivirus software can help to mitigate this risk. The answer choice "the USB may introduce malware into the organization's network" is incorrect. Network security controls such as antivirus scanners can detect and prevent the introduction of malware on the company network, and therefore the risk can be reasonably mitigated.
Data diddling can be detected by which of the following? A. Exception reports B. Access controls C. Integrity checking D. Program change controls
A. Exception reports The correct answer is exception reports. Data diddling is changing data with malicious intent before it is entered into the system. Data diddling can be detected using exception reports, which highlight exceptions or deviations from the anticipated situation. Rapid detection is needed—the sooner the better—because correction of data diddling is expensive. INCORRECT The other options are incorrect: access controls, program change controls, and integrity checking are all preventive controls.
Which of the following network security tools is PRIMARILY used by the security team to enhance security in the IT environment? A. Honeypots B. Intrusion detection system C. Intrusion prevention system D. Vulnerability scanner
A. Honeypots Honeypots are computers that security administrators place as a trap for intruders. Hackers will scan and attack honeypots, giving administrators data on new trends and attack tools, particularly malicious code. The security team can use this knowledge to determine which areas of the network require protection from such attacks. The other answer choices are incorrect: Intrusion prevention systems (IPS) are configured to both detect and prevent potential attacks on the IT environment and assets. An intrusion detection system (IDS) aims to identify and potentially stop unauthorized use, misuse, and abuse of information systems by both internal network users and external attackers in near real time. A vulnerability scanner is designed to evaluate systems, networks, and applications for existing weaknesses.
When testing program change requests, an IS auditor finds that the number of changes available for sampling does not provide a reasonable level of assurance. What is the MOST appropriate action for the IS auditor to take? A. Develop an alternate testing procedure. B. Report the finding to management. C. Perform a walk-through of the change management process. D. Create additional sample changes to programs.
A. If a sample size objective cannot be met with the given data, the IS auditor cannot provide assurance regarding the testing objective. In this instance, the IS auditor should develop (with audit management approval) an alternate testing procedure. NOT C- A walk-through should not be performed until an analysis is performed. NOT D- It is not appropriate for an IS auditor to create sample data for the purpose of the audit.
Which of the following is the PRIMARY benefit of security awareness, training, and education programs? A. Improving employee behavior B. Reducing unauthorized actions C. Reducing errors and omissions D. Reducing fraud
A. Improving employee behavior The correct answer is "improving employee behavior." User behavior is a critical driver in implementing an effective security program in an organization. Altering users' existing behavior requires an organization to implement an environment where users are aware of and take responsibility for keeping a company's IT assets and data secure. The other answer choices are incorrect as a reduction in fraud, unauthorized actions, errors, and omissions happens due to a change in user behavior.
Regarding voice over Internet Protocol (VoIP), packet loss can result from which of the following? A. Latency B. Wireless C. Wide bandwidth D. Speed
A. Latency CORRECT The correct answer is latency. The latency often associated with tasks in data networks will not be tolerated in VoIP. INCORRECT Wireless is not a factor for packet loss, and VoIP works fine over a good wireless connection. Every facet of network traversal must be completed quickly in VoIP, so speed is not an issue. Wide bandwidth, like speed, will improve communication.
Which of the following is NOT a property of S/MIME? A. Least privilege access B. Nonrepudiation C. Authentication D. Message integrity
A. Least privilege access CORRECT The correct answer is "least privilege access." Least privilege access is an important security principle and means granting the minimum permission required for a user account to enable the account holder (user) to perform his/her duties. Least privilege, however, is not a property of Secure/Multipurpose Internet Mail Extensions (S/MIME), which is concerned with message authentication, integrity, nonrepudiation, and security/privacy.
Which of the following is the key benefit of a control self-assessment? A. Management ownership of internal controls supporting business objectives is reinforced B. Audit expenses are reduced when assessment results are an input to external audit work C. Fraud detection is improved because internal business staff are engaged in testing controls D. Internal auditors can shift to a consultative approach by using the results of the assessment
A. Management ownership of internal controls supporting business objectives is reinforced REASON- The objective of control self-assessment (CSA) is to have business management become more aware of the importance of internal control and their responsibility in terms of corporate governance. NOT B- Reducing audit expenses is not a key benefit of CSA. NOT C- Improved fraud detection is important but not as important as control ownership. It is not a principal objective of CSA. NOT D- CSA may give more insights to internal auditors, allowing them to take a more consultative role; however, this is an additional benefit, not the key benefit.
Which of the following is an example of an administrative measure to defend against computer damage? A. Passwords B. Least privilege principle C. Access controls D. Audit trails
A. Passwords Passwords are administrative controls that help to defend against computer damage. INCORRECT Access controls are technical controls. Access controls include discretionary access controls and mandatory access controls. An audit trail is the collection of data that provides a trace of user actions so that security events can be traced to the actions of a specific individual. To fully implement an audit trails program, audit reduction and analysis tools are also required. Least privilege is a concept that deals with limiting damage through the enforcement of separation of duties. It refers to the principle that users and processes should operate with no more privileges than those needed to perform the duties of the role they are currently assuming.
Which of the following is the weakest link in information security? A. People B. Software C. Hardware D. Networks
A. People The correct answer is "people." People are usually recognized as one of the weakest links in securing systems and data. People have emotions, memory loss, disinterest in work, low motivation levels to excel, or greed, which may adversely impact information security. User behavior is a critical driver in implementing an effective security program in an organization. Altering users' existing behavior requires an organization to implement an environment where users are aware of and take responsibility for keeping a company's IT assets and data secure.
Which of the following is an example of a digital envelope? A. Pretty Good Privacy (PGP) B. Full disk encryption C. TCP/IP D. SSL
A. Pretty Good Privacy (PGP) A digital envelope uses both secret-key (symmetric) and public-key (asymmetric) encryption. It is the electronic equivalent of putting your message/document in a sealed envelope for privacy and resistance to tampering. Symmetric (secret key) encryption is used for encrypting and decrypting the message. Asymmetric (public key) encryption is used to send a secret key to the receiving end. The sender of a message randomly selects an asymmetric algorithm session key which is then encrypted by using the recipient's public key. WHY THE OTHER CHOICES ARE INCORRECT: Full disk encryption protects the user data stored on a laptop hard drive, but it is only effective when the laptop is logged off or powered off. Transmission Control Protocol/Internet Protocol (TCP/IP) is a collection of data transmission protocols for internetwork communications. Secure Sockets Layer (SSL) is a security protocol that creates an encrypted link between a web server and a web browser.
An IS auditor is reviewing security controls for a critical web-based system prior to implementation. The results of the penetration test are inconclusive, and results will not be finalized prior to implementation. Which of the following is the BEST option for the IS auditor? A. Publish a report based on the available information, highlighting the potential security weaknesses and the requirement for follow-up audit testing B. Publish a report omitting the areas where the evidence obtained from testing was inconclusive C. Request a delay of the implementation date until additional security testing can be completed and evidence of appropriate controls can be obtained D. Inform management that audit work cannot be completed prior to implementation and recommend that the audit be postponed
A. Publish a report based on the available information, highlighting the potential security weaknesses and the requirement for follow-up audit testing REASON- If the IS auditor cannot gain sufficient assurance for a critical system within the agreed-on time frame, this fact should be highlighted in the audit report and follow-up testing should be scheduled for a later date. Management can then determine whether any of the potential weaknesses identified were significant enough to delay the go-live date for the system.
Which of the following use public-key (asymmetric) algorithms for data encryption? A. RSA and ECC B. RSA and DES C. MD5 and ECC D. DES and SHA
A. RSA and ECC The correct answer is "RSA and ECC," the only answer that correctly identifies two asymmetric algorithms. RSA (Rivest-Shamir-Adleman) is one of the oldest and most popular public-key cryptosystems used to protect data transmission. Elliptic-curve cryptography (ECC) is a faster alternative to RSA because it uses shorter keys and requires less computing power. INCORRECT The other answer choices are incorrect. DES (Data Encryption Standard) and IDEA (International Data Encryption Algorithm) are examples of private-key (secret-key) algorithms that are based on the concept of a single, shared key. DES is used in secret-key (symmetric) encryption, and SHA (Secure Hash Algorithm) and MD5 (Message Digest 5) are hashing algorithms.
Samuel, an IS auditor, is assessing a third-party arrangement with a new cloud-based service provider. Which of the following considerations is the MOST important with regards to the privacy of the data stored in the cloud? A. Return or destruction of information B. Network and intrusion detection C. Data retention, backup, and recovery D. A patch management process
A. Return or destruction of information CORRECT The correct answer is "return or destruction of information." When reviewing a third-party agreement, the most important consideration about the privacy of the data is the clause concerning the return or secure destruction of information at the end of the contract. INCORRECT Data retention, backup, and recovery are essential controls; however, they do not guarantee data privacy. Network and intrusion detection are helpful when securing the data, but on their own, they do not guarantee the privacy of data stored at a third-party provider. A patch management process helps secure servers and may prevent unauthorized disclosure of data; however, it does not affect the privacy of the data.
What is the main drawback of the RSA algorithm? A. The complexity of the calculations involved and the time needed to complete them B. Key exchange is difficult. C. It is no longer supported by the creators of the algorithm. D. All of the answer choices are correct.
A. The complexity of the calculations involved and the time needed to complete them The correct answer is "the complexity of the calculations involved and the time needed to complete them." As malicious actors improve the tools and techniques used to break the encryption, longer keys should be used to strengthen the algorithm. When the key length is increased, the computation becomes more complex and takes longer to complete.
Which of the following items of information in the audit trail record would help determine if the user was a masquerader or the actual person specified? A. The date and time associated with the event B. The user identification associated with the event C. The command used to initiate the event D. The program used to initiate the event
A. The date and time associated with the event CORRECT The correct answer is "the date and time associated with the event." By knowing the dates and times the actual person specified could not be using the system (e.g., after hours, on vacation) and looking for those date and time stamps in the audit logs, the IS auditor can determine if that user is a masquerader or the actual person specified. INCORRECT The remaining answer choices are incorrect; the user identification, program used, and commands used would be the same as the legitimate user and therefore would not help to determine whether the user was legitimate or a masquerader.
Allan, an IS auditor, is reviewing an organization's data center facility. Which of the following is the MOST significant concern for Allan? A. The fire suppression system uses carbon dioxide. B. The use of dry pipe sprinkling systems C. The use of water-based sprinkler systems D. A team of security guards monitors the data center entrance and exit.
A. The fire suppression system uses carbon dioxide. CORRECT The correct answer is "the fire suppression system uses carbon dioxide." Carbon dioxide is hazardous to human life as it can cause suffocation when sprayed or leaked.
Which of the following ISO/OSI layers provides access control services? A. Transport B. Presentation C. Session D. Data link
A. Transport The correct answer is "transport." The transport layer ensures error-free, in-sequence exchange of data between endpoints. It is responsible for transmitting a message between one network user and another. It is the only layer listed in the question that provides access control services. INCORRECT - The presentation layer provides authentication and confidentiality services, but not access control. The presentation layer defines and transforms the format of data to make it useful to the receiving application. - The session layer does not provide access control services. It establishes, manages, and terminates connections between applications and provides checkpoint recovery services. It helps users interact with the system and other users. - The data link layer provides a confidentiality service, but not access control. The data link layer provides reliable transfer of data across physical links, error and flow control, link-level encryption and decryption, and synchronization. It handles the physical transmission of frames over a single data link.
The web server can best be authenticated by which of the following? A. Transport Layer Security (TLS) B. Transport Control Protocol (TCP) C. Internet Protocol (IP) D. Hypertext Transfer Protocol (HTTP)
A. Transport Layer Security (TLS) The correct answer is Transport Layer Security (TLS). The TLS protocol can be configured to authenticate the web server or to authenticate both the server and the client. Authentication in TLS is performed as part of the handshaking protocol. A digital certificate, issued by a third party, is involved here to indicate that both the web client and the web server can be trusted. INCORRECT "Transport Control Protocol (TCP)" and "Internet Protocol (IP)" are incorrect because TCP/IP is the standard internet protocol and is not used to authenticate the web server. "Hypertext Transfer Protocol (HTTP)" is incorrect because HTTP does not provide any secure properties such as authentication for web sessions.
An IS auditor is reviewing a software application that is built on the principle of service-oriented architecture. What is the INITIAL step? A. Understanding services and their allocation to business processes by reviewing the service repository documentation. B. Sampling the use of service security standards as represented by the Security Assertions Markup Language C. Reviewing the service level agreements established for all system providers D. Auditing the core service and its dependencies on other systems
A. Understanding services and their allocation to business processes by reviewing the service repository documentation. REASON A- A service-oriented architecture relies on the principles of a distributed environment in which services encapsulate business logic as a black box and might be deliberately combined to depict real-world business processes. Before reviewing services in detail, it is essential for the IS auditor to comprehend the mapping of business processes to services.
Modern "dry pipe" systems: A. are a substitute for water-based sprinkler systems. B. maximize chances of accidental discharge of water. C. are less sophisticated than water-based sprinkler systems. D. None of the answer choices are correct.
A. are a substitute for water-based sprinkler systems. CORRECT The correct answer is "are a substitute for water-based sprinkler systems." In a dry pipe sprinkling system, water is not present in the pipes and only flows when the system is activated. INCORRECT The other answer choices are incorrect. Dry pipe systems are more sophisticated compared to water-based sprinkler systems. Dry pipe systems reduce the likelihood of accidental water discharge because they discharge water only when needed.
Which of the following sampling methods is MOST useful when testing for compliance? A. Attribute sampling B. Variable sampling C. Stratified mean-per-unit sampling D. Difference estimation sampling
A. Attribute sampling REASON A- Attribute sampling is the primary sampling method used for compliance testing. Attribute sampling is a sampling model that is used to estimate the rate of occurrence of a specific quality (attribute) in a population and is used in compliance testing to confirm whether the quality exists. For example, an attribute sample may check all transactions over a certain predefined dollar amount for proper approvals. NOT B- Variable sampling is based on the calculation of a mean from a sample extracted from the entire population and is used to estimate a characteristic of the entire population. NOT C- Stratified mean-per-unit sampling ensures the population is represented in the sample; it is not an effective way to measure compliance. NOT D- Difference estimation measures deviations and extraordinary items and is not a good way to measure compliance.
Which of the following situations could impair the independence of an IS auditor? The IS auditor A. implemented specific functionality during the development of an application B. designed an embedded audit module for auditing an application C. participated as a member of an application project team and did not have operational responsibilities D. provided consulting advice concerning application good practices
A. implemented specific functionality during the development of an application REASON- Independence may be impaired if an IS auditor is, or has been, actively involved in the development, acquisition and implementation of the application system.
An IS auditor finds a small number of user access requests that were not authorized by managers through the normal predefined workflow steps and escalation rules. The IS auditor should: A. perform an additional analysis B. report the problem to the audit committee C. conduct a security risk assessment D. recommend that the owner of the identity management system fix the workflow issues
A. perform an additional analysis REASON A- The IS auditor needs to perform substantive testing and additional analysis to determine why the approval and workflow processes are not working as intended. Before making any recommendation, the IS auditor should gain a good understanding of the scope of the problem and the factors that caused this incident. The IS auditor should identify whether the issue was caused by a manager not following procedures, a problem with the workflow of the automated system, or a combination of the two.
The firewall is designed to: A. prevent outsiders from getting in. B. stop electronic mail. C. prevent insiders from getting out. D. stop generating a log file.
A. prevent outsiders from getting in. The correct answer is "prevent outsiders from getting in." The firewall is designed to prevent outsiders from getting in. Its purpose is to protect internal information systems from external attacks.
What must begin after a physical intrusion detection alarm is initiated and reported? A. Communication B. Assessment C. Deployment D. Interruption
B. Assessment CORRECT The correct answer is "assessment." Once a physical intrusion detection alarm is initiated and reported, assessment of the situation begins. One needs to know whether the alarm is valid or a nuisance alarm, as well as details about the cause of the alarm. INCORRECT Communication, interruption, and deployment are incorrect because they are part of a response to a physical intrusion detection alarm.
Which of the following is a simple networking device that interconnects two or more local area networks (LANs)? A. Brouter B. Bridge C. Router D. Gateway
B. Bridge CORRECT The correct answer is "bridge." Bridges are simple networking devices that interconnect two or more LANs. Bridges operate at the lowest network levels, such as the data link layer of the ISO/OSI Reference Model.
An employee has dropped an unencrypted USB containing a client's personal health information (PHI) in a parking lot. Which of the following CIA triad principles will be impacted? A. Integrity B. Confidentiality C. Availability D. All of the answer choices are correct.
B. Confidentiality The correct answer is "confidentiality." PHI is sensitive data, and exposure to unauthorized parties will violate the confidentiality principle. INCORRECT The answer choice "integrity" is incorrect as the USB (universal serial bus) device will not allow the perpetrator to change the data in the company's systems; the USB will only allow exposure of PHI to the perpetrator. The answer choice "availability" is incorrect as the loss of the USB will not impact system availability.
The decisions and actions of an IS auditor are most likely to affect which of the following types of risk? A. Inherent B. Detection C. Control D. Business
B. Detection REASON B- Detection risk is affected by the IS auditor's selection of audit procedures and techniques. Detection risk is the risk that a review will not detect or notice a material issue. NOT A- Inherent risk is the risk that a material error could occur, assuming there are no related internal controls to prevent or detect the error. Inherent risk is not usually affected by an IS auditor. NOT C- Control risk is the risk that a material error exists that would not be prevented or detected on a timely basis by the system of internal controls. Control risk can be mitigated by the actions of the organization's management. NOT D- Business risk is the probable situation with uncertain frequency and magnitude of loss (or gain). Business risk is usually not directly affected by an IS auditor.
Which of the following is an effective means of preventing and detecting computer viruses? A. Train all employees about potential risks B. Install an antivirus program on network servers C. Only company-certified portable storage devices should be used. D. Install an antivirus program on each personal computer
B. Install an antivirus program on network servers The correct answer is "install an antivirus program on each personal computer." Virus scanning programs are effective against viruses that have been reported, usually have additional features to protect the computer, and provide the best protection against viruses. Virus protection software does not provide 100% protection (for example, against new viruses or viruses written to attack a specific organization), so it is essential to also provide awareness training for employees. INCORRECT The answer choice "install an antivirus program on network servers" is incorrect. While installing an antivirus program on network servers is a good practice, employees' personal computers frequently connect directly to the network and can become infected with a virus. The server's antivirus program would not prevent this common method of infection. The answer choice "train all employees about potential risks" is incorrect. Trained employees alone cannot prevent or detect computer viruses. The answer choice "only company-certified portable storage devices should be used" is incorrect. Viruses are primarily downloaded through the internet nowadays and not only through portable storage media.
Which of the following is the PRIMARY objective of the incident response process? A. Preserve the integrity of evidence related to the incident. B. Minimize the impact of the incident on the organization C. Detect the incident at the earliest opportunity D. None of the answer choices are correct.
B. Minimize the impact of the incident on the organization The correct answer is "minimize the impact of the incident on the organization." The primary objective of the incident response plan is to minimize the incident's impact on the organization. An incident is any event that adversely impacts the confidentiality, integrity, or availability of an organization's assets. The other answer choices are INCORRECT: - Preserving the integrity of evidence is essential if the incident relates to fraud; however, this is the responsibility of the forensic investigations team. - While detecting the incident at the earliest opportunity may help minimize the incident's impact on the organization, early detection is not the primary objective of the incident response process.
Which of the following is an example of a passive attack? A. Attempting to log into someone else's account B. Observing a user while they type a password C. Denying services to legitimate users D. Deploying a wiretap to generate false messages
B. Observing a user while they type a password The correct answer is "observing a user while they type a password." A passive attack is an attack in which the threat merely watches information move across the system; no attempt is made to introduce information in order to take advantage of and exploit a vulnerability. Observing a user while they type a password is an example of a passive attack. PASSIVE- no data has been altered or manipulated.
Which of the following network security testing tools can be disruptive to the organization? A. War dialing B. Penetration testing C. Vulnerability scanning D. Network scanning
B. Penetration testing The correct answer is "penetration testing." The impacts of penetration testing include server crashes and the exposure and corruption of sensitive data. In addition, penetration testing may aid hackers in perpetrating a similar attack on the organization. INCORRECT The other answer choices are incorrect: Network scanning and vulnerability scanning are not disruptive as they do not penetrate the IT environment; these tools help to identify vulnerabilities in the environment. War dialing is a type of attack. The war dialing technique involves dialing all possible telephone numbers in a particular area code to locate active modems and computers. Perpetrators use war dialing for various reasons, including guessing user IDs by listening to voicemail greetings or finding modems that potentially help access an IT network.
Which of the following is an example of single point of failure when accessing an application? A. Multiple passwords B. Single sign-on C. Multifactor authentication D. Redundancy
B. Single sign-on The correct answer is "single sign-on." This is an example of a single point of failure because if the sign-on system is compromised, the entire system is exposed to unauthorized parties. INCORRECT The other answer choices are incorrect: - Multifactor authentication and multiple passwords are examples of multiple points of failure since the perpetrator will require more than one password, or a combination of a password and a second piece of authentication (such as a mobile-generated code or an answer to a secret question), before getting access to the network. - Redundancy offers failover to avoid a single point of failure.
Amanda, an IS auditor, is reviewing an organization's agreement with a cloud provider. Which of the following is the MOST significant concern for Amanda? A. The contract prohibits site visits. B. The contract does not state the cloud provider's responsibility in the event of a data breach. C. Laws and regulations are different in the countries of the organization and the vendor. D. The organization uses an older web browser that is highly vulnerable to cyberattacks.
B. The contract does not state the cloud provider's responsibility in the event of a data breach. The correct answer is "the contract does not state the cloud provider's responsibility in the event of a data breach." Cloud computing involves more than one party, and each party is responsible for maintaining adequate security in their respective IT environments. In the event of a security breach, the party responsible for the breach should be held accountable. Therefore, the contract should state the responsibilities of each party in the case of a data incident. The answer choice "the contract prohibits site visits" is incorrect. While site visits act as a helpful oversight and monitoring control, there are alternative procedures to monitor cloud providers such as virtual meetings and performance monitoring reports. The answer choice "laws and regulations are different in the countries of the organization and the vendor" is incorrect. The IS auditor should ensure that the contract addresses the differing laws and regulations in the countries of the organization and the vendor, but having different laws and regulations is not a problem. The answer choice "the organization uses an older web browser that is highly vulnerable to cyberattacks" is incorrect. While highly vulnerable browsers pose a significant risk to the organization's security, the IS auditor can raise an audit issue for this problem, and IT can acquire and deploy a more secure browser.
Which of the following is NOT part of the TLS handshake? A. The server picks a cipher and hash function that it also supports from this list and notifies the client of the decision. B. The server always checks and confirms the validity of the client certificate. C. The client always checks and confirms the validity of the server certificate. D. The client requests a secure connection from the server and presents a list of supported cipher suites.
B. The server always checks and confirms the validity of the client certificate. The correct answer is "the server always checks and confirms the validity of the client certificate." Client certificate validation is an optional part of the Transport Layer Security (TLS) handshake and does not happen all the time. INCORRECT The other answer choices are part of the TLS handshake. The handshake begins when a client connects to a TLS-enabled server requesting a secure connection, and the client presents a list of supported cipher suites. The cipher suite consists of a code representing four parameters: the authentication algorithm, key exchange method, encryption cipher and hashing algorithm.
Telecommuting from home requires special considerations to ensure integrity and confidentiality of corporate data accessed by employees. Which of the following is an effective control? A. Logging and monitoring B. Virtual private network (VPN) C. Firewalls D. Browser encryption
B. Virtual private network (VPN) The correct answer is virtual private network (VPN). For a remote access VPN to be as secure as possible, the traffic should be both encrypted and integrity-protected. Without encryption, an unauthorized person could access the data, and without integrity protection, encrypted traffic is susceptible to attacks and modification of data. INCORRECT Logging and monitoring are the security services by which the use of all levels of access attempts are logged and reported, and therefore are not effective controls. A firewall can be turned off and is not an effective control for employees' remote access. Browser encryption does not provide a control for data used and stored at home. The web browser creates a session key, encrypts it with the server's public key, and sends the encrypted key to the server. The server uses its private key to decrypt the session key. The client and server use the session key to encrypt further communications. Browser encryption helps to capture and secure data entered into the website before it reaches the internal systems.
Which of the following is an example of a corrective control? A. Deadman doors B. Water sprinkler systems C. Smoke detectors D. Lock keys
B. Water sprinkler systems CORRECT The correct answer is "water sprinkler systems." A water sprinkler system is activated and sprays water on a fire to extinguish it, and hence is a corrective control. INCORRECT Lock keys and deadman doors are preventive controls as they are meant to prevent unauthorized personnel from entering the facility. Smoke detectors are a detective control as they detect smoke and activate fire suppression controls.
What is the PRIMARY requirement that a data mining and auditing software tool should meet? The software tool should: A. interface with various types of enterprise resource planning software and database B. accurately capture data from the org. system without causing excessive performance problems C. introduce audit hooks into the org. financial systems to support continuous auditing D. be customizable and support inclusion of custom programming to aid in investigative analysis
B. accurately capture data from the org. system without causing excessive performance problems REASON B- Although all requirements that are listed as answer choices are desirable in a software tool evaluated for auditing and data mining purposes, the most critical requirement is that the tool works effectively on the systems of the org. being audited. NOT A- The product must interface with the types of systems used by the org. and provide meaningful data for analysis. NOT C- The tool should probably work on more than just financial systems and does not necessarily require implementation of audit hooks. NOT D- The tool should be flexible, not necessarily customizable. It should have built-in analysis software tools.
The PRIMARY advantage of continuous audit approach is that it: A. does not require an IS auditor to collect evidence on system reliability while processing is taking place B. allows the IS auditor to review and follow up on audit issues in a timely manner C. places the responsibility for enforcement and monitoring of controls on the security department instead of audit D. simplifies the extraction and correlation of data from multiple and complex systems
B. allows the IS auditor to review and follow up on audit issues in a timely manner REASON- Continuous audit allows review of and response to audit issues in a timely manner because audit findings are gathered in near real time.
A digital envelope uses: A. neither symmetric encryption nor asymmetric encryption. B. both symmetric and asymmetric encryption. C. only asymmetric encryption. D. only symmetric encryption.
B. both symmetric and asymmetric encryption. The correct answer is "both symmetric and asymmetric encryption." A digital envelope uses both secret-key (symmetric) and public-key (asymmetric) encryption. It is the electronic equivalent of putting your message/document in a sealed envelope for privacy and resistance to tampering.
The construction and expansion of a local area network can be more restrictive than that of a wide area network because of the: A. speed of communication. B. number of workstations that can be connected to a network. C. limited number of operating systems that can be connected. D. ability of a personal computer to act as a data terminal.
B. number of workstations that can be connected to a network. The correct answer is "number of workstations that can be connected to a network." The restrictions are caused by the variety of cabling restraints that apply to the installation of each type of local area network (LAN), such as Ethernet or token ring network. The constraints include the number of stations that can be connected to a network, the length of cable to connect a station to the network, and the physical spacing between cable connections.
Which of the following ISO/OSI layers provides both confidentiality and data integrity services? A. Presentation B. Data link C. Application D. Physical
C. Application The correct answer is "application." The application layer provides for internetworking between application processes in end systems. The basis of all security work within the ISO (International Standards Organization) is the OSI (Open Systems Interconnection) security architecture. This standard provides text and definitions that cover (1) security attacks relevant to open systems, (2) general architectural elements that can be used to thwart such attacks, and (3) circumstances under which the security elements can be used. The application layer is the only layer listed in the question that provides both confidentiality and data integrity services. The application layer provides services such as file transfer protocols (FTP) directly to users.
Which of the following open system interconnection (OSI) layers provides nonrepudiation services? A. Data link B. Transport C. Application D. Presentation
C. Application The correct answer is "application." The application layer provides nonrepudiation services, meaning that entities involved in a communication cannot deny having participated. It is a technique that ensures genuine communication and cannot subsequently be negated.
Which of the following is PRIMARILY a responsibility of the data owner? A. Ensuring appropriate physical and logical security for IS programs systems and data B. Investigating fraud C. Authorizing a new user access request D. Being accountable for the safe storage of information assets
C. Authorizing a new user access request CORRECT REASON The correct answer is "authorizing a new user access request." Typical security responsibilities for data owners include authorizing new user access and ensuring that access to data is updated upon user employment changes (e.g., termination, promotion, or transfers). INCORRECT REASON The answer choice "being accountable for the safe storage of information assets" is incorrect. Data custodians are accountable for the safe storage of information assets. The answer choice "ensuring appropriate physical and logical security for IS programs systems and data" is incorrect. Security administrators are responsible for ensuring appropriate physical and logical security of IS programs systems and data. The answer choice "investigating fraud" is incorrect as data owners are not primarily responsible for fraud investigation. Management assigns forensic investigation teams responsibilities to investigate fraud.
Digitally signing and publishing the public keys is primarily related to which PKI component? A. Public key attestation B. Publishing authority C. Certificate authority D. Registration authority
C. Certificate authority The correct answer is certificate authority (CA). The primary role of the CA is to digitally sign and publish the public key bound to a given organization. INCORRECT The other answer choices are incorrect: A registration authority is an organization that is responsible for receiving and validating requests for digital certificates and public/private key pairs. Publishing authority and public key attestation are made-up terms and therefore not relevant to the role of signing and publishing public keys in public key infrastructure (PKI).
Which of the following is a characteristic of an intrusion detection system (IDS)? A. Prevents access to specific internet websites B. Blocks users from accessing specific application servers C. Collects evidence on intrusive system activity D. None of the answer choices are correct.
C. Collects evidence on intrusive system activity The correct answer is "collects evidence on intrusive system activity." The intrusion detection system aims to identify and detect unauthorized use, misuse, and abuse of information systems by both internal network users and external attackers in near real-time. INCORRECT The other answer choices are incorrect. Preventing access to websites and blocking users' access to application servers are performed by a firewall.
Which of the following controls over telecommuting uses tokens and/or multifactor authentication? A. Intrusion detection system B. Encryption C. Combined authentication methods D. Firewalls
C. Combined authentication methods The correct answer is "combined authentication methods." Combined authentication methods increase security in two significant ways. They can require the user to possess a token in addition to a password or personal identification number (PIN). Tokens used with PINs provide significantly more security than passwords. For a hacker or other would-be impersonator to pretend to be someone else, the impersonator must have both a valid token and the corresponding PIN. This is much more difficult than obtaining a valid password and user ID combination. Combined authentication methods can also create multifactor authentication. Each time a user is authenticated to the computer, a different "one-time code" is used. The other answer choices are incorrect: -Firewalls use a secure gateway or series of gateways to block or filter access between two networks, often between a private network and a larger, more public network such as the internet or a public switched network (i.e., the telephone system). -The intrusion detection system (IDS) aims to identify unauthorized use, misuse, and abuse of information systems by both internal network users and external attackers in near real-time. -Encryption is more expensive than combined authentication methods. It is most useful if highly confidential data needs to be transmitted or if moderately confidential data is transmitted in a high-threat area. Encryption is most widely used to protect the confidentiality and integrity of data.
Which of the following describes a software as a service (SaaS) cloud-based service shared by a limited number of organizations? A. Hybrid B. Private C. Community D. Public
C. Community The correct answer is "community." A community cloud provides a cloud computing solution to a limited number of organizations. This deployment model is a multi-tenant platform that enables multiple entities to work on the same platform.
Which of the following activities cause most security vulnerabilities in web servers? A. Acquisition B. Usage C. Configuration D. Maintenance
C. Configuration The correct answer is configuration. The web server that an organization acquires is generic and must be customized during its configuration. Unnecessary software services and user accounts in the web server should be removed or redefined. The web server configuration scenarios should fit its established security policy. The other answer choices are incorrect: The acquisition, usage, and maintenance of a web server are not as important as that of its configuration.
An IS auditor is developing an audit plan for an environment that includes new systems. The org. mgmt wants the IS auditor to focus on recently implemented systems. How should the IS auditor respond? A. Audit the new systems as requested by mgmt B. Audit systems not included in last year's scope C. Determine the highest-risk systems and plan accordingly D. Audit both the systems not in last year's scope and new systems
C. Determine the highest-risk systems and plan accordingly REASON- The best action is to conduct a risk assessment and design the audit plan to cover the areas of highest risk. IS audit shall use an appropriate risk assessment approach and supporting methodology to develop the overall IS audit plan and determine priorities for the effective allocation of IS audit resources.
A global financial services company is introducing a new security governance framework across different countries. What should management do FIRST? A. Review existing security policies. B. Interview security employees in each country to determine local security practices. C. Evaluate the regulatory requirements in each country. D. Interview local security experts in each country to determine the best practices in each country.
C. Evaluate the regulatory requirements in each country. The correct answer is "evaluate the regulatory requirements in each country." The security governance framework should include regulatory requirements for all countries where the company has located its operations to ensure that all such requirements are met in the framework.
An IS auditor is recommending the use of raised flooring in the data center. Which of the following risks is PRIMARILY mitigated by raised flooring? A. Protection from electrical surges B. Guarding the equipment from lightning C. Flood damage D. Employees can step on the raised floor in the event of a fire.
C. Flood damage CORRECT The correct answer is "flood damage." Data center facilities are usually built a certain height above the ground level to prevent floodwater on the ground from coming in contact with the IT hardware assets such as servers. INCORRECT The other answer choices are incorrect as raised flooring does not protect against electrical surges and lightning. In case of a fire, employees should exit the facility instead of stepping on the raised floor.
Which of the following is used to create webpages on the internet? A. HTTP B. FTP C. HTML D. TCP/IP
C. HTML The correct answer is HTML. Hypertext markup language (HTML) is used to describe webpages in terms of color, font size, and graphics. INCORRECT: HTTP (Hypertext Transfer Protocol) is used to carry web traffic between a web browser computer and the web server being accessed. TCP/IP (Transmission Control Protocol/Internet Protocol) is available for most operating systems and is well suited to providing communications between dissimilar computer systems. FTP (File Transfer Protocol) is used on TCP/IP networks that require users to log into a remote computer.
Which of the following statements about intrusion detection systems (IDS) is FALSE? A. IDS is a detective control. B. IDS can be network-based or host-based. C. IDS is meant to be a replacement for firewalls. D. An IDS may be placed between the firewall and the internet.
C. IDS is meant to be a replacement for firewalls.
Which of the following open system interconnection (OSI) layers establishes, manages, and terminates connections between applications? A. Transport B. Presentation C. Session D. Network
C. Session The correct answer is "session." The session layer establishes, manages, and terminates connections between applications, and provides checkpoint recovery services. It helps users interact with the system and other users. INCORRECT The presentation layer provides authentication and confidentiality services. It defines and transforms the format of data to make it useful to the receiving application. It provides a common means of representing a data structure in transit from one end system to another. The transport layer provides confidentiality, authentication, data integrity, and access control services. It ensures error-free, in-sequence exchange of data between endpoints. It is responsible for transmitting a message between one network user and another. The network layer provides confidentiality, authentication, data integrity, and access control services. It is responsible for transmitting a message from its source to a destination. It provides routing (path control) services to establish connections across communications networks.
Which of the following is an advantage of asymmetric key cryptography? A. Its execution is very fast. B. It is an out-of-band exchange. C. It is relatively easy to distribute keys. D. Both keys are the same.
C. It is relatively easy to distribute keys. The correct answer is "it is relatively easy to distribute keys." Asymmetric encryption is a type of encryption that uses two separate yet mathematically related keys: the "public key" and the "private key." Typically, the public key is used to encrypt data, and its corresponding private key is used to decrypt it. Thus, this encryption method is also known as public‐key encryption, public‐key cryptography, and asymmetric‐key encryption. The public key is typically available to everyone and can be used to encrypt data. INCORRECT The answer choice "both keys are the same" is incorrect as asymmetric encryption is a type of encryption that uses two separate yet mathematically related keys: the "public key" and the "private key." -Typically, the public key is used to encrypt data, and its corresponding private key is used to decrypt it. The answer choice "it is an out-of-band exchange" is incorrect as asymmetric encryption is an in-band exchange. -The answer choice "its execution is very fast" is incorrect as the execution of asymmetric encryption is slow.
Which of the following controls provides a first line of defense against potential threats, risks, or losses? A. Software testing B. Transaction logs C. Passwords and user IDs D. Dial-back modem
C. Passwords and user IDs The correct answer is "passwords and user IDs." These provide the first line of defense against breach of a network's security. Several restrictions can be placed on passwords to improve their effectiveness. These restrictions may include minimum length and format and forced periodic password changes. The other answer choices are INCORRECT: -Switched ports are among the most vulnerable security points on a network. These allow dial-in and dial-out access. They are security risks because they allow users with telephone terminals to access systems. Although callback or dial-back is a potential control as a first line of defense, it is not necessarily the most effective because of the call-forwarding capability of telephone circuits. -Software testing is the last line of defense to ensure data integrity and security. Therefore, the software must be tested thoroughly by end users, information systems staff, and computer operations staff. -For online applications, the logging of all transactions processed or reflected by input programs provides a complete audit trail of actual and attempted entries, thus providing a last line of defense. The log can be stored on tape or disk files for subsequent analysis. The logging control should include the date, time, user ID and password used, location, and number of unsuccessful attempts made.
An IS auditor conducting a review of software usage and licensing discovers that numerous PCs contain unauthorized software. Which of the following actions should the IS auditor take? A. Delete all copies of the unauthorized software B. Recommend an automated process to monitor for compliance with software licensing C. Report the use of the unauthorized software and the need to prevent recurrence D. Warn the end users about the risk of using illegal software
C. Report the use of the unauthorized software and the need to prevent recurrence Reason C- The use of unauthorized or illegal software should be prohibited by an organization. An IS auditor must convince the user and management of the risk and need to eliminate the risk. For example, software piracy can result in exposure and severe fines. NOT A- An IS auditor should not assume the role of the enforcing officer and take on any personal involvement in removing the unauthorized software. NOT B- This would detect compliance with software licensing. However, an automated solution might not be the best option in all cases. NOT D- Auditors must report material findings to management for action. Informing the users of risk is not the primary responsibility of the IS auditor.
The business owner of a new application has requested that the different types of reports be viewed on a "need to know" basis. Which of the following access control methods would be the MOST effective to achieve this request? A. Discretionary B. Rule-based C. Role-based (RBAC) D. Single sign-on
C. Role-based (RBAC) The correct answer is "role-based." Role-based access control (RBAC) restricts access according to job roles and responsibilities. RBAC would be the best method to view reports on a need-to-know basis for authorized users. Access control decisions are based on the roles individual users are taking in an organization. These include the specification of duties, responsibilities, obligations, and qualifications (e.g., a teller or loan officer associated with a banking system).
Ronald, a forensic investigator, is reviewing fraudulent electronic transactions. The suspect has worked with Ronald in the past at another company. What is the MOST important consideration for Ronald in this situation? A. Ronald should not conduct informal meetings with the suspect during the investigation. B. Ronald should maintain independence during the engagement. C. Ronald should ensure that the evidence is preserved in its original state. D. Ronald should assess other electronic transactions carried out by the suspect.
C. Ronald should ensure that the evidence is preserved in its original state. CORRECT The correct answer is "Ronald should ensure that the evidence is preserved in its original state." Evidence from the crime scene must be securely retained and preserved to present in a legal proceeding. The chain of custody must also be documented and preserved for presentation in the court of law. INCORRECT The answer choice "Ronald should maintain independence during the engagement" is incorrect. Maintaining independence is essential; however, preserving the integrity of the evidence is more essential to ensure the evidence is admissible in the court of law. The answer choice "Ronald should not conduct informal meetings with the suspect during the investigation" is incorrect. While this is important, preserving the integrity of the evidence is more essential to ensure the evidence is admissible in the court of law. The answer choice "Ronald should assess other electronic transactions carried out by the suspect" is incorrect. While it is a good idea to investigate further transactions to uncover the possibility of more fraudulent transactions, preserving the integrity of the evidence is more essential to ensure the evidence is admissible in the court of law.
Denial of service (DOS) can be prevented by which of the following? A. Security awareness training B. Policies and procedures C. Server redundancy D. None of the answer choices are correct.
C. Server redundancy The correct answer is "server redundancy." Server redundancy allows extra bandwidth to handle large traffic volumes, hence preventing a server from crashing due to overwhelming traffic volume. INCORRECT The other answer choices are incorrect. Policies and procedures can provide guidelines to prevent DoS attacks; however, they would not prevent DoS attacks. Security awareness training and education help to alter users' behaviors and do not prevent DoS attacks.
The internal audit department wrote some scripts that are used for continuous auditing for some information systems. The IT department asked for copies of the scripts so that they can use them for setting up a continuous monitoring process on key systems. Does sharing these scripts with IT affect the ability of the IS auditors to independently and objectively audit the IT function? A. Sharing the scripts is not permitted because it gives IT the ability to pre-audit systems and avoid an accurate, comprehensive audit B. Sharing the scripts is required because IT must have the ability to review all programs and software that run on IS systems regardless of audit independence C. Sharing the scripts is permissible if IT recognizes that audits may still be conducted in areas not covered in scripts D. Sharing the scripts is not permitted because the IS auditors who wrote the scripts would not be permitted to audit a
C. Sharing the scripts is permissible if IT recognizes that audits may still be conducted in areas not covered in scripts Reason: IS audit can still review all aspects of the systems. They may not be able to review the effectiveness of the scripts, but they can still audit the systems. NOT REASON: D. An audit of IS encompasses more than just the controls covered in scripts. B. Sharing scripts may be required by policy for quality assurance and configuration mgmt, but that does not impair the ability to audit. A. The ability of IT to continuously monitor and address any issues on IT systems does not affect the ability of IS audit to perform an audit.
Which of the following is a control used to respond to the risk of power failure? A. Smoke/fire detectors B. Water sprinklers C. Uninterruptible power supply (UPS) D. Fire or evacuation drills
C. Uninterruptible power supply (UPS) The correct answer is "uninterruptible power supply (UPS)." A UPS system contains a battery or gas-powered generator that connects with the electricity entering the building/facility and the electrical power entering the IT hardware. The other answer choices are INCORRECT as smoke/fire detectors, water sprinklers, and fire or evacuation drills respond to the RISK OF FIRE, NOT POWER FAILURE.
Which of the following is a primary control against network attacks? A. End point encryption B. Boundary routers C. Virtual private networks (VPNs) D. Access controls
C. Virtual private networks (VPNs)
An IS Auditor is reviewing access to an application to determine whether recently added accounts were appropriately authorized. This is an example of: A. variable sampling B. substantive testing C. compliance testing D. stop-or-go sampling
C. compliance testing REASON- Compliance testing determines whether controls are being applied in compliance with policy. This includes tests to determine whether new accounts were appropriately authorized. NOT A- Variable sampling is used to estimate numerical values such as dollar values. NOT B- Substantive testing is often dependent on the outcome of compliance tests. If compliance tests indicate that there are adequate internal controls, then substantive tests can be minimized. NOT D- Stop-or-go sampling allows a test to be stopped as early as possible and is not appropriate for checking whether procedures have been followed.
Which of the following would impair the independence of a quality assurance team? A. ensuring compliance with development methods B. checking test assumptions C. correcting coding errors during the testing process D. checking the code to ensure proper documentation
C. correcting coding errors during the testing process Correction of code should not be a responsibility of the quality assurance team because it does not ensure segregation of duties and would impair the team's independence.
The greatest threat to any computer system is: A. untrained or negligent users. B. hackers and crackers. C. employees. D. vendors and contractors.
C. employees. The correct answer is "employees." Employees of all categories are the greatest threat to any computer system because they are trusted the most. They have access to the computer system, they know the physical layout of the area, and they could misuse the power and authority. Most trusted employees have an opportunity to perpetrate fraud if the controls in the system are weak.
An example of the drawbacks of smart cards includes a means of: A. storing user data. B. access control and data storage. C. gaining unauthorized access. D. access control.
C. gaining unauthorized access. CORRECT The correct answer is "gaining unauthorized access." An unauthorized person can gain access to a computer system in the absence of other strong controls. A smart card is a credit card-sized device, containing one or more integrated circuit chips, which performs the functions of a microprocessor, memory, and an input/output interface. Smart cards can be used (1) as a means of access control, (2) as a medium for storing and carrying the appropriate data, and (3) a combination of 1 and 2. INCORRECT The other answer choices (access control and storing user data) are incorrect as they are advantages of using smart cards. Since valuable data is stored on a smart card, the card is useless if lost, damaged, or forgotten.
Which of the following can provide a false sense of security? 1. Encryption protocols 2. Digital signatures 3. Firewalls 4. Certified authorities A. 2 and 3 B. 2 and 4 C. 1 and 2 D. 1 and 3
D. 1 and 3 CORRECT REASON The correct answer is items 1 and 3. Both encryption protocols and firewalls can provide a false sense of security. Encryption provides confidentiality of data from the point it leaves the end user's software client to the point it is decrypted on the server system. Once the data is stored "in the clear" on the server, data confidentiality is no longer ensured. Data confidentiality aside, encryption will not prevent malicious attackers from breaking into the server systems and destroying data and transaction records. Firewalls have been used to protect internal computer systems from outside attacks as well as from unauthorized inside users. The effectiveness of a firewall is usually in providing a deterrent for would-be attackers. However, a firewall must let permitted traffic through, so a determined attacker can carry an attack inside otherwise legitimate web requests; that traffic should be controlled separately. INCORRECT REASON Items 2 and 4 provide a good sense of security because digital signatures and certificate authorities working together form a trusted relationship. A digital signature issued by the certificate authority certifies that both the client and server can be trusted.
What is a cryptographic system? A. Hardware used in data encryption B. A prerequisite to data classification C. A type of anti-malware D. A collection of software and hardware that can encrypt or decrypt information
D. A collection of software and hardware that can encrypt or decrypt information The correct answer is "a collection of software and hardware that can encrypt or decrypt information." A cryptographic system comprises the algorithms, keys, and protocols together with the software and hardware that implement them. Attacks on such a system (cryptanalysis) generally involve finding weaknesses in the implementation that enable an attacker to recover the secret key, or an equivalent means of encryption and decryption that does not require knowing the secret key. The other answer choices are not related to a cryptographic system.
Jack wanted to send an encrypted message to Alice. What key should Jack use to encrypt the message in public cryptography? A. Jack's private key B. Jack's public key C. Alice's private key D. Alice's public key
D. Alice's public key The correct answer is Alice's public key. Asymmetric encryption is a type of encryption that uses two separate yet mathematically related keys: the "public key" and the "private key." Typically, the public key is used to encrypt data, and its corresponding private key is used to decrypt it. Thus, this encryption method is also known as public-key encryption, public-key cryptography, and asymmetric-key encryption. INCORRECT REASONS The other answer choices are incorrect. If Jack uses his own private key, anyone can decrypt the message with his public key. If Jack uses his own public key, only he can decrypt it with his own private key, so Alice cannot read it. If Jack has access to Alice's private key, that key is no longer private, and anyone with Alice's public key can decrypt the message.
In public key infrastructure (PKI), the registration authority is responsible for: A. receiving and validating requests for digital certificates and public/private key pairs. B. performing other certificate lifecycle management functions (certificate revocation). C. securely storing all the certificates that are requested, received, and revoked by both the certificate authority and the registration authority. D. All of the answer choices are correct.
D. All of the answer choices are correct. All of the answer choices are correct. A registration authority (RA) is an organization that is responsible for receiving and validating requests for digital certificates and public/private key pairs. The RA is authorized by the certificate authority (CA). It is also responsible for performing other certificate lifecycle management functions (certificate revocation). All the certificates that are requested, received, and revoked by both the certificate authority and registration authority are stored in an encrypted certificate database.
Which of the following cryptographic security services for email and electronic messaging applications is provided by S/MIME? A. Nonrepudiation B. Authentication and message integrity C. Data encryption D. All of the answer choices are correct.
D. All of the answer choices are correct. All of the answer choices are correct. S/MIME provides the following cryptographic security services for email and electronic messaging applications:
- Authentication
- Message integrity
- Nonrepudiation of origin (using digital signatures)
- Privacy and data security (using encryption)
Which of the following attacks violates the principle of confidentiality? A. Email spamming B. Man-in-the-middle (MITM) attack C. Juice jacking attack D. All of the answer choices are correct.
D. All of the answer choices are correct. All of the answer choices are correct:
- Email spamming involves sending junk email messages to several users to receive a response (which may disclose sensitive company information).
- In a MITM attack, a perpetrator inserts themselves in the middle of a communication link or data transfer and pretends to be both of the legitimate parties. This way, the perpetrator intercepts data from both parties while also transmitting malicious links to the legitimate parties.
- In a juice jacking attack, an infected USB (universal serial bus) charging station/port can be used to compromise devices connected to that port. This attack is common at public places such as airports and public transit where users may connect their devices to charge a device battery. When the device is plugged into a USB port, a perpetrator may have
Who is responsible for the classification of information assets? A. Business managers B. Security administrators C. Data custodian D. Asset owners
D. Asset owners CORRECT The correct answer is asset owners. Each information asset should be assigned an owner. The owner is an official with statutory or operational authority for specified information and responsibility for establishing the controls for its generation, collection, processing, dissemination, and disposal. The asset owner should determine the appropriate classification according to the organization's data classification policy. INCORRECT The other answer choices are incorrect. Business managers and security administrators can use data classification in their risk assessment process to determine the appropriate level of access to the information asset. A data custodian provides physical and logical access procedures, and implements security controls, and access safeguards.
The principle of least privilege refers to the security objective of granting users only those accesses they need to perform their job duties. Which of the following is a result of employees maintaining access rights for previously held positions? A. Users have little access to systems B. Users have significant access to systems C. Reauthorization when employees change positions D. Authorization creep
D. Authorization creep CORRECT The correct answer is "authorization creep." This occurs when employees continue to maintain access rights for previously held positions within an organization. This practice is inconsistent with the principle of least privilege. INCORRECT The other options are incorrect. Reauthorization when employees change positions, users having little access to systems, and users having significant access to systems are consistent with the principle of least privilege. -Reauthorization will eliminate authorization creep, and it does not matter how much users have access to the system if their access is based on the need to know. When users have little access to systems, it means granting access is based on a need-to-know basis. -Users have significant access to systems means that users have privileged (superuser) access to the system.
Which of the following types of penetration testing is the MOST expensive? A. Targeted testing B. Internal testing C. External testing D. Blind testing
D. Blind testing CORRECT The correct answer is "blind testing." In blind testing, the tester has very limited or no knowledge at all about the target system. Testing is usually expensive because the tester has to research the target system based on publicly available information before any testing can begin. INCORRECT The other answer choices are incorrect: targeted, internal, and external testing are less expensive than blind testing because the tester starts with some knowledge of, or access to, the target environment.
Which of the following controls would an IS auditor look for in an environment where duties cannot be appropriately segregated? A. Overlapping controls B. Boundary controls C. Access controls D. Compensating controls
D. Compensating controls REASON: D- Compensating controls are internal controls that are intended to reduce the risk of an existing or potential control weakness that may arise when duties cannot be appropriately segregated. NOT A- Overlapping controls are two controls addressing the same control objective or exposure. Because primary controls cannot be achieved when duties cannot or are not segregated, it is difficult to install overlapping controls NOT B- Boundary controls establish the interface between the would-be user of a computer system and the computer system itself and are individual-based, not role-based controls NOT C- Access controls for resources are based on individuals and not on roles. For lack of segregation of duties, the IS auditor expects to find a person has higher levels of access than are ideal. The IS auditor wants to find compensating controls to address this risk.
For a retail business with a large volume of transactions, which of the following audit techniques is the MOST appropriate for addressing emerging risk? Select an answer: A. Use of computer-assisted audit techniques (CAATs) B. Quarterly risk assessments C. Sampling of transaction logs D. Continuous auditing
D. Continuous auditing REASON- The implementation of continuous auditing enables a real-time feed of information to management through automated reporting processes, so that management may implement corrective actions more quickly.
Which of the following is most effective for encrypting data on mobile devices? A. Blowfish algorithm B. Data encryption standard C. Advanced encryption standard D. Elliptic curve cryptography
D. Elliptic curve cryptography Elliptic-curve cryptography (ECC) is correct. ECC requires significantly shorter keys for an equivalent level of security, and therefore less processing power and bandwidth, which makes it suitable for encrypting data on mobile devices. INCORRECT -The data encryption standard (DES) uses less processing power than the advanced encryption standard (AES), but ECC is an asymmetric algorithm and is most effective for a mobile device. -The advanced encryption standard (AES) is a symmetric algorithm and has the problem of key management and distribution. -The Blowfish algorithm consumes too much processing power. Blowfish is an encryption algorithm that can be used as a replacement for the DES algorithm or IDEA (International Data Encryption Algorithm).
Sally, an accounting analyst, has just received an email from the IT team requesting her user credentials. What is this attack technique called? A. Email spamming B. Man-in-the-middle attack (MITM) C. Eavesdropping D. Email spoofing
D. Email spoofing The correct answer is "email spoofing." Spoofing is when a perpetrator pretends to be someone else. Perpetrators spoof the email address in the "From" field of the message to make an email appear as coming from another source. INCORRECT Email spamming involves sending junk email messages to several users to receive a response (which may disclose sensitive company information).
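The header inconsistencies an analyst looks for in a spoofed message, as an added example that is not part of the original question set. The two messages are constructed; the checks (envelope sender vs. header From, Reply-To redirection, last-hop relay outside the claimed domain, a body asking for credentials) are the manual indicators, not a replacement for SPF/DKIM/DMARC results.

```python
"""Added example: flag simple email-spoofing indicators in a raw message.

Not part of the original question set; both messages below are constructed.
Real mail systems rely on SPF/DKIM/DMARC verdicts; this only inspects header
consistency, which is what a user or analyst can check by eye.
"""
from email import policy
from email.parser import Parser
from email.utils import parseaddr

# Constructed sample: claims to be from the internal IT team, but the
# envelope sender, Reply-To and relaying host all point elsewhere.
SAMPLE_SPOOFED = """\
Return-Path: <bounce@mail-relay-example.net>
Received: from mail-relay-example.net (mail-relay-example.net [203.0.113.7])
\tby mx.example.com with ESMTP id 1234; Mon, 1 Jan 2024 09:00:00 +0000
From: IT Team <it-support@example.com>
Reply-To: it-helpdesk@example-logins.net
To: sally@example.com
Subject: Action required: confirm your credentials

Please reply with your user ID and password so we can re-enable your account.
"""

# Constructed sample: internally consistent message from the real IT team.
SAMPLE_LEGIT = """\
Return-Path: <it-support@example.com>
Received: from smtp.example.com (smtp.example.com [192.0.2.10])
\tby mx.example.com with ESMTP id 5678; Mon, 1 Jan 2024 09:00:00 +0000
From: IT Team <it-support@example.com>
To: sally@example.com
Subject: Scheduled maintenance

Email will be unavailable Saturday 02:00-04:00 UTC.
"""


def _domain(addr: str) -> str:
    """Return the lowercase domain part of an address, '' if none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def spoof_indicators(raw: str) -> list[str]:
    """Return a list of header inconsistencies that suggest spoofing."""
    msg = Parser(policy=policy.default).parsestr(raw)
    findings = []
    from_dom = _domain(parseaddr(str(msg.get("From", "")))[1])

    # 1. Envelope sender (Return-Path) disagrees with the header From.
    rp_dom = _domain(parseaddr(str(msg.get("Return-Path", "")))[1])
    if rp_dom and rp_dom != from_dom:
        findings.append(f"Return-Path domain {rp_dom} != From domain {from_dom}")

    # 2. Reply-To sends the victim's answer to a different domain.
    reply_dom = _domain(parseaddr(str(msg.get("Reply-To", "")))[1])
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} != From domain {from_dom}")

    # 3. The last-hop relay (topmost Received header) is outside the From domain.
    received = msg.get_all("Received") or []
    if received:
        relay = str(received[0]).split()[1].lower()  # "from <host> (...) by ..."
        if not relay.endswith(from_dom):
            findings.append(f"relay {relay} is outside {from_dom}")

    # 4. The body asks for credentials, the lure used in the question.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body else ""
    if "password" in text or "credentials" in text:
        findings.append("message requests credentials")
    return findings


if __name__ == "__main__":
    for name, sample in (("spoofed", SAMPLE_SPOOFED), ("legit", SAMPLE_LEGIT)):
        print(name, spoof_indicators(sample))
```

Each indicator alone is circumstantial (mailing-list relays legitimately differ from the From domain, for instance); the value is in several disagreeing at once, which is exactly the pattern of the message Sally received.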
Ian, an IS auditor, is reviewing the results of a recent fire drill. Which of the following is the MOST significant concern regarding physical and environmental security controls? A. Elevators were not operating during the drill. B. Employees on vacations were not involved in the drill. C. Fire extinguishers were not placed in all sections of the building. D. Emergency exits were not appropriately marked across the facility.
D. Emergency exits were not appropriately marked across the facility. The correct answer is "emergency exits were not appropriately marked across the facility." The most important concern is with saving human life during an evacuation, and therefore emergency exits should be marked across the facility to facilitate swift evacuation from the facility.
Which of the following login procedures provides the strongest security control when using a smart card with a template? A. Transmitting a positive response to the workstation in place of the cryptographic handshake B. Cryptographic handshake after successful comparison with the workstation C. Transmitting a negative response to the workstation in place of the cryptographic handshake D. Encrypting the current date and time and transmitting this value to the workstation
D. Encrypting the current date and time and transmitting this value to the workstation The correct answer is "encrypting the current date and time and transmitting this value to the workstation." No two encryptions contain the same date and time, so replay attempts can be easily detected. When a user wishes to log onto the system, they insert their smart card into a reader/writer attached to a workstation. The user then provides a live fingerprint scan through the scanning mechanism built into the reader/writer. The reader/writer sends the live scan to the smart card, which compares it to the template stored during enrollment. If the comparison is successful, the smart card engages the workstation in a cryptographic handshake, using the key it shares with the workstation. INCORRECT The other answer choices are incorrect: The cryptographic handshake occurs after successful comparison with the template, so it is not itself the strongest control. An alternative to the cryptographic handshake would be for the card to transmit a straightforward positive signal to the workstation. However, if the smart card transmitted a simple positive/negative response to the workstation in place of the cryptographic handshake, an attacker who captured that response could replay it and gain unauthorized access to the system.
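Why the time-stamped value resists replay while a bare positive signal does not, as an added example that is not part of the original question set. It assumes the card and workstation share a symmetric key, and uses an HMAC tag over the timestamp in place of the encryption the explanation describes, since the property the workstation needs is that the value is authentic and fresh; timestamps are passed in explicitly so the run is deterministic.

```python
"""Added example (not from the original question set): an authenticated,
time-stamped card response versus a replayable positive signal.

Assumptions: card and workstation share SHARED_KEY (a constructed demo
secret); an HMAC tag stands in for the encryption the text describes.
"""
import hashlib
import hmac
import struct

SHARED_KEY = b"card-workstation-demo-key"   # constructed demo secret
FRESHNESS_WINDOW = 30                       # seconds the workstation tolerates


def card_response(key: bytes, now: int) -> bytes:
    """Card side: bind the current time to the shared key."""
    ts = struct.pack(">Q", now)
    tag = hmac.new(key, ts, hashlib.sha256).digest()
    return ts + tag


class Workstation:
    """Workstation side: accept a response only if it is authentic, fresh,
    and has never been presented before."""

    def __init__(self, key: bytes):
        self.key = key
        self.seen: set[bytes] = set()

    def accept(self, response: bytes, now: int) -> bool:
        if len(response) != 8 + 32:
            return False
        ts, tag = response[:8], response[8:]
        expected = hmac.new(self.key, ts, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False                   # forged or tampered
        (sent,) = struct.unpack(">Q", ts)
        if abs(now - sent) > FRESHNESS_WINDOW:
            return False                   # stale: outside the window
        if response in self.seen:
            return False                   # replay of a captured value
        self.seen.add(response)
        return True


def accept_bare_signal(signal: bytes) -> bool:
    """The weak alternative from the question: a plain positive signal.
    Whoever captured it once can present it again, and it is accepted."""
    return signal == b"OK"


def demo() -> dict:
    """Run the scenarios and report which responses the workstation accepts."""
    ws = Workstation(SHARED_KEY)
    t0 = 1_700_000_000                     # fixed 'now' for reproducibility
    genuine = card_response(SHARED_KEY, t0)
    return {
        "first_use": ws.accept(genuine, t0 + 2),
        "replay": ws.accept(genuine, t0 + 5),
        "stale": ws.accept(card_response(SHARED_KEY, t0 - 600), t0),
        "forged": ws.accept(card_response(b"wrong-key", t0), t0),
        "bare_signal_replay": accept_bare_signal(b"OK") and accept_bare_signal(b"OK"),
    }


if __name__ == "__main__":
    for scenario, accepted in demo().items():
        print(f"{scenario:20s} accepted={accepted}")
```

The seen-set is what turns a timestamp into a replay detector within the freshness window; without it, a response captured seconds earlier would still be "fresh". A real card would use a clock and a proper authenticated encryption, but the two checks (tag, then freshness and uniqueness) are the same.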
A server administrator noticed an IP address transmitting suspicious data into the network and contacted the incident response team. The incident response team immediately rebooted the web server to stop the attack. What should the incident response team have done before they rebooted the web server? A. Contact the local regulatory body to inform them of the attack. B. Notify potentially impacted customers. C. Loop in key stakeholders in the organization. D. Gather the required evidence.
D. Gather the required evidence. The correct answer is "gather the required evidence." Gathering evidence and storing it in a secure place is critical to prosecuting the perpetrator. Rebooting the server destroyed volatile evidence (memory contents, running processes, active network connections), and hence it will be difficult to prosecute the perpetrator in a court of law. The other answer choices are INCORRECT. -The local regulatory authority, customers, and stakeholders can be informed of the incident once the incident has been contained, evidence has been gathered, and the incident does not pose any further threat to the organization.
which of the following is the MOST critical step when planning an IS audit? A. Review findings from prior audits B. Executive managements approval of the audit plan C. Review information security policies and procedures D. Perform a risk assessment
D. Perform a risk assessment REASON D- Of all steps listed, performing a risk assessment is the most critical.
Jack is a college dropout who is looking for passwords without the assistance of a software program or tool. Which of the following techniques should Jack use? A. War dialing B. Eavesdropping C. Alteration attack D. Social engineering
D. Social engineering The correct answer is "social engineering." Social engineering uses persuasion and/or deception to gain access to IT systems. It is typically implemented through human interaction over the phone or by email. Examples of social engineering include impersonation through a telephone call or email, dumpster diving, and shoulder surfing. The best way to prevent and defend against social engineering attacks is to implement a robust security awareness program to ensure staff are educated about social engineering attacks. INCORRECT The other answer choices are incorrect as they require the use of a computer software or tool: Eavesdropping is a passive attack whereby an intruder taps into communication traffic to acquire sensitive data (e.g., credit card numbers). An alteration attack occurs when a program code is altered without authorization, hence impacting the code integrity. The war dialing technique involves dialing all possible telephone numbers in a particular area code to locate active modems and computers. Perpetrators use war dialing for various reasons, including guessing user IDs by listening to voicemail greetings or finding modems that potentially help access an IT network.
Which of the following statements does NOT correctly describe the certificate authority (CA)? A. The CA is used to authenticate the digital identities of the users and/or machines. B. The CA uses its own private key to sign the public keys. C. The primary role of the CA is to digitally sign and publish the public key bound to a given organization. D. The CA uses its own public key to sign the private keys.
D. The CA uses its own public key to sign the private keys. The correct answer is "the CA uses its own public key to sign the private keys." The CA signs public keys (and the certificates that bind them to an identity) with its own private key; anyone holding the CA's public key can then verify the signature. Private keys are never sent to or signed by the CA.
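The two key-selection rules above (encrypt to a recipient with the recipient's public key; a CA signs with its own private key) worked through in textbook RSA, as an added example that is not part of the original question set. It uses fixed Mersenne primes so the run is reproducible, no padding, and tiny moduli; real deployments use OAEP/PSS padding and 2048-bit or larger keys, or ECC. The party names and the certificate body format are assumptions for the demonstration.

```python
"""Added example, not from the original question set: textbook RSA used to
show (1) why Jack encrypts to Alice with Alice's public key and (2) why a
CA signs with its own private key.  Toy parameters only: no padding, tiny
moduli; real systems use OAEP/PSS padding and 2048-bit or larger keys.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class PublicKey:
    n: int
    e: int


@dataclass(frozen=True)
class PrivateKey:
    n: int
    d: int


def make_keypair(p: int, q: int, e: int = 65537) -> tuple[PublicKey, PrivateKey]:
    """Derive an RSA key pair from two primes (no primality check: toy)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)                   # modular inverse, Python 3.8+
    return PublicKey(n, e), PrivateKey(n, d)


def encrypt(pub: PublicKey, msg: bytes) -> int:
    """Encrypt to the holder of pub; only the matching private key decrypts."""
    m = int.from_bytes(msg, "big")
    if m >= pub.n:
        raise ValueError("message too long for this toy modulus")
    return pow(m, pub.e, pub.n)


def decrypt(priv: PrivateKey, c: int) -> bytes:
    m = pow(c, priv.d, priv.n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def sign(priv: PrivateKey, data: bytes) -> int:
    """Sign a hash of data with the signer's PRIVATE key."""
    h = int.from_bytes(hashlib.sha256(data).digest(), "big") % priv.n
    return pow(h, priv.d, priv.n)


def verify(pub: PublicKey, data: bytes, sig: int) -> bool:
    """Anyone with the signer's PUBLIC key can check the signature."""
    h = int.from_bytes(hashlib.sha256(data).digest(), "big") % pub.n
    return pow(sig, pub.e, pub.n) == h


def demo() -> dict:
    # Distinct Mersenne primes per party so no modulus or factor is shared.
    alice_pub, alice_priv = make_keypair(2**31 - 1, 2**61 - 1)
    jack_pub, jack_priv = make_keypair(2**89 - 1, 2**13 - 1)
    ca_pub, ca_priv = make_keypair(2**107 - 1, 2**127 - 1)

    msg = b"meet at 9"
    # Correct choice: Jack encrypts with Alice's public key.
    c = encrypt(alice_pub, msg)

    # Wrong choice: "encrypting" with Jack's private key.  Everyone holds
    # Jack's public key, so everyone can undo it: no confidentiality.
    c_bad = pow(int.from_bytes(msg, "big"), jack_priv.d, jack_priv.n)
    exposed = pow(c_bad, jack_pub.e, jack_pub.n).to_bytes(len(msg), "big")

    # CA binds Alice's public key to her name by signing with the CA's
    # private key; relying parties verify with the CA's public key.
    cert_body = f"CN=alice;n={alice_pub.n};e={alice_pub.e}".encode()
    sig = sign(ca_priv, cert_body)
    tampered = cert_body.replace(b"CN=alice", b"CN=mallory")

    return {
        "alice_decrypts": decrypt(alice_priv, c) == msg,
        "jack_private_key_hides_nothing": exposed == msg,
        "cert_verifies": verify(ca_pub, cert_body, sig),
        "tampered_cert_rejected": not verify(ca_pub, tampered, sig),
        "wrong_ca_key_rejected": not verify(alice_pub, cert_body, sig),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check:32s} {ok}")
```

The same exponentiation serves both operations; what differs is which key is applied and by whom. Applying a private key makes a value anyone can check (a signature), applying a public key makes a value only one party can undo (an encryption), which is why the options that swap them fail.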
A financial services company grants individual access cards to its employees to enter and exit the office facility. Which of the following is the MAJOR risk with this control? A. Unauthorized individuals may duplicate the access card and gain access to the facility. B. Employees may lose their access cards. C. In case of a fire hazard, the evacuation process will be very slow as each employee needs to tap their card to exit the door. D. Unauthorized individuals may follow behind the employee and gain access to the facility.
D. Unauthorized individuals may follow behind the employee and gain access to the facility. CORRECT ANSWER: The correct answer is "unauthorized individuals may follow behind the employee and gain access to the facility." Physical piggybacking (tailgating) is a significant problem when access cards are used to enter the building. Employees should be educated from time to time to be alert to individuals piggybacking into the facility. INCORRECT ANSWER: The answer choice "in case of a fire hazard, the evacuation process will be prolonged as each employee needs to tap their card to exit the door" is incorrect. In cases of emergency, all doors must be set to open without the need for an access card. The answer choice "unauthorized individuals may duplicate the access card and gain access to the facility" is incorrect. Usually, duplicating access cards is challenging and therefore is not a significant risk associated with the use of access cards. The answer choice "employees may lose their access cards" is incorrect. While this may be an inconvenience to employees, a replacement card can be provided to the employee. Employees must be educated to protect their access cards and, in the event of a lost access card, to immediately report it to the appropriate team so that the lost access card can be deactivated.
Which of the following is the PRIMARY risk when a "backdoor" is installed in a software vendor product? A. The vendor may disconnect software, leaving the client unable to use the software. B. Remote maintenance C. Remote monitoring D. Unauthorized user entry
D. Unauthorized user entry The correct answer is "unauthorized user entry." Some vendors may install a "backdoor" or "trapdoor" entry for remote monitoring and maintenance purposes. The backdoor provides a convenient approach to the vendor to solve operational problems. However, the backdoor is a wide-open door for hackers. Additionally, the vendor may modify the software without the client organization's knowledge or permission. INCORRECT -Remote monitoring and remote maintenance are part of the vendor's activities to help the client operate the software smoothly and resolve software issues. -The vendor may disconnect software, leaving the client unable to use the software: While this is a concern for the client using the software, this may be required as a penalty for nonpayment or disputes in payment.
Which of the following controls is best suited for a user to establish a secure intranet connection over the internet? A. Install encrypted routers B. Implement password controls to the private web server C. Install encrypted firewalls D. Use virtual private network (VPN) software
D. Use virtual private network (VPN) software The correct answer is "use virtual private network (VPN) software." VPN software provides an encrypted connection across the internet and can also provide other controls such as preventing other connections while VPN is active. VPNs can also provide flexible solutions, such as securing communications between remote telecommuters and the organizations' servers, regardless of where the telecommuters are located. A VPN can even be established within a single network to protect particularly sensitive communications from other parties on the same network. INCORRECT The other answer choices are incorrect: Encrypted firewalls and encrypted routers are effective controls, but these are not the best controls to establish a secure internet connection. Private tunnels can be created over the internet using encryption devices, encrypting firewalls, or encrypting routers. Implementing password controls to the private web server for each user is a weak control because password administration would be difficult, if not an impossible task. Group passwords would not be effective either.
When granting temporary access to a third party, which of the following is the MOST effective control? A. Once the services are delivered, user IDs are deleted. B. Third-party access commensurate to the service-level agreement C Administrator access is granted for a temporary period. D. User accounts are based on requested services and created with expiration dates.
D. User accounts are based on requested services and created with expiration dates. The correct answer is "user accounts are based on requested services and created with expiration dates." Temporary access should be granted based on the services to be provided, and an expiration date associated with each unique ID ensures that the access lapses automatically even if nobody remembers to remove it. That combination is the most effective control.
David is an IS auditor who discovers that the password control configuration is more rigorous for business users than IT administrators. Which of the following is the IMMEDIATE action for David to take? A. Document the discovery as an exception in the audit report. B. Recommend that all password configuration settings be identical. C. Recommend that logs of IT administrator access are reviewed regularly. D. Validate whether this is a policy violation.
D. Validate whether this is a policy violation. The correct answer is to validate whether this is a policy violation. David needs to validate whether the approved policy was followed and appropriate approvals were granted in this situation, and he should also document his observation.
A long-term IT employee with strong technical background and broad managerial experience has applied for a vacant position in the IS audit dept. Determining whether to hire this individual for this position should be PRIMARILY based on the individual's experience and: A. length of service, because this will help ensure technical competence B. age, because traning in audit technique may be impractical C. IT knowledge, because this will bring enhanced credibility to audit function D. ability, as an IS auditor, to be independent of existing IT relationship
D. ability, as an IS auditor, to be independent of existing IT relationship REASON D- Independence should be assessed by the auditor and management. This assessment should consider such factors as changes in personal relationships, financial interests, and prior job assignments and responsibilities.
An audit charter should: A. be dynamic and change often to coincide with the changing nature of technology and the audit profession. B. clearly state audit objectives for, and the delegation of, authority to the maintenance and review of internal controls. C. document the audit procedures designed to achieve the planned audit objectives. D. outline the overall authority, scope and responsibilities of the audit function.
D. outline the overall authority, scope and responsibilities of the audit function. REASON D- An audit charter should state management's objectives for, and delegation of authority to, the IS audit function. NOT A- The audit charter is not subject to frequent change. NOT B- The charter does not cover the maintenance and review of internal controls. NOT C- The charter does not include specific audit procedures.
Which of the following is a prerequisite to data classification? a. Having in-house data classification experts b. Notifying affected customers c. Identifying all information assets and creating a complete inventory of such assets d. None of the answer choices are correct.
c. Identifying all information assets and creating a complete inventory of such assets The correct answer is "identifying all information assets and creating a complete inventory of such assets." Before an organization can begin the data classification process, an inventory of all assets needs to be created.
Which of the following is the BEST factor for determining the required extent of data collection during the planning phase of an IS compliance audit? a. Complexity of the org. operation b. Findings and issues noted from prior year c. Purpose, objective and scope of audit d. Auditor's familiarity with the org.
c. Purpose, objective and scope of audit Reason: The extent to which data will be collected during an IS audit is related directly to the purpose, objective and scope of the audit. An audit with a narrow purpose and limited objective and scope is most likely to result in less data collection than an audit with a wider purpose and scope. Statistical analysis may also determine the extent of data collection, such as sample size or means of data collection. NOT REASON: The complexity of the organization is a factor in planning but does not determine how much data to collect. Prior findings and issues are factors but do not determine how data is collected. The auditor's familiarity with the organization is a factor in planning but does not determine how much data is collected.
The internal audit dept. wrote some scripts that are used for continuous auditing of some information systems. The IT dept. asked for copies of the scripts so that they can use them for setting up a continuous monitoring process on key systems. Does sharing these scripts with IT affect the ability of the IS auditors to independently and objectively audit the IT functions? a. sharing scripts is not permitted because it gives IT the ability to pre-audit systems and avoid an accurate comprehensive audit. b. sharing scripts is required because IT must have the ability to review all programs and software that run on IS systems regardless of audit independence c. sharing the scripts is permissible if IT recognizes that audit may still be conducted in areas not covered in the scripts d. sharing scripts is not permitted because the IS auditors who wrote the scripts would not be permitted to audit any IS systems where the scripts are being u
c. sharing the scripts is permissible if IT recognizes that audit may still be conducted in areas not covered in the scripts IS audit can still review all aspects of the system. They may not be able to review the effectiveness of the scripts, but they can still audit the systems.