MCQ 5-Protection of Information Assets


The greatest advantage of the SSO process is: A. Administrative convenience for password management. B. Helps to avoid a single point of failure scenario. C. Support of all major operating system environments is easy. D. Helps to control network traffic.

A. Administrative convenience for password management Explanation: SSO makes it easy and convenient to manage passwords. However, it acts as a single point of failure, and it is difficult to support all major operating system environments. SSO does not impact or control network traffic.

The prime objective of installing mantrap controlling access is to: A. Prevent tailgating. B. Prevent water leakage. C. Control fire. D. Prevent computer damage.

A. Prevent tailgating. Explanation: A mantrap door is also known as a deadman door or an airlock entrance. It uses two doors; for the second door to open, the first door must be closed and locked. Only one person is permitted in the gap between the first door and the second door. This reduces the risk of piggybacking or tailgating, wherein an unauthorized person follows an authorized person through a secured entry.

Which of the following is most important when reviewing system controls? A. Security and performance parameters are considered. B. The capturing of changes in logs. C. The availability of a change authorization process. D. Access to system parameters is restricted.

A. Security and performance parameters are considered. Explanation: The most important aspect when reviewing system controls is the consideration of the security and performance parameters. This helps to ensure that the control objectives are aligned with the business objectives. The other options are not as significant as the alignment of the security and performance parameters.

Which of the following will be in the scope of an IS auditor reviewing general operating system access control functions? A. The process of logging and monitoring user activities B. The process of logging data communication access activities C. The process of authorization of a user at the field level D. The process of the modification of data files

A. The process of logging and monitoring user activities Explanation: General operating system access control functions include logging user activities, logging events, and so on. Choice B is a network control feature. Choices C and D are database- and/or application-level access control functions.

What is the risk associated with the use of an access card for entering a computer room? A. The risk of an unauthorized person entering behind the authorized person B. The risk of using duplicated access cards C. The risk of the absence of an audit trail D. The risk of delay in deactivating the access of a terminated employee

A. The risk of an unauthorized person entering behind the authorized person Explanation: The risk associated with the use of an access card for entering a computer room is the risk of tailgating or piggybacking. Duplicating an access card is not an easy task. Access logs can be captured as the audit trail. Proper access control life cycle management ensures that access rights are timely terminated.

The availability of printing options for all users increases: A. The risk of data confidentiality B. The risk of data integrity C. The risk of data availability D. The risk of reduced productivity

A. The risk of data confidentiality Explanation: It is difficult to control the printing of confidential documents. The availability of printing options increases the risk of confidentiality.

Which of the following is the most important concern for an access card entry system? A. The use of a shared access card by cleaning staff. B. The access card does not contain a label with the organization's name and address. C. Card issuance and card reconciliation are managed by different departments. D. Logs of access are not reviewed on a daily basis.

A. The use of a shared access card by cleaning staff Explanation: Accountability cannot be established in the case of the issuance of a non-personalized access card. This is the greatest concern. As good practice, access cards should not contain details of the organization to prevent unauthorized use by intruders. Segregation of duties for card issuance and reconciliation is a good practice. Logs may not be required to be reviewed on a daily basis.

Which of the following is regarded as the first step in installing a firewall in a large organization? A. To develop a security policy B. To develop an access control list C. To analyze firewall functionality D. To configure the firewall settings

A. To develop a security policy. Explanation: The first step in installing a firewall is to design and develop an information security policy. On the basis of the approved information security policy, the other options can be considered.

Which of the following is the greatest concern for an IS auditor reviewing the fire safety arrangements of an organization? A. The use of a wet pipe-based fire extinguisher in the computer room B. The use of a carbon dioxide-based fire extinguisher in the processing facility C. The use of handheld fire extinguishers in the board room D. Smoke detector not tested every month

B. The use of a carbon dioxide-based fire extinguisher in the processing facility Explanation: Carbon dioxide-based extinguishers should not be used where people are present. CO2 reduces the oxygen level in the area and hence poses a risk to humans. The other options are not as significant as the use of CO2.

Which of the following is a prime objective for an IS auditor reviewing logical access control? A. To ensure the effectiveness of access control software B. To ensure that access is granted as per an approved process C. To ensure the protection of computer software D. To ensure the protection of computer hardware

B. To ensure that access is granted as per an approved process Explanation: The objective of the IS auditor reviewing logical access control is to determine whether access is granted as per an approved process. The effectiveness of access control software and the protection of computer software relates to procedures of a logical access control review, rather than objectives. The protection of computer hardware is relevant to a physical access control review.

To determine whether an organization has complied with a privacy requirement, the IS auditor should first: A. Review the IT architecture. B. Review the standard operating procedure for IT processes. C. Review the legal and regulatory requirements. D. Review the risk register.

C. Review the legal and regulatory requirements. Explanation: The first step for an IS auditor is to review the legal and regulatory requirements applicable to the organization. On the basis of that, the IS auditor can determine compliance by reviewing the processes.

Which of the following best ensures compliance with a password policy? A. A simple version of a password policy B. A user-friendly password policy C. The implementation of an automated password management tool D. Security awareness training for the users

C. The implementation of an automated password management tool Explanation: An automated password management tool will ensure that password complexity is defined as per the approved policy. It will prevent the use of passwords that are not allowed as per the policy. It will also mandate compulsory password change at a defined frequency. The other options do not directly ensure compliance with the password policy.

Which of the following will not be in the scope of an IS auditor reviewing database-level access control functions? A. The monitoring of the database profile creation process B. The process for field-level authorization C. The process for determining individual accountability D. The process for logging and monitoring database-level activities

C. The process for determining individual accountability Explanation: Establishing individual accountability is the function of the general operating system. Creating database profiles, verifying user authorization at a field level, and logging database access activities for monitoring access violations are all database-level access control functions.

Which of the following is the most important concern for a badge entry access system? A. Security personnel are not monitoring the badge reader for any suspected tampering. B. Logs of access are not reviewed on a daily basis. C. The process for promptly disabling a lost or stolen badge is not followed. D. The backup frequency of logs is infrequent.

C. The process for promptly disabling a lost or stolen badge is not followed. Explanation: It is very important to immediately deactivate a badge that is lost or stolen. An unauthorized individual can enter the room using a stolen badge. The other options are not as significant as deactivating stolen or lost badges.

Which of the following firewalls provides the best protection to internet-based critical servers against hacking? A. A circuit gateway B. A packet filter C. An application gateway D. A stateful inspection

C. An application gateway. Explanation: An application-level firewall works on the concept of a bastion host and proxy server. It operates at the application layer of the OSI model. An application-level firewall is regarded as the most secure type of firewall. It permits or denies network traffic by analyzing each packet in detail at the application layer of the OSI model.

A firewall system with an enhanced degree of control is: A. a stateful gateway B. a packet gateway C. an application gateway D. a circuit gateway

C. An application gateway. Explanation: An application-level firewall works on the concept of a bastion host and proxy server. It operates at the application layer of the OSI model. An application-level firewall is regarded as the most secure type of firewall. Therefore, an application gateway works in a more detailed (granular) way than the others.

Which of the following firewalls will help in restricting the downloading of files through File Transfer Protocol? A. A router B. A packet filter C. An application gateway D. A stateful inspection

C. An application gateway. Explanation: An application-level firewall works on the concept of a bastion host and proxy server. It operates at the application layer of the OSI model. It controls applications such as FTP and HTTP. An application-level firewall is regarded as the most secure type of firewall.

A firewall is primarily installed with the objective of: A. connecting different networks B. preventing authorized users from accessing the LAN C. connecting authorized users to trusted network resources D. acting as a proxy server for improving the speed of access to authorized users

C. Connecting authorized users to trusted network resources. Explanation: The primary objective of a firewall is to allow only authorized use of the system and network and thereby restrict unauthorized access.

Which of the following is the most common error while implementing a firewall? A. Users are not trained in the rules of firewalls B. Improper due diligence for vendor selection C. Incorrect configuration of access lists D. Antivirus software is not updated on a frequent basis

C. Incorrect configuration of access lists. Explanation: It is very important to keep the access list current. This aspect is generally neglected and therefore has the greatest scope for errors at the time of initial installation. The other options do not directly impact firewall implementation.

Which of the following is regarded as a major concern when installing a firewall in a large organization? A. The adoption of an SSL B. The frequent updating of firewall rules on the basis of changing requirements C. Firewall monitoring is outsourced to a third-party service provider D. A firewall is placed on top of the commercial operating system with all installation options

D. A firewall is placed on top of the commercial operating system with all installation options. Explanation: Keeping all installation options open for a firewall is a major risk for the organization. Firewall security can be compromised in such a situation. The adoption of SSL is a good practice. Firewall rules should be changed as per business requirements.

Which of the following is the most important consideration while reviewing the implementation of a firewall? A. A documented information security policy B. A vendor supporting firewall implementation C. The effectiveness of the firewall in enforcing security policy D. Firewall algorithms

C. The effectiveness of the firewall in enforcing security policy. Explanation: The effectiveness of the firewall in supporting the information security policy is the most important factor. If the firewall is not aligned with the IS policy, the other factors will not have an impact. A documented IS policy is important, but if the firewall does not support its enforcement, then the policy is of little value.

The best auditing procedure for ascertaining correct firewall configuration is: A. to review logs of failed attempts B. to review the approved access control list C. to review firewall change management policy D. to review parameter settings

D. To review parameter settings. Explanation: The best audit procedure for ascertaining correct firewall configuration is to review parameter settings. This will help to determine whether the approved configurations as per the security policy have actually been implemented. The other options do not provide strong auditing evidence as compared with a review of parameter settings.

Which of the following is considered the most effective access control mechanism? A. A fingerprint scanner B. A password C. A cipher lock D. An electronic access card

A. A fingerprint scanner Explanation: Among all the options, the most reliable control can be considered the fingerprint scanner. The fingerprint is a biometric control that is very difficult to break. A fingerprint is hard to duplicate, easy to deactivate, and individually identifiable. Since no two fingerprints are alike (unless in very rare cases), identification and verification can be done with confidence. The other options are not as strong as a fingerprint scanner.

An attack in which the attacker attempts to reproduce the characteristics of a genuine biometric user is known as: A. A mimic attack B. A cryptographic attack C. A replay attack D. A brute-force attack

A. A mimic attack Explanation: In a mimic attack, the attacker attempts to reproduce fake biometric features of a genuine biometric user. For example, imitating the voice of an enrolled user.

The most effective method to prevent unauthorized access to an unattended end user PC is: A. A password-protected screensaver B. Automatically switching off the monitor when there is no activity C. CCTV surveillance D. To terminate a session at specified intervals.

A. A password-protected screensaver Explanation: A password-protected screensaver with a proper time interval is the best way to prevent unauthorized access to unattended PCs. A user should lock their PC when it is not being used. Switching off the PC will not serve the same purpose, as it can be switched on by anyone. CCTV cameras are a detective control and will not prevent unauthorized access. Terminating a session at a specified interval may not serve this purpose: if the screen is not locked, then anyone can access the system within the specified interval.

Two-factor authentication is a combination of: A. A smart card and PIN B. Fingerprint scan and iris scan C. PIN and password D. Magnetic card and badge card

A. A smart card and PIN Explanation: Two-factor authentication means the use of two authentication methods from the following:

- Something you know (for example, a password, PIN, or some other personal information)
- Something you have (for example, a token, OTP, smart card, or badge card)
- Something you are (for example, biometric features, such as fingerprint, iris scan, or voice recognition)

Except for a smart card and PIN, all the other options combine two methods of the same authentication type.

A default deny access control policy: A. Allows approved traffic and rejects all other traffic B. Denies specific traffic and allows all other traffic C. Is used for allowing access from a trusted network to a protected system D. Allows traffic as per the discretion of the network administrator

A. Allows approved traffic and rejects all other traffic Explanation: An organization can either have a default deny access control policy or an allow all access control policy. In a default deny policy, all the traffic is denied except predefined approved traffic. In an allow all policy, all traffic is allowed except predefined restricted traffic. Default deny is more prevalent where traffic is from an untrusted source to access a protected system. Allow all is more prevalent where traffic is from trusted sources to access an external system, such as the internet.

An organization proposes to use its existing client database to promote its new range of products. Which of the following is an area of concern for an IS auditor? A. Are there any data privacy concerns about this process? B. Whether the existing client database is updated C. Does this comply with the organization's promotional policy? D. Whether the client database is appropriately secured against unauthorized access

A. Are there any data privacy concerns about this process? Explanation: It is very important to ensure that the applicable data privacy laws are adhered to. For example, one of the privacy principles requires organizations to use client data only for the purpose for which it was collected. The IS auditor should ensure that consent has been obtained from the clients for the use of their data for promotional activities.

The best method to provide access to a user is: A. Authorization for access from the data owner and implementation of user authorization tables by the administrator. B. Joint authorization by the data owner and system administrator. C. Joint creation and update of user authorization tables by the data owner and system administrator. D. The data owner creates and updates the user authorization tables.

A. Authorization for access from the data owner and implementation of user authorization tables by the administrator Explanation: It is the accountability and responsibility of the data owner for approving the access rights to the user. Once the user is approved, system administrators should then implement or update user authorization tables.

Which of the following increases the effectiveness of DAC? A. DAC is aligned in accordance with MAC. B. DAC is kept independent of MAC. C. DAC allows users to bypass MAC as per the requirements. D. DAC is approved by the IS policy.

A. DAC is aligned in accordance with MAC. Explanation: MAC rules are governed by an approved policy. Users or data owners cannot modify the access role, whereas DAC can be activated or modified by the data owner as per their discretion. For DACs to be more effective, they have to be designed in accordance with MACs.

The objective of raising the floor in a computer room is to prevent: A. Damage to the cables of computers and servers B. Power failure C. Damage from an earthquake D. Damage from a tsunami

A. Damage to the cables of computers and servers Explanation: The floor is raised to accommodate the ventilation system, power, and data cables underneath the floor. This provides the safety of the cables, which otherwise would pose a large risk if kept on an open floor. A raised floor may not directly address the other options.

Which of the following is considered the most secure method of removing confidential data from computer storage? A. Demagnetization of computer storage B. Formatting computer storage C. Deletion of data on computer storage D. Defragmentation of data on computer storage

A. Demagnetization of computer storage Explanation: The right kind of formatting is very critical to ensure that residual data on media cannot be recovered by an unauthorized person. To the greatest extent possible, the media should be physically destroyed in such a way that it cannot be reused. However, it may not be economical to destroy the media, and hence, in these cases, extreme care should be taken to completely erase the data so that it cannot be recovered by any tool or technique. One of these methods is to demagnetize the media. This process involves increasing the alternating current field gradually from 0 to some maximum value and back to 0, leaving a very low residue of magnetic induction on the media. This process of demagnetization is also known as degaussing.

Which of the following is considered a major risk of the absence of an authorization process? A. Difficult to control role-based access. B. Multiple users can log on as a specific user. C. User accounts can be shared. D. Need-to-know basis access can be assured.

A. Difficult to control role-based access Explanation: In the absence of an authorization process, it will be impossible to establish and provide role-based access. The risk of many users claiming to be a specific user is better addressed by a proper authentication process, rather than authorization. This will not directly impact the sharing of user accounts. In the absence of a proper authorization process, the principle of need-to-know cannot be established.

Need-to-know access control can be best ensured by: A. Implementing application-level access control B. Encrypting databases C. Enabling HTTPS control D. Deploying network monitoring control

A. Implementing application-level access control Explanation: Application-level access control helps to limit access to an application as per the functionality required by users to perform their jobs. They will not be able to access any other functionality of the application. The other options will not serve this purpose.

Which of the following is a major risk of SSO? A. It has a single authentication point. B. It represents only a single point of failure. C. It causes administrative inconvenience. D. It causes user inconvenience.

A. It has a single authentication point. Explanation: SSO is a user authentication service that permits a user to use one set of login credentials (for example, a name and password) to access multiple applications. This increases the risk of a single point of failure due to having only one authentication for multiple systems. However, failure can also be due to any other reason. Failure can occur at multiple points in resources, such as the data, process, or network. So, a more specific answer to this question is it has only a single authentication point.

Which of the following is a major concern for an IS auditor reviewing the general IT controls of an organization? A. No restriction for connecting external laptops to the network. B. Multi-factor authentication for user access. C. Standalone terminals are placed at an insecure location. D. The organization takes more than 1 month to close the audit findings.

A. No restriction for connecting external laptops to the network Explanation: A major concern is about unrestricted LAN connection for external laptops. Intruders can connect to the network and, using various tools and techniques, may be able to create serious damage to the IS resources. The other options are not as significant as an unrestricted LAN connection.

The most effective control to protect against a high-voltage power burst is: A. Surge devices B. Alternative power supplies C. A power line conditioner D. An uninterruptible power supply

A. Surge devices Explanation: Surge and spike devices help to protect against high-voltage power bursts. An alternative power supply medium (such as a power generator) is most effective when there is long-term power unavailability. A power line conditioner is a device intended to improve the quality of power that is delivered to electric equipment. It compensates for the peaks and valleys in the power supply. When an electrical supply is low, it provides its own power and maintains a constant voltage.

Which of the following should be reviewed to determine the level of access available for different users? A. System file configuration B. Log files C. Job descriptions D. User access review

A. System file configuration Explanation: A review of the system configuration file will show the level of access available for different users. Both log files and user access reviews are detective in nature and may not reveal all the relevant details. Job descriptions of users will not provide details about the access level.

The effectiveness of a biometric system can be best measured by evaluating: A. The FAR B. The CER C. The staff enrolled rate D. The FRR

A. The FAR Explanation: FAR is the rate of acceptance of unauthorized persons; that is, the biometric control will allow unauthorized persons to access the system. In any given scenario, the most important performance indicator for a biometric system is the FAR. This is a fail-unsafe condition; that is, an unauthorized individual may be granted access. A low FAR is most desirable when the system is used to protect highly sensitive data.

Responsibility for granting access to data, with the help of the security officer, resides with: A. The data owners B. The system developer C. The library controller D. The system administrator

A. The data owners Explanation: It is the accountability and responsibility of the data owner for approving the access rights to the user.

Responsibility for reviewing users' access rights resides with: A. The data owners B. The IS auditor C. The library controller D. The security administrator

A. The data owners Explanation: It is the accountability and responsibility of the data owner for reviewing users' access rights.

The most effective control over visitor access to a data center is: A. To escort the visitors B. To issue a visitor's badge C. To frisk the visitor for storage media D. To maintain a visitor's register

A. To escort the visitors Explanation: It is best practice to escort visitors all the time in the data center. This will ensure that they strictly follow the rules of the data center. The other options are good practices but not as reliable as escorting the visitors.

Which of the following is the initial step for the classification of data? A. To establish data owners B. To conduct criticality analysis C. To determine an access control list D. To determine firewall rules

A. To establish data owners Explanation: Identification of the owner of data or an application is the first step in the classification of IS resources. The data owner is responsible for determining the criticality of the data and providing access control rules. Hence, the other options will follow once the data owner is established.

Which of the following is the first step in data classification? A. To establish ownership B. To conduct critical analysis. C. To develop an access matrix D. To tag classification nomenclature on assets

A. To establish ownership Explanation: Without the owner being defined, it is difficult to conduct criticality analysis or to develop an access matrix. Hence, establishing ownership is the first step in data classification.

A packet filtering firewall works at: A. the network layer of the OSI B. the data layer of the OSI C. the application layer of the OSI D. the session layer of the OSI

A. The network layer of the OSI. Explanation: The diagram shown in the chapter illustrates the types of firewall and their corresponding OSI layers.

Which of the following is a major concern for the use of CO2 and Halon gas as fire extinguishers? A. Both of the extinguishers have a limited life span. B. Both of the extinguishers are not suitable for computer equipment. C. Both of the extinguishers have a risk of suffocation when used in a closed room. D. Both of the extinguishers have a high maintenance cost.

C. Both of the extinguishers have a risk of suffocation when used in a closed room. Explanation: The protection of human life is a major element in any disaster planning. Both carbon dioxide and Halon gas reduce the oxygen in the atmosphere and thus are very dangerous for use in a closed room with employees working. In many countries, the use of Halon is prohibited.

An attack in which numerous biometric samples are sent to a biometric device is known as: A. A mimic attack B. A brute-force attack C. A cryptographic attack D. A replay attack

B. A brute-force attack Explanation: In a brute-force attack, an attacker sends numerous biometric samples with the objective of causing the biometric device to malfunction.

The most effective control to protect against the long-term unavailability of the electrical power is: A. Surge devices B. Alternative power supplies C. A power line conditioner D. Spike devices

B. Alternative power supplies Explanation: An alternative power supply medium (such as a power generator) is most effective when there is long-term power unavailability. A power line conditioner is a device intended to improve the quality of power that is delivered to electrical equipment. It compensates for the peaks and valleys in the power supply. When an electrical supply is low, it provides its own power and maintains a constant voltage. Surge and spike devices help to protect against high-voltage power bursts.

The greatest concern for an IS auditor reviewing a media disposal procedure is: A. A disk is overwritten several times at a sector level. B. Data is deleted and the disk is formatted. C. A disk is destroyed by hole punching. D. A disk is shredded in the presence of in-charge security.

B. Data is deleted and the disk is formatted. Explanation: Disk formatting is not a secure way of erasing data. Data can be recovered with the use of various tools and techniques. The other options are a more secure way of data erasing and media disposal.

A default allow access control policy: A. Allows approved traffic and rejects all other traffic B. Denies specific traffic and allows all other traffic C. Is used for allowing access from untrusted networks to external systems. D. Allows traffic as per the discretion of the network administrator.

B. Denies specific traffic and allows all other traffic Explanation: An organization can either have a default deny access control policy or an allow all access control policy. In a default deny policy, all the traffic is denied except predefined approved traffic. In an allow all policy, all traffic is allowed except predefined restricted traffic. Default deny is more prevalent where traffic is from an untrusted source to access a protected system. Allow all is more prevalent where traffic is from trusted sources to access an external system, such as the internet.

An IS auditor should be most concerned about which of the following biometric performance indicators? A. False rejection rate B. False acceptance rate C. Cross error rate D. Equal error rate

B. False acceptance rate (FAR) Explanation: An IS auditor should be most concerned about the FAR, as it is one of the critical performance indicators. The FAR shows the risk of unauthorized access to systems.

Which of the following is considered the most effective access control mechanism? A. A session-based password B. Iris scan C. Password D. Photo ID card

B. Iris scan Explanation: Among all the controls, an iris scan can be considered as the most reliable. Fraudsters find it very difficult to bypass biometric controls. Since no two irises are alike, identification and verification can be done with confidence. The other options are not as strong as an iris scan.

The most important benefit of proper naming conventions for IS resources is: A. It ensures that resource names are aligned as per their function. B. It helps with defining structured access rules. C. It helps with user management. D. It ensures that industry standardization is maintained.

B. It helps with defining structured access rules. Explanation: A naming convention is an agreed structure for naming assets. It helps with the effective and efficient management of access rules. Generally, assets that are critical in nature are grouped and named under sensitive categories. Rules are defined for access to sensitive categories that may be more stringent compared to other categories. This reduces the number of rules required to adequately protect resources, which in turn facilitates security administration and maintenance efforts.

The most effective safeguard for securing software and data within an information processing facility is: A. Training and awareness B. Logical access controls C. Physical controls D. The security committee

B. Logical access controls Explanation: Logical access controls are the most effective way to safeguard critical data within information processing facilities. Logical access controls are technical controls, such as authentication, encryption, firewall, IDS, and so on, which are very difficult to bypass by a layman. The security committee addresses the broader perspective of security. The other options are not as effective as logical access controls.

Which of the following is considered a major risk in an organization's logical access control procedure? A. The sharing of passwords. B. Password files are not protected. C. Delay in the deactivation of a resigned employee's login access. D. Centralized issuance of logon IDs.

B. Password files are not protected. Explanation: Unprotected password files pose a major risk, as anyone who can read them can impersonate every user in the system. Password files should never hold clear-text passwords: each password should be stored as a salted, slow hash, and the file itself should be readable only by the authentication service. The other options are not as significant as the protection of password files.
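The following is an added example, not part of the original quiz, showing what "protected" means for a password file: each password is stored as a salted PBKDF2-HMAC-SHA256 hash and checked with a constant-time comparison. The iteration count (600,000, the figure OWASP currently recommends for this algorithm), the record format and the two sample users are assumptions made for the example.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Assumption: PBKDF2-HMAC-SHA256 with 600,000 iterations (OWASP's current figure for
# this algorithm). Any slow, salted password hash (scrypt, Argon2) serves the same purpose.
ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$hash_hex."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash from the stored salt and compare in constant time."""
    algo, iterations, salt_hex, hash_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), hash_hex)


def build_password_file(users: Dict[str, str]) -> Dict[str, str]:
    """Store one salted hash per user; the clear-text password is never written."""
    return {name: hash_password(pw) for name, pw in users.items()}


# Constructed sample: two users who happen to share a password.
SAMPLE_USERS = {"alice": "Winter2024!", "bob": "Winter2024!"}


def demo() -> dict:
    shadow = build_password_file(SAMPLE_USERS)
    # The per-user salt makes the two records differ, so someone who reads the file
    # cannot see that alice and bob share a password, and cannot reuse one
    # precomputed table against every user.
    return {
        "alice_ok": verify_password("Winter2024!", shadow["alice"]),
        "alice_wrong": verify_password("winter2024!", shadow["alice"]),
        "records_distinct": shadow["alice"] != shadow["bob"],
        "plaintext_absent": all("Winter2024!" not in rec for rec in shadow.values()),
    }


if __name__ == "__main__":
    print(demo())
```

Restricting read access to the file (for example, a root-only shadow file) is the second half of the control; hashing limits the damage if that restriction fails.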

Which of the following is a major concern for an offshore operation? A. High cost of telecommunication setup B. Privacy law preventing the cross-border flow of information C. Timezone differences D. Software development complications

B. Privacy law preventing the cross-border flow of information Explanation: It is very important to ensure that the applicable data privacy laws are adhered to. Some privacy laws prohibit the cross-border flow of personally identifiable information. The other options are not as significant as adherence to privacy laws.

An organization is implementing biometric control for access to its critical server. This will: A. Help to completely eliminate false acceptance B. Require the enrollment of all the users that access a critical server C. Require a separate password for access to a biometric device D. Help to completely eliminate false rejection

B. Require the enrollment of all the users that access a critical server Explanation: To set up a biometric control, the relevant users must enroll by registering their biometric feature. Choices A and D are incorrect, as neither the FAR nor the FRR can be eliminated completely. Choice C is incorrect, as the biometric reader does not itself need to be protected by a password.

With respect to the IT security baseline, the IS auditor should first ensure: A. The documentation B. Sufficiency C. Audit and compliance D. The process

B. Sufficiency Explanation: An IS auditor should first ensure the adequacy and sufficiency of the baseline to address the security requirements of the organization. Other aspects, such as the documentation, process, and compliance, can be determined once sufficiency is evaluated.

Which of the following is considered the best control for providing access rights to outsourced vendors? A. To include a penalty clause in the service level agreement B. Temporary user accounts created for a defined role with account expiration dates C. Temporary user accounts created for full access for a limited period D. Employees of the vendors should be asked to sign a non-disclosure agreement

B. Temporary user accounts created for a defined role with account expiration dates Explanation: The best control is to create temporary user accounts restricted to the required roles, with the accounts disabled automatically on a given date. The other options may not be as effective as this one.

Who among the following should be made accountable for the appropriate maintenance of security controls over information assets? A. The network administrator B. The data and systems owners C. The system developer D. The systems operations group

B. The data and systems owners Explanation: It is the responsibility of the appointed owner to ensure that their data and systems have appropriate security arrangements. System owners may delegate routine security responsibilities to a security administrator. However, it is the owners who remain accountable for the maintenance of appropriate

The most important concern when conducting a post-implementation review of an organization's network is: A. Mobile devices can be accessed without a password. B. The default passwords of network devices are not changed. C. A proxy does not exist for internal communication. D. Email links are not encrypted.

B. The default passwords of network devices are not changed. Explanation: A major area of concern is that of the factory default password not being changed for critical network devices. Anyone can change the system configuration using a default password. The other areas are not as significant as default passwords not being changed.

An IS auditor should first review which of the following biometric life cycle stages? A. The termination process B. The enrollment stage C. The storage process D. The identification process

B. The enrollment stage Explanation: The process of biometric control starts with the enrollment of the users, which is followed by the storage, verification, identification, and termination processes. The users of a biometrics device must first be enrolled onto the device. This occurs through an iterative process of acquiring samples, extracting data from samples, validating the sample, and developing the final template, which is stored and subsequently used to authenticate the user.

Logical access controls are designed and developed on the basis of: A. The user requirements B. The information system security policy C. Industry practices D. System configuration files

B. The information system security policy Explanation: Logical access controls are designed and developed on the basis of the approved information system security policy of the organization. The user requirements and industry practices should be considered when developing a security policy. However, the implementation of logical controls should be done in accordance with the approved security policy of the organization.

Which of the following is considered the most effective biometric system? A. The highest equal error rate B. The lowest equal error rate C. The highest false acceptance rate D. The lowest false acceptance rate

B. The lowest EER Explanation: The EER is the rate at which the FAR and FRR are equal. A biometric system with the lowest CER or EER is the most effective system. A biometric system with the highest CER or EER is the most ineffective system.

Which of the following is a major aspect to be considered when reviewing telecommunication access control? A. The process for capturing and monitoring logs B. The process for the authorization and authentication of a user C. The process for encrypting databases D. The process to control remote access

B. The process for the authorization and authentication of a user Explanation: A major aspect is to review the process of authorization and authentication of users. This is a preventive control. Any loopholes in this process make the other controls irrelevant.

An IS auditor should review the router controls and settings during: A. The review of physical security B. The review of network security C. The review of the back -up process D. The review of the data center

B. The review of network security Explanation: The router is a part of networking. Network security reviews include reviewing router access control lists, port scanning, internal and external connections to the system, and so on.

Which of the following firewalls permits traffic from external sources only if it is in response to traffic from internal hosts? A. An application-level gateway firewall B. A stateful inspection firewall C. A packet filtering router D. A circuit-level gateway

B: A stateful inspection firewall. Explanation: A stateful inspection firewall keeps a state table of the connections initiated from the internal network and admits an inbound packet only if it belongs to one of those connections, that is, if it is a reply to a request that went out of the organization. It operates at the network layer of the OSI model, tracking transport-layer connection state.

Which of the following firewall settings is regarded as the most robust? A. To allow all traffic and reject specific traffic B. To deny all traffic and allow specific traffic C. To decide dynamically based on network availability D. To control traffic at the discretion of the network engineer

B: To deny all traffic and allow specific traffic. Explanation: The most stringent and robust firewall rule configuration is 'deny all traffic and allow specific traffic' (as opposed to 'allow all traffic and deny specific traffic'). This prevents unknown traffic from entering critical systems and networks.
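The following is an added example (not part of the original quiz) that models the two policies discussed above: a default deny rule set versus a default allow rule set, with a stateful variant that admits inbound packets only as replies to tracked outbound connections. The packet fields, rule format, addresses and the four constructed packets are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str        # source address
    dst: str        # destination address
    sport: int      # source port
    dport: int      # destination port
    direction: str  # "out": trusted -> untrusted, "in": untrusted -> trusted


# A rule matches on direction and destination port (None = any port).
Rule = Tuple[str, Optional[int], str]   # (direction, dport, "allow" | "deny")


class Firewall:
    """Stateless filter: first matching rule wins, otherwise the default action."""

    def __init__(self, rules: List[Rule], default_action: str):
        self.rules = rules
        self.default_action = default_action

    def decide(self, pkt: Packet) -> str:
        for direction, dport, action in self.rules:
            if direction == pkt.direction and dport in (None, pkt.dport):
                return action
        return self.default_action


class StatefulFirewall(Firewall):
    """Adds a connection table so replies to permitted outbound traffic get in."""

    def __init__(self, rules: List[Rule], default_action: str):
        super().__init__(rules, default_action)
        self.state: Set[Tuple[str, str, int, int]] = set()

    def decide(self, pkt: Packet) -> str:
        if pkt.direction == "in":
            # An inbound packet is a reply if its 4-tuple mirrors a tracked outbound flow.
            if (pkt.dst, pkt.src, pkt.dport, pkt.sport) in self.state:
                return "allow"
        action = super().decide(pkt)
        if action == "allow" and pkt.direction == "out":
            self.state.add((pkt.src, pkt.dst, pkt.sport, pkt.dport))
        return action


# Constructed traffic: an internal client browses out, the server replies,
# then two unsolicited inbound packets arrive.
TRAFFIC = [
    Packet("10.0.0.5", "203.0.113.7", 51000, 443, "out"),   # client -> web server
    Packet("203.0.113.7", "10.0.0.5", 443, 51000, "in"),    # the web server's reply
    Packet("198.51.100.9", "10.0.0.5", 40000, 22, "in"),    # unsolicited SSH attempt
    Packet("203.0.113.7", "10.0.0.5", 443, 51001, "in"),    # not a reply: wrong client port
]


def run(fw: Firewall, packets: List[Packet]) -> List[str]:
    return [fw.decide(p) for p in packets]


def default_deny_decisions() -> List[str]:
    # Deny everything; allow only outbound HTTPS. Replies get in by state, not by rule.
    return run(StatefulFirewall([("out", 443, "allow")], "deny"), TRAFFIC)


def default_allow_decisions() -> List[str]:
    # Allow everything except inbound telnet: the unsolicited SSH attempt slips through.
    return run(Firewall([("in", 23, "deny")], "allow"), TRAFFIC)


if __name__ == "__main__":
    print("default deny :", default_deny_decisions())
    print("default allow:", default_allow_decisions())
```

The default deny set needs one rule and still serves the user's browsing; the default allow set has to enumerate every bad port in advance, and anything it forgets (here, SSH) is admitted.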

An attack in which the data transmitted between a biometric device and access control server is targeted is known as: A. A mimic attack B. A brute-force attack C. A cryptographic attack D. A replay attack

C. A cryptographic attack Explanation: In a cryptographic attack, the attacker targets the algorithms or the encrypted information that is transmitted between the biometric device and the access control server in order to obtain or alter it. Protecting that channel with strong encryption is the corresponding control.

The most effective control to protect against short-term reduction in electrical power is: A. Surge devices B. Spike devices C. A power line conditioner D. Alternative power supplies

C. A power line conditioner Explanation: A power line conditioner is a device intended to improve the quality of power that is delivered to electrical equipment. It compensates for the peaks and valleys in the power supply. When an electrical supply is low, it provides its own power and maintains a constant voltage. Surge and spike devices help to protect against high-voltage power bursts. An alternative power supply medium (such as a power generator) is most effective when there is long-term power unavailability.

The most effective method of removing data from a tape media during disposal is: A. Multiple overwriting B. Erasing the tapes C. Degaussing the tapes D. Removing the tape header

C. Degaussing the tapes Explanation: Degaussing is the most effective way to erase data from magnetic tape. The process applies an alternating magnetic field that is increased gradually from zero to some maximum value and back to zero, leaving only a very low residue of magnetic induction on the media. This is known as demagnetization or degaussing. The other options are not as secure as degaussing the tapes.

The most effective, safe, and environment-friendly fire safety arrangement in a data centre is the use of: A. Halon gas B. Carbon dioxide C. Dry pipe sprinklers D. Wet pipe sprinklers

C. Dry pipe sprinklers Explanation: Carbon dioxide and Halon are not considered safe for humans. Both dry pipe and wet pipe are effective and environmentally friendly. However, sprinklers must be dry pipes to prevent the risk of leakage in the data center.

The prime objective of data protection is to: A. Comply with contractual requirements. B. Comply with legal requirements. C. Ensure the confidentiality and integrity of information. D. Improve operational efficiency.

C. Ensure the confidentiality and integrity of information. Explanation: The main objective to protect data is to ensure that the confidentiality and integrity of the data is maintained. The other options can be considered as secondary objectives.

The safest form of a fire extinguisher that can be used in the presence of humans is: A. Carbon dioxide B. Halon gas C. FM-200 D. Argonite gas

C. FM-200 Explanation: FM-200 is safe to use when people are present. It is a colorless and odorless gas, does not deplete ozone (it is the usual replacement for Halon), and is commonly used as a gaseous fire suppression agent. The other gases are not considered safe for humans.

In an SSO environment, the most effective method to prevent unauthorized access is: A. Log monitoring B. Deactivating a dormant account C. Implementing a strong password policy D. User access review

C. Implementing a strong password policy Explanation: SSO is a user authentication service that permits a user to use one set of login credentials (for example, a name and password) to access multiple applications. This increases the risk of a single point of failure. It is very important to implement strong password complexity for this kind of environment. The other options are not as significant as the implementation of a strong password policy.

Write edit access should always be prohibited for: A. Access control lists B. Logging criteria C. Log files for suspected transactions D. Access control analyzers

C. Log files for suspected transactions Explanation: As a best practice, log files should be read-only and edit access should not be granted for them. The integrity of a log file is essential if it is to serve as an audit trail. The other options legitimately need to be modified from time to time, so write access to them can be granted under change control.

Which of the following is considered the best method to prevent unauthorized access to critical databases? A. Servers are placed in a restricted area. B. Servers to be placed under CCTV surveillance. C. Online access to be blocked after a specified number of unsuccessful login attempts. D. An access card is required to access online terminals.

C. Online access to be blocked after a specified number of unsuccessful login attempts. Explanation: The most important control to prevent unauthorized access to databases is to block access after a specified number of unsuccessful login attempts. This is a preventive control. Preventive control is better than detective or deterrent controls. This will deter access through the guessing of IDs and passwords. The other options are physical controls, which may not be able to address the risk of remote attack.
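The following is an added example, not part of the original quiz, covering two of the controls discussed above: the temporary, role-scoped vendor account with an expiration date, and blocking an account after a specified number of unsuccessful login attempts. The lockout limit (three), the account fields, the dates and the usernames are assumptions; the secret is compared in the clear only to keep the example short, a real store holds a salted hash.

```python
import hmac
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

MAX_FAILED_ATTEMPTS = 3   # assumption: lock on the third consecutive failure


@dataclass
class Account:
    username: str
    role: str                   # least-privilege role, never "full access"
    secret: str                 # clear text only for brevity (assumption); store a salted hash
    expires_on: Optional[date]  # vendor accounts always carry an expiry date
    failed_attempts: int = 0
    locked: bool = False


def authenticate(acct: Account, password: str, today: date) -> str:
    """Return 'ok', 'expired', 'locked' or 'bad-password'. Lock and expiry are
    checked before the password, so a disabled account never reaches it."""
    if acct.locked:
        return "locked"
    if acct.expires_on is not None and today >= acct.expires_on:
        return "expired"
    if not hmac.compare_digest(password, acct.secret):
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked = True      # preventive: further guessing is pointless
            return "locked"
        return "bad-password"
    acct.failed_attempts = 0        # a successful login resets the counter
    return "ok"


def vendor_expiry_scenario() -> List[str]:
    """Temporary vendor account for a defined role with an expiration date."""
    vendor = Account("acme-support", "vendor-readonly", "Tmp#2024-x", date(2024, 7, 1))
    return [
        authenticate(vendor, "Tmp#2024-x", date(2024, 6, 30)),  # inside the window
        authenticate(vendor, "Tmp#2024-x", date(2024, 7, 1)),   # expiry day: refused
    ]


def lockout_scenario() -> List[str]:
    """Guessing stops at the third failure; even the right password is then
    refused until an administrator unlocks the account."""
    dba = Account("dba1", "dba", "c0rrect-h0rse", None)
    results = [authenticate(dba, guess, date(2024, 6, 30))
               for guess in ("password", "admin123", "letmein")]
    results.append(authenticate(dba, "c0rrect-h0rse", date(2024, 6, 30)))
    return results


if __name__ == "__main__":
    print(vendor_expiry_scenario(), lockout_scenario())
```

The order of the checks matters: expiry and lockout are evaluated first, so an expired vendor account cannot be used even with the correct password, and a locked account gives the same answer to a correct and an incorrect guess.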

When transmitting PII data to a third-party service provider through the internet, an organization must ensure: A. The encryption of the PII data. B. They obtain consent from the client. C. Privacy principles are adhered to. D. Proper change management.

C. Privacy principles are adhered to Explanation: It is very important to ensure that the applicable data privacy laws are adhered to. Encryption and consent are part of the privacy requirements, but they do not address the other privacy principles, such as the governance of third-party service providers, restrictions on cross-border transfer of information, and so on. Adherence to the privacy principles is necessary to ensure that the receiving party provides an appropriate level of protection for the personal data.

The greatest concern for an IS auditor reviewing a user authentication procedure is: A. Automatic lockout not enabled B. Maximum password age not defined C. The use of a shared account by system administrators D. Password history control not implemented

C. The use of a shared account by system administrators Explanation: A shared account makes it impossible to establish accountability for an action. System administrator accounts are privileged accounts and should be named and allocated to each individual. The other options are not as significant as the use of generic accounts by system administrators.

An IS auditor is reviewing the biometric controls for an organization's data center. The area of most concern is: A. The use of a virtual private network for biometric access. B. Not all restricted areas are protected through biometric control. C. Transit data between the biometric device and the control server is not encrypted. D. The biometric controls were last reviewed over a year ago.

C. Transit data between the biometric device and the control server is not encrypted. Explanation: Data transmitted between the biometric device and the access control system should use a securely encrypted tunnel to protect the confidentiality of the biometric data. The other options are not as significant as the transmission of unencrypted data.

The most effective method to ensure that only authorized users can connect to the system is: A. A complex password requirement B. SSO C. Two-factor authentication D. IP restrictions

C. Two-factor authentication Explanation: Two-factor authentication means the use of two authentication methods from the following: (i) something you know (for example, a password, PIN, or some other personal information); (ii) something you have (for example, a token, OTP, or smart card); (iii) something you are (for example, biometric features, such as a fingerprint, iris scan, or voice recognition). This provides added security, as intruders need to break two levels of access. An IP address can be spoofed and cannot be considered secure. SSO increases the risk of a single point of failure.

Which of the following is a major concern for an IS auditor reviewing a critical application? A. Access is provisioned on the basis of a user role. B. Systems are hardened. C. Users can access and modify the database directly. D. Multi-factor authentication for user access

C. Users can access and modify the database directly. Explanation: If users can modify the data directly, bypassing the application and its authorization checks, the integrity of the data is at risk. Only the DBA, through an authorized change process, should make backend changes to the database. The other options are not as significant as the ability of users to change the database directly.

A wet pipe sprinkler contains: A. FM-200 gas. B. Nitrogen. C. Water resides in the pipe with special water-tight sealants. D. Water, but it enters the pipe only when a fire has been detected.

C. Water resides in the pipe with special water-tight sealants. Explanation: Wet pipe systems are the most common fire sprinkler systems. A wet pipe system is one in which water is constantly maintained within the sprinkler piping.

Which of the following firewall structures will provide the best protection to a network from an internet attack? A. A packet filtering router B. A circuit-level gateway C. A screened subnet firewall D. A screened host firewall

C: A screened subnet firewall. Explanation: A screened subnet firewall is regarded as the most robust structure and provides the most stringent security environment. It consists of two packet filtering routers and one bastion host. The bastion host acts as a proxy, and a direct connection between the internal and external networks is not allowed. A screened subnet firewall is also used as a demilitarized zone (DMZ).

The most robust and stringent firewall system implementation is: A. a screened host firewall B. a dual-homed firewall C. a screened subnet firewall D. a stateful inspection firewall

C: A screened subnet firewall. Explanation: Of the preceding firewall implementations, a screened subnet firewall (demilitarized zone) is regarded as the most secure type of firewall implementation. It consists of two packet filtering routers and one bastion host, and provides the greatest security environment. A screened subnet firewall is also used as a demilitarized zone (DMZ).

An attack with the unauthorized use of residual biometric information is known as: A. A brute-force attack B. An encrypted attack C. A mimic attack D. A replay attack

D. A replay attack Explanation: In a replay attack, the attacker makes use of residual biometric characteristics (such as fingerprints left on a biometric device) to get unauthorized access.

Which of the following is the greatest risk of using SSO? A. Administrative inconvenience B. Increase in administration cost C. Increase in authentication time D. Greater impact of password leakage

D. Greater impact of password leakage Explanation: SSO is a user authentication service that permits a user to use one set of login credentials (for example, a name and password) to access multiple applications. This increases the risk of a single point of failure. The impact of password compromise will be much greater since the intruder needs to know only one password to gain access to all the related applications and, therefore, cause greater problems. It is very important to implement strong password complexity for this kind of environment.

The best method to protect sensitive data inside the server is to: A. Create awareness on information security aspects. B. Make security policies available to all the users. C. Establish a security committee. D. Implement logical access controls.

D. Implement logical access controls. Explanation: Logical access controls are the best preventive controls to ensure data integrity and confidentiality. The other options are not as effective as the implementation of logical access controls.

Which of the following is a major risk of shared user accounts? A. The frequent change of passwords. B. Unauthorized access to the system. C. The use of an easily guessable password. D. It is difficult to establish user accountability.

D. It is difficult to establish user accountability. Explanation: A major risk of shared user accounts is that user accountability cannot be determined. Logs will capture shared IDs but individual employees or people cannot be traced. The other options are not as significant as the difficulty of establishing user accountability.

Which of the following is a major risk of electromagnetic emission from a computer room? A. It may damage the storage device. B. It may disrupt the processor functionality. C. It may impact the health of employees. D. It may be detected and displayed.

D. It may be detected and displayed. Explanation: A major risk of electromagnetic emission is that it may be detected and reconstructed by sophisticated receiving equipment, leading to unauthorized disclosure of data. Most such emissions are low-frequency and do not damage storage devices or processors or affect employees' health.

The IS auditor noted a weakness through which an intruder can update the server database containing the biometric templates. Auditors should recommend which of the following controls? A. Before-image/after-image logging B. Reduced sign-on C. Multimodal biometrics D. Kerberos

D. Kerberos Explanation: Kerberos is an authentication service used to validate services and users in distributed computing environments (DCEs). In a traditional client-server environment, only users are authenticated; in a DCE, both users and servers authenticate themselves. At initial logon, the Kerberos third party (the key distribution center) verifies the identity of the client before it can reach the template server. Multimodal biometrics is a control against mimicry attacks. Before-image/after-image logging is a detective control, whereas Kerberos is a preventive control.

Which of the following is considered the most accurate and reliable identifier with the lowest FAR? A. Voice wave B. Face identification C. Hand geometry D. Retina scan

D. Retina scan Explanation: Among the current biometric identifiers, a retina scan is considered the most accurate and reliable identifier with the lowest FAR.

Which of the following is considered the most important overall quantitative performance indicator for a biometric system? A. The percentage of employees enrolled B. The false rejection rate C. The false acceptance rate D. The equal error rate

D. The EER Explanation: To evaluate the overall quantitative performance of a biometric system, it is important to consider the CER or EER.

The accuracy of a biometric system is evaluated by: A. The server utilization rate B. The network connection rate C. The system response rate D. The FAR

D. The FAR Explanation: The FAR, FRR, and CER are three main accuracy measures for a biometric control. The other options are more closely related to performance measures.
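The following is an added example, not part of the original quiz, that computes the three accuracy measures named in the questions above (FAR, FRR and the EER/CER) from match scores and uses the EER to rank two systems. The two systems, their similarity scores (0 to 100) and the threshold sweep are constructed for the example.

```python
from typing import Dict, List, Tuple

# Constructed similarity scores (0-100) from two hypothetical biometric systems.
# "Genuine" scores come from enrolled users matching their own template;
# "impostor" scores come from other people presented against that template.
SYSTEM_A = {
    "genuine":  [62, 70, 75, 78, 80, 83, 85, 88, 90, 95],
    "impostor": [10, 20, 30, 35, 40, 45, 55, 65, 72, 81],
}
SYSTEM_B = {
    "genuine":  [40, 55, 60, 65, 70, 75, 80, 85, 90, 95],
    "impostor": [20, 30, 45, 50, 58, 63, 68, 74, 79, 88],
}


def far(impostor: List[int], threshold: int) -> float:
    """False acceptance rate: share of impostors whose score reaches the threshold."""
    return sum(s >= threshold for s in impostor) / len(impostor)


def frr(genuine: List[int], threshold: int) -> float:
    """False rejection rate: share of legitimate users whose score falls short."""
    return sum(s < threshold for s in genuine) / len(genuine)


def equal_error_rate(genuine: List[int], impostor: List[int]) -> Tuple[int, float]:
    """Sweep thresholds 0..100 and return (threshold, EER) where FAR and FRR are
    closest; ties go to the lowest threshold. The EER is also called the CER."""
    best_t, best_gap, best_eer = 0, 2.0, 1.0
    for t in range(0, 101):
        a, r = far(impostor, t), frr(genuine, t)
        gap = abs(a - r)
        if gap < best_gap:
            best_t, best_gap, best_eer = t, gap, (a + r) / 2
    return best_t, best_eer


def tradeoff(system: Dict[str, List[int]], thresholds: List[int]) -> List[Tuple[int, float, float]]:
    """Raising the threshold lowers FAR and raises FRR; the tuning knob is one-dimensional."""
    return [(t, far(system["impostor"], t), frr(system["genuine"], t)) for t in thresholds]


def most_effective(systems: Dict[str, Dict[str, List[int]]]) -> str:
    """The system with the lowest EER is the most effective overall."""
    return min(systems, key=lambda name: equal_error_rate(**systems[name])[1])


if __name__ == "__main__":
    for name, system in (("A", SYSTEM_A), ("B", SYSTEM_B)):
        print(name, equal_error_rate(**system), tradeoff(system, [60, 70, 80, 90]))
    print("most effective:", most_effective({"A": SYSTEM_A, "B": SYSTEM_B}))
```

An auditor concerned with unauthorized access looks at the FAR at the operating threshold; an auditor comparing systems looks at the EER, because a vendor can make either single rate look good by moving the threshold.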

An organization has implemented two-factor authentication that involves a token and a PIN. Which of the following is an important rule to be included in the security policy? A. The token should not be taken out of the workplace. B. The token should be kept separate from the user's laptop. C. The PIN should be random. D. The PIN should not be written down anywhere.

D. The PIN should not be written down anywhere. Explanation: A PIN is something that only the user should know. If it is written down and is compromised, the intruder can gain unauthorized access. A PIN does not necessarily need to be random. Access to a token is of no value if the PIN is kept secret.

Which of the following are the areas of most concern? A. The installation of an FM-200 gas fire extinguisher in a manned data center B. The installation of dry pipe sprinklers in an expensive data center facility C. The installation of wet pipe sprinklers in an expensive data center facility D. The installation of a carbon dioxide gas fire extinguisher in a manned data center

D. The installation of a carbon dioxide gas fire extinguisher in a manned data center Explanation: Carbon dioxide-based extinguishers should not be used where people are present. CO2 displaces the oxygen in the area and therefore poses a risk to humans. FM-200 is safe to use where people are present. Both dry pipe and wet pipe sprinklers are effective and environmentally friendly; dry pipe systems are generally preferred in a data center to reduce the risk of leakage. The major risk among the options is the use of CO2 where humans are present.

To implement access control, which of the following is the first step? A. To categorize the IS resources B. To group the IS resources C. To implement access control rules D. To create an inventory of the IS resources

D. To create an inventory of the IS resources Explanation: To implement logical access controls, the following steps are followed in order: (i) prepare an inventory of the IS resources; (ii) classify the IS resources; (iii) group/label the IS resources; (iv) create an access control list.
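The following is an added example, not part of the original quiz, that walks through the four steps above and also illustrates the naming-convention point made earlier: resources are inventoried, classified by an agreed name prefix, grouped by label, and the access rules are then written once per group instead of once per resource. The inventory, the prefix convention, the roles and the rules are all constructed for the example.

```python
from typing import Dict, List, Set

# (i) Inventory: every IS resource, recorded with its owner (constructed sample).
INVENTORY = [
    {"name": "hr-payroll-db",     "owner": "HR"},
    {"name": "hr-employee-files", "owner": "HR"},
    {"name": "fin-ledger-db",     "owner": "Finance"},
    {"name": "pub-website",       "owner": "Marketing"},
    {"name": "pub-brochures",     "owner": "Marketing"},
]

# Naming convention (assumed for the example): the name prefix carries the classification.
PREFIX_LABEL = {"hr-": "confidential", "fin-": "confidential", "pub-": "public"}


def classify(name: str) -> str:
    """(ii) Classify by the agreed prefix. A name that breaks the convention gets
    no recognised label and therefore falls through to default deny below."""
    for prefix, label in PREFIX_LABEL.items():
        if name.startswith(prefix):
            return label
    return "unclassified"


def group_by_label(inventory: List[dict]) -> Dict[str, List[str]]:
    """(iii) Group/label resources so that rules can be written once per group."""
    groups: Dict[str, List[str]] = {}
    for res in inventory:
        groups.setdefault(classify(res["name"]), []).append(res["name"])
    return groups


# (iv) Access control list, written per group rather than per resource.
# The confidential group gets the more stringent rules; "*" means any authenticated role.
ACL: Dict[str, Dict[str, Set[str]]] = {
    "confidential": {"read": {"hr-analyst", "finance-analyst"},
                     "write": {"hr-admin", "finance-admin"}},
    "public":       {"read": {"*"},
                     "write": {"web-admin"}},
}


def allowed(role: str, action: str, resource: str) -> bool:
    """Default deny: an unknown label, action or role yields False."""
    roles = ACL.get(classify(resource), {}).get(action, set())
    return "*" in roles or role in roles


def rule_count_per_resource(inventory: List[dict]) -> int:
    """Rules needed if every resource carried its own read and write entries."""
    return 2 * len(inventory)


def rule_count_per_group() -> int:
    """Rules actually maintained when they are attached to groups."""
    return sum(len(actions) for actions in ACL.values())


if __name__ == "__main__":
    print(group_by_label(INVENTORY))
    print(rule_count_per_group(), "group rules versus",
          rule_count_per_resource(INVENTORY), "per-resource rules")
```

Adding a sixth HR system named under the convention needs no new rule at all; a system named outside the convention is denied to everyone until it is classified, which is the safe failure.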

The most effective method to prevent unauthorized access to a system administration account is: A. The installation of IDS B. To enable system lockout after three failed attempts C. To define password complexity rules D. Two-factor authentication

D. Two-factor authentication Explanation: Two-factor authentication means the use of two authentication methods from the following: (i) something you know (for example, a password, PIN, or some other personal information); (ii) something you have (for example, a token, OTP, or smart card); (iii) something you are (for example, biometric features, such as a fingerprint, iris scan, or voice recognition). For critical systems, it is advisable to require more than one factor of authentication for granting access. IDS is a detective control, not a preventive control. The other options will not be effective if the password is compromised.
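The following is an added example, not part of the original quiz, of the "something you have" factor behind the token-and-PIN questions above: a time-based one-time password per RFC 6238 (built on RFC 4226 HOTP), verified together with the PIN so that neither factor is of any use on its own. The shared secret is the one used in the RFCs' own test vectors, the PIN "4821" and the drift window of one step are assumptions for the example; a real enrolment generates a random per-user secret.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

# RFC 4226/6238 test-vector secret (ASCII "12345678901234567890"); constructed for
# the example only. Real deployments generate a random secret per user at enrolment.
SECRET = b"12345678901234567890"
STEP = 30   # seconds per time step


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6, step: int = STEP) -> str:
    """TOTP (RFC 6238): HOTP with the counter taken from the current time step."""
    return hotp(secret, unix_time // step, digits)


def verify_two_factor(pin: str, otp: str, expected_pin: str, secret: bytes,
                      now: int, window: int = 1) -> bool:
    """Both factors must pass: the PIN (something you know) and the code shown by
    the token (something you have). The code is accepted for the current step and
    one step either side to absorb clock drift. Every comparison is constant time
    and both factors are always evaluated, so timing does not reveal which failed."""
    pin_ok = hmac.compare_digest(pin, expected_pin)
    otp_ok = False
    for drift in range(-window, window + 1):
        candidate = totp(secret, now + drift * STEP)
        otp_ok = hmac.compare_digest(otp, candidate) or otp_ok
    return pin_ok and otp_ok


def demo(now: Optional[int] = None) -> dict:
    now = int(time.time()) if now is None else now
    code = totp(SECRET, now)    # what the user's token displays at this moment
    return {
        # correct PIN and current token code
        "both_factors": verify_two_factor("4821", code, "4821", SECRET, now),
        # stolen token, PIN unknown: the token alone is of no value
        "token_without_pin": verify_two_factor("0000", code, "4821", SECRET, now),
        # written-down PIN found, no token: the PIN alone is of no value either
        "pin_without_token": verify_two_factor("4821", "123456", "4821", SECRET, now),
        # an intercepted code from a few minutes ago has already expired
        "stale_code": verify_two_factor("4821", totp(SECRET, now - 5 * STEP), "4821", SECRET, now),
    }


if __name__ == "__main__":
    print(demo())
```

The lockout counter from the earlier question still applies in front of this check; a six-digit code can be guessed with enough attempts if the server allows unlimited tries within one time step.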

The most effective method to protect the organization from identity theft is: A. SSO B. User-specific terminals C. User access review D. Two-factor authentication

D. Two-factor authentication Explanation: Two-factor authentication provides added security as intruders need to break two levels of access. SSO requires only one set of passwords, which increases the risk of a single point of failure. A user-specific terminal is not a practical solution when the user works from multiple devices. User access review will not help to protect from identity theft.

A dry pipe fire extinguisher contains: A. FM-200 gas. B. Nitrogen. C. Water resides in the pipe with special water-tight sealants. D. Water, but it enters the pipe only when a fire has been detected.

D. Water, but it enters the pipe only when a fire has been detected. Explanation: Dry pipe sprinklers do not have water in the pipes until an electronic fire alarm activates the water pump to send water into the system.

