

1. Procedures to prevent scope creep should be baselined in which of the following systems development life cycle (SDLC) phases?
A. Development
B. Implementation
C. Design
D. Feasibility
Answer: C

2. Which of the following groups should assume ownership of a systems development project and the resulting system?
A. User management
B. Senior management
C. Project steering committee
D. Systems development management
Answer: A

3. Which of the following groups/individuals should assume overall direction and responsibility for costs and timetables of system development projects?
A. User management
B. Project steering committee
C. Senior management
D. Systems development management
Answer: B

4. Which of the following is often an advantage of using prototyping for systems development?
A. The finished system will have adequate controls.
B. The system will have adequate security/audit trail.
C. It reduces time to deployment.
D. It is easy to achieve change control.
Answer: C

5. A company has contracted with an external consulting firm to implement a commercial financial system to replace its existing in-house-developed system. In reviewing the proposed development approach, which of the following would be of GREATEST concern?
A. Acceptance testing is to be managed by users.
B. A quality plan is not part of the contracted deliverables.
C. Not all business functions will be available on initial implementation.
D. Prototyping is being used to confirm that the system meets business requirements.
Answer: B

6. An IS steering committee should:
A. include a mix of members from different departments and staff levels.
B. ensure that IS security policies and procedures have been executed properly.
C. have formal terms of reference and maintain minutes of its meetings.
D. be briefed about new trends and products at each meeting by a vendor.

7. Is it appropriate for an IS auditor from a company that is considering outsourcing its IS processing to request and review a copy of each vendor's business continuity plan?
A. Yes, because the IS auditor will evaluate the adequacy of the service bureau's plan and assist his/her company in implementing a complementary plan.
B. Yes, because based on the plan, the IS auditor will evaluate the financial stability of the service bureau and its ability to fulfill the contract.
C. No, because the backup to be provided should be specified adequately in the contract.
D. No, because the service bureau's business continuity plan is proprietary information.
Answer: A

8. When selecting software, which of the following business and technical issues is the MOST important to be considered?
A. Vendor reputation
B. Requirements of the organization
C. Cost factors
D. An installed base
Answer: B

9. An organization planning to purchase a software package asks the IS auditor for a risk assessment. Which of the following is the MAJOR risk?
A. Unavailability of the source code
B. Lack of a vendor-quality certification
C. Absence of vendor/client references
D. Little vendor experience with the package
Answer: A

10. An organization is negotiating a service level agreement (SLA) with a vendor. Which of the following should occur FIRST?
A. Develop a feasibility study.
B. Check for compliance with corporate policies.
C. Draft the service level penalties.
D. Draft the service level requirements.
Answer: D

11. A company has contracted with an external consulting firm to implement a commercial financial system to replace its existing in-house-developed system. In reviewing the proposed development approach, which of the following would be of GREATEST concern?
A. Acceptance testing is to be managed by users.
B. A quality plan is not part of the contracted deliverables.
C. Not all business functions will be available on initial implementation.
D. Prototyping is being used to confirm that the system meets business requirements.
Answer: B

12. Documentation of a business case used in an IT development project should be retained until:
A. the end of the system's life cycle.
B. the project is approved.
C. user acceptance of the system.
D. the system is in production.
Answer: A

13. An IS auditor reviewing a proposed application software acquisition should ensure that the:
A. operating system (OS) being used is compatible with the existing hardware platform.
B. planned OS updates have been scheduled to minimize negative impacts on company needs.
C. OS has the latest versions and updates.
D. products are compatible with the current or planned OS.
Answer: D

14. The PRIMARY role of an IS auditor during the system design phase of an application development project is to:
A. advise on specific and detailed control procedures.
B. ensure the design accurately reflects the requirement.
C. ensure all necessary controls are included in the initial design.
D. advise the development manager on adherence to the schedule.

15. During which of the following phases in system development would user acceptance test plans normally be prepared?
A. Feasibility study
B. Requirements definition
C. Implementation planning
D. Postimplementation review
Answer: C

16. When a systems development life cycle (SDLC) methodology is inadequate, the MOST serious immediate risk is that the new system will:
A. be completed late.
B. exceed the cost estimates.
C. not meet business and user needs.
D. be incompatible with existing systems.
Answer: C

17. An IS auditor who is participating in a systems development project should:
A. recommend appropriate control mechanisms regardless of cost.
B. obtain and read project team meeting minutes to determine the status of the project.
C. ensure that adequate and complete documentation exists for all project phases.
D. not worry about his/her own ability to meet target dates since work will progress regardless.
Answer: C

18. The phases and deliverables of a systems development life cycle (SDLC) project should be determined:
A. during the initial planning stages of the project.
B. after early planning has been completed, but before work has begun.
C. throughout the work stages based on risks and exposures.
D. only after all risks and exposures have been identified and the IS auditor has recommended appropriate controls.
Answer: A

19. Large-scale systems development efforts:
A. are not affected by the use of prototyping tools.
B. can be carried out independent of other organizational practices.
C. require that business requirements be defined before the project begins.
D. require that project phases and deliverables be defined during the duration of the project.
Answer: C

20. Which of the following audit procedures would MOST likely be used in an audit of a systems development project?
A. Develop test transactions
B. Use code comparison utilities
C. Develop audit software programs
D. Review functional requirements documentation
Answer: D

21. Which of the following devices extends the network and has the capacity to store frames and act as a storage and forward device?
A. Router
B. Bridge
C. Repeater
D. Gateway
Answer: B

22. An offsite information processing facility having electrical wiring, air conditioning and flooring, but no computer or communications equipment is a:
A. cold site.
B. warm site.
C. dial-up site.
D. duplicate processing facility.
Answer: A

23. Which of the following network configuration options contains a direct link between any two host machines?
A. Bus
B. Ring
C. Star
D. Completely connected (mesh)
Answer: D

24. A critical function of a firewall is to act as a:
A. special router that connects the Internet to a LAN.
B. device for preventing authorized users from accessing the LAN.
C. server used to connect authorized users to private trusted network resources.
D. proxy server to increase the speed of access to authorized users.
Answer: B

25. Which of the following hardware devices relieves the central computer from performing network control, format conversion and message handling tasks?
A. Spool
B. Cluster controller
C. Protocol converter
D. Front end processor
Answer: D

26. Which of the following translates e-mail formats from one network to another so that the message can travel through all the networks?
A. Gateway
B. Protocol converter
C. Front-end communication processor
D. Concentrator/multiplexor
Answer: A

27. A hub is a device that connects:
A. two LANs using different protocols.
B. a LAN with a WAN.
C. a LAN with a metropolitan area network (MAN).
D. two segments of a single LAN.
Answer: D

28. A LAN administrator normally would be restricted from:
A. having end-user responsibilities.
B. reporting to the end-user manager.
C. having programming responsibilities.
D. being responsible for LAN security administration.
Answer: C

29. An organization is considering installing a LAN in a site under construction. If system availability is the main concern, which of the following topologies is MOST appropriate?
A. Ring
B. Line
C. Star
D. Bus
Answer: A


30. While copying files from a floppy disk a user introduced a virus into the network. Which of the following would MOST effectively detect the existence of the virus?
A. scan of all floppy disks before use
B. virus monitor on the network file server
C. scheduled daily scan of all network drives
D. virus monitor on the user's personal computer
Answer: C

31. Which of the following is a network architecture configuration that links each station directly to a main hub?
A. Bus
B. Ring
C. Star
D. Completely connected
Answer: C

32. Which of the following would enable an enterprise to provide access to its intranet (i.e., extranet) across the Internet to its business partners?
A. Virtual private network
B. Client-server
C. Dial-in access
D. Network service provider
Answer: A

33. Which of the following functions is performed by a virtual private network (VPN)?
A. Hiding information from sniffers on the net
B. Enforcing security policies
C. Detecting misuse or mistakes
D. Regulating access
Answer: A

34. Reconfiguring which of the following firewall types will prevent inward downloading of files through the file transfer protocol (FTP)?
A. Circuit gateway
B. Application gateway
C. Packet filter
D. Screening router
Answer: B

35. Which of the following can identify attacks and penetration attempts to a network?
A. Firewall
B. Packet filters
C. Stateful inspection
D. Intrusion detection system (IDS)
Answer: D

36. In a TCP/IP-based network, an IP address specifies a:
A. network connection.
B. router/gateway.
C. computer in the network.
D. device on the network.
Answer: A

37. The most likely error to occur when implementing a firewall is:
A. incorrectly configuring the access lists.
B. compromising the passwords due to social engineering.
C. connecting a modem to the computers in the network.
D. inadequately protecting the network and server from virus attacks.
Answer: A

38. An installed Ethernet cable run in an unshielded twisted pair (UTP) network is more than 100 meters long. Which of the following could be caused by the length of the cable?
A. Electromagnetic interference (EMI)
B. Cross talk
C. Dispersion
D. Attenuation
Answer: D

39. Connection-oriented protocols in the TCP/IP suite are implemented in the:
A. transport layer.
B. application layer.
C. physical layer.
D. network layer.
Answer: A

40. When an organization's network is connected to an external network in an Internet client-server model not under that organization's control, security becomes a concern. In providing adequate security in this environment, which of the following assurance levels is LEAST important?
A. Server and client authentication
B. Data integrity
C. Data recovery
D. Data confidentiality

41. Which of the following line media would provide the BEST security for a telecommunication network?
A. Broad band network digital transmission
B. Baseband network
C. Dial-up
D. Dedicated lines
Answer: D

42. Which of the following methods of providing telecommunication continuity involves routing traffic through split- or duplicate-cable facilities?
A. Diverse routing
B. Alternative routing
C. Redundancy
D. Long haul network diversity
Answer: A

43. The method of routing traffic through split cable facilities or duplicate cable facilities is called:
A. alternative routing.
B. diverse routing.
C. redundancy.
D. circular routing.
Answer: B

44. There are several methods of providing telecommunications continuity. The method of routing traffic through split cable or duplicate cable facilities is:
A. alternative routing.
B. diverse routing.
C. long-haul network diversity.
D. last mile circuit protection.
Answer: B

45. E-cash is a form of electronic money that:
A. can be used over any computer network.
B. utilizes reusable e-cash coins to make payments.
C. does not require the use of an Internet digital bank.
D. contains unique serial numbering to track the identity of the buyer.
Answer: A

46. The technique used to ensure security in virtual private networks (VPNs) is:
A. encapsulation.
B. wrapping.
C. transform.
D. encryption.
Answer: A

47. The BEST defense against network eavesdropping is:
A. encryption.
B. moving the defense perimeter outward.
C. reducing the amplitude of the communication signal.
D. masking the signal with noise.
Answer: A

48. Which of the following is the initial step in creating a firewall policy?
A. A cost-benefits analysis of methods for securing the applications
B. Identification of network applications to be externally accessed
C. Identification of vulnerabilities associated with network applications to be externally accessed
D. Creation of an applications traffic matrix showing protection methods
Answer: B

49. Which of the following is MOST directly affected by network performance monitoring tools?
A. Integrity
B. Availability
C. Completeness
D. Confidentiality
Answer: B

50. IS auditors, in performing detailed network assessments and access control reviews should FIRST:
A. determine the points of entry.
B. evaluate users access authorization.
C. assess users identification and authorization.
D. evaluate the domain-controlling server configuration.
Answer: A

51. Which of the following Internet security threats could compromise integrity?
A. Theft of data from the client
B. Exposure of network configuration information
C. A trojan horse browser
D. Eavesdropping on the net
Answer: C

52. An IS auditor is performing an audit of a network operating system. Which of the following is a user feature the IS auditor should review?
A. Availability of online network documentation
B. Support of terminal access to remote hosts
C. Handling file transfer between hosts and inter-user communications
D. Performance management, audit and control
Answer: A

53. The review of router access control lists should be conducted during a/an:
A. environmental review.
B. network security review.
C. business continuity review.
D. data integrity review.
Answer: B

54. Which of the following should be of MOST concern to an IS auditor?
A. Lack of reporting of a successful attack on the network
B. Failure to notify police of an attempted intrusion
C. Lack of periodic examination of access rights
D. Lack of notification to the public of an intrusion
Answer: A

55. Which of the following would be of MOST concern to an IS auditor reviewing a VPN implementation? Computers on the network that are located:
A. on the enterprise's facilities.
B. at the backup site.
C. in employees' homes.
D. at the enterprise's remote offices.
Answer: C

56. When using public key encryption to secure data being transmitted across a network:
A. both the key used to encrypt and decrypt the data are public.
B. the key used to encrypt is private, but the key used to decrypt the data is public.
C. the key used to encrypt is public, but the key used to decrypt the data is private.
D. both the key used to encrypt and decrypt the data are private.
Answer: C

57. Of the following who is MOST likely to be responsible for network security operations?
A. Users
B. Security administrators
C. Line managers
D. Security officers
Answer: B

58. Which of the following is a technique that could be used to capture network user passwords?
A. Encryption
B. Sniffing
C. Spoofing
D. A signed document cannot be altered.
Answer: B

59. Which of the following controls would be the MOST comprehensive in a remote access network with multiple and diverse subsystems?
A. Proxy server
B. Firewall installation
C. Network administrator
D. Password implementation and administration
Answer: D

60. In which of the following network configurations would problem resolution be the easiest?
A. Bus
B. Ring
C. Star
D. Mesh
Answer: C

61. Applying a digital signature to data traveling in a network provides:
A. confidentiality and integrity.
B. security and nonrepudiation.
C. integrity and nonrepudiation.
D. confidentiality and nonrepudiation.
