DISA Review Questions, Answers Manual – Module
© The Institute of Chartered Accountants of India
DISCLAIMER
The views expressed in this material are those of author(s). The Institute of
Chartered Accountants of India (ICAI) may not necessarily subscribe to the views
expressed by the author(s).
The information in this material has been contributed by various authors based
on their expertise and research. While every effort has been made to keep
the information cited in this material error free, the Institute or its officers do not
take responsibility for any typographical or clerical error which may have
crept in while compiling the information provided in this material. There are no
warranties/claims for ready use of this material, as this material is for educational
purposes. The information provided in this material is subject to changes in
technology, business and regulatory environment. Hence, members are advised
to apply it using professional judgement. Please visit the CIT portal for the latest
updates. All copyrights are acknowledged. Use of specific hardware/software in
the material is not an endorsement by ICAI.
Contents
DISA Review Questions, Answers Manual – Module Page Nos.
1. Module – 1 1-119
2. Module – 2 120-178
3. Module – 3 179-290
4. Module – 4 291-404
5. Module – 5 405-461
6. Module – 6 462-557
7. Module – 7 558-611
DISA Review Questions, Answers Manual – Module 1
Module 1 Questions
Q1. The primary function of the CPU is to take care of
A. Input, Output and arithmetic-logic activities
B. Control and Output activities
C. Control and arithmetic-logic activities
D. Input and Control activities
Q3. A major design consideration for local area networks that replace stand-
alone computing in an organisation includes:
A. Ensuring a sophisticated and state-of-the-art recovery mechanism
B. Ensuring concurrent access control
C. Ensuring seamless integration
D. Allowing distributed processing
Q7. The most appropriate concurrent audit tool whose complexity is very
high and which is useful when regular processing cannot be interrupted is:
A. SCARF/EAM
B. ITF
C. Snapshot
D. Audit hooks
Q9. Which of the following converts digital pulses from the computer into
frequencies within the audio signal range?
A. multiplexor
B. protocol converter
C. modem
D. concentrator
Q11. While conducting the audit, the auditor shall allocate the audit resources
to
A. Sequentially selected areas
B. Prioritised areas
C. Randomly selected areas
D. All areas subject to audit
Q12. In data processing, which of the following causes the maximum losses?
A. poor computer centre design
B. theft of machine time
C. errors and omissions
D. machine room fires
Q13. An MIS Manager has only enough resources to install either a new
payroll system or a new data security system, but not both. Which of
the following actions is most appropriate?
A. Giving priority to the security system
B. Leaving the decision to the MIS manager
C. Increasing MIS staff output in order for both systems to be
installed
D. Having the information systems steering committee set the priority
Q16. Which of the following utilities can be used to directly examine the
quality of data in the database:
A. Pointer validation utility
B. HIPO charter
C. Terminal simulator
D. Decision- table preprocessor
Q17. Which one of the following controls would protect the production libraries
without compromising the efficiency of open access?
A. Restrict updating and read access to one position
B. Permit updating and read access for everyone in IS
C. Permit updating for everyone in IS but restrict read access to
source code to one position
D. Restrict updating to one position but permit read access to
source code for everyone in IS
Q30. Of the following, the most critical component in a LAN is likely to be the:
A. LAN cables
B. parallel port
C. file server
D. user workstations
Q34. The following message service provides the strongest protection about
the occurrence of a specific action:
A. delivery proof
B. submission proof
C. authentication messages origin
D. non-repudiation
Q36. The success of Control Self Assessment (CSA) depends on the culture of the
organisation, the project leader and the skills of the people involved in CSA.
While implementing, the pitfall to be avoided is
A. Generalisation of the planning process
B. Implementation on small projects
C. Management support
D. Broadening the focus of CSA's effectiveness
Q37. Which of the following requires the creation of a dummy entity for
Concurrent Auditing Techniques?
A. Snapshot/ Extended Record
B. Continuous and Intermittent Simulation (CIS)
C. Integrated Test Facility (ITF)
D. System Control Audit Review File (SCARF)
Q39. Access may be filtered by a firewall access control list based on each
of the following EXCEPT:
A. network interface card (NIC)
B. port
C. service type
D. Internet Protocol (IP) address
Q40. The media that is rarely used in present day LANs is:
A. Fibre optics cable
B. Twisted-pair (shielded) cable
C. Twisted-pair (unshielded) cable
D. Coaxial cable
Q41. While appointing an auditor to conduct the IS audit the company need
not look into ________ of the auditor?
A. Legal capability
B. Experience
C. Proficiency in different computer languages
D. Secrecy bond, if penetration test is to be done
Q42. You are planning to use monetary-unit sampling for testing the rupee
value of a large inventory population. The advantages of using
monetary-unit sampling include all of the following except
A. It is an efficient model for establishing that low error rate
population is not materially misstated
B. It does not require the normal distribution approximation required
by variable sampling
C. Since the sampling units are homogeneous it can be applied to a
group of accounts
D. As errors increase, it results in a smaller sample size than that
required when using classical sampling.
Q44. An audit technique used to select items from a population for audit
testing purposes based on the characteristics is termed as
A. Continuous Sampling
B. Discrete Sampling
C. Attribute Sampling
D. Statistical Sampling
Q47. Which one of the following standards is relevant for a company dealing
with inspection and final testing?
A. ISO 9000
B. ISO 9001
C. ISO 9002
D. ISO 9003
Q51. Which one of the following audit techniques would likely provide a
Systems Auditor assurance about the effectiveness and efficiency of a
system operator's work?
A. Interviewing the system operator
B. Reading the operator's manual
C. Observing the system operator's work
D. Interviewing the system operator's supervisor
Q54. At what stage should the risk assessment be included in the security
program in the event of new system additions or modification of the old
system?
A. When the new system is added or old system is modified
B. At the end of the year along with all other additions or
modifications during the year
C. Need not be done
D. After a defined period say every 3 months
Q58. A LAN policy should define which of the following persons should be
made responsible for reporting maintenance problems or disk errors
A. Network administrator
B. Users
C. Security officer
D. Systems administrator
Q61. In its truest sense, which of the following applications is a real time
application?
A. Missile launching system
B. Railway Reservation System
C. Banking application
D. Financial Accounting system
Q67. If a program is written using mnemonics and op-codes then the
program is in
A. Machine language
B. Assembly Level Language
C. Procedural Language
D. Non-procedural language
C. Packet Switching
D. Junction Switching
Q73. Which of the following actions provides the IS Auditor with the greatest
assurance that certain weaknesses in internal control procedures have
been corrected by the management?
A. Discussing with the management the corrective procedures that
were implemented to strengthen the internal controls.
B. Obtaining a letter of representation from management stating that
the weakness has been corrected.
C. Performing compliance tests and evaluating the adequacy of
procedures that were implemented by the management to correct
the weaknesses.
D. Reviewing management’s response to the weaknesses in their
formal report to the Board of Director’s audit committee.
C. CD-ROM
D. None of the above
Q82. While reviewing the outsourcing agreement with an external agency, the
IS auditor would be LEAST interested in verifying the clause containing:
A. Continuity of service by the agency in case of a happening of a
disaster.
B. Statement of due care and confidentiality.
C. Detailed specifications of the vendor’s hardware.
D. The ownership rights for the programs and files.
Q84. An Invitation to Tender (ITT) does not address which of the following?
A. Availability of service personnel
B. Application portfolio and transaction volumes
C. Budget for the project
D. Compatibility of the new systems with the existing ones
C. Star
D. Mesh
Q88. Which of the following can a local area network (LAN) administrator
use to protect against exposure to illegal or unlicensed software usage
by the network user?
A. Software metering
B. Virus detection software
C. Software encryption
D. Software decryption
C. Network model
D. Relational model
Q92. Which of the following translates e-mail formats from one network to
another so that the message can travel through all the networks?
A. Gateway
B. Protocol converter
C. Front-end communication processor
D. Concentrator/multiplexer
Q93. An IS auditor who intends to use penetration testing during an audit of
Internet connections would:
A. Evaluate configurations.
B. Examine security settings.
C. Ensure virus-scanning software is in use.
D. Use tools and techniques that are available to a hacker.
Q98. The network of the company must be protected from remote access that
may damage the company’
A. All employees
B. Vendors
C. Contractors
D. All the above
Q104. When a store uses a point of sale device to record the sale of an item,
which of the following sequences of activities best describes the input
process:
A. data preparation, data capture, data input
B. data capture, data preparation, data input
Q105. Which of the following controls may not be associated with point-of-sale
equipment?
A. edit
B. data validation
C. batch
D. access
Q108. All of the following are true relating to the use of fiber optics EXCEPT:
A. Data is transmitted rapidly
B. Fiber optic cable is small and flexible
C. They are unaffected by electrical interference
D. They provide the highest level of signal attenuation
Q115. Which of the following is the best option with regard to an Information
Processing Facility (IPF)?
A. High MTBF and Low MTTR
B. Low MTBF and High MTTR
C. Low MTBF and Low MTTR
D. High MTBF and High MTTR
Q119. In which of the following are tags placed within text to accomplish
document formatting, visual features such as font size, italics and bold,
and the creation of links?
A. FTP
B. HTTP
C. Telnet
D. ActiveX
Q120. One main reason for using Redundant Array of Inexpensive Disks
(RAID) is:
A. all data can still be reconstructed even if one drive fails
B. all data are split evenly across pairs of drives
C. snap shots of all transactions are taken
D. write time is minimised to avoid concurrency conflicts
Q121. Output controls ensure that output is accurate, complete and produced
when required. The auditor during the course of his audit of output
controls does not look into which of the following:
A. All pages of the report are numbered consecutively
B. Comparison between the actual data totals and totals of record
counts is done at regular interval
C. Proper procedure for classification of output exists
D. Output of test runs and procedure runs are kept separately
Q122. Which of the following tools would be used when program coding has
to be done?
A. Compiler
B. Editor
C. Loader
D. Linker
Q124. The database administrator is NOT responsible for which one of the
following functions?
A. Physical design of a database
B. Security of a database
C. Coordinate and resolve conflicting needs and desires of users in
their diverse application areas
D. Logical design of a database
Q125. Which of the following OSI layers communicates with the user
programs?
A. Physical
B. Application
C. Presentation
D. Session
Q130. Which of the following is not true with regard to the establishment of a
security management structure?
A. Security management should have authority in accordance with
the responsibility
B. Security management should have the overall responsibility of
security
C. Security management structure should be approved by all the
employees
D. Security management should have the required independence
Q131. When the computer is switched on, the system performs some tasks
before loading the operating system. Such ROM chips can be classified
as:
A. Hardware
B. Software
C. Firmware
D. None of the above
Q134. An electronic device that combines data from several low speed
communication lines into a single high speed line is called
A. Modem
B. Multiplexer
C. Channel
D. Link Editor
Q137. Which of the following actions should be undertaken when plastic debit/
credit cards are issued:
A. mail the cards in an envelope that identifies the name of the
issuing institution
B. make the same groups responsible for the mailing of cards and
the investigation of returned cards
C. communicate the PIN to the cardholder over phone
D. mail the card and PIN mailer separately in registered envelopes
Q138. Which one of the following is the most essential activity for effective
computer capacity planning?
A. Doing the process of liaison with the management and hardware
suppliers
B. Talking to the security administrator for incorporating security
procedures
C. Performing the process of Disaster Recovery Planning and
Business Continuity Planning
D. Determining the workload of applications
Q141. Which of the following allows users on the Internet to communicate with
each other by typing text in real time?
A. IM
B. RFC
C. FYI
D. FAQ
Q143. A manufacturer has been purchasing materials and supplies for its
business through an e-commerce application. Which of the following
should this manufacturer rely on to prove that the transactions were
actually made?
A. Reputation
B. Authentication
C. Encryption
D. Non-Repudiation
Q147. Which of the following does a company not need to prepare or decide upon after
appointing an IS auditor?
A. Documents related to processes or procedures
B. Area of surprise audit
C. Letter foregoing legal course of action related to penetration
testing
D. Number of days the audit should be carried out
D. It provides a means for assessing the risk that the sample results
will not accurately represent the population characteristics.
C. Gray Code
D. Excess - 3 Code
Q154. One feature provided by the OS is to store all the data and programs in
the auxiliary memory and bring only selective and needed portions into
the main memory for processing. This feature is termed as:
A. Spooling
B. Multiplexing
C. Caching
D. Paging
Q157. With regard to a DSS, which of the following statements are TRUE: i) It
deals with semi-structured problems ii) It tackles problems dealing with
uncertainty iii) It permits 'What-if' analysis
A. i & ii
B. ii & iii
C. i & iii
D. i & ii & iii
Q158. The device primarily used to extend the network that must have the
ability to act as a storage and forwarding device is a:
A. Router
B. Bridge
C. Repeater
D. Gateway
Q159. All the following are phases in the establishment of a Switched Virtual
Circuit EXCEPT
A. Circuit termination
B. Data transfer
C. Circuit expansion
D. Circuit establishment
Q164. A major problem in networking is the slow rate of data transfer. Which
of the following would help counter this problem?
A. Data formatting
B. Allocating adequate bandwidth
C. Centralized control
D. All of the above
Q165. Which of the following is NOT a function of the kernel of the OS?
A. To determine which processes are to be executed
B. To prepare the access matrix for accessing resources.
C. To allocate quantum of main memory for each and every user.
D. To overcome the problem of deadlock
Q169. A firewall access control list may filter access based on each of the
following parameters EXCEPT:
A. Port
B. Service type
C. Network interface card (NIC)
D. Internet protocol (IP) address
Q172. Which of the following activities is NOT within the scope of a DBA?
A. Defining the conceptual schema
B. Performing the task of database tuning
C. Determining the storage capacity for applications
D. Granting and revoking rights of users
Q174. Which of the following is most often used for collecting statistical
and configuration information about network devices such as
computers, hubs, switches, routers, etc.?
A. Simple Network Management Protocol
B. Online reports
C. Downtime reports
D. Help desk reports
Q179. Which sampling plan will be used to find evidence of at least one
improper transaction in the population?
A. Discovery sampling
B. Acceptance sampling
C. Dollar unit sampling
D. Attribute sampling
Q181. Network performance monitoring tools will MOST affect which of the
following?
A. accuracy
B. completeness
C. secrecy
D. availability
Q184. The auditor during the course of audit takes into consideration the
materiality of the transaction. Which of the following would not be
considered by the auditor to assess materiality in the case of a
non-financial transaction?
A. Cost of system or operations
B. Cost of errors
C. Activities supported by system or operations
D. Cost of providing physical access controls to the system
Q186. The first step the IS Internal Audit manager should take, when preparing
the annual audit plan, is to:
A. Meet the audit committee members to discuss the IS audit plan
B. Ensure that the audit staff is competent in the areas to be audited
and, wherever required, provide for appropriate training.
C. Prioritise the audit areas by performing risk analysis.
D. Begin with the previous year's IS audit plan and carry over any IS
audit that had not been accomplished
Q187. Due to important work, the senior computer operator has gone on
leave for ten days. In his place, the security officer has been asked to
officiate. In this scenario, as an IS auditor, which of the following would
be the most appropriate?
A. Inform the top management of the complexities and risks in doing
so.
B. Develop a small program that will give a picture of what is
happening during the absence of the operator
Q188. Internal controls are not designed to provide reasonable assurance that:
A. Irregularities will be eliminated
B. logical access is permitted only in accordance with authorization
C. Segregation of duties is maintained
D. IS operations are performed in accordance with appropriate
authorizations
Q190. The class of control used to overcome problems before they acquire
gigantic proportions is:
A. Preventive
B. Detective
C. Corrective
D. Suggestive
Q194. Which of the following applet intrusion issues poses the GREATEST risk
of disruption to an organisation?
A. applets damaging machines on the network by opening
connections from the client machine
B. a program that deposits a virus on a client
C. applets recording keystrokes made by the client and, therefore
passwords
D. downloaded codes reading files on the client’s hard disk
Q197. Which of the following steps provides the highest assurance in achieving
confidentiality, message integrity and non-repudiation by either sender
or recipient?
A. the recipient uses his/her private key to decrypt the secret key.
B. the recipient uses the senders public key, verified with a
certificate authority, to decrypt the pre-hash code
C. the encrypted pre-hash code and the message are encrypted
using a secret key
D. the encrypted pre-hash code is derived mathematically from the
message to be sent
Q198. Several risks are inherent in the evaluation of evidence that has been
obtained through the use of statistical sampling. A beta or type II error
related to sampling risk is the failure to:
A. Properly define the population
B. Draw a random sample from the population.
C. Reject the statistical hypothesis that the value is not misstated when
the true value is materially misstated.
D. Accept the statistical hypothesis that the value is not materially
misstated when the true value is not materially misstated
Q199. The following statement about controls over computer operators is true:
A. segregation of operator duties is not a very effective control
B. If operators are given access to the system documentation, they
may help in tracing the cause of a potential error
Q202. The risk that the conclusion based on a sample might be different from
the conclusion based on examination of the entire population is called
A. Confidence risk
B. Sampling risk
C. Statistical sampling
D. Tolerable rate and the expected deviation rate.
Q208. Which one of the following is ideally suited for multimedia applications?
A. Integrated services digital network (ISDN) and broadband ISDN
B. Broadband ISDN, fiber optics, and ATM
Q215. Which of the following are considered while determining the sensitivity
of information?
A. Availability and integrity
B. Integrity and Confidentiality
C. Availability and Confidentiality
D. Availability, Integrity and Confidentiality
Q218. The initial validation control for a credit card transaction capture
application would MOST likely be to:
A. check that the transaction is not invalid for that card type
B. ensure that the transaction amount entered is within the
cardholder's credit limit
C. verify the format of the number entered and then locate it on the
database
D. confirm that the card is not listed as hot
Q219. Which of the following utilities can be used to directly examine the ability
of the program to maintain data integrity?
A. Data dictionary
B. Macro
C. Output analyser
D. Code optimiser
Q220. Due diligence of third party service providers need not cover
A. Evaluation of testimonials
B. Evaluation of infrastructure
C. Evaluation of experience
D. Evaluation of ownership
Q222. Which of the computer assisted audit techniques and tools help the
auditor to identify the impact of delays and rescheduling audit plans?
A. Planning and scheduling
B. Project management and audit tracking
C. Inventory of the audit universe
D. Risk analysis
Q223. Which of the following is NOT TRUE with regard to network reliability
enhancement:
A. Redundant switching equipment
B. Parallel physical circuits
C. Licensed software
D. Standby power supplies
Q230. Which of the following would NOT be a reason for IS Audit involvement
in information systems contractual negotiations?
A. Often hardware does not interface in an acceptable manner
B. Many information systems projects incur additional costs over the
contract cost
C. Vendors may go out of business and discontinue service support
on their products
D. Only the IS Auditor can determine whether the controls in the
system are adequate
Q234. To examine the existence of the entities described by the data, which
of the functional capabilities in the generalised audit software would be
used:
A. File access capabilities
B. Analytical review capability
C. Stratification and frequency analysis capability
D. Statistical sampling capabilities
Q242. In which phase of a system development life cycle would you perform
Mutation analysis?
A. Requirements
B. Design
C. Implementation
D. Maintenance
Q245. The auditor should ensure that the policy has been formulated and
communicated by
A. Asks employees for related documents that they have in hand
B. Identifies areas where relevant information has not been
communicated
C. Assesses the commitment of the management
D. Identifies its misuse
Q246. To ensure the operating system integrity the web server configuration
should be monitored. Which of the following is not necessary to achieve
this objective?
A. Baseline for the configuration
B. Periodical review of the web configuration and where needed a
secondary review of the same
C. Internal web sites are inside the company
D. All internal communication must be digitally signed
Q249. User controls are designed to ensure that data collected and entered
into the system is
A. Authorised
B. Accurate
C. Complete
D. All of the above
Q251. Echo Check belongs to hardware controls, which usually are those built
into the equipment. Echo Check is best described as:
A. a component that signals the control unit that an operation has
been performed
B. two units that provide read-after-write and dual-read capabilities
C. double wiring of the CPU and peripheral equipment to prevent
malfunctioning
D. validation logic applied to fields and records based on their
interrelationships with controls established for the batch.
Q258. In order to prevent the loss of data during the processing cycle, what is
the first point at which control totals should be implemented?
A. in transit to the computer
B. during the return of the data to the user department
C. during the data preparation
D. between related computer runs
Q259. In the System Development life Cycle (SDLC) the user should be
involved in (1) design (2) development (3) implementation of new
system and changes to the existing system. Which of the following is
true?
A. 1, 2
B. 2, 3
C. 1, 3
D. 1, 2, 3
Q260. If fraud or errors are suspected in the population, the auditor would
use:
A. Attribute sampling
B. Discovery sampling
C. Dollar-unit sampling
D. Ratio and difference estimation.
Q264. The auditor during the course of his audit of IT steering committee
interviews the members of the committee. This process helps the
auditor to ascertain
A. Members of the committee are the persons who have more
number of years of experience in the company
B. Members are appointed by the IS project sponsor
C. Committee is in charge of allocation of resources and prioritising
the projects
D. The organisation culture is in no way influencing the committee
and its management practices
Q267. When the auditor uses generalised audit software to access data
maintained by a database management system, which file structure is
most likely to be difficult to access:
A. A tree structure
B. A sequential file structure
C. A random structure
D. An index sequential structure
Q268. Which is the primary reason for replacing cheques with Electronic Funds
Transfer (EFT) systems in the accounts payable area?
A. to ensure compliance with international EFT standard
B. to decrease the number of paper-based forms
C. to increase the efficiency of the payment process
D. to eliminate the risk that unauthorised changes may be made to
the payment transactions
Q273. Which one of the following poses a major threat in using remote
workstations?
A. Standard software packages
B. Response time
C. Data transfer speed
D. Security
Q279. The best method to detect and correct errors is before the data are
entered into an application system. But this is not always possible. In
that case, what is the best alternative approach for ensuring data integrity?
A. Test data generator
B. Having monitoring modules
C. Use of generalised audit software
D. Expert systems
Q282. In determining the sample size for a test of control using attribute
sampling, a System Auditor would be least concerned with the
A. Expected rate of occurrence
B. Precision limit
C. Result of substantive audit procedure
D. Assessing control risk too high
Q284. The IT auditor considers the controls that are present for the evaluation
of the internal controls. Which of the following controls cut across the
hierarchical line and follow the data as it flows in the organisation?
A. Corrective controls
B. Management controls
C. Application controls
D. Detective controls
Q286. A decision table is used for testing the test data. The purpose of the
results stub in the decision table is that it:
A. Exhibits the expected and actual results
B. Documents the conditions that lead to a particular action.
C. Exhibits the rules for different conditional values
D. Indicates the action to be taken when a rule is satisfied
Q289. The weakness that the IS auditor would be LEAST concerned with while
conducting an access control review in an organisation is:
A. The application programmers have the access rights to the live
data environment.
B. There is no provision for enabling the audit trails in the package.
C. Initiating transactions and changing the related parameters could
be done by a single user.
D. Group login access is being used for accessing critical functions.
Q291. To enforce the email policy, the management need not:
A. Educate employees
B. Educate third parties
C. Take prompt action in case of misuse or complaints
D. Prohibit subscription to e-newspapers and e-groups
Q294. When a company acquires custom-made software, it enters into a
custom software agreement with the vendor. What should the company not
consider before entering into such an agreement?
A. Present and future demands of the company
B. Contingency plan of the vendor
C. Frequency at which the vendor updates the software
D. Number of users of the software
Q302. An IS auditor came across instances where the users failed to review
the invoices prior to submitting them for processing since discounts
from vendors could be availed only within three business days of the
invoicing. Which of the following should the IS
A. Confirm that copies of invoices are compared with edit reports
with detail of invoice value and discount prior to releasing the
payment.
Q317. Implementation and maintenance of new and existing systems with the
aid of programmers and analysts is the responsibility of the:
A. Database administrator.
B. Systems development manager.
C. Operations Manager.
D. Quality assurance manager.
C. Correcting
D. Recording
Q338. Service level agreements ensure that effective and efficient computer
services are provided to users. Which of the following is correct with
respect to service level agreements:
A. They are limited to certain IT resources
B. They are static agreements
C. They are arrangements between users and computer operation
facilities
D. It is the responsibility of user department to provide a framework
for each service level agreement
Q348. The BEST and most reliable form of evidence that assists the IS auditor to
develop audit conclusions is:
A. Control Self Assessment assurance received on the working of
the application from a line management personnel.
B. A Letter of confirmation received from an outsider regarding the
account balance.
C. An analytical review of the ratios by the IS auditor from the
information received from the internal line management.
D. Internet trend analysis of the industry’s performance.
Q349. The BEST and most reliable form of evidence that an IS auditor
would look for in the audit of an IS environment is
A. The IS auditor’s test results
B. The auditee’s oral explanation / statement of the evidence
C. A confirmation letter received by the IS auditor directly from an
outside source
D. A report generated by the accountant from internal evidence
Q350. The BEST method of detecting the copying of illegal software onto a
network is by:
A. Periodically checking all the hard disks.
B. Using diskless workstations.
C. Framing policies for immediate termination of service of the
employee if he violates them.
D. Always using an updated version of an anti-virus software
package.
Q351. The BEST set of attributes of functionality in evaluating the quality of the
software product during its lifecycle is:
A. Relationship between the amount of resources used and the level
of performance of the software.
B. Ability of the software in maintaining its quality of performance
under various conditions.
Q359. The duty and responsibility of the security administrator without affecting
the interests of the organisation CAN be combined with that of the:
A. Computer operator
B. Systems Analyst
C. Systems programmer
D. Quality assurance
Q361. The FIRST and preliminary step in the process of information security
program establishment is:
A. Acquisition of software for the purpose of controlling
security access.
B. Framing and adhering to a corporate IS policy statement
C. Developing and implementing an IS security standards manual
D. The IS auditor conducting a comprehensive security control study.
Q363. The FIRST step in the review of an IT strategic plan is the review of
the:
A. Business plan of the organisation.
B. Information technology environment available at present.
C. Recent trends in the technology.
D. IT budget approved in the latest meeting of the Management.
Q368. The LAN policy describes the job of persons who work on the network.
The duties of a network administrator are
A. Monitoring security violations
B. Password administration
C. Configuring and optimising storage systems
D. Monitoring network environmental conditions
Q370. The main difference in terms of control between a manual system and
a computer system is:
A. there is a difference in the internal control principles
B. the methodology for implementing the controls is not the same in
both
C. there is a perceptible difference in the basic control objectives
D. the control objectives pose more problems for implementing
Q372. The MOST critical situation that an IS auditor should report when he
observes a computer operator also performing the duties of a backup
tape librarian and security administrator is:
A. It is not necessary to report these situations to the senior
management.
B. Computer operators acting as a tape librarian and security
administrator.
C. Computer operators acting as security administrators.
D. Computer operators acting as tape librarians.
Q375. The objective of using a System Control Audit Review File (SCARF) within
the application is to collect the following information, except:
A. Statistical sampling
B. Policy and procedural variations
C. Application system errors
D. Lack of internal program documentation
Q377. The quality that should be determined by the IS auditor while reviewing
the functions of a Database administrator is
A. The database administrator has strong systems programming
capabilities.
B. The IS auditor’s audit software has the efficiency in accessing the
database.
C. The job responsibilities of the function are clearly defined.
D. The function reports to the data processing operations.
Q378. The quantification of the sample size depends on which of the following
criteria?
A. The sample size decreases as the precision amount decreases.
B. The expected population error rate does not affect the sample
size.
C. The sample size decreases with a decrease in the standard
deviation.
D. The confidence level increases as the sample size decreases.
Q379. The reason for the IS auditor NOT preparing a formal audit program
is:
A. To structure the IS auditor’s own planning.
B. Guiding the assistants in performing planned procedures.
C. Overall risk assessment of operations in the organisation.
D. Providing audit documentation for review and reference.
C. Non-Repudiation
D. Selection
Q386. System software that informs the computer how to use a particular
peripheral device is known as
A. Loader
B. Linker
C. Device Driver
D. Compiler
Q388. Which of the following IP address classes has the maximum number of hosts in its
network?
A. Class A
B. Class B
C. Class C
D. Class D
Q392. The voice data is transformed from analog to digital mode or vice-versa
by:
A. Internet Service Provider
B. Internet Service Provider
Q398. A specialized network device that determines the next network point to
which a data packet is forwarded toward its destination is called:
A. Gateway
B. Router
C. Firewall
D. Hub
Q400. A switch is a:
A. Physical Layer device
B. Data Link Layer device
C. Network Layer device
D. Transport Layer device
Q403. Which of the following is not a protocol in the Application Layer of TCP/
IP suite?
A. SMTP
B. DNS
C. UDP
D. TELNET
Q407. Which one of the following is not true about DDR2 RAM?
A. It runs twice as fast as DDR
B. It is known as Dynamic Data Rate Two RAM
C. It is known as Double Data Rate Two RAM
D. It is volatile
Q409. Property that does not permit any person who signed any document to
deny it later is called:
A. Integrity
B. Validation
C. Maintenance
D. Non-Repudiation
C. Relational model
D. Object-oriented models
Q417. The following device is used to connect one type of IEEE 802.x LAN to
another
A. Router
B. Repeater
C. Bridge
D. No device is necessary as they are all compatible and are hence
grouped under 802 series
Q418. The operating system is not responsible for which of the following
activities in connection with process management?
A. Creating and deleting both user and system processes.
B. Suspending and resuming processes.
C. Storage allocation.
D. Providing mechanism for deadlock handling
Q419. 127.0.0.1 is
A. Broadcast address
B. Loopback address
C. Default routing address
D. None of above
Q420. Which of the following is a feature of ActiveX controls that can both be
used as well as misused?
A. ActiveX controls can be reused
B. ActiveX controls can access system resources
C. Many pre-developed controls for performing many tasks are
available
D. Execution of ActiveX controls can be controlled using Internet
Explorer security settings
Q422. When data is accessed through both sequential and direct access
methods the process is called:
A. Sequential storage and retrieval
B. Direct access and retrieval
C. Indexed sequential storage and retrieval
D. None of the above
Q423. A computer that is extremely fast and used for specialized applications
requiring immense mathematical calculations is:
A. Mainframe computer
B. Mini Computer
C. Super Computer
D. Hand held Device
Q424. Which one of the following is not a key issue in data and capacity
management?
A. How to effectively manage rapidly growing volume of data?
B. How to leverage data and storage technology to support business
needs?
C. What is the best data and storage management framework for an
enterprising business environment?
D. How to maintain the performance of a system?
Q425. What is not true about Open System Interconnection (OSI) model:
A. is a reference model
B. describes how information from a software application in one
computer moves through a network medium to a software
application in another computer
C. is a seven layered model
D. is a communication protocol.
Q435. When sending a signed message under a public key infrastructure, the
message is encrypted using the:
A. receiver’s private key
B. sender’s private key
C. receiver’s public key
D. sender’s public key and receiver’s private key
Q440. Where are the additional data and programs not used by the processor
stored?
A. Secondary storage
B. Input units
C. Output units
D. The CPU.
C. FTP security
D. None of the mentioned
Q447. The term used to describe the placement of the data entry function at
the scattered locations where the transactions occur is:
A. Distributed data entry
B. Distributed database
C. Distributed computing
D. Distributed risk management
Q448. In which way does Combined Encryption combine symmetric and
asymmetric encryption?
A. The secret key is asymmetrically transmitted, the message itself
symmetrically.
B. First, the message is encrypted with symmetric encryption and
afterwards it is encrypted asymmetrically together with the key.
C. The secret key is symmetrically transmitted, the message itself
asymmetrically.
D. First, the message is encrypted with asymmetric encryption and
afterwards it is encrypted symmetrically together with the key.
Q452. Where are the additional data and programs not used by the processor
stored?
A. Secondary storage
B. Input units
C. Output units
D. The CPU.
C. Teleprocessing system
D. Centralized processing system
Q458. Microwave transmission, coaxial cables, and fiber optics are examples
of
A. Communication links
B. protocols
C. Internet working
D. Frames
Q459. The technique in shared programs that avoids interspersed printout from
several programs is:
A. Spooling
B. Queuing
C. Paging
D. Slicing
Q460. The term used to describe the placement of the data entry function at
the scattered locations where the transactions occur is:
A. Distributed data entry
B. Distributed database
C. Distributed computing
D. Distributed risk management
Q461. The effective size of the primary storage available for programs may
appear to be unlimited when the following concept is used:
A. Virtual storage
B. Memory caches
C. Buffering
D. Mirroring
Q463. In which way does Combined Encryption combine symmetric and
asymmetric encryption?
A. The secret key is asymmetrically transmitted, the message itself
symmetrically.
B. First, the message is encrypted with symmetric encryption and
afterwards it is encrypted asymmetrically together with the key.
C. The secret key is symmetrically transmitted, the message itself
asymmetrically.
D. First, the message is encrypted with asymmetric encryption and
afterwards it is encrypted symmetrically together with the key.
Q465. The effective size of the primary storage available for programs may
appear to be unlimited when the following concept is used:
A. Virtual storage
B. Memory caches
C. Buffering
D. Mirroring
Q466. Microwave transmission, coaxial cables, and fiber optics are examples
of
A. Communication links
B. protocols
C. Internet working
D. Frames
Q467. The technique in shared programs that avoids interspersed printout from
several programs is:
A. Spooling
B. Queuing
C. Paging
D. Slicing
DISA Review Questions, Answers Manual – Module 2
Module 2 Questions
Q470. Which one of the following requirements of Virtual reality is concerned
with synchronisation?
A. User input
B. Visual perception
C. Spatiotemporal realism
D. Sound perception
Q472. Which stage in the software lifecycle does not require any maintenance?
A. Development or pre-delivery phase
B. Early operational phase
C. Mature operational phase
D. Evolution/replacement phase
Q478. While auditing the environment controls the auditor should confirm that
A. LAN file server facility has dust, smoke and other particulate
matters
B. Consumption of food, beverage and tobacco is allowed
Q481. Which of these enable a super computer’s CPU to share operations for
enhanced performance?
A. Pipelining
B. Parallelism
C. RISC
D. SMP
Q482. Which term often means a piece of code left behind in the system that
will allow the original programmer back into the system?
A. Trap Door
B. Flap Jack
C. Unicode
D. Stealth Code
Q483. Which of the following terms describes a form of dial-up access control
whereby the user dials the desired phone number, authenticates with
the server, hangs up, and then the server dials the client, establishing
the connection?
A. Dial Back
B. Redialing
C. Call Waiting
D. Call Forwarding
Q484. Which of the following gas-based fire suppression system would you
find in an unmanned computer facility?
A. Argon
B. Halon
C. Carbon-dioxide
D. Oxygen
Q485. In an ideally equipped data centre, the wall, ceiling, etc should be made
of fire resistant materials. For how long is it recommended that they
should resist a fire?
A. 2 Hours
B. 1 Hour
C. 30 Minutes
D. 3 Minutes
Q490. Which of the following need NOT be considered before hosting a new
online privacy policy?
A. Business practices
B. Business partners
C. Proposed users
D. Nature of the site
C. Password secrecy
D. Password storage
Q504. Which of the following types of database access control is the most
difficult to enforce?
A. Name-dependent access control
B. History-dependent access control
C. Content-dependent access control
D. Context-dependent access control
Q505. For physical and environmental security, in which of the following areas
should policies and procedures be framed?
A. Independent (third-party) assurances
B. Layout of facilities
C. System Development Life Cycle (SDLC)
D. None of the above
Q507. If a thief steals an ATM card and tries to break the PIN number by
trying all combinations, what type of attack will it be classified as?
A. Keystroke logging
B. Man in the middle
C. Biometric
D. Bruteforce
Q508. Which of the following features may seriously affect or nullify the utility
of audit trails?
A. Passwords are not recorded in the audit trail.
B. Security administrator cannot amend the details in the audit trail.
C. Audit trail records can be amended by the users
D. Date and time stamps are recorded automatically.
Q512. Identify the correct statement with respect to guidelines for data-entry
screens:
A. Both bright colours and automatic tabbing are to be avoided
B. Both bright colours and automatic tabbing should be used as
often as possible
C. Bright colours should be avoided and automatic tabbing should
be used as often as possible
D. Bright colours should be used as often as possible while
automatic tabbing should be avoided.
Q513. A check to ensure that the same data is not keyed twice is called:
A. Sequence checks
B. Limit check
C. Missing data check
D. Duplicate check
Q516. In the context of expert systems, moving down to the symptoms from a fault
is called
A. Forward chaining
B. Forward integration
C. Backward chaining
D. Backward integration
Q517. To prevent the unauthorized use of floppy drives, which of the following
controls is suitable?
A. Switch controls
B. Cable locks
C. Port controls
D. Biometric mouse
Q520. Which of the following provides error detection and error correction?
A. Cyclic Redundancy Check
B. Checksum
C. Parity check
D. Hamming code
name is removed from the payroll, the program will activate another
piece of code to destroy vital files on the organi
A. ActiveX
B. Logic Bomb
C. Virus
D. Denial of Service
Q529. Viruses that can change their appearance are known as:
A. Polymorphic virus
B. Boot sector virus
C. Stealth virus
D. Macro virus.
Q530. If the series of data bits 11001011 is received as 11001000, then it is
called a:
A. Single bit error
B. Multiple-bit error
C. Burst error
D. Parity error
C. Intangible losses
D. All of the above
Q540. If the product number A5723 is coded as A5753, this is an example of
a:
A. Truncation error
B. Double transposition error
C. Random error
D. Transcription error
Q550. Which of the following would NOT protect a system from computer
viruses?
A. Write protect all diskettes once they have been virus checked
B. Scan any new software before it is installed
C. Do not allow vendors to run demonstrations on company owned
machines
D. Boot only from diskettes that were initially checked for viruses
C. Physical design
D. Testing
Q564. Which of the following does not fall under the category of operational
controls?
A. Personnel security
B. Logical access control
C. Physical protection
D. Environmental protection
C. MPEG video
D. Virtual reality
Q570. Which of the following Embedded Operating Systems has a wide set of
features for networking?
A. Windows CE
B. Windows NT embedded
C. Embedded Linux
D. Palm OS
Q574. Which of the following image formats is for the Apple Macintosh range
of Computers?
A. GIF
B. JPEG
C. PICT
D. TIFF
Q575. In a mouse, there are three rollers that can rotate. How many rollers
are actually responsible for the movement of the cursor?
A. One
B. Two
C. Three
D. None
Q576. A brokerage firm is moving into new office premises already equipped
with extensive telephone wiring. The firm is planning to install a PBX to
connect computers and office devices such as photocopiers, printers,
and facsimile machines. A limitation of usi
A. the firm would be dependent on others for system maintenance
B. coaxial cabling would have to be installed throughout the building
C. the system cannot easily handle large volumes of data
D. relocating devices in the office is an expensive and difficult task
Q577. A company uses a wide area network (WAN) to allow salesmen in the
field to remotely log on to the office server using notebook computers
and dial-in modems. Which of the following methods would provide the best
data security in such a situation?
A. end to end data encryption
B. dedicated phone lines
C. call-back features
D. enforcing regular password changes
Q589. Which of the following terms is commonly used for the agreement about
packaging and interpreting both data and control information, when two
devices in a data communications system are communicating?
A. Asynchronous communication
B. Synchronous communication
C. Communication protocol
D. Communication channel
Q592. Which of the mail processing technologies given below affects message
storage at the client end?
A. POP (Post Office Protocol)
B. MAPI (Messaging Application Programming Interface)
C. IMAP (Internet Message Access Protocol)
D. SMTP (Simple Mail Transfer Protocol)
Q596. Artificial Intelligence is now being used in every sphere of life. Which of
the following options justifies the statement?
A. Ability to work in hazardous places
B. Ability to think like human beings
C. Ability to work in artificial environments
D. None of the above
Q598. Given below are major types of storage devices: 1) Cache, 2) Magnetic
disk, 3) Flash, 4) Main memory, 5) Tape storage, 6) Optical storage. Rank
them in increasing order of their reading/writing capability.
A. 1,2,3,4,5,6
B. 5,6,2,3,4,1
C. 6,5,4,3,2,1
D. 2,5,3,1,6,4
Q602. Single copy of a software product installed on the server and used by
all the connected clients is an example of:
A. End user piracy
B. Industrial Piracy
C. Corporate Piracy
D. Copyright Infringement
Q604. The Fibre Distributed Data Interface (FDDI) is a dual ring LAN that uses
a fibre optic cable. The ring is segmented when
A. One ring fails
B. One station fails
C. Two rings fail
D. Two rings fail
Q607. When planning a software audit, the management does not consider:
A. The timing of the audit
B. Persons who should conduct the audit
C. Keeping the audit objective secret
D. Providing access to the required facilities
Q608. Which is the function that the audit software does not perform?
A. Scan each machine separately
B. Decide on the sampling method to be used
C. Report the program that it does not recognise
D. Identify software that is loaded, completely or partially
C. Inheritance
D. Polymorphism
Q619. Which of the following does not come under the Workload Operational
Policy?
A. Backup and disaster recovery systems
B. Naming conventions
C. Job specification design
D. Training and support functions
Q620. Which of the following data items is most likely to appear in the
operations audit trail and not the accounting audit trail for the
communication subsystem?
A. image of message received at each node traversed in the
network
B. unique identifier of the source node
C. message transit time between nodes and at nodes
D. unique identifier of the person/process authorising dispatch of the
message
Q623. Which of the following is not a true statement, with respect to the
implementation of an automated job scheduling system in the computer
center?
A. it ensures that all jobs are run
B. it ensures that jobs run in sequence
C. it prevents jobs from being delayed
D. it ensures the elimination of job definition and job set-up errors
Q625. Which of the following is not an important control step of the input/output
control group?
A. verifying input authorisation
B. identifying questionable data
C. verifying control totals
D. establishing control over output
Q626. Which of the following is not an objective in the analysis and planning
of storage management?
A. To store and manage large amounts of data efficiently
B. To speed up data retrieval
C. To decide on software that has to be loaded on the server
D. To bring down the cost of data storage, while keeping risk under
manageable limits
Q627. Which of the following is true with regard to a good Intrusion Detection
System Software?
A. It can investigate intrusions without human intervention
B. It can compensate for exploits based on errors in network
protocols
C. It is able to resist unauthorised modifications to itself
D. It is able to analyse all of the traffic on a busy network
Q629. Which of the following is true with regard to system and application
software?
A. System software uses application software to interact with
computer hardware
B. Application software uses system software to interact with
computer hardware
C. Both system and application software independently interact with
computer hardware
D. None of the above
Q631. Which of the following risks is not greater in an electronic funds transfer
(EFT) environment than in a manual system using paper transactions?
A. higher cost per transaction
B. unauthorised access and activity
C. duplicate transaction processing
D. inadequate backup and recovery capabilities
Q632. Which of the following statements is (are) correct regarding the Internet
as a commercially viable network?
A. companies must apply to the Internet to gain permission to create
a home page to engage in electronic commerce
C. Password capturing
D. Password spoofing
Q644. While classifying controls on the basis of the operations involved, input
control can be classified as:
A. Organisation control
B. General control
C. Processing control
D. Application control
Q645. Which of the following logical access exposures involves changing data
before, or as it is entered into the computer?
A. Data diddling
B. Trojan horse
C. Worm
D. Salami technique
Q646. While reviewing firewall logs, the auditor does not attempt to keep track
of:
A. Unsuccessful logins
B. Successful logins
C. Unsuccessful logins
D. Unsuccessful logouts
Q651. During a review of system access rules, an IS Auditor noted that the
System Administrator has unlimited access to all data and program files.
Such access authority is:
A. Appropriate, but all access should be logged.
B. Appropriate, because System Administrator has to back up all
data and program files.
C. Inappropriate, since access should be limited to a need-to-know
basis, regardless of position.
D. Inappropriate, because System Administrator has the capacity to
run the system.
C. Trap doors
D. Trojan horses
Q654. Access to the work area is restricted through a swipe card or only
through an otherwise authorised process, and when visitors enter the work
area they are issued a pass and escorted in and out by a concerned
employee. These types of controls are called:
A. Organisational controls
B. Physical access controls
C. Logical access controls
D. Operational controls
Q655. Which of the following concerns associated with the World Wide Web
would be addressed by a firewall?
A. Unauthorized access from outside the organization
B. Unauthorized access from within the organization
C. Delay in Internet connectivity
D. Delay in downloading using file transfer protocol
Q659. For a high security installation, the most effective physical access control
device is:
A. User ID and password
B. Magnetic Card reader
C. Bio-metric devices
D. Laser activated photo identification.
Q660. A firewall access control list may filter access based on each of the
following parameters EXCEPT:
A. Port.
B. Service type.
C. Network interface card (NIC).
D. Internet protocol (IP) address.
Q662. During a fire in a data center, an automatic fire suppression system would FIRST:
A. Cut power to data processing equipment
B. Sound an alarm and begin a timed countdown
C. Discharge the fire suppression gas
D. Disengage the uninterruptible power supply
Q670. The scope of a logical access controls review would include the
evaluation of:
A. effectiveness and efficiency of IT security and related controls.
B. confidentiality, integrity and availability of information to authorized
users.
C. access to systems software and application software to ensure
compliance with the access policy.
D. access to user authorization levels, parameters and operational
functions through application software.
Q674. An IS auditor is assigned to help design the data security, data integrity
and business continuity aspects of an application under development.
Which of the following provides the MOST reasonable assurance that
corporate assets are protected when the appl
A. A certification review conducted by the internal auditor.
B. A certification review conducted by the assigned IS auditor.
C. Specifications by the user on the depth and content of the
certification review.
D. An independent review conducted by another equally experienced
IS auditor.
Q676. Tools used to identify risks include all of the following, except
A. Audit workflow software
B. Risk analysis questionnaire
C. Flowchart of operations
D. Insurance policy checklist
Q678. Which IT audit area involves formal statements that describe a course
of action that should be implemented to restore or provide accuracy,
efficiency, or adequate control of the audit subject?
A. Recommendations of an audit report
B. Conclusion of an audit report
C. Audit tests
D. Findings of the audit report
Q680. Compliance with laws and regulations is a key business risk because
of
A. The sheer number of laws and regulations
B. The controls outlined in COBIT
C. The impact on security of an organization
D. The automation of financial processes
Q682. Risk retention (self-insurance) methods should meet all the following
criteria, except
A. Develop an internal risk management group to monitor exposures
B. Risk should be spread physically to distribute exposure across
several locations
C. Determine whether a self-insurance reserve should be established
to cover a possible loss
D. Determine the maximum exposure to loss
Q686. Cyberlaw is
A. Law governing use of the computer and the Internet
B. State law
C. Central law
D. International law
Q687. Which IT audit area involves formal statements that describe a course
of action that should be implemented to restore or provide accuracy,
efficiency, or adequate control of the audit subject?
A. Recommendations of an audit report
B. Conclusion of an audit report
C. Audit tests
D. Findings of the audit report
Q692. Compliance with laws and regulations is a key business risk because
of
A. The sheer number of laws and regulations
B. The controls outlined in COBIT
C. The impact on security of an organization
D. The automation of financial processes
Q694. Risk retention (self-insurance) methods should meet all the following
criteria, except
A. Develop an internal risk management group to monitor exposures
B. Risk should be spread physically to distribute exposure across
several locations
C. Determine whether a self-insurance reserve should be established
to cover a possible loss
D. Determine the maximum exposure to loss
Q700. Tools used to identify risks include all of the following, except
A. Audit workflow software
B. Risk analysis questionnaire
C. Flowchart of operations
D. Insurance policy checklist
Q702. Cyberlaw is
A. Law governing use of the computer and the Internet
B. State law
C. Central law
D. International law
DISA Review Questions, Answers Manual – Module 3
Module 3 Questions
Q703. Which of these options is not a feature of VPN?
A. Uses Internet
B. Uses intranet
C. Uses extranet
D. Uses common standards
Q705. What are the categories under which X.25 devices fall?
A. DCE only
B. DTE and PSEs
C. DTE and DCE only
D. DTE, DCE and PSEs
Q710. Which one of the following local area network devices functions as a
data regenerator?
A. Network interface card
B. Switch
C. Repeater
D. Modems
C. Relational model
D. Object-oriented models
Q717. The concept in geometry that gives the location of a point, given its
distances from three other points, is:
A. GPS
B. Trilateration
C. Pseudo random code
D. Satellite Signals
C. Error detection
D. Error correction
Q722. The prototyping approach does not assume the existence of:
A. Reusable software
B. Formal specification languages
C. Detailed requirements document
D. Fourth-generation programming languages
Q734. Which one of the following methodologies requires efficient system
requirement analysis?
A. Reverse engineering
B. The Delphi Design (JAD)
C. Joint application Design (JAD)
D. Traditional system development life cycle.
C. Implementation
D. Maintenance
Q744. Electronic methods of data transfer are involved in all of the following
except:
A. remote batch processing
B. stand alone data processing
C. message switching
D. time sharing
Q745. An IS auditor who plans on testing the connection of two or more
system components that pass information from one area to another
would use:
A. Pilot testing.
B. Parallel testing.
C. Interface testing.
D. Regression testing.
Q748. Which among the following hacking techniques DOES NOT facilitate
impersonation?
A. Forging the signature
B. Packet replay
C. Interception
D. Relay
Q750. In which of the following SDLC (System Development Life Cycle)
phases is the IS auditor's participation unnecessary?
A. Feasibility study
B. User requirements
C. Programming
D. Manual specifications
Q751. In a system development project, the formal change control mechanism
is begun after:
A. Completing the system planning document
Q756. Which of the following would NOT normally be part of a feasibility study?
A. Identifying the cost savings of a new system.
B. Defining the major requirements of the new system.
C. Determining the productivity gains of implementing a new system.
D. Estimating a pay-back schedule for cost incurred in implementing
the system.
Q764. The least commonly used medium for local area network (LAN)
environment is:
A. Fiber optics cable
B. Twisted-pair (shielded) cable
C. Twisted-pair (unshielded) cable
D. Coaxial cable
Q773. PC-based analysis and design tools are used along with mainframe
computer-based tools. Identify the CASE tool that is required in this
situation.
A. Diagramming tools
B. Simulation tools
C. Export / import tools
D. Diagram checking tools
Q779. An auditor evaluating a software package purchase contract will NOT
expect the contract to include:
A. License cost
B. Maintenance cost
C. Operational costs
D. Outage costs
Q787. Which of the following project completion paths represents the critical
path?
A. PUW
B. PTVW
C. RVW
D. QSVW
Q793. For which of the following does the IS auditor NOT take part in the
development team deliberations?
A. Ensuring adequacy of data integrity controls.
B. Ensuring adequacy of data security controls.
C. Ensuring that there are no cost and time overruns
D. Ensuring that documentation is accurate
Q794. An IS auditor involved as a team member in the detailed system design
phase of a system under development would be MOST concerned with:
A. Internal control procedures.
B. user acceptance test schedules.
C. Adequacy of the user training program.
D. Clerical progress for resubmission of rejected items.
Q796. ____________ do not have an address table when they are first
installed
A. Simple bridges
B. Multiport bridges
C. Transparent bridges
D. None of the above
C. Spoofing attack
D. Disabling of network.
Q810. For ensuring adequate security of a LAN, the auditor must exercise control
over
A. Password
B. Policies
C. Firewall
D. Applets
Q811. An electronic device that combines data from several low speed
communication lines into a single high-speed line is a:
A. modem
B. multiplexer
C. channel
D. Link editor
Q815. While auditing the logical access control, the auditor need not review:
A. Authorisation of dial in access
B. Audit trail
C. Bugs in the firewall
D. Password management
Q819. Which RAID (Redundant Array of Independent Disks) type makes use
of embedded operating systems?
A. RAID-3
B. RAID-6
C. RAID-53
D. RAID-7
C. Coaxial cable
D. Ethernet
C. Server control
D. All of the above
Q831. While reviewing firewall logs, the auditor does not attempt to keep track
of:
A. Unsuccessful logins
B. Successful logins
C. Unsuccessful logins
D. Unsuccessful logouts
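An added example, not from the manual, of the review a firewall or authentication log gets for unsuccessful logins: failures are counted per source inside a sliding window, and a success from a source that has just exceeded the threshold is flagged separately, since that is the finding to escalate first. The log format, thresholds and sample lines are constructed; the regex would need to be adapted to a real device's format.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format; real firewalls differ, adjust the regex to match.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth: login (?P<result>failed|ok) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Return a dict for a recognised line, None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def analyse(lines, threshold=5, window_seconds=300):
    """Count failed logins per source inside a sliding window.

    Returns {src: {"brute_force": n}} once a source reaches the threshold and
    adds "success_after_failures": user if that source then logs in.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(list)   # src -> timestamps of recent failures
    findings = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        src, now = ev["src"], ev["ts"]
        # forget failures that have fallen out of the window
        recent[src] = [t for t in recent[src] if now - t <= window]
        if ev["result"] == "failed":
            recent[src].append(now)
            if len(recent[src]) >= threshold:
                findings.setdefault(src, {})["brute_force"] = len(recent[src])
        elif len(recent[src]) >= threshold:
            findings.setdefault(src, {})["success_after_failures"] = ev["user"]
    return findings


# Constructed sample: one source hammers the admin account and finally gets in.
SAMPLE_LOG = [
    "2024-03-01T10:00:01Z fw01 auth: login failed user=admin src=203.0.113.9",
    "2024-03-01T10:00:02Z fw01 auth: login failed user=admin src=203.0.113.9",
    "2024-03-01T10:00:03Z fw01 auth: login failed user=root src=203.0.113.9",
    "2024-03-01T10:00:04Z fw01 auth: login failed user=admin src=203.0.113.9",
    "2024-03-01T10:00:05Z fw01 auth: login failed user=admin src=203.0.113.9",
    "2024-03-01T10:00:06Z fw01 auth: login failed user=admin src=203.0.113.9",
    "2024-03-01T10:00:07Z fw01 auth: login failed user=bob src=198.51.100.4",
    "2024-03-01T10:00:08Z fw01 auth: login ok user=jsmith src=192.168.1.20",
    "this line is not an auth event and is skipped",
    "2024-03-01T10:00:09Z fw01 auth: login ok user=admin src=203.0.113.9",
]

if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```

Successful logins are kept in the analysis for exactly this reason: on their own they are noise, but a success that follows a burst of failures from the same source is the strongest single indicator that a guessing attack worked.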
Q832. A normal Post Office Protocol (POP) session has three different states:
1) Transaction state, 2) Update state, 3) Authorisation state. The correct
sequence is
A. 1,2,3
B. 3,2,1
C. 3,1,2
D. 2,3,1
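An added example, not from the manual, of the three POP3 states as a server enforces them (RFC 1939): commands are accepted only in the state they belong to, a failed PASS sends the client back to USER, and deletions are only marked in TRANSACTION and applied in the UPDATE state reached through QUIT. Usernames, passwords and messages are constructed.

```python
import hmac


class Pop3Session:
    """Server-side tracking of the POP3 states AUTHORIZATION -> TRANSACTION -> UPDATE."""

    def __init__(self, users, mailbox):
        self.users = users            # username -> password (constructed; a real
                                      # server stores verifiers, not passwords)
        self.mailbox = list(mailbox)  # message bodies
        self.state = "AUTHORIZATION"
        self.pending_user = None
        self.deleted = set()
        self.trace = []               # client/server lines, for inspection

    def command(self, line):
        self.trace.append("C: " + line)
        verb, _, arg = line.partition(" ")
        handler = {"AUTHORIZATION": self._authorization,
                   "TRANSACTION": self._transaction}.get(self.state)
        reply = handler(verb.upper(), arg) if handler else "-ERR session closed"
        self.trace.append("S: " + reply)
        return reply

    def _authorization(self, verb, arg):
        if verb == "USER":
            self.pending_user = arg
            return "+OK"
        if verb == "PASS":
            expected = self.users.get(self.pending_user or "", "")
            if self.pending_user and hmac.compare_digest(expected.encode(), arg.encode()):
                self.state = "TRANSACTION"
                return "+OK maildrop locked and ready"
            self.pending_user = None          # a failed PASS means USER must be re-sent
            return "-ERR invalid login"
        if verb == "QUIT":
            self.state = "CLOSED"
            return "+OK"
        return "-ERR not authenticated"       # STAT/LIST/RETR/DELE refused here

    def _index(self, arg):
        i = int(arg) - 1 if arg.isdigit() else -1
        return i if 0 <= i < len(self.mailbox) and i not in self.deleted else None

    def _transaction(self, verb, arg):
        if verb == "STAT":
            live = [m for i, m in enumerate(self.mailbox) if i not in self.deleted]
            return f"+OK {len(live)} {sum(len(m) for m in live)}"
        if verb == "RETR":
            i = self._index(arg)
            return "-ERR no such message" if i is None else "+OK\r\n" + self.mailbox[i] + "\r\n."
        if verb == "DELE":
            i = self._index(arg)
            if i is None:
                return "-ERR no such message"
            self.deleted.add(i)               # only marked; removed in UPDATE
            return "+OK marked for deletion"
        if verb == "RSET":
            self.deleted.clear()
            return "+OK"
        if verb == "QUIT":
            return self._update()
        return "-ERR unknown command"

    def _update(self):
        self.state = "UPDATE"                 # entered only by QUIT from TRANSACTION
        self.mailbox = [m for i, m in enumerate(self.mailbox) if i not in self.deleted]
        self.deleted.clear()
        self.state = "CLOSED"
        return "+OK bye"


def run_session(users, mailbox, commands):
    """Drive a session through a list of client commands; return it for inspection."""
    session = Pop3Session(users, mailbox)
    for c in commands:
        session.command(c)
    return session


if __name__ == "__main__":
    s = run_session({"alice": "s3cret"}, ["msg one", "msg two"],
                    ["LIST", "USER alice", "PASS s3cret", "STAT", "DELE 1", "QUIT"])
    print("\n".join(s.trace))
```

The security point is the ordering itself: a client that drops the connection instead of sending QUIT never reaches UPDATE, so nothing is deleted, and nothing about the maildrop is disclosed before PASS has succeeded.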
Q833. Which of the following features is least likely to be found in a real time
application?
A. User manuals
B. Preformatted screens
C. Automatic error correction
D. Turnaround documents
Q834. The voice data is transformed from analog to digital mode or vice-versa
by:
A. Internet Service Provider
B. Gateway Server
C. VoIP Service Provider
D. PSTN Station
Q836. Security problem(s) that a PC can create in a Local Area Network are:
A. Multiplication Factor
B. Channel Factor
C. Both A and B
D. Division Factor
Q840. Which SAN (Storage Area Network) architecture is most widely used?
A. Optical fibers
B. Fiber loop
C. Mainframes
D. Network attached storage
Q841. Under normal conditions, which of the following offers the fastest
connection to the Internet?
A. Analog connections
B. ISDN
C. DSL
D. Cable
C. The landscape
D. The subscriber’s conversation time
Q847. #NAME?
A. PGP (Privacy Good Policy)
B. S/MIME (Secure/Multipurpose Internet Mail Extension)
C. PEP (Privacy Enhance Mail)
D. MIME Object Security Services
Q850. ________ are self-replicating malicious code that slow down the processor
on entering a network, and are not dependent on any action by the
user
A. Viruses
B. Worms
C. Trojan Horse
D. Spoofing
Q851. __________ are Wireless LAN devices that act like the "hubs" in traditional
LANs and provide connectivity to the user irrespective of his location.
A. Data carriers
B. Transmitters
C. Receivers
D. Access Points
Q852. A computer can call into primary storage only that portion of a program
and data needed immediately while storing the remaining portions in an
auxiliary storage device. This feature is commonly known as:
A. compiling
B. multiplexor channeling
C. virtual storage
D. on-line processing
Q854. A major problem in networking is the slow rate of data transfer. Which
of the following would help counter this problem?
A. Data formatting
B. Decentralised control
C. Allocating adequate bandwidth
D. All of the above
Q855. A major way in which modern quality systems used to support the
information systems function differ from traditional quality systems is:
A. modern quality systems focus on customer satisfaction as the
primary goal
B. modern quality systems focus on the production of zero-defect
software as the primary goal
C. traditional quality systems fail to recognise the inherent conflict
that can exist among some goals established for an information
systems project
D. traditional quality systems do not take into account the need for
an independent QA group and independent testing
Q862. Which one of the following transmission media is unsuitable for handling
intrabuilding data or voice communications?
A. Unshielded Twisted pair
B. Microwave transmission
C. Shielded Twisted pair
D. Optical fiber
Q865. While downsizing a material inventory system, data center personnel
considered a redundant array of inexpensive disks (RAID) for the inventory
database. One reason to use RAID is to ensure that:
A. all data can still be reconstructed even if one drive fails
B. all data are split evenly across pairs of drives
C. snap shots of all transactions are taken
D. write time is minimised to avoid concurrency conflicts
Q868. LDAP (Lightweight Directory Access Protocols) has an edge over X.500
in Directory Enabled Networks (DEN), because it supports:
A. Static routing
B. Dynamic routing
C. Both
D. None
Q869. Which of the following statements regarding security concerns for lap
top computers is NOT false?
A. Decentralised controls over the selection and acquisition of
hardware and software are a major concern
B. The primary method of control usually involves general controls
Q870. Which of the following tools allots a specific amount of space to packets
to handle traffic effectively?
A. Priority Queuing
B. Custom Queuing
C. Weighted Flow Queuing
D. FIFO, Basic store and forward capability
Q872. Which of the following would not normally be considered a typical file
structure for a database management system:
A. Hierarchical structure
B. Batched sequential structure
C. Network structure
D. Relational structure
Q875. Which of these wireless technologies deploys Radio Frequency (RF) for
a WLL (Wireless Local Loop)?
A. Analog Cellular
B. Digital Cellular
C. Personal Communication system (PCS)
D. Proprietary systems
Q877. Which one of the following computer systems is best to provide parallel
processing of documents in a business environment?
A. Network Management systems
B. Database Management systems
C. Workflow systems
D. Imaging and Mirroring systems
Q883. Which one of the following is NOT true relating to the use of fiber optics:
A. Data is transmitted rapidly
B. Fiber optic cable is small and flexible
C. They are unaffected by electrical interference
D. It has a high risk of wiretapping
Q884. Which one of the following is the most essential activity for effective
computer capacity planning:
A. Scheduling of documents
B. Planning of adequate security and controls in the computer center
C. Estimating electrical load
D. Workload forecasting
Q886. Which one of the following network types will play an important role in
implementing E-commerce?
A. Local area network
B. Wireless Local area network
C. Value-added network
D. Internet Servers Providers’ network
Q887. Which one of the following pair of items is a primary cause of signal
distortion in data communications?
A. Sudden change in weather and temperature
B. Attenuation and propagation delay
C. Phase hits and amplitude jitter
D. Number of concurrent users
Q888. Which one of the following pairs of protocols conflict most with
each other? (TCP/IP is transmission control protocol/Internet protocol,
ISO/OSI is International Standards Organization/Open Systems
Interconnection, SNA is
A. ISO/OSI and GOSIP
B. TCP/IP and ISO/OSI
C. ISO/OSI and SNA.
D. SNA and TCP/IP
Q889. Which one of the following statement is true with respect to VSAT?
A. Usage is restricted to geographical boundaries
B. Very high cost due to the usage of fibre optic cables
C. Though quality of data is high, it doesn't support high bandwidth
D. It operates in two frequency bands namely Ku and C
C. Mbone
D. Backbone
Q895. All computers have a central processing unit (CPU) that works in
conjunction with peripheral devices. The function of the CPU are:
A. Input, Output and arithmetic-logic
B. Control and Output
C. Control and arithmetic-logic
D. Input and Control
Q896. An agreement between two computer systems on the ways in which the
data to be transmitted between them shall be packed and interpreted is
called
A. Communication channel
B. Communication protocol
C. Synchronous mode of transmission
D. Asynchronous mode of transmission
Q898. Analyzing data protection requirements for installing a local area network
(LAN) does not include:
A. Uninterruptible power source
B. Fault tolerance
C. Operating systems
D. Destruction of the logging and auditing data
Q906. Which of the following statements is not a benefit for using the Voice-
over-Internet protocol?
A. High quality voice
B. Security
C. Use of vocoder
D. Use of TDMA
Q907. The IP address 135.0.0.2 (in decimal octet notation) belongs to which
IP addressing class?
A. Class A
B. Class B
C. Class C
D. Class E
Q910. Different controls are required depending on whether software is
purchased, customised or developed. The auditor, while auditing the
LAN, determines that
A. There exists a license agreement for purchased software
B. All the users have contact number of the vendor
C. Users can ask the vendor to customize the software as required
by them
D. All the software used by the company is accessible by everybody
on the LAN
Q915. Extensible Markup Language or XML differs from HTML in the sense
that
A. It has predefined tags and semantics
B. It allows applications to define their own tags and semantics
C. It has a larger set of predefined tags and semantics
D. None of the above
Q916. Hardware controls usually are those built into the equipment by the
manufacturer. One such control, an echo check, is best described as:
A. a component that signals the control unit that an operation has
been performed
B. two units that provide read-after-write and dual-read capabilities
C. double wiring of the CPU and peripheral equipment to prevent
malfunctioning
D. validation logic applied to fields and records based on their
interrelationships, with controls established for the batch.
Q918. If a web site using the Internet Information Server from Microsoft does
not run dynamic scripts, which of the following tools can harden the
Web Server?
A. IIS Lockdown
B. CGI
C. URLScan
D. Microsoft Management Console
Q919. If possible, the quality goals for specific information systems project
should be formulated by:
A. the sponsor of the project
B. the project’s quality control group
C. QA personnel
D. the project leader
Q921. In 802.5 Token Ring LAN, when a data frame is in circulation, where is
the token?
A. At the receiving station
B. At the sending station
C. With a special station called Monitor station
D. Both the sending and receiving stations have a copy of the token
Q928. In the audit of LAN, inventory control helps the auditor in determining
the effectiveness of IS operations. Which of the following is not correct
with respect to inventory control?
A. Identify the person responsible for disposing obsolete or badly
damaged LAN equipment
B. Inventory control is maintained of all LAN software
C. Hardware components are marked with identification number
which cannot be erased or removed
D. Virus checking software is in use
Q929. In today's business environment one can hardly find a company without
a computer. But an IPF (information processing facility) is typically a
large expense. In planning the physical location of the computer, the
primary consideration for selecting a site i
A. minimise the distance that data control personnel must travel to
deliver data and reports
B. provide security
C. be easily accessible by a majority of company personnel
D. be on the top floor
Q931. In which of the following services are Public Key Infrastructure (PKI) and
digital certification not a useful feature?
A. Virtual Private Networks
B. Web Authentication
C. File Encryption
D. Circuit Switching
Q937. Most computer systems have hardware controls that are built in by the
computer manufacturer. Common hardware controls are :
A. duplicate circuitry, echo checks, tape file protection and internal
header labels
B. duplicate circuitry, echo check and internal header labels
C. tape file protection, cryptographic protection and limit checks
D. duplicate circuitry, echo checks and dual reading
Q939. To which of the following resource types are the most complex action
privileges assigned?
A. hardware
B. software
C. commodity
D. data
Q947. Organizations which are unable to create and maintain their own private
networks are more likely to use
A. a wide area network
B. vendor delivered electronic mail system
C. fast-packet switching
D. public switched network
Q948. Out of the following pairs of services, which provides access control
over a network of computers?
A. Identification and authentication
B. Certification and accreditation
C. Access control lists and access control privileges
D. Accreditation and assurance
Q949. Personal Computers and Laptops have both a floppy disk drive and a
hard disk drive. The major difference between the two types of storage
is that a hard disk:
A. Has much larger storage capacity than a floppy disk and can also
access information much more quickly
B. is a direct access storage medium whereas a floppy disk is a
sequential access storage medium
C. provides an automatic audit trail, whereas a floppy disk does not
D. is suitable for an online system whereas a floppy disk is not
Q956. Short Message Service (SMS) cannot be used to provide which of the
following services?
A. Notify a user if new email comes to user’s email account
B. Inform a user about news headlines or weather
C. Provide transmission of short messages between two users
D. Display a graphic-rich web page
Q957. Simple Software has just purchased a minicomputer. The make and
model selected will allow the company to attach additional units as
its needs expand. The company has taken advantage of a concept in
hardware design known as:
A. Emulation
B. Networking
C. Modularity
D. Standardisation
Q959. The auditor while reviewing the local area network (LAN) takes into
consideration the purpose and processing environment. In the pre-audit
phase the auditor
A. Considers the LAN utilities used by the company and takes training on
them
B. Ensures that the hardware inventory contains a unique
identification number
C. Ensures that a procedure exists for operations staff to
manage change control
D. Reviews the problem resolution log to determine if the problems
are recurring
Q960. The best control to ensure that a customer uses a debit/credit card
carefully is:
A. to make the customer liable if the careless use of a card leads to
a fraud
B. blocking a card if it is not used for a period of 3 months
C. to educate the customer about the importance of card security
D. enforced periodic change of the PINs
Q961. The database administrator is not responsible for which one of the
following functions?
A. Physical design of a database
B. Security of a database
C. Coordinate and resolve conflicting needs and desires of users in
their diverse application areas
D. Logical design of a database
Q962. The following device is used to connect one type of IEEE 802.x LAN to
another
A. Router
B. Repeater
C. Bridge
D. No device is necessary as they are all compatible and are hence
grouped under 802 series
Q963. Which of the following methods of obtaining customer-selected PINs does
not require the cryptographic generation of a reference number to initially
associate the PIN with the customer's account number?
A. entry via phone
B. PIN entry at the issuer’s premises
C. PIN entry via a secure terminal
D. PIN entry at acquirer’s premises
Q964. Which of the following methods of PIN validation results in the fewest
control problems?
A. allow the customer to make a small number of PIN entry
attempts, close the account after the limit has been reached, and
retain the card
B. allow the customer to make a small number of PIN entry
attempts, do not close the account after the limit has been
reached, but retain the card
C. allow a reasonable number of PIN entry attempts, close the
account after the limit has been reached, but do not retain the
card
D. allow a reasonable number of PIN entry attempts, close the
account after the limit has been reached, and retain the card
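An added example, not from the manual, of the attempt-limiting control behind option A: a PIN check with a small attempt budget, after which the account is blocked and the terminal is told to retain the card, with the counter reset only by a correct entry. Account numbers and PINs are constructed; a real issuer verifies PINs inside an HSM against a PIN verification value rather than holding PINs in clear.

```python
import hmac


class PinValidator:
    """PIN check with a small attempt budget, account closure and card retention."""

    def __init__(self, pins, max_attempts=3):
        self.pins = pins             # account -> PIN (constructed, clear text for the demo)
        self.max_attempts = max_attempts
        self.failures = {}           # account -> consecutive wrong entries
        self.closed = set()          # accounts blocked after too many attempts
        self.retained_cards = set()  # cards the terminal has been told to keep

    def validate(self, account, pin):
        if account in self.closed:
            return "account_closed"          # even the right PIN is refused now
        expected = self.pins.get(account, "")
        # compare_digest: timing does not depend on how many digits matched
        if expected and hmac.compare_digest(expected.encode(), pin.encode()):
            self.failures[account] = 0       # a success resets the budget
            return "ok"
        n = self.failures.get(account, 0) + 1
        self.failures[account] = n
        if n >= self.max_attempts:
            self.closed.add(account)
            self.retained_cards.add(account)
            return "account_closed_card_retained"
        # unknown accounts get the same reply as wrong PINs, so the response
        # does not reveal whether the account exists
        return f"wrong_pin_{self.max_attempts - n}_left"


if __name__ == "__main__":
    v = PinValidator({"4000-0001": "1234"})
    for attempt in ("0000", "1111", "2222", "1234"):
        print(attempt, v.validate("4000-0001", attempt))
```

A budget that is too generous turns the PIN into a guessable four-digit secret; a budget that is never reset on success locks out legitimate customers who mistype once a week. Three consecutive failures is the usual compromise, and retaining the card stops the attacker from simply walking to the next terminal.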
Q967. The internal auditor's first job while trying to identify the components of
a telecommunication system posing the GREATEST threat shall be to
A. Identify the business objectives of the network
B. Review the network with reference to the ISO/OSI model of seven
layers
C. Identify the various layers of ISO/OSI model to which each
component belongs
D. Estimate the operating costs of the communication subsystem
Q969. The major reason why quality metrics need to be chosen for a specific
information systems project is:
A. to alleviate conflict between stakeholders
B. to reduce the amount of monitoring of compliance with standards
that QA personnel will have to undertake
C. to clarify the basis on which QA personnel will evaluate whether
quality goals have been met
D. to alleviate conflict between the Statutory Auditors and Information
Systems Auditors
Q970. Which feature of the Interior Gateway Routing Protocol (IGRP) prevents
large loops of routers?
A. Poison-reverse updates
B. Split-horizon updates
C. Hold down
D. Composite metric
Q979. The relationship with vendors is important from the point of view of
maintenance and servicing of the systems. The auditor, in the review of the
LAN, ensures that software meets the demands of the company and that
A. The vendor reliability is not important
B. The license agreement exists
C. The vendor support for the installation,training need not exist
D. The software is purchased without approval of the senior officials
Q982. The use of programming aids, data and instructions that are prepared
for one computer and can be used on another computer without
conversion or program modification are examples of:
A. Modularity
B. Interfacing
C. Sequencing
D. Portability
Q983. To connect to an FTP site without being a registered user, one needs
to enter:
A. login name = anonymous; password = email address
B. login name = email address; password = anonymous
C. login name = anonymous; password = anonymous
D. cannot log on without being a registered user
Q987. Use of a local area network has its own restrictions when compared to
a wide area network. Which one of the following is not a restriction?
A. The number of workstations that can be connected to a network
B. The length of cable to connect a workstation to the network
C. A single link failure, a repeater failure, or a break in the cable
could disable a large part or all of the network.
D. The ability of a personal computer to act as a data terminal
Q990. What does NAT mean in the context of Firewalls and Security?
A. NAT (Network Attack Terminator) is a program used to hunt
and destroy malicious packets.
B. NAT, Network Administration Terminal, is an application-proxy
firewall and inspects incoming packets
C. NAT, Network Address Translation, hides the internal addressing
scheme in the network
D. NAT, Network Authentication Tool, identifies authorised users and
allows them remote access
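An added example, not from the manual, of what NAT does to addresses: a port-address translation table that rewrites outbound packets to a single public address and rewrites inbound packets only when they match a mapping an internal host created, so the internal scheme is never visible outside and unsolicited inbound traffic is dropped. Addresses and ports are constructed from the RFC 1918 and documentation ranges.

```python
import itertools


class Nat:
    """Port-address translation: many internal hosts share one public address."""

    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self._ports = itertools.count(first_port)
        self.out_table = {}   # (int_ip, int_port, dst_ip, dst_port) -> ext_port
        self.in_table = {}    # (ext_port, dst_ip, dst_port) -> (int_ip, int_port)

    def outbound(self, pkt):
        """Rewrite an internal->external packet, creating a mapping if needed."""
        key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        ext_port = self.out_table.get(key)
        if ext_port is None:
            ext_port = next(self._ports)
            self.out_table[key] = ext_port
            self.in_table[(ext_port, pkt["dst"], pkt["dport"])] = (pkt["src"], pkt["sport"])
        # the outside world only ever sees the public address and the chosen port
        return {**pkt, "src": self.public_ip, "sport": ext_port}

    def inbound(self, pkt):
        """Rewrite an external->internal packet; None means it is dropped."""
        if pkt["dst"] != self.public_ip:
            return None      # internal addresses are not routable from outside
        target = self.in_table.get((pkt["dport"], pkt["src"], pkt["sport"]))
        if target is None:
            return None      # no internal flow created this mapping: unsolicited
        int_ip, int_port = target
        return {**pkt, "dst": int_ip, "dport": int_port}


if __name__ == "__main__":
    # constructed: 10.0.0.0/8 inside, 198.51.100.1 as the public address,
    # 203.0.113.50 as an external web server
    nat = Nat("198.51.100.1")
    out = nat.outbound({"src": "10.0.0.7", "sport": 51515, "dst": "203.0.113.50", "dport": 443})
    print(out)
    print(nat.inbound({"src": "203.0.113.50", "sport": 443, "dst": "198.51.100.1", "dport": out["sport"]}))
```

The mapping here is keyed on the remote endpoint as well, so a reply from a different host to the same external port is dropped. Hiding the addressing scheme is a side effect of translation, not a security policy: hosts that initiate connections outward are still fully exposed to whatever they connect to, which is why NAT complements a firewall rather than replacing one.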
Q992. What happens when the Session Manager opts for a persistent session?
A. Session data is stored permanently in the database
B. Session data for each transaction is stored in the database
C. Session data is stored in the memory for a limited time
D. Session data is not related to a persistent session
Q995. What is the similarity between a GSM (Global System for Mobile
Communication) network and EDGE (Enhanced Data for GSM
Environment)?
A. Both use the TDMA frame structure
B. Both deliver a data rate of 384 Kbps
C. Both use the same transceiver unit
D. Both use phase shift modulation
Q996. When three or more nodes are linked together through a single
communication medium it is termed as,
A. Ring Logical Topology
B. Point-to-Point Topology
C. Multipoint Topology
D. Bus Logical Topology
Q999. When data is accessed through both sequential and direct access
methods the process is called:
A. Sequential storage and retrieval
B. Direct access and retrieval
C. Indexed sequential storage and retrieval
D. None of the above
Q1000. When emails are exchanged over the Internet, one server handles
incoming mails and the other outgoing. With respect to this, which of
the following options is true?
A. SMTP handles incoming mails and POP3 handles outgoing.
B. POP3 handles incoming mails and SMTP handles outgoing.
C. Microsoft Outlook handles incoming mails and Outlook Express
handles outgoing.
D. Outlook Express handles incoming mails and Microsoft Outlook
handles outgoing.
Q1001. When sending a signed message under a public key infrastructure, the
message is encrypted using the:
A. receiver’s private key
B. sender’s private key
C. receiver’s public key
D. sender’s public key and receiver’s private key
Q1002. When the exchange of information is the primary purpose for installing a
computer system, with an information repository accessible to its users,
the BEST system is:
A. Electronic Bullet Board System
B. Electronic Mail System
C. Private Branch Exchange (PBX)
D. Fax/modem software
Q1004. When users of an information system are dispersed over a wide area
and are authorized to use dial-up lines for getting access to confidential
data, the BEST form of control for data security and confidentiality is
A. forced change of password after every day
B. end-to-end encryption
C. dial-disconnect-callback features
D. dedicated telephone lines
Q1006. Which among the following is a distinct benefit of installing a Local Area
Network (LAN)?
A. LANs enable sharing of resources like hardware, software and
data
B. LANs prevent virus attack
C. LANs provide better change management control
D. LANs provide greater confidentiality of data than other systems
Q1007. Which area of the ISO Network Management Model is responsible for
identifying problems, logging reports and notifying the users, so that the
network runs effectively?
A. Performance Management
B. Accounting Management
C. Fault Management
D. Configuration Management
Q1009. Which feature gives Time Division Multiple Access the edge over other
spread spectrum technologies?
A. Hierarchical cell structures
B. Extended TDMA
C. Elimination of interference
D. Reduced infrastructure costs
Q1012. Which of the following activities should not be permitted when operators
use a communications network control terminal?
A. Monitoring network activity levels
B. Down-line loading a program
C. Transmitting system warning and status messages
D. Altering the audit trail to correct an error
Q1014. Which of the following requires two different keys for encryption and
decryption?
A. Symmetric Cryptography
B. Asymmetric Cryptography
C. Cryptanalysis
D. Cryptology
Q1016. Which of the following best describes the role of QA management with
respect to the information systems function?
A. Carrying out a post-implementation audit/review of the application
systems of an information systems function
B. Monitoring IS activities for compliance with IS standards
C. Advising information systems development staff on the quality of
the requirements specification and design specification that they
have prepared
D. Working with internal auditors to devise a program of compliance
testing and substantive testing activities for the information
systems function
Q1017. Which of the following characteristics is not associated with a public key
cryptosystem?
A. The encryption key can be known to all communication users
B. Processing in a private key cryptosystem is faster than in a public
key cryptosystem
C. The decryption key should be kept secret
D. The decryption key is the same as the encryption key
Q1019. Which of the following decisions most likely cannot be made on the
basis of performance monitoring statistics that are calculated?
A. Whether new hardware/system software resources are needed
B. Whether unauthorised use is being made of hardware/system
software resources
Q1020. Which of the following decisions most likely could not be made on the
basis of reports prepared from the maintenance log?
A. Whether to move files from one storage medium to another to
reduce read/write errors
B. Whether only valid and authorised transactions were processed
C. Whether a storage medium should be retired
D. Whether a master file should be stored on a particular storage
medium
Q1021. Which of the following does not reflect good control over the use of
removable storage media?
A. Personnel at off-site locations should receive and issue backup
files only in accordance with an authorised schedule or a signed
requisition
B. Project managers should maintain records of media use
associated with the application systems over which they have
responsibility
C. Sensitive files and non-sensitive files should be stored on the
same removable storage medium
D. Backups for all media except diskettes should be kept off site and
access to them must be restricted
C. resources provided/denied
D. modifications to private keys
Q1024. Which of the following features in Internet Information Server (IIS) 5.0
from Microsoft logs the CPU resources consumed by Web Services?
A. Application Protection feature
B. Centralised Administration
C. Kerberos
D. Process Accounting
Q1025. Which of the following features is not a part of DSL but of ADSL?
A. Use of Plain Old Telephone Service (POTS)
B. Use of copper wire as transmission medium
C. Facilitates more downstream rather than upstream transfer
D. Provides more bandwidth for voice
Q1027. Which of the following incidents can seriously damage a digital signature
system?
A. Compromise of a key server’s private key
B. Compromise of a receiver’s private key
C. Compromise of a sender’s private key
D. Use of a fake public key
Q1030. Which of the following is considered the greatest threat to the corporate
network, as far as cyber theft is concerned?
A. Business partners who have authorised access to the network
B. External parties not having authorised access to the network
C. Suppliers and customers who have authorised access to the
network
D. Employees who are connected to the corporate network
Q1038. Which of the following is not a part of the Global System for Mobile
Communication (GSM) network?
A. European Telecommunications Standards Institute (ETSI)
B. Switching System (SS)
C. Base Station System (BSS)
D. Operation and Support System (OSS)
Q1042. Which of the following is not an audit objective in the review of hardware
acquisition?
A. Ensuring that adequate information for sound management
decision making is available prior to contracting for the purchase,
rent or lease of new equipment
B. Ensuring that the vendors are provided with appropriate and
uniform data for submission of bids according to management
approved specifications and guidelines
C. Ensuring that provisions are made to minimise damage or abuse
to hardware and to maintain the hardware in good operational
condition
D. Ensuring that management’s hardware acquisition plan has taken
into consideration technological obsolescence
Q1049. Which of the following provides mobile user network access over an air
interface in Wireless IP?
A. Core network
B. End-user Services Network
C. Radio Access Network
D. GSM
Q1055. Which of the following principles should guide the ways in which QA
personnel monitor compliance with information systems standards?
A. QA personnel should use automated tools to ensure compliance
with information systems standards
B. QA personnel should seek to understand the reasons for a
compliance failure so that they can advise management
Q1056. Which of the following principles should not guide the way in which QA
personnel report to management?
A. The recommendations that QA personnel make should be backed
up by concrete facts
B. Stakeholders should be informed of the contents of reports before
they are released to management
C. The recipients of project-based reports should be agreed upon at
the start of a project
D. QA reports must degenerate into a long list of defects that have
been identified
Q1057. Which of the following security practices are supported by most remote
control program products when accessing a host workstation on a local
area network?
A. Matching user ID and name with password
B. Principle of highest privilege should be implemented to perform
the file backup function
C. Limiting access to local drives and directories
D. Controlling file-transfer rights
C. Design bugs
D. Data bugs
Q1069. Identify the one that is NOT a key concept of object-oriented technology.
A. Encapsulation
B. Idempotence
C. Polymorphism
D. Inheritance
Q1075. Feasibility study may not cover the ___________ aspects of a project:
A. Economic
B. Technical
C. Legal
D. Personal
Q1076. Risk analysis is MOST useful when applied during which phase of the
system development process?
A. Project initiation
B. System Construction
C. Acceptance Testing
D. Implementation Planning
Q1080. A type of SDLC model where a time box can be used to limit the time
available for producing a working system.
A. Prototype
B. Spiral
C. RAD
D. Waterfall
Q1082. Person responsible for overall cost and time lines of a project is:
A. Project Manager
B. Network Engineer
C. Team Leader
D. Systems Analysts
Q1085. Which of the following is true with regard to White Box Testing?
A. Output of the program code is not required before the beginning
of the code.
Q1086. Artificial Intelligence is now being used in every sphere of life. Which of
the following options justifies the statement?
A. Ability to work in hazardous places
B. Ability to think like human beings
C. Ability to work in artificial environments
D. None of the above
Q1088. During the detailed design phase of the SDLC, which one of the following
tasks is performed?
A. Defining control, security, and audit requirements
B. Developing screen flows with specifications
C. Identifying major purpose(s) of the system
D. Developing system justification
Q1092. In which type of testing is the same test data run through both the new
and the old system, and the output results compared?
A. Unit Testing
B. Parallel Testing
C. Penetration Testing
D. All of the above
Q1094. With respect to the various phases in the SDLC, which of the following is
least likely to vary?
A. Conduct of each phase
B. Sequence in which phases are performed
C. Presence of each phase
D. Resources needed to perform each phase
Q1097. A project manager has asked that you advise him of the potential risk
associated with the use of timebox development techniques in a system
development project. Which of the following would NOT be good
advice?
A. That the timebox technique should only be applied to projects that
can be completed within a reasonable timeframe.
B. For the timebox approach to be effective, end-users and
management should have agreed to core functionality to be
developed in the timebox.
Q1100. Which one of the following is not true about emergency changes?
A. They are required to resolve system problems and enable critical
processing to continue
B. They involve the use of special logon IDs that grant temporary
access to the production environment during an emergency situation
C. Emergency IDs used for making emergency changes have
special privileges, hence their usage should be logged and carefully
monitored
D. Passwords of emergency IDs used for making emergency
changes should never expire
Q1104. The desire for more accountability of public sector organizations has
resulted in:
A. An increased proportion of independent members on governing
bodies
B. Pressure on all public sector organizations to be operated on a
profit making basis
C. Public sector managers to become more professional
D. Public sector organizations to develop plans for their strategic
development
Q1110. Ethical issues concerning business and public sector organizations exist
at three levels:
A. Macro; Corporate; Individual
B. Corporate; Business; Functional
C. Corporate; Functional; Individual
D. Business; Family; Individual
Q1119. The desire for more accountability of public sector organizations has
resulted in:
A. An increased proportion of independent members on governing
bodies
B. Pressure on all public sector organizations to be operated on a
profit making basis
C. Public sector managers to become more professional
D. Public sector organizations to develop plans for their strategic
development
Q1125. Ethical issues concerning business and public sector organizations exist
at three levels:
A. Macro; Corporate; Individual
B. Corporate; Business; Functional
C. Corporate; Functional; Individual
D. Business; Family; Individual
DISA Review Questions, Answers Manual – Module 4
Module 4 Questions
Q1131. Insurance cover that reimburses a company for expenses incurred to
avoid or minimize the suspension of business is called:
A. Business Interruption Insurance
B. Equipment and Facility Insurance
C. Data Reconstruction
D. Extra expense insurance
Q1132. The IS auditor should ensure that insurance coverage is adequate and
reflects the actual cost of recovery. It is important that the organisation
not only covers the loss of property but also:
A. Covers the health of the employees
B. Covers the cost of data reconstruction.
C. Covers employee fidelity
D. Covers the loss of revenue stream arising from that property
Q1133. Insurance that protects the company in the case of a claim against
the company for negligence, errors, omissions, or wrongful acts in the
performance of the company’s duties is called:
A. Business Interruption Insurance
B. Equipment and Facility Insurance
C. Professional Liability Insurance
D. Extra expense insurance
Q1134. Which of the following terms best defines a computer program that looks
“normal” but contains harmful code?
A. Trojan horse
B. Trapdoor
C. Worm
D. Time bomb
Q1135. At which stage of the data process flow, from source to warehouse, are
detective controls implemented?
A. Data migration
B. Transformation
C. Loading
D. Reconciliation
Q1139. Which one of the following is not an application control to assure data
accuracy?
A. Crossfooting
B. Control total
C. Limit and reasonableness test
D. Echo checking
Q1142. Which of the following is the least important basis for access control?
A. What the user knows
B. What the user wants
C. What the user is
D. What the user has
Q1146. The BEST transmission control that can be employed to protect data
during data transfer is:
A. Applying parity check
B. Data encryption
C. File header encryption
D. Use of standard protocol
Q1148. Which of the following worms does the friendly “Cheese worm”
counteract?
A. Adore worm
B. Sadmind/ IIS worm
C. Ramen worm
D. 1i0n worm
Q1151. The feature of Linux that allows changing password without altering or
recompiling any utility is:
A. Shadow password
B. Pluggable Authentication Module (PAM)
C. LILO
D. Dual booting
Q1152. The BEST method to verify the data values through the various stages
of processing is:
A. Check digits
B. Hash totals
C. Run-to-run totals
D. Automated controls
Q1153. Which of the following media has the least backup capacity?
A. Removable Cartridges
B. Floppy Diskettes
C. Compact Disk
D. Tape Drives
Q1158. Data or documentation that must be retained for legal reasons, for use
in key business processes, or for restoration of minimum acceptable
work levels in the event of a disaster is classified as:
A. Desirable
B. Vital
C. Essential
D. Critical
Q1160. With respect to a BCP, the auditor should test check contact information
(of vendors, employees) to ensure:
A. They will honour their contractual agreements.
B. That they are current.
C. They are physically close by.
D. They are registered with tax authorities.
Q1166. Any force or phenomenon that could degrade the availability, integrity
or confidentiality of an Information Systems resource, system or network
is called a:
A. Threat
B. Risk
C. Vulnerability
D. Threat-source
Q1167. With respect to BCP testing, which of the following types of test will
involve considerable expenditure of time, effort and resources?
A. Checklist
B. Structured walk-through
C. Full-interruption
D. Simulation
Q1173. Which of the following is the MOST reliable strategy for centralized
systems?
A. Cold site
B. Reciprocal Agreement
C. Hot Site
D. Mirror site/Active Recovery Site
Q1174. Which of the following is the LEAST reliable strategy for centralized
systems?
A. Mobile Site
B. Hot Site
C. Reciprocal Agreement
D. Mirror site/Active Recovery Site
Q1175. Data that can be reconstructed fairly readily but at some cost is
classified as:
A. Critical
B. Essential
C. Sensitive
D. Essential
Q1178. The auditor should evaluate the security of an offsite facility to ensure
that it has logical, physical and environmental controls. Ideally, these
controls should be:
A. On par with that provided at the primary facility.
B. Less than that provided at the primary facility.
C. More than that provided at the primary facility.
D. Different from that provided at the primary facility.
Q1179. With respect to BCP testing, which is the most rigorous way to test a
business continuity plan?
A. Full-interruption
B. Parallel
C. Simulation
D. Structured walk-through
Q1180. Business functions that can be performed manually but only for a brief
period of time are usually classified as:
A. Vital
B. Essential
C. Desirable
D. Critical
Q1181. Banks must demonstrate that they have an overall data architecture
that integrates the various business functions from operations to finance
to risk management if they are to achieve compliance with:
A. ISO/IEC 17799:2000
B. SAS 70
C. Basel Committee’s principles for electronic banking
D. Basel II Capital Accord
Q1183. With respect to BCP testing, in which type of test is processing done
at both the primary and alternate location?
A. Full-interruption
B. Parallel
C. Simulation
D. Structured walk-through
Q1184. Which of the following technical methods for backup does not require
restoration?
A. Electronic Vaulting
B. Networked Disk
C. Tape Drives
D. Remote Mirroring
Q1185. Which of the following types of system backup would require the
maximum storage?
A. Incremental
B. Sequential
C. Full
D. Differential
Q1186. The auditor should verify that the recovery strategies adopted by the
company are:
A. In line with audit objectives
B. In line with costs
C. In line with the priorities
D. In line with that of major competitors
Q1192. Within any complex system, there are usually components or processes
that, if not replicated or otherwise backed up by redundant capabilities,
represent points of failure for the entire system. These are called:
A. Multiple points of failure
B. Cascading points of failure
C. Linear points of failure
D. Single points of failure
Q1193. When backups of data and system files are taken together, they are
often called:
A. Systems backup
B. Data backup
C. Incremental backup
D. Differential backup
Q1197. The plan that addresses the restoration of business processes after an
emergency, but which lacks procedures to ensure continuity of critical
processes throughout an emergency or disruption is called a:
A. Business Continuity Plan
B. Crisis Communication Plan
C. Business Resumption Plan
D. Continuity of Operations Plan
Q1199. An IT-focused plan designed to restore operability of the target system,
application, or computer facility at an alternate site after an emergency
is called a:
A. Disaster Recovery Plan
B. Business Resumption Plan
C. Continuity of Operations Plan
D. Cyber Incident Response Plan
Q1200. A malicious user can change an application to get the full database. This
is a pitfall in which type of database security measure?
A. Passwords
B. User Accounts
C. Isolation
D. Backup
Q1202. The order of steps in the process of risk assessment for the purpose
of BCP is:
A. Asset identification and prioritization, Threat identification,
Exposure assessment, Objective formulation
B. Objective formulation, Threat identification, Exposure
assessment, Asset identification and prioritization
C. Asset identification and prioritization, Exposure assessment,
Threat identification, Objective formulation
D. Objective formulation, Asset identification and prioritization,
Threat identification, Exposure assessment
Q1203. The maximum amount of time allowed for the recovery of the
business function is called the:
A. Maximum Recovery Time Period
B. Critical Recovery Time Period
C. Minimum Recovery Time Period
D. Vital Recovery Time Period
Q1206. Which of the following data items is MOST LIKELY to have its integrity
protected by controls over standing data?
A. Pay rate
B. Raw material receipts
C. Customer’s address
D. Quantity sold
Q1209. All the following application system controls are considered preventive
in nature except:
A. Batch control totals
B. Authorization
C. Preprinted forms
D. Passwords
Q1214. Which access control mechanism does security label fit into?
A. Logical access control
B. Discretionary access control
C. Physical access control
D. Mandatory access control
Q1215. A data unit 01000101 sent from the source was received as 01111101.
What is the type of error?
A. Single-bit error
B. Byte error
C. Burst error
D. Spike error
Q1216. Which of these biometric tools use thermal sensors along with infrared
rays for identification?
A. Key stroke dynamics
B. Iris/Retinal scan
C. Speech recognition
D. Fingerprint scanning
Q1218. Hackers cover their tracks by masking their IP address. This is done
through:
A. Proxy Chaining
B. Denial of Service
Q1219. The control procedure of installing the anti-virus software in the system
is called -
A. Preventive control
B. Compensating control
C. Detective control
D. Corrective control
Q1221. The logical access exposure involving data changing before and/or while
being entered into the computer is called -
A. Virus
B. Logical bombs
C. Trojan Horse
D. Data Diddling
Q1222. The general control that concerns the proper segregation of duties and
responsibilities is called:
A. An output control
B. An access control
C. Organisation control
D. A Processing control
Q1225. The following are the checks used to determine if a field contains data
and not zeros and blanks, EXCEPT -
A. Parity bits
B. Check digits
C. Batch headers
D. Trailer records
Q1226. Physical access control does not depend upon which of these factors?
A. Working environment
B. Hiring procedure
C. Public key infrastructure
D. Access privileges
Q1228. Viruses that can change their appearance and use encryption are known
as:
A. Boot sector virus
B. Polymorphic virus
C. Stealth virus
D. Multipartite virus
Q1233. Which of the following is NOT a security concern while using Java?
A. Intrusion of Privacy
B. Message digests
C. Denial of Service
D. Irritations
Q1234. What is the methodology used in the Novell Netware Operating System
to implement the concept of Access control Lists?
A. File Rights
B. Trusteeship
C. Authentication
D. Property Rights
Q1235. The unauthorised use of data files can be best prevented by using -
A. hardware lock
B. library control software
C. tape librarian
D. access control software & procedures
Q1236. Which of the following primarily assists in detecting real memory errors?
A. Valid character checks
B. Parity-based hamming code check
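The two questions Q1215 and Q1236 above turn on the same mechanics: an error pattern is the XOR of what was sent and what was received, a single parity bit only tells you that an odd number of bits flipped, and a parity-based Hamming code goes one step further by locating (and so correcting) a single flipped bit. The Python below is an added example, not part of the ICAI manual; it reuses the two bit strings from Q1215 and the standard Hamming(7,4)-plus-overall-parity layout (parity bits at positions 1, 2 and 4, an overall parity bit at position 0). The function and variable names are the author's own.

```python
"""Error classification for a received data unit (Q1215) and a parity-based
Hamming SEC-DED check of the kind used for memory (Q1236).

Added example, not from the manual. Bit strings from Q1215 are reused; the
code-word layout (parity at positions 1, 2, 4 plus overall parity at
position 0) is the standard single-error-correct / double-error-detect one.
"""
from typing import Optional, Tuple


def error_pattern(sent: str, received: str) -> str:
    """XOR of the two bit strings: a '1' marks every corrupted bit position."""
    if len(sent) != len(received):
        raise ValueError("data units differ in length")
    return "".join("1" if a != b else "0" for a, b in zip(sent, received))


def classify_error(sent: str, received: str) -> str:
    """'none', 'single-bit', or 'burst (length k)', k spanning first to last flipped bit."""
    flipped = [i for i, b in enumerate(error_pattern(sent, received)) if b == "1"]
    if not flipped:
        return "none"
    if len(flipped) == 1:
        return "single-bit"
    return f"burst (length {flipped[-1] - flipped[0] + 1})"


def apply_pattern(word: str, pattern: str) -> str:
    """Flip the bits of `word` wherever `pattern` has a '1' (simulated noise)."""
    return "".join(str(int(w) ^ int(p)) for w, p in zip(word, pattern))


def hamming_encode(nibble: str) -> str:
    """4 data bits -> 8-bit SEC-DED word. Positions 1..7 hold p1 p2 d1 p4 d2 d3 d4;
    each parity bit covers the positions whose index has that bit set."""
    d1, d2, d3, d4 = (int(b) for b in nibble)
    code = [0] * 8
    code[3], code[5], code[6], code[7] = d1, d2, d3, d4
    code[1] = code[3] ^ code[5] ^ code[7]      # covers positions 3, 5, 7
    code[2] = code[3] ^ code[6] ^ code[7]      # covers positions 3, 6, 7
    code[4] = code[5] ^ code[6] ^ code[7]      # covers positions 5, 6, 7
    code[0] = sum(code[1:]) % 2                # overall parity over positions 1..7
    return "".join(map(str, code))


def hamming_decode(word: str) -> Tuple[str, Optional[str]]:
    """Return (status, data bits). status is 'ok', 'corrected' or 'uncorrectable'.
    The syndrome (XOR of the indices of all set bits) names a single bad position."""
    code = [int(b) for b in word]
    syndrome = 0
    for pos in range(1, 8):
        if code[pos]:
            syndrome ^= pos
    overall_even = sum(code) % 2 == 0
    if syndrome == 0 and overall_even:
        status = "ok"
    elif syndrome and not overall_even:        # odd error count, syndrome set: treat as one error
        code[syndrome] ^= 1
        status = "corrected"
    elif not overall_even:                     # syndrome 0, parity odd: the parity bit itself flipped
        code[0] ^= 1
        status = "corrected"
    else:                                      # syndrome set, parity even: two errors, cannot fix
        return "uncorrectable", None
    return status, "".join(str(code[i]) for i in (3, 5, 6, 7))
```

For Q1215 the pattern is 00111000: three adjacent bits, so a burst error of length 3. The last case in the test below is the caveat an auditor should remember: a Hamming SEC-DED check is designed for the random single-bit faults of memory, and when the three-bit burst from Q1215 is applied to a valid code word the decoder reports "corrected" but returns the wrong data. Burst errors on a transmission line need a cyclic redundancy check, not a Hamming code.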
Q1238. The best way to delete a highly confidential file from a microcomputer
would be by using which of the following:
A. Security card
B. Encryption routine
C. Disk utility
D. Multiplexor
Q1240. Dial back modem uses which of the following feature for external access
control?
A. SLIP protocol
B. Port protection
C. Point-to-Point Protocol
D. Blue boxes
Q1243. Which is the most important step that can save a company from social
engineering attacks?
A. Creation of helpdesk rules
B. Making people accountable for jobs
C. Including social engineering in the social policy
D. Using Id cards
Q1251. A control procedure that checks that data was entered and does not
contain blank or zeros is called -
A. A mathematically calculated check digit
B. Control check to verify the data existence agrees to a
predetermined criteria
C. Completeness check
D. Reasonableness check
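Questions Q1139, Q1152, Q1209, Q1225 and Q1251 above all name the same family of input and processing controls: record counts, control totals and hash totals at batch level, and check digits, completeness checks, limit checks and crossfooting at field level, with run-to-run totals carried between processing stages. The Python below is an added example, not part of the ICAI manual, showing how those controls behave on a constructed payroll batch; the batch, the clerk's header totals, the field names and the 60-hour limit are all assumptions made for the illustration.

```python
"""Input and processing controls over a constructed payroll batch.

Added example (not from the ICAI manual). The batch, the header the
data-entry clerk recorded, the field names and the limits are all
constructed for illustration.
"""
from dataclasses import dataclass
from typing import List


@dataclass
class PayLine:
    emp_no: str    # employee number whose last digit is a mod-10 (Luhn) check digit
    hours: float
    rate: float
    gross: float   # gross pay as keyed; should equal hours * rate


# Constructed batch. The header is what the clerk totalled before keying.
BATCH = [
    PayLine("2006", 40.0, 20.0, 800.0),
    PayLine("3004", 38.0, 22.5, 855.0),
    PayLine("4002", 45.0, 18.0, 810.0),
    PayLine("1008", 27.0, 30.0, 810.0),
]
BATCH_HEADER = {
    "record_count": 4,
    "control_total_hours": 150.0,   # quantity total, meaningful in itself
    "hash_total_emp_no": 10020,     # sum of employee numbers, meaningless except as a check
}
MAX_HOURS = 60.0                    # limit check threshold (assumed)


def luhn_valid(number: str) -> bool:
    """Check-digit test (mod 10 / Luhn): detects any single wrong digit and
    almost all adjacent transpositions, e.g. 2006 keyed as 2060."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:              # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def run_input_controls(batch: List[PayLine], header: dict,
                       max_hours: float = MAX_HOURS) -> List[str]:
    """Apply batch-level and field-level input controls.
    Returns the exception list; an empty list means the batch passed."""
    exceptions = []
    # Batch-level controls: record count, control total, hash total
    if len(batch) != header["record_count"]:
        exceptions.append(f"record count {len(batch)} != {header['record_count']}")
    hours_total = sum(ln.hours for ln in batch)
    if abs(hours_total - header["control_total_hours"]) > 0.005:
        exceptions.append(f"control total hours {hours_total} != {header['control_total_hours']}")
    hash_total = sum(int(ln.emp_no) for ln in batch if ln.emp_no.isdigit())
    if hash_total != header["hash_total_emp_no"]:
        exceptions.append(f"hash total {hash_total} != {header['hash_total_emp_no']}")
    # Field-level edits on each record
    for ln in batch:
        if not ln.emp_no or ln.hours == 0 or ln.rate == 0:
            exceptions.append(f"{ln.emp_no!r}: completeness check failed (blank or zero field)")
            continue
        if not (ln.emp_no.isdigit() and luhn_valid(ln.emp_no)):
            exceptions.append(f"{ln.emp_no}: check digit failed")
        if ln.hours > max_hours:
            exceptions.append(f"{ln.emp_no}: limit check failed ({ln.hours} h > {max_hours})")
        if abs(ln.hours * ln.rate - ln.gross) > 0.005:   # crossfoot: hours x rate must equal gross
            exceptions.append(f"{ln.emp_no}: crossfoot failed ({ln.hours * ln.rate} != {ln.gross})")
    return exceptions


def gross_total(batch: List[PayLine]) -> float:
    """Run-to-run total: recomputed at each processing stage and compared with the
    figure carried forward from the previous stage."""
    return sum(ln.gross for ln in batch)


def run_to_run_ok(batch: List[PayLine], carried_forward: float) -> bool:
    return abs(gross_total(batch) - carried_forward) <= 0.005
```

Two things the example makes visible: a transposed employee number (2006 keyed as 2060) is caught twice, by the hash total at batch level and by the check digit on the record, while a small alteration to one gross figure that leaves every total and count intact is caught only by the crossfoot, which is why a control total on its own is not an accuracy control.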
Q1252. A Data Base Management System locks out a record used by one user,
when it is simultaneously accessed by another user for updating. This
control is primarily intended to prevent:
A. Duplicate processing of transactions
B. LAN Server Overload
Q1254. A fraud involving accessing data by using another person’s password and
altering the data for gain was detected and investigated. The IS auditor,
during the investigation, will be in a position to provide information about
all of the following except:
A. Details of access control procedures in use
B. Administration of password security
C. The hurdles crossed by the perpetrator of the fraud
D. Preventive methods to avoid similar attempts
Q1255. A hacker changes data stored in hidden form fields to reduce the price
in online shopping. This type of attack is called:
A. Denial of Service
B. Dynamic Scripting
C. Data Manipulation
D. Identity Spoofing
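The attack in Q1255 works because the server trusts a value it sent to the browser and got back: the price sits in a hidden input, the attacker edits it with a proxy or the browser's developer tools, and the order is processed at the tampered amount. The Python below is an added example, not part of the ICAI manual, showing the vulnerable checkout beside the two usual fixes: never accept the price from the client at all, or, where a value genuinely has to round-trip, bind it with an HMAC the server verifies. The catalogue, prices, field names and the server secret are constructed for the illustration.

```python
"""Hidden-form-field price tampering (Q1255): vulnerable handler and two fixes.

Added example, not from the manual. CATALOGUE, SERVER_SECRET and the field
names are constructed for illustration; prices are in the smallest currency unit.
"""
import hashlib
import hmac
from urllib.parse import parse_qs

CATALOGUE = {"sku-100": 4999, "sku-200": 1250}   # server-side truth for prices
SERVER_SECRET = b"constructed-secret-rotate-me"   # never sent to the browser


def parse_form(body: str) -> dict:
    """Decode an application/x-www-form-urlencoded POST body into single values."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def checkout_vulnerable(body: str) -> int:
    """Trusts the hidden 'price' field the browser sent back: the Q1255 flaw."""
    form = parse_form(body)
    return int(form["price"]) * int(form["qty"])


def checkout_lookup(body: str) -> int:
    """Fix 1: ignore any client-supplied price; look the SKU up server-side."""
    form = parse_form(body)
    qty = int(form["qty"])
    if not 1 <= qty <= 100:                  # limit check on the one client-chosen value
        raise ValueError("quantity out of range")
    return CATALOGUE[form["sku"]] * qty


def sign_field(sku: str, price: int) -> str:
    """Fix 2: tag a value that must round-trip through the client with an HMAC."""
    return hmac.new(SERVER_SECRET, f"{sku}:{price}".encode(), hashlib.sha256).hexdigest()


def render_hidden_fields(sku: str) -> str:
    """What the server emits into the form for fix 2 (sku, price and its tag)."""
    price = CATALOGUE[sku]
    return f"sku={sku}&price={price}&sig={sign_field(sku, price)}"


def checkout_signed(body: str) -> int:
    """Fix 2: accept the hidden price only if its HMAC still matches."""
    form = parse_form(body)
    sku, price, tag = form["sku"], int(form["price"]), form["sig"]
    if not hmac.compare_digest(sign_field(sku, price), tag):   # constant-time compare
        raise ValueError("hidden field tampered")
    return price * int(form["qty"])
```

Fix 1 is the one to prefer: a hidden field adds nothing when the server already knows the price. Fix 2 is for values that have no server-side source of truth (a discount code the user was shown, a quoted rate), and it only holds if the secret stays on the server and the tag covers every field the attacker could vary.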
Q1260. A newly released virus was introduced into a LAN from a floppy disk in one
of the workstations connected to the LAN. The existence of such a virus
in the LAN will be revealed effectively by which of the following?
A. Ensuring compulsory scanning of all floppy disks before use
Q1261. Access control list of a firewall can have the following parameters, on
the basis of which it may filter access, EXCEPT one.
A. IP address
B. Activity/service type
C. Port
D. Network interface card
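Q1261 lists the attributes a packet-filtering firewall's access control list can match on: source and destination address, service or protocol, and port. What the question does not show is how the list is evaluated, and that is where most audit findings come from: rules are tried in order, the first match wins, and anything that matches nothing is dropped. The Python below is an added example, not part of the ICAI manual, implementing that first-match, default-deny evaluation over constructed rules and packets; the addresses (RFC 5737 documentation ranges), interface names and services are assumptions made for the illustration.

```python
"""First-match packet-filter ACL (Q1261): address, protocol/service, port and interface.

Added example, not from the manual. The rule set, addresses, interface names
and packets are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp", "udp" or "icmp"
    dport: int
    iface: str   # interface the packet arrived on


@dataclass(frozen=True)
class Rule:
    action: str                 # "permit" or "deny"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: str = "any"
    dport: Optional[int] = None  # None matches any port
    iface: str = "any"

    def matches(self, p: Packet) -> bool:
        return (ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and self.proto in ("any", p.proto)
                and (self.dport is None or self.dport == p.dport)
                and self.iface in ("any", p.iface))


# Constructed rule set. Order matters: the anti-spoofing deny must come first.
ACL: List[Rule] = [
    Rule("deny", src="10.0.0.0/8", iface="outside"),   # internal range arriving from outside
    Rule("permit", dst="192.0.2.10/32", proto="tcp", dport=443),            # public web server
    Rule("permit", src="198.51.100.0/24", dst="192.0.2.20/32", proto="tcp", dport=25),  # partner MX
    Rule("permit", src="10.0.0.0/8", iface="inside"),  # internal users outbound
    # implicit final rule: deny everything else
]


def filter_packet(acl: List[Rule], p: Packet) -> Tuple[str, Optional[int]]:
    """Evaluate rules in order; first match wins; default deny.
    Returns (action, index of the matching rule or None for the implicit deny)."""
    for i, rule in enumerate(acl):
        if rule.matches(p):
            return rule.action, i
    return "deny", None
```

When reviewing a rule base, run the packets you care about through it in this way rather than reading rules one at a time: a permit placed above the anti-spoofing deny would silently make the deny unreachable, and the implicit final deny is what makes "not listed" mean "blocked".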
Q1264. A remote dial-up order entry system that uses portable computers for
salesmen to place orders should have which of the following controls to
prevent its misuse?
A. Modem equalisation
B. A call back procedure
C. An error-correcting code
D. Frequent access code revalidation
Q1265. A risk associated with the use of laptop computers is their loss or theft
and consequent disclosure of confidential information stored on them.
Which one of the following control measures is most effective and
inexpensive to protect the information stored?
A. Briefings of users
B. Removable data storage media
C. Screen saver passwords
D. Encryption of data files on stored media
Q1272. Which one of the following threats would cause the greatest concern to
an auditor auditing the data centre of a client organization?
A. Gun powder is stored in the basement of the building where the
data centre is also located
B. The data centre is located near airport.
C. The data centre is in close proximity (i.e., between one and
two miles) to one engaged in the refinement of highly explosive
chemicals or combustible and volatile products
D. The data centre is five to ten miles away from a nuclear power
plant
Q1273. The controls and procedures applied to data in a program before the
data is processed are called:
A. Edit controls
B. Detective controls
C. Corrective controls
D. Compensating controls
Q1274. While classifying controls on the basis of the operations involved, input
control can be classified as -
A. Organisation control
B. General control
C. Processing control
D. Application control
Q1276. While carrying out an IS security review, the IS auditor observed the
following controls present in the client’s IS security system. Which of
these controls may detect that an IS security violation has occurred?
A. Terminals are disabled after three failed login attempts
B. Passwords are changed periodically
C. Log books are reviewed by security personnel
D. Employee ID cards are in use
Q1277. While carrying out an IS audit, you have discovered a Trojan Horse
program in the computer system. Which of the following actions will you
take FIRST?
A. Start an investigation to find its author
B. Immediately remove the portion of code containing the Trojan
Horse
C. Investigate the underlying threat if any
D. Install a compensating control
Q1282. While reviewing the file identification standards in a client, the IS auditor
may not be concerned with which of the following:
A. Retention period standards
Q1284. Within an EDI system, which of the following is used to establish
non-repudiation?
A. Private key cryptosystem
B. Digital signatures
C. Spoofing
D. Terminal ID and password
Explanation: Only digital signatures can ensure non-repudiation of
messages, since each message is signed with the private key of the
sender, which is known only to the sender.
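Q1001, Q1014, Q1017 and Q1027 in Module 3 and Q1284 above all hinge on which key does what in a public key system: a signature is the message hash transformed with the sender's private key and checked with the sender's public key, while confidentiality is obtained with the receiver's public key and undone with the receiver's private key. The Python below is an added example, not part of the ICAI manual, that makes those roles concrete with textbook RSA on small fixed primes. It is a toy: the hash is reduced modulo n and no padding is applied, whereas real deployments use random keys of 2048 bits or more and a padding scheme (RSA-PSS for signatures, OAEP for encryption). The key names SENDER, RECEIVER and ATTACKER and the primes are assumptions made for the illustration.

```python
"""Textbook RSA signing versus encryption, to make the key roles behind
Q1001, Q1014, Q1017, Q1027 and Q1284 concrete.

Added example, not from the manual. Keys are built from small fixed primes
(toy keys for demonstration only; hash reduced modulo n, no padding).
"""
import hashlib
from typing import NamedTuple


class KeyPair(NamedTuple):
    n: int   # modulus (public)
    e: int   # public exponent
    d: int   # private exponent: known only to the key owner


def make_keypair(p: int, q: int, e: int = 65537) -> KeyPair:
    """Two distinct primes -> (n, e, d). Requires gcd(e, (p-1)(q-1)) == 1."""
    phi = (p - 1) * (q - 1)
    return KeyPair(p * q, e, pow(e, -1, phi))


def public_part(k: KeyPair) -> KeyPair:
    """What is published or placed in a certificate: n and e, never d."""
    return KeyPair(k.n, k.e, 0)


# Toy keys (constructed): distinct prime pairs so no two parties share a factor.
SENDER = make_keypair(1000000007, 1000000009)
RECEIVER = make_keypair(998244353, 2147483647)
ATTACKER = make_keypair(999999937, 2305843009213693951)   # self-generated by an impostor


def _digest(message: bytes, n: int) -> int:
    """SHA-256 of the message, reduced into the group (toy; real code pads instead)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message: bytes, signer: KeyPair) -> int:
    """Signing = the message hash transformed with the SENDER'S PRIVATE key (Q1001)."""
    return pow(_digest(message, signer.n), signer.d, signer.n)


def verify(message: bytes, signature: int, signer_pub: KeyPair) -> bool:
    """Anyone holding the sender's public key can check; only the matching d could
    have produced a value that maps back to the hash (non-repudiation, Q1284)."""
    return pow(signature, signer_pub.e, signer_pub.n) == _digest(message, signer_pub.n)


def encrypt(m: int, receiver_pub: KeyPair) -> int:
    """Confidentiality uses the RECEIVER'S PUBLIC key; only the receiver's d opens it."""
    if not 0 <= m < receiver_pub.n:
        raise ValueError("plaintext must be smaller than the modulus")
    return pow(m, receiver_pub.e, receiver_pub.n)


def decrypt(c: int, receiver: KeyPair) -> int:
    return pow(c, receiver.d, receiver.n)
```

The last two checks in the test are the point of Q1027: a signature made with the attacker's own private key fails against the genuine sender's public key, but passes the moment the verifier is persuaded to use the attacker's public key as if it were the sender's. Binding a public key to an identity, which is what a certification authority's certificate does, is therefore as much a part of the digital signature system as the mathematics, and a compromised sender private key or a substituted public key breaks it regardless of key size.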
Q1286. Which of the following terms best describes the purpose of control
practices over input?
A. Authorisation of access to data files
B. Authorisation of access to program files
C. Completeness, accuracy and validity of update
D. Completeness, accuracy and validity of input
Q1290. Which of the following, is the BEST procedure to find out whether
program documentation access is restricted only to authorized persons?
A. Back up and recovery procedure evaluation
B. Interview the programmers about the procedures currently
followed and if possible conduct a physical inspection of actual
access procedures
C. Programme library utilisation record verification
D. Review the detective control logs
Q1295. Which one of the following computer fraud methods relates to obtaining
information that may be left in or around a computer system after the
execution of a job?
A. Scavenging
B. Data diddling
C. Salami technique
D. Piggybacking
Q1297. Which one of the following statement is not true with regard to physical
security?
A. Examining the age of the cabling is not significant
B. Lack of proper cooling facility may cause hardware failure
C. Locked gates, entrances, parking places are properly lit
D. Employees have to undergo training in physical security
Q1299. Which one of the following statements is not true about audit trails?
A. If a user is impersonated, the audit trail will establish events and
the identity of the impersonator.
B. There is an interdependency between audit trails and security
policy.
C. Audit trails may assist in recovery in case of certain types of
processing failure.
D. Audit trails can be used to identify breakdowns in logical access
controls.
Q1302. Access to the work area is restricted through a swipe card or another
authorised process, and when visitors enter the work area they are issued
a pass and escorted in and out by the responsible employee. These types
of controls are called -
A. Organisational controls
B. Physical access controls
C. Logical access controls
D. Operational controls
Q1305. After you enter a purchase order in an on-line system, you get the
message, “The request could not be processed due to lack of funds in
your budget”. This is an example of error
A. Detection
B. Correction
C. Prevention
D. Recovery
Q1307. All the following features help discover a valid password, EXCEPT -
A. the nature and character of the password content
B. the number of letters in a password
C. the number of attempts allowed before disconnection due to an
incorrect password.
D. The complexity of construction and special characters used for
construction.
Q1308. All the following statements are true regarding a water-based fire
extinguishing system except:
A. Water cools the equipment relatively quickly
B. The release of water can be localized to where it is needed
C. Water and Halon gas systems cannot co-exist
D. Jet sprayers can be an alternative to water sprinklers
Q1316. An IS auditor carrying out review of logical access control, shall have
the PRIMARY OBJECTIVE of
A. ensuring that access is given in accordance with the
organisation's authorisations
B. reviewing the software based access controls
C. carrying out personal examination of the existing physical access
environment
D. using CAAT techniques to know the access provided in the
software
Q1317. The most common concern regarding physical access to a data centre
is:
A. Piggybacking
B. Locks and keys
C. Fire suppression system
D. Electronic access control system
Q1322. An on-line data entry program is used for original entry of vendor
invoices. Subsequently a batch cheque-writing program is used to
prepare cheques; occasionally it is found that a cheque for a vendor
not yet included in the vendor file is prepared with n
A. A record lookup for vendors during data entry of vendor invoices
B. A batch control total check on vendor payments
C. A completeness test on fields in the cheque-writing program
D. A verification of vendors in the cheque-writing program
Q1323. An on-line teller application abruptly shuts down while some transactions
are in process. The best control to ensure that each unfinished
transaction is completed successfully when the system resumes
operation is:
A. Automatic restart that prompts tellers to complete in-process
B. Manual reconstruction of in-process transactions by tellers
C. Computer reconciliation of accepted-item totals
D. Manual reconciliation of accepted-item totals
Q1326. Because of the sensitivity of its data, a database system for business
forecasting was implemented with access control at different levels.
Users’ initial log-in would be controlled by
A. Integrated Test Facility
B. Database authorizations
C. Application software
D. Operating System
Q1327. Before disposing of a PC used for storing confidential data, the most
important precautionary measure to be taken is -
A. mid-level formatting of hard disk
B. deleting all the files in the hard disk
C. deleting all the data on the hard disk
D. demagnetising the hard disk
Q1328. Changes made online to important master records will not be noticed
by which of the following controls?
A. proper authorisation of updates before the actual entry of the
update in the system
B. a complete listing of all updates made is taken daily and
verified by an independent supervisor
C. data entry operators are not authorised to operate the update
command, which shall be executed by an independent supervisor
after verification
D. access to master records denied to data entry operators, but
given only to independent supervisor
Q1332. Data once input into the computer system cannot be changed in an
unauthorised manner. The controls established to achieve the above
objective are called –
A. data security controls
B. detective controls
C. compensating controls
D. operations controls
Q1333. Data security function review examines the following areas EXCEPT –
A. Security policy and responsibility for implementation
B. Application controls
C. Access controls
D. Password administration controls
Q1337. During a review of system access rules, an IS Auditor noted that the
System Administrator has unlimited access to all data and program files.
Such access authority is:
A. Appropriate, but all access should be logged.
B. Appropriate, because System Administrator has to back up all
data and program files.
C. Inappropriate, since access should be limited to a need-to-know
basis, regardless of position.
D. Inappropriate, because System Administrator has the capacity to
run the system.
Q1339. Which of the following is a special signal sent by the different hardware
devices to the Operating System (OS)?
A. Process
B. Threads
C. Interrupts
D. Applications
Q1344. The exposure that could be caused by the line-grabbing technique
is -
A. excessive usage of the hard disk space
B. blocking of CPU functions
C. transmission delay
D. unauthorised access to data
Q1347. For a high security installation, the most effective physical access
control device is
A. User ID and password
B. Magnetic Card reader
C. Bio-metric devices
D. Laser activated photo identification.
Q1348. For a stand alone system, the best security control is to have -
A. User ID and passwords
B. Detailed logical access control procedures
C. Restricted physical access
D. Regular back ups taken at periodical intervals
Q1350. The malicious program which puts a constraint on a server's activities
over the network is:
A. Virus
B. Trojan horses
C. Logic bombs
D. Worms
Q1351. For reviewing the physical security of the IPF facility, which of the
following documents is the LEAST necessary -
A. Complete details of the IPF floor plans
B. SDLC procedure statement
C. List of all authorised users of IPF
D. Detailed organisation chart
Q1352. For secure exchange of data, a database has to ensure the ACID properties.
The property of a database that avoids conflict between two or more
transactions running simultaneously is:
A. Atomicity
B. Consistency
C. Isolation
D. Durability
Q1354. For which of the following audit tests, parallel simulation would be an
appropriate approach:
A. Testing for the presence of authorized signatures on documents
B. Summarizing the results of accounts receivable confirmation work
C. Scanning the general ledger file for unusual transactions
D. Re-calculating amounts for declining balance depreciation charges
Q1355. For which of the following does a Demilitarised Zone (DMZ) work as a
protection technique in e-commerce security?
A. Network protection
B. Application-level protection
C. Platform protection
D. Database protection
Q1356. Hackers avoid detection of attacks by changing the URL such that it is
difficult to write programs to detect the attacks. This is done through:
A. Spoofing
B. Physical attacks
C. Smurfing
D. Hexadecimal encoding of URLs
Q1357. Host 1 wants to prove its identity to Host 2. Host 2 is also authenticating
Host 3, but by mistake uses Host 1’s credentials. This is possible in
which type of authentication?
A. Zero Knowledge Proofs
B. Message Digests
C. Kerberos
D. Token Authentication
Q1358. How would the control in a loan processing edit program which ensures
a logical relationship between the amount advanced, the number of
repayments and the instalments be classified?
A. A format check
B. An existence check
C. A dependency check
D. A sequence check
Q1361. Implementing a firewall is not the best solution for Virtual Private
Networks because:
A. Firewalls cannot detect spoofing attacks.
B. Firewalls cannot be installed on VPNs
C. Firewalls cannot alter data over a network
D. All of the above
Q1363. In a central computer system users specify where their output is printed,
but some users give the wrong destination code and tie up other
departments’ printers. The best approach to ensure that printing occurs
on an appropriate device is to:
A. Centrally monitor the print queues for correct destinations
B. Create destination defaults for printing based on each employee’s
departmental affiliation.
C. Centrally print and distribute the outputs.
D. Train current users in how to specify the right destination codes
for their printing.
Q1366. In a Denial of Service attack, a TCP SYN flood attack is an example of:
A. Network Resource exhaustion
B. Memory consumption
C. Exploiting the target's own resources
D. Configuration information alteration
Q1368. In a network using Novell Netware, a user has full rights to a directory.
The user, however, must not access one file in that directory. What
feature of Netware can be used to achieve this?
A. Inheritance
B. Inherited Restriction Filter
C. Attributes
D. Security Equal To
Q1370. In an accounting audit trail for online output, which of the following
information is LEAST LIKELY to be stored?
A. The time at which the output was received
B. The contents of the output
C. The persons who received the output
D. The resources consumed to produce the output
Q1372. In an accounts payable system, clerks who enter invoices for payment
also maintain the file containing valid vendor codes. This practice
increases the risk that:
A. The vendor table will not contain current information.
B. Clerks will enter an incorrect but valid code for payment.
C. Vendors not in the table file will be paid.
D. Unauthorized vendors’ invoices will be paid
Q1378. In deciding about “need to know” access, data classification plays
an important role for which of the following:
A. Test programs and data
B. Production programs and data
C. Test and production programs
D. Production and test data and programs
Q1380. In general, output controls over reports of batch systems would be more
extensive than those of online systems because:
A. Batch output is more detailed than online output.
B. There are more intermediaries involved in producing and
distributing batch output.
C. Only managers typically receive online reports so less misuse is
likely.
D. The only way to breach the privacy of online reports is to wiretap
the communications line
Q1383. In relation to an output recovery process, which of the following factors
makes the recovery process EASIER?
A. In-place update rather than batch update is used
B. Avoidance of use of checkpoint facilities
C. Transaction data to be recovered instead of status data
D. Lack of use of spooling or printer files
Q1387. In the case of online output, which of the following is LEAST LIKELY to
be an exposure covered by disposition controls?
A. Unauthorised copying of online output to diskettes
B. Unauthorised viewing of confidential data displayed on a screen
by a passerby
C. Failure to forward e-mail received in a general mailbox to persons
responsible for addressing the matters mentioned in the e-mail
D. Forwarding of confidential e-mail to unauthorised parties
Q1389. Inaccurate data input can NOT be detected by the employment of which
of the following controls ?
A. Reasonableness checks
B. Validity checks
C. Completeness checks
D. Hash totals, and run to run totals.
Q1391. An IS auditor performing a security review will perform all of the
following steps. However, he will begin with -
A. Test of evidence of physical access at suspected locations
B. An overview understanding of the functions being audited and
evaluation of the audit and business risk
C. Determining the risks/threats to the data center site
D. Interviewing people at the site for the specific tasks performed by
them.
Q1392. IS security policy of an organisation will not contain details about the
following:
A. the overall security philosophy of the organisation
B. the authorisation procedure for accessing data
C. security awareness programme
D. highlights and identity of the sensitive security features
Q1399. Many users on a network want to use a single Operating System (OS)
to perform their tasks. Which of the following operating systems can be
used in this situation?
A. Real-time Operating System (RTOS)
B. Single-User Operating System
C. Multi-tasking Operating System
D. Multi-user Operating System
Q1403. Notebook computers are portable and used to access the company’s
database while the executives are on travel. Which of the following
would provide the least security for sensitive data stored on a notebook
computer?
A. Encryption of data files on the notebook computer.
B. Setting up a password for the screensaver program on the
notebook computer.
C. Installing an access control software.
D. Using a locking device that can secure the notebook computer to
an immovable object.
Q1405. On June 23, 2000, an accounting clerk prepared an invoice dated June
33, 2000 and sent it to data entry as part of a batch of invoices. The
input control most likely to detect this error is:
A. Completeness (field) test
B. Size check
C. Hash total
D. Range check
Q1406. One of the advantages of using naming convention for access control
is that -
A. ambiguity in the resource name is avoided
B. rules for protecting resources can be minimised
C. naming convention gives a unique identity to the resources
D. fancy and international names can be used
Q1410. One of the production supervisors who has got access to the corporate
database sold sensitive product pricing information to a competitor.
Which of the following controls would best prevent such a situation?
A. Software configuration management is established and enforced
B. User access to the corporate database is controlled by passwords
C. Data ownership resides with the most appropriate users
D. Access privileges are established on a need-to-know basis
Q1412. Overall responsibility to protect and control the database and monitor
and improve the efficiency of the database are the job of -
A. Security administrator
B. Data owner
C. Data custodian
D. Database administrator
Q1418. Select the BEST control to mitigate the risk of creation of duplicate user
name and password during sign on procedures, if encountered during
an audit of an IS configuration.
A. security policy should be modified
B. users should be educated about weak password
C. proper validation procedures to be built in during user creation
and password change
D. require a periodic review of matching of user ID and passwords
for detection and correction
Q1420. Identify the IS application control among the following; the others are
general controls -
A. the security policy of the company and the organisation and
control of security activity
B. all the physical access control routines
C. control over the systems installed
D. Hash totals and batch totals
Q1424. The auditor, before commencing an audit of access controls, should obtain
which of the following information by interviewing the organisation’s staff?
A. IT organisation structure
B. Key business activities
C. Significant changes to network
D. Method of authorising access
Q1425. The Best information about Unauthorized input from a terminal can be
derived from which of the following?
A. Printout of the Console log
B. Transaction journal
C. Error report
D. Listing of all suspense files generated automatically
Q1426. Which of the following is a passive measure for securing the Linux
Operating System?
A. Restricting administrator access
B. Logging
C. Running only necessary services
D. Application auditing
Q1435. The following control procedure helps us verify data values through
various stages of application processing, ensuring that data read into
the computer was accepted and then applied to the updating process
A. Edit checks
B. Run-to- run totals
C. Completeness checks
D. Reasonableness checks
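Added worked example (not from the ICAI manual) for Q1435 and the hash/run-to-run totals in Q1389: a constructed invoice batch carried through an edit stage and an update stage, with record count, amount total and hash total recomputed after each stage. The records, vendor codes and the `drop_index` parameter are all constructed for the demonstration; the hash total is a sum of vendor codes with no business meaning, which is exactly why it catches a record whose code was altered while its amount stayed the same.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Invoice:
    vendor_code: int   # numeric code summed into the hash total (no business meaning)
    amount: float      # financial field summed into the control total


def control_totals(batch):
    """The three classic batch control figures for a set of records."""
    return {
        "record_count": len(batch),
        "amount_total": round(sum(inv.amount for inv in batch), 2),
        "hash_total": sum(inv.vendor_code for inv in batch),
    }


def reconcile(expected, actual):
    """Run-to-run check: figures carried forward from the previous stage must match.
    Returns the names of the figures that broke; an empty list means in balance."""
    return [key for key in expected if expected[key] != actual[key]]


def edit_stage(batch):
    """Stage 1: only records passing the edit checks are accepted (amount must be positive)."""
    return [inv for inv in batch if inv.amount > 0]


def update_stage(batch, drop_index=None):
    """Stage 2: apply accepted records to the master file.
    drop_index simulates a record silently lost during processing (constructed fault)."""
    return [inv for i, inv in enumerate(batch) if i != drop_index]


def process_batch(batch, drop_index=None):
    """Run the batch through both stages and report where, if anywhere, the totals break."""
    input_totals = control_totals(batch)
    accepted = edit_stage(batch)
    accepted_totals = control_totals(accepted)
    applied = update_stage(accepted, drop_index)
    applied_totals = control_totals(applied)
    return {
        "edit_vs_input": reconcile(input_totals, accepted_totals),
        "update_vs_edit": reconcile(accepted_totals, applied_totals),
    }


# Constructed sample batch of vendor invoices
SAMPLE_BATCH = [
    Invoice(vendor_code=1042, amount=1250.00),
    Invoice(vendor_code=2077, amount=300.50),
    Invoice(vendor_code=3311, amount=89.99),
]

if __name__ == "__main__":
    print("clean run:", process_batch(SAMPLE_BATCH))
    print("record lost in update:", process_batch(SAMPLE_BATCH, drop_index=1))
    # Same amount, different vendor code: only the hash total notices.
    keyed_wrong = [Invoice(1024, 1250.00)] + SAMPLE_BATCH[1:]
    print("vendor code transposed:", reconcile(control_totals(SAMPLE_BATCH), control_totals(keyed_wrong)))
```

The second and third runs show the division of labour: the record count and amount total catch a lost record, while a transposed vendor code (1042 keyed as 1024) leaves count and amount intact and is caught only by the hash total.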
Q1437. The following measures will protect the computer systems from virus
attack EXCEPT:
A. once the diskettes are checked for virus and cleaned, write
protect them
B. all new software should be scanned for viruses and cleaned
before being loaded
C. no demonstration packages should be allowed to be run on the
company owned machines
D. always boot from the diskettes
Q1442. The management must take various security measures to mitigate the
risk. Which of the following measures aims to minimise the damage and
prevent the reoccurrence of incident?
A. Reductive measure
B. Detective measure
C. Repressive measure
D. Corrective measure
Q1443. The most appropriate audit strategy for a large organisation which relies
on comprehensive user controls over the micro computer usage is -
A. Tests of user controls
B. Edit checks of data entered
C. Tests of general controls
D. Substantive tests of executed program logic
Q1446. The person responsible for providing access rights to each of the user
and access profile for each data element stored in the computer system
is -
A. Data Custodian
B. Security administrator
C. Data owner
D. The database administrator
B. Random sampling
C. Use of a test deck
D. Parallel simulation
Q1449. The public audit trail of a Digital Signature system will not contain which
of the following?
A. Public Key registrations
B. Signature registrations
C. Key compromise notifications
D. Private key modifications
Q1450. The salient features of the data file access control shall address the
following EXCEPT –
A. Access by computer data entry operators
B. Access through terminals
C. Access by production programs
D. Access to physical resources
Q1451. The technical support personnel should have unlimited access to all
data and program files to do their job. Which of the following is the right
prescription for proper access authority devolution.
A. Such access authority is appropriate, if they are logged
completely.
B. Such access authority is appropriate because they have the full
knowledge and understanding about the entire system.
C. Such access authority is inappropriate because it violates the
principle of “access on a need-to-know basis, irrespective of
position”
D. Such access authority is inappropriate because they have the full
knowledge and understanding about the system
Q1452. The test of access control, over a distributed database, can be carried
out by -
A. Reconciliation of batch control totals
B. Examination of logged activity
C. Prohibition of random access
D. Analysis of system generated core dumps
Q1457. To prevent virus attack effectively in an IS environment, the first and the
foremost step to be taken is -
A. formulating and adopting a detailed anti-virus policy for the
organisation as a whole, apprising all users of the same and
implementing it.
B. Installing the latest anti-virus software regularly
C. Prohibiting the usage of disk drives in workstations
D. Have a proper and highly secured physical access control
environment
Q1459. To protect computer systems from short term power fluctuations, the
best environmental control is -
A. an alternative source of power
B. a dedicated power generator
Q1466. What does the Automated Security Access Tool (ASET) (provided by
Solaris) in Medium setting, do?
A. Checks for file permissions and makes sure standard permissions
are set
B. It modifies permissions of certain system files (such as ttytab)
and restricts access
Q1467. What feature of Linux allows a secure connection between client and
server for generally insecure services such as Telnet?
A. Password Protection
B. Logging
C. Secure Sockets Layer (SSL)
D. Secure Shell (SSH)
Q1469. What feature of the Windows 2000 Operating System provides a single,
centralised security administration capability?
A. Active Directory Integration
B. Flexibility in Authentication
C. Consistently enforcing Authorisation
D. Public Key Infrastructure
Q1470. When the account number is entered into an online banking system, the
computer responds with a message that reads: “Account number that
you entered is not assigned to an active number. Please reenter”. What
technique is the computer using?
A. Existence check
B. Dependency check
C. Format check
D. Check digit
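Added worked example (not from the ICAI manual) covering the input validation edits asked about in Q1358 (dependency check), Q1405 (range check on a date such as June 33) and Q1470 (existence check and check digit). All inputs, the account table and the loan figures are constructed; the dependency check uses a standard level-instalment amortisation formula as the "logical relationship", which is one reasonable choice rather than the manual's.

```python
import re
from datetime import date


def format_check(value: str, pattern: str = r"\d{4}-\d{2}-\d{2}") -> bool:
    """Format check: the field has the expected shape (here an ISO-style date)."""
    return re.fullmatch(pattern, value) is not None


def range_check_date(value: str) -> bool:
    """Range check: every component must lie within its valid range.
    '2000-06-33' passes the format check but day 33 is out of range for June."""
    if not format_check(value):
        return False
    year, month, day = (int(part) for part in value.split("-"))
    try:
        date(year, month, day)
        return True
    except ValueError:
        return False


def existence_check(account_number: str, active_accounts: frozenset) -> bool:
    """Existence check: the key entered must exist in the reference/master table."""
    return account_number in active_accounts


def expected_instalment(principal: float, periods: int, rate_per_period: float) -> float:
    """Level instalment that amortises `principal` over `periods` at `rate_per_period`."""
    if rate_per_period == 0:
        return principal / periods
    return principal * rate_per_period / (1 - (1 + rate_per_period) ** -periods)


def dependency_check_loan(principal, periods, instalment, rate_per_period, tolerance=0.01) -> bool:
    """Dependency check: the instalment entered must be consistent with the amount
    advanced and the number of repayments, within a rounding tolerance."""
    if principal <= 0 or periods <= 0 or instalment <= 0:
        return False
    return abs(instalment - expected_instalment(principal, periods, rate_per_period)) <= tolerance


def check_digit_ok(number: str) -> bool:
    """Check digit (Luhn mod-10): detects any single mis-keyed digit and most
    transpositions of adjacent digits."""
    if not number.isdigit():
        return False
    total = 0
    for position, char in enumerate(reversed(number)):
        digit = int(char)
        if position % 2 == 1:          # double every second digit from the right
            digit *= 2
            if digit > 9:
                digit -= 9
        total += digit
    return total % 10 == 0


if __name__ == "__main__":
    ACTIVE_ACCOUNTS = frozenset({"10023", "10024", "10031"})   # constructed master table
    print("2000-06-23 in range:", range_check_date("2000-06-23"))
    print("2000-06-33 in range:", range_check_date("2000-06-33"))
    print("account 99999 exists:", existence_check("99999", ACTIVE_ACCOUNTS))
    inst = expected_instalment(100000, 12, 0.01)
    print("consistent loan:", dependency_check_loan(100000, 12, inst, 0.01))
    print("inconsistent loan:", dependency_check_loan(100000, 12, 1000.0, 0.01))
    print("79927398713 check digit:", check_digit_ok("79927398713"))
```

Note that the June 33 invoice slips past both the completeness test and the format check; only a range check on the day component rejects it, which is why Q1405's answer is the range check rather than the field test.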
Q1471. When the results of production data files processing with a generalized
audit software do not agree with the total balance according to the
inventory application reports, what should the IS Auditor do first?
A. Tell data processing that the inventory application has a bug in it.
B. Review the data field definitions and logic in the audit software.
C. Rerun the audit software against a backup of the inventory
master file.
D. Process the data using a different generalized audit software.
Q1473. When transmitting online output through Internet, which of the following
controls is likely to offer MOST protection?
A. Symmetric cryptography
B. Asymmetric cryptography
C. File compression algorithms
D. Message routing protocols
following control is used to ensure that transactions are not lost during
processing.
A. controls for validating data
B. checking of internal credibility
C. manual control procedures
D. balancing procedures through the system itself automatically
Q1475. Which component in the Java Virtual Machine checks the compiled
code to see if it matches all the rules and specifications of the Java
language?
A. Class Loader
B. Security Manager
C. Byte code Verifier
D. Garbage collector
Q1477. Which of the following allows the most granular access control
mechanism for database security ?
A. System and Object Privileges
B. Database Integrity mechanisms
C. Data Encryption
D. Row-Level Security
Q1480. Which of the following control objectives is violated when proprietary
software or corporate data is stolen:
A. preserving data integrity
B. ensuring system efficiency
C. achieving system effectiveness
D. safeguarding the assets
Q1481. Which of the following controls is the most basic and simple login
control?
A. Logging unsuccessful login attempts
B. Validating user-name and password
C. Sending alerts to the Security Administrator
D. Disabling accounts when a break-in occurs
Q1482. Which of the following controls would address the concern that data
uploaded from a microcomputer to the company’s mainframe system in
batch processing may be erroneous.
A. The mainframe computer should be backed-up on a regular basis.
B. Two persons should be present at the microcomputer when it is
uploading data.
C. The mainframe computer should subject the data to the same
edits and validation routines that on-line data entry would require.
D. The users should be required to review a random sample of
processed data.
Q1484. Which of the following data base environment controls enforces access
rules in addition to maintaining standardized definitions?
A. Active data dictionary system
B. Passive data dictionary system
C. Deadlock resolution
D. Record locking
Q1486. Which of the following feature may seriously affect or nullify the utility
of audit trails for an application system ?
A. User ids are not recorded in the audit trail
B. Security administrator can amend the details in the audit trail
C. Date and time stamps are not recorded automatically but only
with manual intervention
D. Audit trail records can be amended by the users.
Q1487. Which of the following is a feature of ActiveX controls that can both be
used as well as misused?
A. ActiveX controls can be reused
B. ActiveX controls can access system resources
C. Many pre-developed controls for performing many tasks are
available
D. Execution of ActiveX controls can be controlled using Internet
Explorer security settings
Q1494. Which of the following is the most common type of input validation to
verify the length of a number entered by a user in a numeric field?
A. Form-Level
B. Validation lists
C. Field-Level
D. Filtering Keyboard Input
Q1495. Which of the following is the most objective and relevant evidence in a
computer system related fraud investigation?
A. Physical examination
B. Computer logs
C. Physical observation
D. Inquiries of people
Q1498. Which of the following may be the least important factor for
implementing a password control system?
A. Encrypting the password file
B. Purchasing computers with boot level password facilities
C. Limiting the distribution of passwords
D. Not writing down the password
Q1499. Which of the following methods can detect burst errors only if the
number of errors in each data unit is odd?
A. Vertical Redundancy check (VRC) - even parity
B. Vertical Redundancy check (VRC) - odd parity
C. Longitudinal Redundancy Check (LRC)
D. Checksum
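Added worked example (not from the ICAI manual) for Q1499: a vertical redundancy check with even parity over one constructed data byte, with bursts of 1 to 4 flipped bits injected. The data byte and the flip positions are constructed; the result is the general property the question tests, that a single parity bit detects every odd number of errors and misses every even number.

```python
def even_parity_bit(data_bits):
    """VRC, even parity: the appended bit makes the total number of 1s even."""
    return sum(data_bits) % 2


def add_parity(data_bits):
    """Sender side: data bits followed by the parity bit."""
    return list(data_bits) + [even_parity_bit(data_bits)]


def parity_ok(unit_bits):
    """Receiver side: the unit (data + parity) passes if its 1-count is even."""
    return sum(unit_bits) % 2 == 0


def flip_bits(unit_bits, positions):
    """Inject a burst error by flipping the given bit positions (constructed fault)."""
    corrupted = list(unit_bits)
    for position in positions:
        corrupted[position] ^= 1
    return corrupted


def burst_detected(data_bits, positions):
    """True if the receiver's parity check fails after the flips, i.e. the error is caught."""
    return not parity_ok(flip_bits(add_parity(data_bits), positions))


def detection_by_error_count(data_bits, max_errors):
    """For k = 1..max_errors, flip the first k bits of the unit and record whether VRC notices."""
    return {k: burst_detected(data_bits, range(k)) for k in range(1, max_errors + 1)}


# Constructed sample byte: four 1s, so the even-parity bit is 0.
SAMPLE_BYTE = [1, 0, 1, 1, 0, 0, 1, 0]

if __name__ == "__main__":
    print("transmitted unit:", add_parity(SAMPLE_BYTE))
    for errors, caught in detection_by_error_count(SAMPLE_BYTE, 4).items():
        print(f"{errors} bit(s) flipped -> detected: {caught}")
```

Two flipped bits leave the 1-count's parity unchanged, so the check passes and the corruption goes unnoticed; that is the weakness a checksum or CRC is chosen to address.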
Q1500. Which of the following pairs of items are related to each other?
A. The segregation of duties principle, the “least privilege” principle
B. The parity check, the reasonableness check
C. The single-key system, the Rivest-Shamir-Adleman (RSA) algorithm
D. The two-key system, the Data Encryption Standard (DES)
algorithm
Q1501. Which of the following physical access control devices would be most
effective for a high security installation?
A. Proximity sensing card reader
B. Retina scanner
C. Photo identification card
D. Magnetic card reader
Q1502. Which of the following risks is not associated with utility programs?
A. Unauthorized manipulation of data
B. Incorrect batch totals
C. Override of password checking
D. Bypassing of system controls
Q1504. Which of the following should be the least important criteria for selecting
a security software package
A. The memory and hard disk space used by the package
B. Compatibility with the in-house database management system
C. The financial stability of the software supplier
D. The number of personnel on the software supplier’s staff
C. It is an anti-virus package
D. It is a powerful supercomputer
Q1506. Which one of the following recovery strategy has the GREATEST
chance of failure due to systems and personnel changes?
A. Hot site
B. Cold site
C. Reciprocal agreement
D. Redundant site
Q1507. The business impact analysis should critically examine the business
processes looking MOST at their:
A. Composition
B. Priorities
C. Dependencies
D. Service levels
Q1516. Which of the following methods would best ensure the adequacy of a
disaster recovery plan?
A. Regular reviews of timeliness of information detailed in the plan
B. Unannounced shut down of the primary installation during quiet
periods
C. Regular recovery exercises using expert personnel
D. Unannounced recovery exercises at regular intervals
Q1519. Which of the following would best describe a cold backup site?
A. A computer facility with electrical power and HVAC, all needed
applications installed and configured on the file/print servers, and
enough workstations present to begin processing
B. A computer facility with electrical power and HVAC but with
no workstations or servers on site prior to the event and no
applications installed.
C. A computer facility with no electrical power or HVAC
D. A computer facility with electrical power and HVAC and some
file/print servers, although the applications are not installed or
configured and all of the workstations may not be on site or ready
to begin processing
Q1522. Which of the following pair of phrases is the BEST example of operating
watch words to remember in developing disaster recovery plans:
A. No policy, No procedure
B. No ring, No write
C. No backup, No recovery
D. No security, No protection
concluded that the recovery was more than the critical time frame that
was necessary. Which of the following actions w
A. Widen the physical capacity to accomplish better mobility in a
shorter time.
B. Shorten the distance to reach the hot site.
C. Perform an integral review of the recovery tasks
D. Increase the number of human resources involved in the recovery
process
Q1527. Which of the following is a continuity plan test that uses actual
resources to simulate a system crash to cost effectively obtain evidence
about the plan’s effectiveness?
A. Paper test
B. Post test
C. Preparedness test
D. Walkthrough
Q1530. Secured waste, audit checks, and applicant screening all act:
A. Data security
B. Software protection
C. Privacy detection
D. License protection
Q1532. Which device can limit traffic on a network and allow access onto
specific TCP/IP port numbers when security is a concern?
A. Firewall
B. Hub
C. DNS
D. Modem
Q1536. Both data integrity and system security are required to:
A. Protect a person’s right to privacy
B. Increase the speed of processing
Q1537. Internal controls are the rules and procedures that are followed to
maintain the integrity and security of:
A. The data, records and financial assets of an organization
B. The hardware and networks in an organization
C. Policies
D. The Internet
Q1538. You have a remote user who can connect to the internet but not to the
office via their VPN client. After determining the problem, which should
be your next step?
A. Make sure the user has the correct VPN address and password
B. Have the client reboot their host
C. Have the client reinstall their VPN software
D. Reboot the router at the corporate office.
Q1541. Which of the following govern how the network is configured and
operated as well as how people are expected to behave on the
network?
A. Policies
B. Baselines
C. Laws
D. Procedure
Q1542. The “what you are” criteria for computer system access involve:
A. Biometrics
B. A badge
C. A swipe card
D. A password
Q1543. Secured waste, audit checks, and applicant screening all act:
A. Data security
B. Software protection
C. Privacy detection
D. License protection
Q1545. Both data integrity and system security are required to:
A. Protect a person’s right to privacy
B. Increase the speed of processing
Q1546. Internal controls are the rules and procedures that are followed to
maintain the integrity and security of:
A. The data, records and financial assets of an organization
B. The hardware and networks in an organization
C. Policies
D. The Internet
Q1548. You have a remote user who can connect to the internet but not to the
office via their VPN client. After determining the problem, which should
be your next step?
A. Make sure the user has the correct VPN address and password
B. Have the client reboot their host
C. Have the client reinstall their VPN software
D. Reboot the router at the corporate office.
Q1549. Which device can limit traffic on a network and allow access onto
specific TCP/IP port numbers when security is a concern?
A. Firewall
B. Hub
C. DNS
D. Modem
Q1555. The “what you are” criteria for computer system access involve:
A. Biometrics
B. A badge
C. A swipe card
D. A password
Q1557. Which of the following govern how the network is configured and
operated as well as how people are expected to behave on the
network?
A. Policies
B. Baselines
C. Laws
D. Procedure
DISA Review Questions, Answers Manual – Module 5
Module 5 Questions
Q1558. The primary objective of auditing IT change management is to ensure
that:
A. Only approved changes were made
B. All changes are documented
C. Change control procedure variances are recorded and accounted.
D. Latest version of software is used
Q1567. Which of the following is the basis for providing authorization and
access to employees in an enterprise?
A. Organization Structure
B. Nature of Business process
C. Type of technology
D. Style of management
Q1577. Which one of the following forms a part of transmission control in EDI
control layers?
A. Interchange
B. Functional group
C. Transaction set
D. None of the above
Q1581. Which of the following combinations of roles results in the maximum
risk?
A. Data entry and Operations
B. Librarian and Help Desk
C. Systems Analysis and Quality Assurance
D. Database Administration and Data entry
Q1582. In auditing outsourcing, which of the following is the IS auditor most
likely to consider when formulating the audit scope and objectives:
A. Benefits of outsourcing
Q1590. At the preliminary review stage of an IT strategic plan, the most critical
audit procedure involves verification of:
A. Short-range plan, which has been prepared outlining the specific
project.
Q1597. Rapid recovery is MOST crucial in the case of which of the following
applications?
A. Departmental chargeback
B. Corporate planning
C. Point-of-sale
D. Regulatory reporting
Q1600. Internal controls of EDI should address which of the following risks?
A. Storage errors
B. Transmission errors
C. File errors
D. Accounting errors
Q1605. Which step comes just before the final approval of the BCP?
A. Collecting data
B. Organising and documenting the plan
C. Testing the plan
D. Writing policies and procedures
Q1607. Which of the following alternate facilities has the GREATEST chance of
failure due to change in systems and personnel?
A. Reciprocal agreement
B. Hot site
C. Warm site
D. Cold site
Q1608. Which of the following is not a measurement criterion for the Personal
Software Process?
A. Defects
B. Time
C. Task
D. Lines of codes
Q1610. For getting high-speed access in telecommuting, which of the following
connections is used?
A. Internet Connection
B. Ethernet Connection
C. Modem connection
D. None of the above
Q1613. In the case of a bank teller the access control policy is an example of:
A. User directed policy
B. Role based policy
C. Rule based policy
D. Identity based policy
Q1616. Which of the following systems are MOST important for business
resumption following a disaster?
A. Vital systems
B. Sensitive systems
C. Critical systems
D. Non-critical systems
Q1617. Which one of the following is TRUE about Pretty Good Privacy (PGP),
an electronic mail security program?
A. PGP is a protocol
B. PGP is a standard
C. PGP is a product
D. PGP is not portable
Q1619. A bank performs a backup of its online deposit files each day after all
processing is over and retains it for 7 days. The bank does not retain
copies of each day's transactions. This approach is:
A. Valid, since it minimises the complexity of backup/recovery
procedures if the online file has to be restored
B. Valid, since having a week's worth of backups permits recovery
even if one backup could not be restored.
C. Risky, since restoring from the most recent backup file would omit
subsequent transactions
D. Risky, since no checkpoint/restart information is kept with the
backup files
Q1629. Which of the following would BEST ensure continuity of a Wide Area
Network (WAN)?
A. A maintenance contract with a service provider
B. Full system back-up taken on a daily basis
C. A duplicate machine alongside each server
D. Built-in alternative routing
Q1630. Which one of the following is NOT a true statement about encryption used
in an electronic data interchange (EDI) transaction?
A. Encryption ensures data integrity
B. Encryption ensures data availability
C. Encryption ensures data confidentiality
D. Encryption prevents unauthorised viewing of data
Q1632. Which one of the following is NOT true about an electronic data
interchange (EDI) system?
A. Direct or dedicated transmission channels with trading partners
B. Elimination of paper records
Q1639. An audit of a LAN disaster backup and recovery plan ensures that business
is restored after a system failure or disaster. Which of the following is
FALSE with respect to such plans?
A. Plan identifies the critical hardware and equipments
B. Confidential information is not disclosed in the plan
C. Plan is reviewed and accepted by the management
D. Plan is communicated to the employees
C. 4,3,1,2
D. 4,3,2,1
Q1652. If outsourcing a hot site is a feasible solution, then which of the following
should be considered while interacting with the vendor?
A. Hardware, software and networking requirements
B. Location and testing requirements
C. Staff expertise
D. All the above
Q1656. In the residual dumping technique for backup, the records that are backed
up are those that have undergone a change since
A. the last full dump
B. the last residual dump
C. the second-last full dump
D. the second-last residual dump
Q1658. In the case of electronic funds transfer (EFT), which one of the
following is MOST vulnerable to fraud and physical attacks?
A. Point-of-sale system
B. Home banking system
C. Automated teller machine system
D. Telephone bill paying system
Q1659. In the event of a disaster, the crisis management team should first:
A. Inform the stakeholders
B. Assess the impact of disaster on the company
C. Take care of personnel and their dear ones
D. Form an emergency response team
Q1662. It was observed that there is no fire detection and control equipment in
an organisation's computer processing area. Which of the following is
MOST important in such circumstances?
A. Offsite storage of transaction and master backup files
B. Adequate fire insurance
C. Fully tested backup processing facility
D. Regular hardware maintenance
C. dynamic equalization
D. attenuation amplification
Q1668. The operations audit trail, rather than the accounting audit trail, is
likely to show:
A. message sequence number
B. queue length at each network node the message traverses before
reaching the destination
C. time and date of dispatch of the message
D. the unique identifier of the sender’s node from which it was sent
Q1669. OSI model of ISO presents a model of seven layers through which data
communication across computers passes. Encryption is NOT done in
any form in
A. Presentation
B. Physical
C. Data Link
D. Transport
Q1672. Ring topologies have an edge over bus topologies. Which of the
following statements is FALSE?
A. In ring topology, nodes are connected on a point to point basis
whereas it is a multipoint connection in a bus network
B. The connectors in a bus topology attenuate the signals and
distort them, whereas repeaters in a ring topology are relatively
harmless
C. If a connector in bus topology is malfunctioning, the whole
network will not be brought down, whereas malfunctioning
repeaters will bring the network down
D. Encryption is resorted to as a control technique more in bus
topology than ring topology
Q1675. Rollforward and rollback are two important techniques for backup. Which
among the following should be logged for facilitating rollforward?
A. Afterimages
B. Beforeimages
C. All valid transactions
D. All input transactions
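Added worked example (not part of the ICAI manual; the record store, account names and transaction data are constructed for illustration) covering the backup and recovery points behind Q1619, Q1656 and Q1675: a daily backup on its own loses every transaction processed after it, a residual dump picks up only the records changed since the previous dump point, and a journal holding before-images and after-images is what makes rollback and rollforward possible.

```python
import copy


class JournaledStore:
    """In-memory record store that journals every write as
    (txid, key, before-image, after-image). Constructed for illustration."""

    def __init__(self):
        self.data = {}
        self.journal = []        # list of (txid, key, before, after)
        self.last_modified = {}  # key -> txid of the write that last changed it
        self.next_tx = 1

    def write(self, key, value):
        txid = self.next_tx
        self.next_tx += 1
        self.journal.append((txid, key, self.data.get(key), value))
        self.data[key] = value
        self.last_modified[key] = txid
        return txid

    def full_dump(self):
        """Full backup: a copy of every record plus the id of the last
        journaled transaction the copy already contains."""
        return copy.deepcopy(self.data), self.next_tx - 1

    def residual_dump(self, since_txid):
        """Residual (incremental) dump: only the records changed after the
        given dump point, i.e. since the last full or residual dump."""
        return {k: self.data[k] for k, t in self.last_modified.items()
                if t > since_txid}


def rollforward(snapshot, snapshot_txid, journal):
    """Rebuild the current state from a backup by re-applying the
    after-images of every transaction journaled after the backup."""
    data = copy.deepcopy(snapshot)
    applied = 0
    for txid, key, _before, after in journal:
        if txid > snapshot_txid:
            data[key] = after
            applied += 1
    return data, applied


def rollback(data, journal, to_txid):
    """Undo transactions newer than to_txid by reinstating their
    before-images, newest first."""
    data = copy.deepcopy(data)
    for txid, key, before, _after in reversed(journal):
        if txid > to_txid:
            if before is None:      # record did not exist before this write
                del data[key]
            else:
                data[key] = before
    return data


def scenario():
    """Day 1 processing, end-of-day backup, day 2 processing, then a crash."""
    db = JournaledStore()
    db.write("ACC-1", 100)                 # tx1
    db.write("ACC-2", 50)                  # tx2
    snapshot, snap_tx = db.full_dump()     # end-of-day backup (Q1619)
    db.write("ACC-1", 70)                  # tx3  (day 2)
    db.write("ACC-3", 20)                  # tx4  (day 2)
    backup_only = copy.deepcopy(snapshot)  # restore without a journal: tx3, tx4 are gone
    recovered, n = rollforward(snapshot, snap_tx, db.journal)   # after-images (Q1675)
    undone = rollback(db.data, db.journal, to_txid=3)           # before-images
    residual = db.residual_dump(since_txid=snap_tx)             # changed since full dump (Q1656)
    return {"backup_only": backup_only, "rollforward": recovered, "applied": n,
            "rollback_to_3": undone, "residual": residual}


if __name__ == "__main__":
    for name, value in scenario().items():
        print(f"{name}: {value}")
```

The restore from the backup alone returns the day-1 balances, which is the risk Q1619 describes; the same backup plus the journal's after-images reproduces the day-2 state, and the before-images let a partially applied day be undone.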
Q1680. The time required for recovery of an information processing facility in the
case of a disaster is based on which of the following?
A. Nature of disaster
B. Criticality of the operations affected
C. Mainframe based applications
D. Quality of the data to be processed
Q1683. Which among the following is NOT a serious problem in a ring topology
based LAN?
A. Corruption of tokens during transmission may occur
B. Collision of tokens during transmission may occur
C. Tokens may be captured by a node and before releasing it the
node may fail
D. The receiver might not have captured the token but it might have
passed the addressee node
Q1686. Which of the following approaches is ideal in order to test the electronic
data interchange (EDI) system for a value added network (VAN) user?
A. Test mailbox
B. System programmer mailbox
C. Production mailbox
D. Application programmer mailbox
Q1687. Which of the following is NOT true about electronic data interchange
(EDI)?
A. EDIs data is processed by computer application systems without
human intervention
B. Standardisation is not key to EDI transaction
C. EDI concept is different from electronic commerce
D. EDI promotes a paperless environment
Q1692. Which of the following controls should be introduced in the case of EDI
transaction with a trading partner for efficient data mapping?
A. Manual recalculations
B. Functional acknowledgements
C. Key verification
D. One-for-one checking
Q1694. Which of the following cryptographic algorithms does both encryption and
digital signature?
A. International Data Encryption Algorithm (IDEA)
B. Digital Signature Standard (DSS)
C. Rivest, Shamir, Adleman (RSA)
D. Data Encryption Standard (DES)
Q1698. Which of the following involves routing of traffic through split or duplicate
cable facilities in providing telecommunication continuity?
A. Long haul network diversity
B. Diverse routing
C. Redundancy
D. Alternate routing
Q1704. Which of the following is NOT true about a reciprocal agreement for an
alternative processing facility?
A. The reciprocal data centre may not be available during normal
business hours
B. They are expensive to maintain
C. The reciprocal data centre may not have adequate capacity
D. Incompatibilities in the operating software may occur
Q1706. Which of the following is NOT true about Pretty Good Privacy (PGP) and
Privacy Enhanced Mail (PEM)?
A. They are both based on public-key cryptography
B. They both have same uses
C. They both encrypt messages
D. They both sign messages
Q1708. Which of the following is the MOST effective and environment-friendly
method of suppressing fire in a data centre?
A. Carbon dioxide gas
B. Wet-pipe sprinklers
C. Halon gas
D. Dry-pipe sprinklers
Q1709. Which of the following is the BEST disaster recovery plan for the
communication processor for a large chain of shops which has a central
communication processor for connecting with the banking network with
electronic fund transfer (EFT at point-of-sale de
A. Alternate standby processor at another network node
B. Alternative standby processor onsite
C. Installation of duplex communication links
D. Offsite storage of daily backup
Q1710. Which of the following is the LEAST important in the case of backup
and recovery plan?
A. Frequency of the backup
B. Usage of backup tapes
C. Frequency of offsite backup
D. Frequency of restoration of backups to test the backup tapes
Q1714. Which of the following is TRUE about Electronic Data Interchange (EDI)
application system?
A. Transmits transactions using sophisticated formats and file
definitions
B. Applications, transactions and trading partners supported remain
static over time
C. System that performs based on business needs and activities
D. Provides utility programs for a limited number of application
systems
Q1715. Which of the following is TRUE about most of the business continuity
tests?
A. Address all system components
B. Conducted at the same time as normal business operations
C. Monitored by the IS auditor
D. Evaluate the performance of personnel
Q1716. Which of the following is TRUE in relation to the input controls of EDI?
A. The data that is entered into the system should have sequence
numbers
B. Data that is entered into the system need not be translated to
EDI standard
C. Parity and redundancy checks should be used
D. Any changes to EDI should be tested before implementation
Q1717. Which of the following offsite alternatives for business recovery would
require the least amount of funds?
A. Cold site facility
B. Reciprocal agreement
C. Warm site facility
D. Hot site facility
Q1718. Which of the following network risks applies to EDI transactions irrespective
of the type of network involved?
A. Failure to detect the recipient
B. Data being transmitted to the wrong recipient
C. Delay in transmission of the data
D. The data being intercepted and disclosed to others without
authorisation
Q1719. Which of the following project scheduling techniques does not provide
information about predecessor and successor relationships?
A. Gantt Charts
B. Critical Path Method
C. Program Evaluation and Review Technique
D. Critical Chain Path Method
Q1722. Which of the following should find a place in a disaster recovery plan?
A. Program coding standards for the organization
B. History of updates to the operating system
C. List of applications under development
D. Responsibilities of each organizational unit
Q1724. Which of the following statements is true with respect to Electronic Fund
Transfer/Point of Sale transactions?
A. To verify the identity of the cardholder, using signature is more
secure than using the PIN
B. All cards are not checked with hot card numbers
C. A central authority verifies the signature of the person holding the
card
D. Before payment, the cardholder and the merchant agree upon the
amount
Q1725. Which of the following statements about digital signatures is NOT true?
A. It prevents non-repudiation by the receiver
B. It provides sender authenticity
C. It facilitates repudiation by the sender
D. It prevents repudiation by the sender
C. Back-up procedures
D. Audit trails
Q1730. While appointing an auditor to conduct the IS audit the company need
not look into ________ of the auditor?
A. Legal capability
B. Experience
C. Proficiency in different computer languages
D. Secrecy bond, if penetration test is to be done
Q1731. When planning a software audit, the management does not consider:
A. The timing of the audit
B. Persons who should conduct the audit
C. Keeping the audit objective secret
D. Providing access to the required facilities
Q1735. An audit technique used to select items from a population for audit
testing purposes based on the characteristics is termed as
A. Continuous Sampling
B. Discrete Sampling
C. Attribute Sampling
D. Statistical Sampling
Q1737. While developing a risk-based audit program, which of the following
would the IS auditor MOST likely focus on?
A. Business processes
B. Critical IT applications
C. Corporate objectives
D. Business strategies
Q1739. When an IS auditor obtains a listing of current users with access to the
selected WAN/LAN and verifies that those listed are active associates,
the auditor is performing a:
A. Compliance test.
B. Substantive test
C. Statistical sample
D. Risk assessment
Q1745. In planning attribute sampling of data, which one of the following factors
would be LEAST important?
A. Review and evaluation of internal controls
B. Age of the system being examined
C. Past audit experience and previous test results
D. Expected error rate
Q1746. The people, who have contact with the system such as employees and
customers, are:
A. Users
B. Systems analysts
C. Programmers
D. Clients/Customers
Q1748. The person who fills the role of the change agent is the
A. System analyst
B. Administration
C. Programmer
D. User
Q1749. The kind of interview where all questions are planned in advance is
called
A. Structured
B. Unstructured
C. Audit program
D. Checklist
Q1750. When the entire new system is used by a portion of the users it is called
A. Pilot conversion
B. Direct conversion
C. Parallel conversion
D. Phased conversion
Q1754. If a program fails to pass a test, the programmer can call for a
………………… program run to check on the status of the registers after
each program operation
A. Trace
B. Mapping
C. Linker
D. Loader
Q1761. The kind of interview where all questions are planned in advance is
called
A. Structured
B. Unstructured
C. Audit program
D. Checklist
Q1763. The people, who have contact with the system such as employees and
customers, are:
A. Users
B. Systems analysts
C. Programmers
D. Clients/Customers
Q1764. The person who fills the role of the change agent is the
A. System analyst
B. Administration
C. Programmer
D. User
Q1765. When the entire new system is used by a portion of the users it is called
A. Pilot conversion
B. Direct conversion
C. Parallel conversion
D. Phased conversion
C. Structured interview
D. Observations
Q1769. If a program fails to pass a test, the programmer can call for a
………………… program run to check on the status of the registers after
each program operation
A. Trace
B. Mapping
C. Linker
D. Loader
DISA Review Questions, Answers Manual – Module 6
Module 6 Questions
Q1776. An IS auditor conducting a review of software usage and
licensing discovers that numerous PCs contain unauthorized software.
Which of the following actions should the IS auditor perform FIRST?
A. Personally delete all copies of the unauthorized software.
B. Inform auditee of the unauthorized software and follow-up to
confirm deletion.
C. Report the use of the unauthorized software to auditee
management and the need to prevent recurrence.
D. Take no action, as it is a commonly accepted practice and
operations management is responsible for monitoring such use.
Q1781. During a review of the controls over the process of defining IT service
levels an IS auditor would MOST likely interview the:
A. Business unit manager.
B. Legal staff.
C. Systems programmer.
D. Programmer.
Q1792. The Information Technology Act does not apply to all of the following,
except:
A. e-banking mechanism used instead of a cheque
B. A will
C. Electronic contract for sale of building through electronic means.
D. Notification of documents in the Government Gazette
Q1793. Identify the one that is NOT a key concept of object-oriented technology.
A. Encapsulation
B. Reusability
C. Messaging
D. Inheritance
Q1800. Identify the factor that is not part of an expert system architecture.
A. Knowledge base
B. Computing environment
C. Inference engine
D. End user interface
Q1801. An IS auditor has been assigned the task of reviewing the information
systems security of a sales database. This refers to evaluation of
information based on the following criteria:
A. Effectiveness, Efficiency and Authenticity
B. Confidentiality, Integrity and Availability
C. Availability, Integrity and Reliability
D. Confidentiality, Compliance and Reliability
Q1802. The risk that an IS auditor uses an inadequate test procedure and
concludes that material errors do not exist when, in fact, they do, is an
example of:
A. Inherent risk.
B. Control risk.
C. Detection risk.
D. Audit risk.
Q1804. The most effective option for using computer programs to test client
data is:
A. Use the client’s program
B. Write a program specifically for the purposes of the audit
C. Use a generalized audit software
D. Use a walk-through approach to understanding the process
Q1805. An auditor plans to use CAATs extensively for conducting an internal
audit of the manufacturing operations of an enterprise. CAATs are least
likely to be used for:
A. Drawing out appropriate samples
B. Interface with production databases to query
C. Report the audit findings with evidence
D. Uncover fraudulent transactions
Q1807. Using Generalised Audit Software to test whether an application applies
the correct rates to sales invoices involves
A. Testing the logic and sales data of the auditee
B. Testing the actual sales data from the database of the client
organisation.
C. Testing the auditee’s sales application software
D. Testing the access controls
Q1808. As a basis of determining the size of the project, COCOMO model uses:
A. Function Points
B. Object Points
C. Lines of Code
D. None of the above
Q1812. Compliance testing could be most effectively used for testing the:
A. Completeness of transactions
B. Accuracy of transactions
C. Implementation of controls as per policy
D. Processing of transactions
Q1818. IS audit refers to any audit that encompasses review and evaluation
of:
A. Efficiency of computing resources and networking technologies
B. Controls in Computerised information systems
C. Risks and controls as regards use of IT for business
D. Automated information processing systems and its interfaces
Q1821. In SDLC, in which phase would you perform Boundary value analysis?
A. Requirements
B. Design
C. Implementation
D. Maintenance
Q1822. A lower-cost software product metric that is used for data collection:
A. Requirements tracing
B. Defect counts
C. Function points
D. Test coverage
Q1828. The most critical control consideration in designing the audit procedures
in a computerized environment is:
A. Lack of segregation of duties
B. Lack of management control
C. Lack of IT knowledge by IT staff operating the system
D. The online and real time nature of the system
Q1836. The risk assessment approach should ensure formal agreement on
residual risk. The most critical factor on which this depends is:
A. Risk identification and measurement
B. Corporate policy
C. Adopting risk assessment approach of that of the competitor
D. Cost effectiveness of implementing safeguards and controls
Q1837. The risk assessment process involves all of the following except:
A. Take steps to reduce risk to an acceptable level
B. Assess probability of occurrence of threats
C. Identify the IT resources
D. Ascertain the risk profile
Q1840. At which stage of the Software Development Life Cycle (SDLC) is the program
development work completed?
A. Design specifications
B. Program specifications
C. System testing
D. Unit testing
Q1851. Which would ensure that IS organizations do not take more resources
for less output?
A. Full-scale projects
B. Pilot projects
C. Grand design projects
D. Conversion projects
Q1856. Identify the non-cost factor while analysing feasible system alternatives
for an organisation.
A. Conversion
B. Supplies
C. Maintenance
D. Obsolescence
Q1859. In the Software Capability Maturity Model, the Productivity and Quality
of a software project is measured in:
A. Level 1
B. Level 2
C. Level 3
D. Level 4
Q1862. Identify the element that is not connected with structured design.
A. Coupling
B. Cohesion
C. Objects
D. Structure charts
Q1863. In which phase of SDLC would you use software sneak circuit analysis?
A. Requirements
B. Design
C. Implementation
D. Maintenance
Q1865. The most efficient stress testing tool used for both front end and
backend applications is:
A. Open STA
B. Microsoft web application stress tool
C. Compuware’s QA load
D. Pureload
Q1867. Which file format requires an acrobat reader to view the file?
A. .zip
B. .pdf
C. .html
D. .arc
Q1868. Which of the following is done at various testing points in the production
process?
A. Regression Testing
B. Vee Testing
C. Black Box Testing
D. Integration Testing
Q1869. Which one of the following is NOT a part of software quality metrics?
A. Completeness
B. Ergonomics
C. Correctness
D. Reliability
Q1870. Which of the following would greatly affect the project estimate if any
changes are made to it while developing a project?
A. Time
B. Scope
C. Quality
D. Resources
Q1871. Software metric that deals with measurement of lines of code is:
A. Requirements metrics
B. Design metrics
C. Code metrics
D. Test metrics
Q1874. Identify the item that is not a part of performance guarantees in software
contract negotiations.
A. Terms of payment
B. Warranty provisions
C. Package fixes
D. Penalty provisions
Q1875. Which one of the following errors will occur because of overflow
conditions?
A. Requirement errors
B. Design errors
C. Process errors
D. Data errors
Q1876. The testing process conducted during the “live” application of software
is a ___________
A. Functional test
B. Performance test
C. Beta test
D. Acceptance test
Q1878. Which of the following is the most difficult to manage in a SDLC project?
A. Personnel turnover
B. Changes in hardware
C. Creeping functions
D. Changes in project scheduling
Q1882. The process of visualising the design of a project that is yet to take
shape is called:
A. data abstraction
B. Data modeling
C. Data transparency
D. Data designing
Q1886. The cost incurred in collecting data comes under:
A. Prevention cost
B. Appraisal cost
C. Internal failure cost
D. External failure cost
Q1887. The type of information design used for navigational aids and graphs
for geographical use is:
A. Pictogrammatic
B. Diagrammatic
C. Cartographic
D. Hybrid
Q1902. Which one of the following metrics deals with “number of entries/exits per
module”?
A. Requirements metrics
B. Design metrics
C. Code metrics
D. Test metrics
Q1908. In the development life cycle model, the place to start software quality
process is:
A. Requirements phase
B. Design phase
C. Coding phase
D. Testing phase
C. Integration test
D. Configuration test
Q1910. Availability of computer time is taken care of in which part of the Project
Planning and scheduling?
A. Milestones
B. Deliverables
C. Baseline
D. Assumptions
Q1912. You would NOT use stubs or drivers in which of the following testing
approaches?
A. A top-down approach
B. A bottom-up approach
C. A sandwich approach
D. A big bang approach
Q1920. Which of the following software metrics would refer to function points?
A. Requirements metrics
B. Design metrics
C. Code metrics
D. Test metrics
Q1927. A computer programmer altered the program for Savings Bank accounts
so that his account would not be listed when a list of accounts
with overdraft was prepared. The following controls would be effective in
preventing or detecting this fraud EXCEPT:
A. a User sign-off for program changes.
B. Special Internal Auditor review of all employee accounts
C. Independent code review following any changes
D. Prohibiting programmers from moving compiled programs to
production.
Q1932. A software metric will NOT define which one of the following?
A. Number of defects per thousand lines of code
B. Number of defects over the life of a software product
C. Number of customer problems reported to the size of the product
D. Number of customer problems reported per user month
Q1934. Which one of the following will be included in the application software
testing phase for effective controls?
A. Test cases, test documentation
B. Test summaries, test execution reports
C. Activity logs, incident reports, software versioning
D. Test cases rejected, test cases accepted
Q1937. With respect to the various phases in the system development life cycle,
which of the following is least likely to vary:
A. conduct of each phase as planned
B. sequence in which the phases are performed
C. resources and time needed to perform each phase
D. presence of each phase
Q1938. Which of the following statements is true with regard to Computer Aided
Software Engineering (CASE) workbench?
A. A single CASE tool is more effective when used individually than
when combined with more than two
B. It is very difficult to add a new CASE workbench or replace an
existing one
C. An organisation has to depend on a single supplier
D. Workbench can be easily managed with the aid of the
configuration management system
Q1939. Which of the following system life factors is most difficult to control by
a user organization?
A. The length of time the system will satisfy the needs of the initial
user
B. The rate at which computer technology is expected to advance
C. The probability of continued availability of system support
D. The time required for subsequent acquisition to meet the
requirement
Q1941. Which of the following testing approaches will test the system’s ability
to withstand misuse by inexperienced users?
A. Functional testing
B. Unit testing
C. Resiliency testing
D. User acceptance testing
Q1942. Which of the following testing methods is used when the loops in a
program are not structured?
A. Flow graphs
B. Graph Matrix
C. Concatenating loop
D. No testing is done until loops are redesigned and structured.
Q1943. Which of the following tests address the interaction and consistency
issues of successfully tested parts of a system?
A. Unit testing
B. Acceptance testing
C. Integration testing
D. System testing
Q1944. Which of the following tests ensures that all the programs in the system
being developed work in concert and their communication among
themselves is as designed?
A. Unit test
B. Interface test
C. Regression test
D. Integration test
Q1946. Which one of the following criteria shall NOT be considered for choosing
an appropriate Computer platform to suit a given application software
system?
A. Database size
B. Data usage
C. System development tools
D. Data storage
Q1947. Which one of the following design approaches would address data
sharing and system access problems in legacy application systems?
A. Develop a shareware application
B. Develop a freeware application
C. Develop an API application
D. Develop a GUI application
Q1950. Which one of the following graphical user interface (GUI) development
approaches would create more user-friendly interactions?
A. Object-oriented user interfaces
B. Application-oriented user interfaces
C. Screen-oriented manipulation user interfaces
D. Menu-oriented user interfaces
Q1953. Which one of the following maintenance aspects would greatly ensure
the currency of the plan as time passes?
A. Incorporate into hardware upgrades
B. Incorporate into change management procedures
C. Incorporate into software upgrades
D. Incorporate into revision procedures
Q1956. Which one of the following pairs, when performed simultaneously, would
pose a major risk?
A. Systems analysis and design
B. System design and programming
C. Programming and testing
D. Test case preparation and test case execution
Q1957. Which one of the following reasons is the most important to retain a
legacy application system?
A. It meets the needs of the organization
B. Changing the computing platform may not improve the legacy
system
C. Resistance to change
D. Low maintenance cost
Q1958. Which one of the following software test methods should invariably
perform Input-tolerance testing?
A. Unit testing
B. Integration testing
C. Production operations acceptance testing
D. User acceptance testing
Q1964. After which of the following tests should the formal change control
mechanism start?
A. After completion of integration testing
B. After completion of unit testing
C. After completion of systems testing
D. After completion of acceptance testing
Q1965. All of the following assumptions about legacy application systems are
correct except
A. A legacy system is a mainframe computer-based application
system
B. A legacy system is old and hence no longer good
C. A legacy system uses a proprietary programming language
D. A legacy system is difficult to port to other environments
Q1966. Among the various software analyses listed below, the controlling
functionality against software failure is provided by:
A. Safety analysis
B. Sneak circuit analysis
C. Fault tree analysis
D. Hazard analysis
Q1968. An IS auditor takes part in the development team deliberations NOT for
A. ensuring adequacy of data integrity controls
B. ensuring adequacy of data security controls
C. ensuring that there are no cost and time overruns
D. ensuring that documentation is accurate and complete
B. the extent of issues pointed out in the user acceptance test and
the unresolved issues
C. the documentation of the test results
D. the log containing the problems reported by the users
Q1972. Auditors gather evidence during the review of the system design of a
software project. Which of the following tools will they NOT depend on?
A. Observation of the design process
B. Interviewing the development team
C. Verifying the documented plan
D. Circulating questionnaires among the members of the team for
their self evaluation
Q1975. Customer details like address changes etc. are being used in too many
mainframe application systems, calling for a great deal of redundant data
entry effort. In this situation, which one of the following methods
will be useful?
A. Develop “seamless” processes
B. Eliminate mainframe computer processing
C. Develop a data synchronization software
D. Develop a client/server system
Q1978. Difference between the spiral model and the incremental model is:
A. The former is an evolutionary process, the latter is a classic
process
B. The former is time consuming, the latter is time saving
C. The former does not ensure delivery of product after every
iteration, the latter does
D. None of the above
Q1980. Each of the following are preventive controls over the systems
development EXCEPT:
A. Standard methodology
B. Documentation standards.
C. Post implementation reviews.
D. User training program.
B. provide the basis for carrying out comprehensive system and user
tests
C. determine whether there are any bugs in the new hardware/
system software configuration that has been chosen
D. provide the basis for validating the design and implementation of
the new system
Q1983. During the conduct of a source code review, the examination of the data
processing installation’s programming standards occurs:
A. after the source code listing has been obtained
B. concurrently with the source code review
C. before reviewing the program’s specifications
D. standard may not be reviewed at all
Q1986. During the problem definition phase, the terms of reference do not
describe:
A. boundaries of the system to be examined
B. proposed objectives of the new system
C. problems of the stakeholders
D. organisational and resource constraints
Q1987. Expert systems are NOT associated with one of the following:
A. Expert systems are aimed at solving problems using an
algorithmic approach
B. Expert systems are aimed at solving problems that are
characterized by irregular structure
C. Expert systems are aimed at solving problems characterized by
incomplete information
D. Expert systems are aimed at solving problems characterized by
considerable complexity
Q1988. Find the CRITICAL PATH among the following paths in a PERT chart:
Path 1: A-D-E-G: 120 man-days; Path 2: A-B-C-D-G: 125 man-days;
Path 3: A-F-G: 135 man-days; Path 4: A-B-F-G: 137 man-days
A. Path 1
B. Path 2
C. Path 3
D. Path 4
Q1992. Formal change control mechanism would start after which of the
following in an overall system development project?
A. Completing the system planning document
B. Completing the system requirements document
C. Completing the system design document
D. Completing the program coding work
Q1996. Identify the cost that does NOT form part of software package
installation or implementation cost?
A. Cost of hardware
B. Cost of file conversion
C. Cost of computer downtime
D. Cost of initial debugging of software
Q1997. Identify the document which is LEAST effective during the acceptance
test of applications software.
A. Program source code
B. System requirements definition
Q1998. Identify the technique that mostly prevents a system failure from
occurring or facilitates quick recovery from failures.
A. Component isolation
B. Component modularity
C. Component redundancy
D. Information hiding
Q1999. Identify the test-case design technique that is used in unit and
integration testing of applications software.
A. White-box, code-based, logic-driven technique
B. Black-box, code-based, data-driven technique
C. White-box, specification-based, logic-driven technique
D. Black-box, specification-based, data-driven technique
Q2009. In order to achieve the requirements of the user, the BEST option in
acquiring an off-the-shelf applications software package is
A. Build or buy
B. Purchase and tailor
C. Lease or purchase
D. Rent or purchase
Q2012. In the system development life cycle approach, which of the following
is MOST likely to be constant?
A. Allocation of resources for purchase of software platforms and
hardware
B. Certain phases can be dropped
C. Each phase will have to be present
D. The sequence of the phases cannot vary
Q2013. In which of the following system development life cycle models does one phase
have to be completed before starting another phase?
A. Waterfall model
B. Prototyping model
C. Spiral model
D. Incremental model
C. Operation/Maintenance Phase
D. All the five stages of system development life cycle
Q2016. Information Systems auditors can take part in the system development
life cycle as independent members without jeopardizing their
audit quality. In which of the following stages will the participation
be the MOST effective?
A. Design phase
B. Requirements definition phase
C. Development phase
D. Testing phase
Q2020. Many automated tools are designed for testing and evaluating computer
systems. Which one of the following such tools impacts the system’s
performance with a greater load and stress on the system?
A. Test data generators
B. Statistical software packages
C. Test drivers
D. Network traffic analyzers
Q2022. PC-based analysis and design tools are used along with mainframe
computer-based tools. Identify the CASE tool that is required in this
situation.
A. Diagramming tools
B. Simulation tools
C. Export/import tools
D. Diagram checking tools
Q2024. Project management needs are addressed first and artificial approach
to development is adopted in
A. rapid prototyping model
B. incremental development model
C. evolutionary development model
D. waterfall model or SDLC model
Q2027. Since it is the end-users who are going to use an application, they
must be consulted and their opinions must be incorporated if found
reasonable. Which of the following principles of User-Interface Design
reflects the above statements?
A. User-Perceptions
B. Context-Sensitivity
C. User Testing
D. Aesthetics
Q2034. System development controls are designed to prevent all of the following
EXCEPT:
A. Lack of project status reports
B. Implementation of unapproved system
C. Lack of adequate program controls.
D. Unauthorised program modification
Q2035. The auditor uses a normative model of the system development process
as a basis for:
A. determining what activities are usually undertaken during system
development
B. describing the activities that are to be carried out during system
development that would change the distribution of power within
the organisation
C. determining the activities that should be carried out during system
development
D. determining development activities depending on the
circumstances at hand
Q2040. The critical path in a program evaluation review technique (PERT) chart
is identified by
A. the project management team looking at the criticality of the
function
B. the maximum slack time carrying path
C. the path containing zero slack time
D. an agreement after discussion among the users and the project
development team
Q2043. The estimate of time which has the MOST important relevance in
evaluation of the activities in a Program Evaluation Review Technique
(PERT) is:
A. Most Likely time
B. Pessimistic time
C. Actual time
D. Optimistic Time
Q2044. The extent to which a newly developed or acquired system meets the
functionality required of it is determined in:
A. Unit testing of the individual program
B. Function test or whole-of-program test
C. User acceptance test (UAT)
D. Interface test
Q2045. The information systems requirements plan is derived directly from the:
A. information systems applications and general controls plan
B. long term master plan
C. organisational strategic plan
D. information systems strategic plan
Q2047. The main focus of the graphical user interface (GUI) environments is:
A. Portability guidelines
Q2050. The most important factor while creating test data for checking a
system is:
A. Have a sufficient quantity of data for each test case
B. Keep the test data to a minimum to conserve testing time
C. Select a random sample of actual data to ensure adequate
testing
D. Include data which represent conditions that occur in actual
processing
Q2052. The primary difference between program testing and system testing is:
A. program testing is more comprehensive than system testing
B. system testing is concerned with testing all aspects of a system
including user specification document, design document, job
designs and reward system designs
C. programmers have no involvement in system testing, whereas
designers and users are involved in program testing
D. system testing focuses on testing the interfaces between
programs, whereas program testing focuses on individual
programs
Q2057. The statement which is NOT false regarding end user computing is:
A. Catering to the user’s requirement is more in such systems.
B. Implementation of change control procedures is easier.
C. Since the respective end users download their required data,
duplication of data does not occur.
D. Due to the programming staff not being involved, segregation of
duties is increased.
Q2058. The System Development Tool which gives the BEST results in an
application maintenance function is:
A. Network control programs
B. Tape Management systems
C. Project Management software
D. Test data generators
Q2059. The test approach that includes ALL of the system requirement, system
design, and system development documents is:
A. Unit testing
B. Integration testing
C. Systems testing
D. Acceptance testing
Q2062. To which one of the following issues should an information systems (IS)
auditor participating in a system development life cycle project
devote more attention?
A. Technical issues
B. Organizational issues
C. Behavioral issues
D. Contractual issues
Q2066. What control should have been in place to enable detection of a change
made in a payroll program by a computer operator?
A. Output of the payroll journal’s audit trail.
B. Review of the control totals.
C. Review of the payroll by the payroll department on a regular
basis.
D. Review of console logs for attempted / illegal intrusion.
Q2069. What is the major risk that is faced by a user organization during system
integration projects?
A. Isolated islands of information
B. Processing and computing power
C. Maintenance costs
D. System size and complexity
Q2070. What would you use to enforce integration rules so as to integrate one
component with another?
A. A data flow diagram
B. An entity relationship diagram
C. A state transition diagram
D. A data dictionary
Q2072. When a software application is acquired from a vendor, the terms of the
purchase order WILL NOT generally contain:
A. annual maintenance contract terms after the warranty period
B. details of software licence fees and other licence terms
C. terms of acceptance testing
D. dates of future updates and the fees for acquiring them
Q2083. Which of the following is not part of the information systems design:
A. design of the data/information flow
B. design of the user interfaces
C. design of the user specification document layout
D. job design
Q2084. Which of the following factors would bring down the risks most in Joint
Application Design (JAD) meetings?
A. The right software
B. The right people
C. The right training
D. The right hardware
Q2085. Which of the following CANNOT be used for measuring the progress of
a software development project?
A. Appraisal of the performance of the team members by the
superiors
B. Milestone achievement
C. Review of the codes generated
D. Review of the system design
C. Object-oriented technology
D. Graphical-user interface (GUI) technology
Q2092. Which of the following is NOT a constraint while using Computer Aided
Software Engineering (CASE) tools running on workstations?
A. Lack of multi-user operations
B. Inability to handle large databases
C. Lack of security controls
D. Lack of tools for source code generation
Q2094. Which of the following is NOT a prerequisite for software system project
planning?
A. Availability of the technical expertise
B. Goals and objectives of the plan
C. The functional requirements
D. Programming area environment and infrastructure
Q2098. Which of the following is not true with regard to Black Box Testing?
A. It may leave many program paths untested.
B. Both the tester and programmer are independent of each other.
C. Requires knowledge of internal working of the program.
D. Tests are designed to know if the system is sensitive to certain
input values.
Q2099. Which of the following is not true with regard to Commercial Off-The-
Shelf (COTS) systems:
A. Commercial Off-The-Shelf systems are highly secured
B. The cost of developing Commercial Off-The-Shelf is very high
C. There is no possibility of mismatch between Commercial Off-The-
Shelf components
D. The component user has little or no control over the evolution of
component
Q2100. Which of the following is the most likely sequence of phases in the
system development process:
A. feasibility study, system design, procedures and forms
development, acceptance testing
B. acceptance testing, procedures development, management of the
change process
C. entry and feasibility assessment, problem definition, analysis of
the existing system
D. feasibility study, information analysis, system design, program
development
Q2101. Which of the following is NOT an effective control for program
changes?
A. Independent review of changed program by quality assurance
group
B. Version control
C. Annual reviews of program listing
D. Compilation of source code by IS librarian
Q2103. Which of the following is true with regard to the audit of acquisition risks?
A. Conversion costs need not be included in the cost benefit
analysis of the alternatives.
B. Analysis of each alternative takes into account only quantifiable
benefits.
Q2104. Which of the following is true with regard to White Box Testing?
A. Output of the program code is not required before the beginning
of the code.
B. It is not very expensive.
C. It may involve testing every line of code.
D. It shows errors caused by omission.
Q2108. Which of the following software defect prevention activities would ensure
the highest Return on Investment?
A. Code inspection
B. Reviews with users/customers
C. Design reviews
D. Unit test
Q2110. Which of the following system life factors is most difficult to control by
a user organization?
A. The length of time the system will satisfy the needs of the initial
user
B. The rate at which computer technology is expected to advance
C. The probability of continued availability of system support
D. The time required for subsequent acquisition to meet the
requirement
Q2121. Which of the following situations would increase the likelihood of fraud?
A. Application programmers are implementing changes to production
programs
B. Application programmers are implementing changes to test
programs
C. Operations support staff are implementing changes to batch
schedules
D. Database administrators are implementing changes to data
structures.
Q2123. A company that has to guarantee zero downtime and 100 percent
functionality would choose which type of backup facility?
A. Redundant
B. Rolling site
C. Cold
D. Warm
Q2125. Which of the following best describes the concept and purpose of BCP?
A. BCPs are created to prevent interruptions to normal business
activity
B. BCPs are used to reduce outage times
C. BCPs and procedures are put in place for the response to an
emergency
D. BCPs guarantee the reliability of standby systems
Q2127. During the BCP process, which group directs the planning,
implementation, and development of the test procedures?
A. BCP committee
B. Senior business unit management
C. Executive management staff
D. Functional business units
Q2129. Which of the following elements of the BCP process includes the
completion of a vulnerability assessment?
A. Business impact assessment
B. Plan approval and implementation
C. Scope and plan initiation
D. Business continuity plan development
Q2130. Which phase of the BCP process includes project parameter definition?
A. Scope and plan initiation
B. Plan approval and implementation
C. Business impact assessment
D. Business continuity plan development
Q2134. In disaster recovery, each level of employee should have clearly defined
responsibilities. Which of the following is a responsibility of senior
executives?
A. Oversee budgets and the overall project
B. Develop testing plans
C. Establish project goals and develop plans
D. Identify critical business systems
Q2136. There are several reasons for a company to develop and implement
a disaster recovery plan. What is the most important goal of disaster
recovery?
A. Protect human life
B. Protect the integrity of the business
C. Protect critical operating systems
D. Protect customer relationships
Q2137. What is the maximum tolerable downtime (MTD) for urgent systems and
functions?
A. 24 hours
B. Minutes to hours
C. 4 to 6 hours
D. 72 hours
Q2138. A company that has to guarantee zero downtime and 100 percent
functionality would choose which type of backup facility?
A. Redundant
B. Rolling site
C. Cold
D. Warm
Q2140. Which of the following best describes the concept and purpose of BCP?
A. BCPs are created to prevent interruptions to normal business
activity
B. BCPs are used to reduce outage times
C. BCPs and procedures are put in place for the response to an
emergency
D. BCPs guarantee the reliability of standby systems
Q2142. During the BCP process, which group directs the planning,
implementation, and development of the test procedures?
A. BCP committee
B. Senior business unit management
C. Executive management staff
D. Functional business units
Q2144. Which of the following elements of the BCP process includes the
completion of a vulnerability assessment?
A. Business impact assessment
B. Plan approval and implementation
C. Scope and plan initiation
D. Business continuity plan development
Q2145. Which phase of the BCP process includes project parameter definition?
A. Scope and plan initiation
B. Plan approval and implementation
C. Business impact assessment
D. Business continuity plan development
Q2148. What is the maximum tolerable downtime (MTD) for urgent systems and
functions?
A. 24 hours
B. Minutes to hours
C. 4 to 6 hours
D. 72 hours
Q2150. In disaster recovery, each level of employee should have clearly defined
responsibilities. Which of the following is a responsibility of senior
executives?
A. Oversee budgets and the overall project
B. Develop testing plans
C. Establish project goals and develop plans
D. Identify critical business systems
Q2152. There are several reasons for a company to develop and implement
a disaster recovery plan. What is the most important goal of disaster
recovery?
A. Protect human life
B. Protect the integrity of the business
C. Protect critical operating systems
D. Protect customer relationships
DISA Review Questions, Answers Manual – Module 7
Module 7 Questions
Q2153. In order to provide maximum assurance on user identification, the best
method of user authentication should be based on what the user
A. is.
B. knows.
C. has.
D. does.
Q2155. The controls in Client-Server architecture first address the risks arising
out of:
A. Client malfunction.
B. Ping of death attack.
C. Network failure.
D. Application development.
C. corrective control
D. compensating control
Q2163. A user who found and repaired a virus on his workstation should first report to:
A. System administrator.
B. Network administrator.
C. Security administrator.
D. Data Base Administrator.
Q2169. During the audit, control self assessment questionnaire replied by the
local management was made available to IS Auditor. The IS auditor
should:
A. Substantiate the answers.
B. Rely on the answers and do nothing.
C. Ignore it since it is out of scope.
D. Ask for previous audit report instead.
Q2172. In a financial organization the transactions are posted into the database
by the accounts assistant. A member of managerial staff authorizes the
transactions after posting. Which of the following access rights can be
allotted to the member of supervising staff in addition to ‘Update the
database for confirming authorization of transactions’?
A. Generate report and query the contents of fields from the
database.
B. Enter the transactions when accounts assistant is on leave.
C. Change the access rights of other staff members.
D. Necessary rights to modify the programs which update the data
base.
Q2174. Which of the following control functions will be most effective due to the
use of Biometric Security solutions?
A. Authentication
B. Access
C. Password
D. Smart Cards
Q2175. Which of the following is the MOST likely reason why e-mail systems
have become a useful source of evidence for litigation?
A. Poor housekeeping leads to excessive cycles of backup files
remaining available.
B. Strong access controls establish accountability for activity on the
e-mail system.
C. Data classification is often used to regulate what information
should be communicated via e-mail.
D. Clear policy for using e-mail within the enterprise ensures that the
right evidence is available.
C. Corrective control.
D. Compensating control.
Q2178. Which of the following is a dynamic analysis tool for the purpose of
testing of software modules?
A. Black box test
B. Desk checking
C. Structured walk-through
D. Design and code
Q2180. The risk that an IS auditor uses an inadequate test procedure and
concludes that material errors do not exist when, in fact, they do, is an
example of:
A. Inherent risk.
B. Control risk.
C. Detection risk.
D. Audit risk.
Q2182. An internal IS Auditor had been given a charter to audit the software
implementation. During the preliminary review the auditor found that the
scope of the audit needed to be enhanced to include a review of the software
development process. Which of the following should approve this
change?
A. Chief Information Officer
B. Board of Directors
C. Audit Committee
D. Chief Executive Officer
Q2183. An IS auditor is assigned to help design the data security, data integrity
and business continuity aspects of an application under development.
Which of the following provides the MOST reasonable assurance that
corporate assets are protected when the application is certified for
production?
A. A certification review conducted by the internal auditor.
B. A certification review conducted by the assigned IS auditor.
C. Specifications by the user on the depth and content of the
certification review.
D. An independent review conducted by another equally experienced
IS auditor.
Q2184. Which of the following controls would BEST serve to effectively detect
intrusion?
A. User creation and user privileges are granted through authorized
procedures.
B. Automatic logoff when a workstation is inactive for a particular
period of time.
C. Automatic logoff of the system after a specified number of
unsuccessful attempts.
D. Unsuccessful logon attempts are actively monitored by the
security administrator.
Q2188. A feature of a digital signature that ensures that the claimed sender
cannot later deny generating and sending the message is:
A. Provide an audit trail
B. Can be used in a switchboard environment
C. Permit unlimited user mobility
D. Allow call forwarding
Q2192. While auditing IT infrastructure, the IS auditor observed that there were
no procedures defined for the performance monitoring of third-party
C. Sensitive.
D. Non-critical.
Q2200. Which of the following methods of results analysis, during the testing of
the business continuity plan (BCP), provides the BEST assurance that
the plan is workable?
A. Quantitatively measuring the results of the test
B. Measurement of accuracy
C. Elapsed time for completion of prescribed tasks
D. Evaluation of the observed test results
Q2205. Which of the following program change controls is NOT the responsibility
of the user department?
A. Updating documentation to reflect all changes
B. Initiating requests within its scope of authority
C. Approving changes before implementation, based on the results
of testing
D. Approving changes before implementation, based on review of
changes to manual procedures
Q2209. Which of the following testing methods is MOST effective during the
initial phases of prototyping?
A. System testing
B. Parallel testing
C. Volume testing
D. Top-down testing
Q2215. If the decision has been made to acquire software rather than develop
it internally, this decision is normally made during the:
A. Requirements definition phase of the project.
B. Feasibility study phase of the project.
C. Detailed design phase of the project.
D. Programming phase of the project.
Q2218. Which of the following is the FIRST point at which control totals
should be implemented in order to prevent the loss of data during the
processing cycle?
A. During data preparation
B. In transit to the computer
Q2221. The primary reason for replacing cheques with electronic funds transfer
(EFT) systems in the accounts payable area is to:
A. Make the payment process more efficient.
B. Comply with international EFT banking standards.
C. Decrease the number of paper-based payment forms.
D. Reduce the risk of unauthorized changes to payment
transactions.
Q2222. A tax calculation program maintains several hundred tax rates. The
BEST control to ensure that tax rates entered into the program are
accurate is:
A. Independent review of the transaction listing.
B. Programmed edit check to prevent entry of invalid data.
C. Programmed reasonableness checks with 20% data entry range.
D. Visual verification of data entered by the processing department.
Q2228. A general hardware control that helps to detect data errors when data
are communicated from one computer to another is known as a:
A. Duplicate check.
B. Table look up.
C. Validity check.
D. Parity check.
Q2235. To ensure continued operations, data back-ups are stored off-site where
the redundant processing facilities are located. Which of the following
statements is FALSE?
A. The site should bear the nameplate in order to identify the place
correctly in case of emergency.
B. The site should have similar physical access restriction as that of
original site.
C. The facilities are to be tested periodically in order to ensure
continued availability.
D. The hardware and software should be compatible.
Q2236. In a situation where frequent power failures occur for varying periods from 6
to 8 hours, which of the following is the BEST possible solution?
A. Installation of UPS.
B. Installation of power generators.
Q2241. A systems analyst should have access to each of the following except:
A. Source code
B. Password identification tables
C. User procedures
D. Edit criteria
Q2243. CASE (computer-aided software engineering) is the use of the computer
to aid in the development of computer-based information systems.
Which of the following could not be automatically generated with CASE
tools and techniques?
A. Information requirements determination
B. Program logic design
C. Computer program code
D. Program documentation
Q2246. Which of the following statements regarding security concerns for laptop
computers is true?
A. The primary methods of control usually involve general controls.
B. Centralized control over the selection and acquisition of hardware
and software is not a major concern.
C. Some traditional controls such as segregation of duties become
more important.
D. As their use becomes more sophisticated, the degree of concern
regarding physical security decreases.
Q2247. Which of the following is a control that will prevent accessing the
accounts receivable files from a hardwired terminal located in a
manufacturing department?
A. An echo check.
B. A device authorization table.
C. Providing only dial-up terminals.
D. Using data encryption.
Q2250. To increase the security of application software, the internal audit
director recommended that programmers be given diskless workstations.
Using diskless workstations would increase security by:
A. Making theft of programs more difficult
B. Reducing workstation maintenance expense
C. Imposing a stricter level of access control
D. Prompting programmers to work more closely together
Q2252. The Security Policy for Information Technology of a Bank specifies that all
employees should clear the monitor screen when not working. Which
of the following best describes the reason for this policy?
A. Prevent shoulder surfing.
B. Restrict electronic eavesdropping.
C. Save monitor from damage.
D. Avoid password sniffing.
Q2259. Which of the following manages the certificate life cycle of public key
pairs to ensure adequate security and controls exist in e-commerce
applications?
A. Registration authority
B. Certificate authority
C. Certificate revocation list
D. Certification practice statement
Q2263. When auditing the proposed acquisition of a new computer system, the
IS auditor should FIRST establish that:
A. A clear business case has been approved by management.
B. Corporate security standards will be met.
C. Users will be involved in the implementation plan.
D. The new system will meet all required user functionality.
Q2266. Which of the following types of firewalls provide the GREATEST degree
and granularity of control?
A. Screening router
B. Packet-filter
C. Application-gateway
D. Circuit-gateway
Q2275. Which of the following is the BEST way to handle obsolete magnetic
tapes before disposing of them?
A. Overwriting the tapes
B. Initializing the tape labels
C. Degaussing the tapes
D. Erasing the tapes
Q2276. Which of the following data entry controls provides the GREATEST
assurance that data entered does not contain errors?
A. Key verification
B. Segregation of the data entry function from data entry verification
C. Maintaining a log/record detailing the time, date, employee’s
initials/user-id and progress of various data preparation and
verification tasks
D. Check digits
Q2278. How can an enterprise provide access to its intranet (i.e., extranet) across
the Internet to its business partners?
A. Virtual private network
B. Client/server
C. Dial-in access
D. Network service provider
Q2281. The most effective preventive control against the use of unlicensed software is:
A. Periodic scans.
B. IT Security Policy.
C. Frequent audits.
D. Inventory of licenses.
Q2283. In a web server, a common gateway interface (CGI) is MOST often used
as a:
A. Consistent way for data transfer to the application program and
back to the user.
B. Computer graphics imaging method for movie and TV.
C. Graphic user interface for web design.
D. Interface to access the private gateway domain.
Q2284. A virtual private network (VPN) performs which of the following functions?
A. Hides information from sniffers on the net
B. Enforces security policies
Q2288. Which of the following is a continuity plan test that uses actual
resources to simulate a system crash to cost-effectively obtain evidence
about the plan’s effectiveness?
A. Paper test
B. Post test
C. Preparedness test
D. Walkthrough
Q2291. The difference between white-box testing and black-box testing is that
white-box testing:
A. Involves the IS auditor.
B. Is performed by an independent programmer team.
Q2293. Which of the following is the most appropriate indication that prompts for
changing the operating system?
A. Vendor’s report.
B. Requirements.
C. Obsolescence.
D. Response time.
Q2295. Which of the following exposures to data security occurs before
computer security can protect the data?
A. Data diddling.
B. Trap Door.
C. Logic Bomb.
D. Trojan Horse.
Q2299. The need for the modification of validation and editing routines to
improve efficiency is normally indicated by:
A. Excess overrides.
B. An override activity report.
C. Error control and correction.
D. Separation of duties.
Q2303. A company uses a bank to process its weekly payroll. Time sheets and
payroll adjustment forms (e.g., hourly rate changes, terminations) are
filled in and delivered to the bank, which prepares cheques and
reports for distribution. To BEST ensure payroll data accuracy:
A. Payroll reports should be compared to input forms.
B. Gross payroll should be recalculated manually.
Q2304. An external auditor was planning an audit of the effectiveness of IT
controls. However, only the internal auditor’s audit report was available,
not the work papers. The auditor could not determine the type of tests
performed by the internal auditor to assure the effectiveness of controls.
The auditor should:
A. Change the scope of the audit to include the tests.
B. Refuse to perform the audit till work papers were made available.
C. Rely on the previous audit report and not the work papers.
D. Defer the tests till work papers were made available.
Q2307. Which of the following reports is most useful for an internal auditor in order
to gain understanding about the auditee area?
A. Long term IT plan.
B. Annual financial results.
C. Annual financial audit report.
D. Minutes of Steering committee meeting.
Q2309. An IS auditor observed that some controls defined by the security policy were
not implemented by auditee management. What should the auditor do next?
A. Compliance testing of implemented controls.
B. Substantive testing of implemented controls.
C. Risk assessment of non-implemented controls.
D. Suspend the audit and report to Management.
Q2313. While auditing the Business continuity plan for information systems, the
IS auditor should first ensure that the plan:
A. Covers all business processes.
B. Provides for recovery of IT resources.
C. Specifies insurance cover.
D. Has address of alternate site.
Q2316. Which of the following will help management in getting feedback about
the achievement of planned IT goals?
A. Key Goal Indicators.
B. Balanced Score Card.
C. Critical Success Factors.
D. Key Performance Indicators.
Q2318. Which of the following risks in a wireless LAN must be controlled first?
A. Terminals are not connected to server.
B. Unauthorized terminal/client.
C. Possible unauthorized use of LAN.
D. Unauthorized software.
Q2320. During the Business continuity audit an IS auditor found that the BCP
covered only critical applications. The IS auditor should first:
A. Assess the impact on business due to non-availability of
processes not covered.
B. Insist on redesigning the BCP covering all IS related processes.
Q2327. While auditing a Risk Management program, the auditor should first
ensure that:
A. Management accepts all natural risks.
B. The program monitors all residual risks.
C. Risk mitigation does not have preventive controls.
D. The program uses qualitative measurement standards.
Q2328. Which of the following will help the auditor in determining the effectiveness
of help desk operations?
A. Problem aging analysis.
B. Query log maintained by help desk.
C. Problem escalation report.
D. Awareness level of end users.
Q2333. While auditing hardware acquisition the IS auditor should first ensure
that:
A. Request for Proposal is in accordance with requirement analysis.
B. Hardware is selected on the basis of throughput.
C. Request for proposal was sent to all vendors.
D. Selected hardware was offered at lowest cost.
Q2334. Which of the following features of Job Scheduling software will be most
useful in ensuring successful completion of scheduled jobs?
A. Sequencing of processes.
B. Completion and error reporting.
C. Documentation of system.
D. Defined job dependencies.
Q2335. A centralized data base server is being accessed by users from various
geographical locations. Concurrency controls provided in this system
primarily ensure:
A. Integrity of data.
B. Usability of data.
C. Confidentiality of data.
D. Availability of data.
Q2337. An IS Auditor was asked to audit an ERP implementation. The auditor did
not have prior experience of ERP implementation. The auditor should:
A. Take help of independent skilled professional.
B. Refuse the assignment in absence of required skills.
C. Attend the training program on implementation of ERP.
D. Conduct the audit with due professional care.
Q2338. Some organizations have a ‘required paid vacation’ facility for their
employees. The purpose of this facility is:
A. A motivating incentive for hard working employees.
B. Increase the opportunity to discover fraudulent/irregular activities
of the employee.
C. A rest and recuperation refreshes the mind and improves the
quality of life.
D. Give opportunity to spend more time with family.
Q2340. It was decided to introduce an image processing technique for handling
of documents. The IS auditor is concerned about the use of this technique.
Which of the following is the PRIMARY reason for the IS auditor’s concern?
A. The image processing software is very expensive.
B. Inadequate training may result in poor quality of images.
C. Imaging system may change or eliminate the traditional controls.
D. Workflow processes may have to be redesigned.
Q2341. Which of the following would BEST ensure the proper updating of critical
fields in master records?
A. Field checks.
B. Control totals.
C. Reasonableness checks.
D. Before and after maintenance report.
Q2342. While auditing the computer installation, the internal IS auditor found a
virus-infected file. What should the IS auditor do FIRST?
A. Report to the IS manager and top management about the
presence of virus.
B. Inform the IS manager about the infection so as to enable him to
take the necessary steps.
C. Disinfect or Erase the infected file and check other computer
systems for infection.
D. Check the other computer systems whether they have similar
infection.
Q2345. The auditor observed that, in the absence of explicit mention in the SLA, the
third party has appointed a sub-contractor to perform the outsourced
function. The auditor should FIRST:
A. Look for the auditability option in the third party and sub-contractor.
B. Ascertain the control of the third party over the sub-contractor.
C. Report the absence of mention of sub-contracting in the SLA.
D. Report the risk associated with such an arrangement.
Q2347. Which of the following would BEST ensure continuity of a wide area
network (WAN) across the organization?
A. Built-in alternative routing
B. Full system back-up taken daily
C. A repair contract with a service provider
D. A duplicate machine alongside each server
the following key algorithms decrypt data with the same key used for
encryption?
A. Symmetric key algorithm.
B. Asymmetric key algorithm.
C. Symmetric and public key algorithm.
D. Asymmetric and secret key algorithm.
Q2349. Risk management consists of risk assessment and risk mitigation. Which
of the following is NOT an element of risk mitigation?
A. Measure risk.
B. Select appropriate safeguards.
C. Implement and test safeguards.
D. Accept residual risks.
Q2352. Your organization has hired a security consulting firm to test the
logical access security for dial-up connections. Which of the following
persons is MOST likely to be hired by the security firm?
A. Hackers.
B. Crackers.
C. Hardware Engineer.
D. Software Engineer.