
Security question bank. Each entry below gives the question, its answer options, the right answer from the key, and the explanation where the bank supplied one.

Q: Which of the following refers to the collection of policies and procedures for implementing controls capable of restricting access to computer software and data files?
A. Binary access control
B. System-level access control
C. Logical access control
D. Physical access control
E. Component access control
Answer: C

Q: A Trojan horse simply cannot operate autonomously.
A. True
B. False
Answer: A
Explanation: In a common type of Trojan horse, a legitimate program has been corrupted with malicious code that runs when the program is used. The key point is that the user has to invoke the program in order to trigger the malicious code. In other words, a Trojan horse simply cannot operate autonomously. You would also want to ...

Q: Creating which of the following is how a hacker can ensure his ability to return to the hacked system at will?
A. rootsec
B. checksum
C. CRC
D. backdoors
E. None of the choices
Answer: D
Explanation: A backdoor is a generally undocumented means of getting into a system, mostly left in place for programming and maintenance/troubleshooting needs. Many real-world programs have shipped with backdoors. Creating a backdoor is how a hacker ensures the ability to return to the hacked system at will.

Q: Which of the following is not a good tactic to use against hackers?
A. Enticement
B. Entrapment
Answer: B
Explanation: Enticement occurs after somebody has gained unlawful access to a system and is then lured to a honeypot. Entrapment encourages the commission of unlawful access. The latter is not a good tactic to use, as it involves encouraging someone to commit a crime.

Q: The sophistication and formality of IS audit programs may vary significantly depending on which of the following factors?
A. the target's management hands-on involvement
B. the target's location
C. the target's size and complexity
D. the target's budget
E. the target's head count
Answer: C

Q: Which of the following is the most common way that spyware is distributed?
A. as a Trojan horse
B. as a virus
C. as adware
D. as a device driver
E. as a macro
Answer: A

Q: Properly planned risk-based audit programs are often capable of offering which of the following benefits?
A. audit efficiency and effectiveness
B. audit efficiency only
C. audit effectiveness only
D. audit transparency
E. audit transparency and effectiveness
Answer: A

Q: Which of the following should be seen as one of the most significant factors considered when determining the frequency of IS audits within your organization?
A. The cost of risk analysis
B. The income generated by the business function
C. Resource allocation strategy
D. The nature and level of risk
E. None of the choices
Answer: D

Q: For application acquisitions with significant impacts, participation of your IS audit team should be encouraged:
A. early in the due diligence stage
B. at the testing stage
C. at the final approval stage
D. at the budget preparation stage
E. None of the choices
Answer: A
Explanation: For acquisitions with significant IT impacts, participation of IS audit is often necessary early in the due diligence stage, as defined in the audit policy.

Q: A comprehensive IS audit policy should include guidelines detailing what involvement the internal audit team should have?
A. in the development and coding of major OS applications
B. in the acquisition and maintenance of major web applications
C. in the human resource management cycle of the application development project
D. in the development, acquisition, conversion, and testing of major applications
E. None of the choices
Answer: D

Q: In-house personnel performing IS audits should possess which of the following knowledge and/or skills (choose 2):
A. information systems knowledge commensurate with the scope of the IT environment in question
B. sufficient analytical skills to determine the root cause of the deficiencies in question
C. sufficient knowledge of secure system coding
D. sufficient knowledge of secure platform development
E. information systems knowledge commensurate with systems outside the scope of the IT environment in question
Answer: A

Q: The ability of the internal IS audit function to achieve desired objectives depends largely on:
A. the training of audit personnel
B. the background of audit personnel
C. the independence of audit personnel
D. the performance of audit personnel
E. None of the choices
Answer: C
Explanation: The ability of the internal audit function to achieve desired objectives depends largely on the independence of audit personnel. Top management should ensure that the audit department does not participate in activities that may compromise its independence.

Q: Well-written risk assessment guidelines for IS auditing should specify which of the following elements at the least (choose all that apply):
A. A maximum length for audit cycles
B. The timing of risk assessments
C. Documentation requirements
D. Guidelines for handling special cases
E. None of the choices
Answer: A

Q: Your final audit report should be issued:
A. after an agreement on the observations is reached
B. before an agreement on the observations is reached
C. if an agreement on the observations cannot be reached
D. without mentioning the observations
E. None of the choices
Answer: A

Q: IS audits should be selected through a risk analysis process to concentrate on:
A. those areas of greatest risk and opportunity for improvements
B. those areas of least risk and opportunity for improvements
C. those areas of the greatest financial value
D. areas led by the key people of the organization
E. random events
Answer: A

Q: What should be done to determine the appropriate level of audit coverage for an organization's IT environment?
A. determine the company's quarterly budget requirement
B. define an effective assessment methodology
C. calculate the yearly budget requirement
D. define an effective system upgrade methodology
E. define an effective network implementation methodology
Answer: B

Q: Which of the following correctly describes the purpose of an electronic data processing audit?
A. to collect and evaluate evidence of an organization's information systems, practices, and operations
B. to ensure document validity
C. to verify data accuracy
D. to collect the benefits brought by an organization's information systems to its bottom line
E. None of the choices
Answer: A

Q: The use of risk assessment tools for classifying risk factors should be formalized in your IT audit effort through:
A. the use of risk controls
B. the use of computer-assisted functions
C. using computer-assisted audit technology tools
D. the development of written guidelines
E. None of the choices
Answer: D

Q: A successful risk-based IT audit program should be based on:
A. an effective scoring system
B. an effective PERT diagram
C. an effective departmental brainstorm session
D. an effective organization-wide brainstorm session
E. an effective yearly budget
Answer: A

Q: In an application system audit, focus should always be placed on:
A. performance and controls of the system
B. the ability to limit unauthorized access and manipulation
C. input data being processed correctly
D. output data being processed correctly
E. changes to the system being properly authorized
Answer: A

Q: In a security server audit, focus should be placed on (choose all that apply):
A. proper segregation of duties
B. adequate user training
C. a continuous and accurate audit trail
D. proper application licensing
E. proper system stability
Answer: A

Q: Which of the following types of audit always takes high priority over the others?
A. System audit
B. Application audit
C. Software audit
D. License audit
E. Security server audit
Answer: E

Q: The purpose of a mainframe audit is to provide assurance that (choose all that apply):
A. processes are being implemented as required
B. the mainframe is operating as it should
C. security is strong
D. procedures in place are working
E. procedures are updated as needed
F. the OS applications are secured
Answer: A

Q: Which of the following refers to a primary component of corporate risk management with the goal of minimizing the risk of prosecution for software piracy due to use of unlicensed software?
A. Software audit
B. System audit
C. Application system audit
D. Test audit
E. Mainframe audit
Answer: A

Q: The technique of rummaging through commercial trash to collect useful business information is known as:
A. Information diving
B. Intelligence diving
C. Identity diving
D. System diving
E. Program diving
Answer: A
Note: this technique is more commonly called dumpster diving.

Q: Fault tolerance is a feature particularly sought after in which of the following kinds of computer systems (choose all that apply):
A. desktop systems
B. laptop systems
C. handheld PDAs
D. business-critical systems
E. None of the choices
Answer: D

Q: Physical access controls are usually implemented based on which of the following means (choose all that apply):
A. mechanical locks
B. guards
C. operating systems
D. transaction applications
E. None of the choices
Answer: A

Q: In the context of physical access control, what is the process of verifying user identities known as?
A. Authentication
B. Authorization
C. Accounting
D. Encryption
E. Compression
Answer: A

Q: Effective transactional controls are often capable of offering which of the following benefits (choose all that apply):
A. reduced administrative and material costs
B. shortened contract cycle times
C. enhanced procurement decisions
D. diminished legal risk
E. None of the choices
Answer: A

Q: Common implementations of strong authentication may use which of the following factors in their authentication efforts (choose all that apply):
A. 'something you know'
B. 'something you have'
C. 'something you are'
D. 'something you have done in the past on this same system'
E. 'something you have installed on this same system'
Answer: A

Q: Which of the following refers to any authentication protocol that requires two independent ways to establish identity and privileges?
A. Strong-factor authentication
B. Two-factor authentication
C. Dual-password authentication
D. Two-passphrase authentication
E. Dual-key authentication
F. Rich-factor authentication
Answer: B

Q: Which of the following refers to an important procedure when evaluating database security (choose the BEST answer)?
A. performing vulnerability assessments against the database
B. performing a data check against the database
C. performing a dictionary check against the database
D. performing a capacity check against the database system
E. None of the choices
Answer: A

Q: Sophisticated database systems provide many layers and types of security, including (choose all that apply):
A. Access control
B. Auditing
C. Encryption
D. Integrity controls
E. Compression
Answer: A

Q: The Federal Information Processing Standards (FIPS) are primarily for use by (choose all that apply):
A. all non-military US government agencies
B. all US government contractors
C. all military agencies
D. all private and public colleges in the US
E. None of the choices
Answer: A

Q: The Federal Information Processing Standards (FIPS) were developed by:
A. the United States Federal government
B. ANSI
C. ISO
D. IEEE
E. IANA
Answer: A

Q: Which of the following correctly describes a potential problem of deploying Wi-Fi Protected Access to secure your wireless network?
A. potential compatibility problems with wireless network interface cards
B. potential compatibility problems with wireless access points
C. potential performance problems with wireless network interface cards
D. potential performance problems with wireless access points
E. None of the choices
Answer: B

Q: Cisco IOS based routers perform basic traffic filtering via which of the following mechanisms?
A. datagram scanning
B. access lists
C. stateful inspection
D. state checking
E. link progressing
Answer: B

Q: Iptables is based on which of the following frameworks?
A. Netfilter
B. NetDoom
C. NetCheck
D. NetSecure
E. None of the choices
Answer: A

Q: Which of the following is a rewrite of ipfwadm?
A. ipchains
B. iptables
C. Netfilter
D. ipcook
E. None of the choices
Answer: A
Explanation: ipchains is a free software firewall for earlier Linux kernels. It is a rewrite of ipfwadm but was superseded by iptables in Linux 2.4 and above. Iptables controls the packet filtering and NAT components within the Linux kernel. It is based on Netfilter, a framework which provides a set of hooks within the Linux kernel for ...

Q: You should know the difference between an exploit and a vulnerability. Which of the following refers to a weakness in the system?
A. exploit
B. vulnerability
C. both
Answer: B
Explanation: An exploit refers to software, data, or commands capable of taking advantage of a bug, glitch or vulnerability in order to cause unintended behavior. A vulnerability in this sense refers to a weakness in the system.

Q: Which of the following types of spyware was originally designed for determining the sources of error or for measuring staff productivity?
A. Keyword logging
B. Keystroke logging
C. Directory logging
D. Password logging
E. None of the choices
Answer: B

Q: The Trojan.Linux.JBellz Trojan horse runs as a malformed file of what format?
A. e-mail
B. MP3
C. MS Office
D. Word template
E. None of the choices
Answer: B
Explanation: Most Trojan horse programs are spread through e-mail. Some earlier Trojan horse programs were bundled in "root kits". For example, the Linux Root Kit version 3 (lrk3), released in December 1996, had tcp wrapper trojans included and enhanced in the kit. Portable devices that run Linux can also be affected by Trojan horses. The Trojan.Linux. ...

Q: Most Trojan horse programs are spread through:
A. e-mail
B. MP3
C. MS Office
D. Word template
E. None of the choices
Answer: A

Q: What would be the major purpose of a rootkit?
A. to hide evidence from system administrators
B. to encrypt files for system administrators
C. to corrupt files for system administrators
D. to hijack system sessions
E. None of the choices
Answer: A

Q: Which of the following are valid choices for the Apache/SSL combination (choose all that apply):
A. the Apache-SSL project
B. third-party SSL patches
C. the mod_ssl module
D. the mod_css module
E. None of the choices
Answer: A

Q: Which of the following is a tool you can use to simulate a big network structure on a single computer?
A. honeymoon
B. honeytrap
C. honeytube
D. honeyd
E. None of the choices
Answer: D

Q: Which of the following typically consists of a computer, some real-looking data and/or a network site that appears to be part of a production network but which is in fact isolated and well prepared?
A. honeypot
B. superpot
C. IDS
D. IPS
E. firewall
Answer: A

Q: Which of the following refers to a symmetric key cipher which operates on fixed-length groups of bits with an unvarying transformation?
A. stream cipher
B. block cipher
C. check cipher
D. string cipher
E. None of the choices
Answer: B

Q: One major improvement in WPA over WEP is the use of a protocol which dynamically changes keys as the system is used. What protocol is this?
A. SKIP
B. RKIP
C. OKIP
D. EKIP
E. TKIP
Answer: E

Q: Wi-Fi Protected Access implements the majority of which IEEE standard?
A. 802.11i
B. 802.11g
C. 802.11x
D. 802.11v
E. None of the choices
Answer: A
Explanation: Wi-Fi Protected Access (WPA / WPA2) is a class of systems to secure wireless computer networks. It implements the majority of the IEEE 802.11i standard, and is designed to work with all wireless network interface cards (but not necessarily with first generation wireless access points). One major improvement in WPA over ...

Q: Many WEP systems require a key in a relatively insecure format. What format is this?
A. binary format
B. hexadecimal format
C. 128-bit format
D. 256-bit format
E. None of the choices
Answer: B

Q: As part of the IEEE 802.11 standard ratified in September 1999, WEP uses the CRC-32 checksum for:
A. integrity
B. validity
C. accuracy
D. confidentiality
E. None of the choices
Answer: A

Q: As part of the IEEE 802.11 standard ratified in September 1999, WEP uses which stream cipher for confidentiality?
A. CRC-32
B. CRC-64
C. DES
D. 3DES
E. RC4
F. RC5
Answer: E
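The two WEP questions above (CRC-32 for the integrity check value, RC4 for confidentiality) hide the practical point: a linear checksum under a stream cipher is not an integrity mechanism. The C program below is an added example written for this page, not code from the question bank. It uses a simplified WEP framing (frame = message || CRC-32, XORed with RC4 keystream; no IV), a constructed 40-bit key and a constructed 16-byte message, and shows that an attacker who never learns the key can flip chosen plaintext bits and patch the encrypted ICV so the receiver still accepts the frame.

```c
/* Added example for this page (not from the question bank): a linear
 * checksum (CRC-32) under a stream cipher (RC4) gives no integrity.
 * Framing is simplified WEP: frame = (msg || CRC-32(msg)) XOR RC4(key).
 * No IV is used; the key and message are constructed for the demo. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define MSG_LEN 16
#define FRAME_LEN (MSG_LEN + 4)

/* Standard CRC-32 (reflected 0xEDB88320, init and final XOR 0xFFFFFFFF). */
uint32_t crc32(const uint8_t *buf, size_t len) {
    uint32_t c = 0xFFFFFFFFu;
    for (size_t i = 0; i < len; i++) {
        c ^= buf[i];
        for (int k = 0; k < 8; k++)
            c = (c >> 1) ^ (0xEDB88320u & (0u - (c & 1u)));
    }
    return c ^ 0xFFFFFFFFu;
}

/* RC4 key scheduling followed by n bytes of keystream. */
void rc4_keystream(const uint8_t *key, size_t keylen, uint8_t *out, size_t n) {
    uint8_t S[256];
    for (int i = 0; i < 256; i++) S[i] = (uint8_t)i;
    for (int i = 0, j = 0; i < 256; i++) {
        j = (j + S[i] + key[i % keylen]) & 0xFF;
        uint8_t t = S[i]; S[i] = S[j]; S[j] = t;
    }
    for (size_t k = 0, i = 0, j = 0; k < n; k++) {
        i = (i + 1) & 0xFF;
        j = (j + S[i]) & 0xFF;
        uint8_t t = S[i]; S[i] = S[j]; S[j] = t;
        out[k] = S[(S[i] + S[j]) & 0xFF];
    }
}

/* Sender: append the ICV, then XOR everything with the keystream. */
void wep_encrypt(const uint8_t *key, size_t keylen,
                 const uint8_t msg[MSG_LEN], uint8_t frame[FRAME_LEN]) {
    uint8_t ks[FRAME_LEN];
    uint32_t icv = crc32(msg, MSG_LEN);
    memcpy(frame, msg, MSG_LEN);
    for (int i = 0; i < 4; i++) frame[MSG_LEN + i] = (uint8_t)(icv >> (8 * i));
    rc4_keystream(key, keylen, ks, FRAME_LEN);
    for (size_t i = 0; i < FRAME_LEN; i++) frame[i] ^= ks[i];
}

/* Receiver: strip the keystream, recompute the CRC; 1 = frame accepted. */
int wep_decrypt_verify(const uint8_t *key, size_t keylen,
                       const uint8_t frame[FRAME_LEN], uint8_t msg[MSG_LEN]) {
    uint8_t ks[FRAME_LEN], plain[FRAME_LEN];
    uint32_t got = 0;
    rc4_keystream(key, keylen, ks, FRAME_LEN);
    for (size_t i = 0; i < FRAME_LEN; i++) plain[i] = frame[i] ^ ks[i];
    for (int i = 0; i < 4; i++) got |= (uint32_t)plain[MSG_LEN + i] << (8 * i);
    memcpy(msg, plain, MSG_LEN);
    return got == crc32(plain, MSG_LEN);
}

/* Attacker (no key): XOR a chosen delta into the ciphertext and patch the
 * encrypted ICV. CRC-32 is affine over GF(2), so for equal lengths
 *   crc(m ^ d) == crc(m) ^ crc(d) ^ crc(0...0),
 * and XOR commutes with the keystream, so the patched ICV still verifies. */
void wep_bitflip(uint8_t frame[FRAME_LEN], const uint8_t delta[MSG_LEN]) {
    uint8_t zeros[MSG_LEN] = {0};
    uint32_t icv_delta = crc32(delta, MSG_LEN) ^ crc32(zeros, MSG_LEN);
    for (size_t i = 0; i < MSG_LEN; i++) frame[i] ^= delta[i];
    for (int i = 0; i < 4; i++) frame[MSG_LEN + i] ^= (uint8_t)(icv_delta >> (8 * i));
}

/* Returns 1 when the forged frame passes the ICV check and decrypts to the
 * attacker's chosen text, i.e. the "integrity" check was defeated. */
int wep_forgery_accepted(void) {
    const uint8_t key[5] = {0x01, 0x02, 0x03, 0x04, 0x05};  /* constructed 40-bit key */
    uint8_t msg[MSG_LEN], out[MSG_LEN], frame[FRAME_LEN];
    uint8_t delta[MSG_LEN] = {0};
    memcpy(msg, "transfer $100.00", MSG_LEN);                 /* constructed plaintext */
    delta[10] = '1' ^ '9';                                    /* turn $100.00 into $900.00 */
    wep_encrypt(key, sizeof key, msg, frame);
    wep_bitflip(frame, delta);
    return wep_decrypt_verify(key, sizeof key, frame, out)
        && memcmp(out, "transfer $900.00", MSG_LEN) == 0;
}

int main(void) {
    printf("CRC-32(\"123456789\") = %08x (expect cbf43926)\n",
           crc32((const uint8_t *)"123456789", 9));
    printf("forged WEP frame accepted: %s\n", wep_forgery_accepted() ? "yes" : "no");
    return 0;
}
```

The fix is not a stronger checksum but a keyed MAC: TKIP added the Michael MIC and WPA2 uses AES-CCMP, whose authentication tag cannot be patched without the key.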

Q: An accurate biometric system usually exhibits (choose all that apply):
A. low EER
B. low CER
C. high EER
D. high CER
E. None of the choices
Answer: A

Q: In biometric measurement, which of the following measures the percentage of invalid users who are incorrectly accepted?
A. failure to reject rate
B. false accept rate
C. false reject rate
D. failure to enroll rate
E. None of the choices
Answer: B

Q: Performance of a biometric measure is usually referred to in terms of (choose all that apply):
A. failure to reject rate
B. false accept rate
C. false reject rate
D. failure to enroll rate
E. None of the choices
Answer: B

Q: In biometric authentication, which of the following is often considered a mix of both physical and behavioral characteristics?
A. Voice
B. Finger measurement
C. Body measurement
D. Signature
E. None of the choices
Answer: A

Q: In biometric authentication, physical characteristics typically include (choose all that apply):
A. fingerprints
B. eye retinas
C. irises
D. facial patterns
E. hand measurements
F. None of the choices
Answer: A
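The biometric questions above use FAR, FRR and EER (also called CER) as bare terms. The C program below is an added example written for this page, not code from the question bank: it computes the false accept rate and false reject rate from constructed matcher scores at every threshold and finds the crossover point where the two rates are equal. The score samples, the 0..100 score range and the "accept when score >= threshold" rule are assumptions of the example.

```c
/* Added example for this page (not from the question bank): FAR, FRR and
 * the equal error rate (EER, also called crossover error rate, CER) computed
 * from constructed matcher scores. Higher score = stronger match. */
#include <stddef.h>
#include <stdio.h>

/* Constructed similarity scores (0..100). "Genuine": the enrolled user
 * against their own template; "impostor": other people against it. */
static const int GENUINE[]  = {92, 88, 85, 81, 79, 76, 74, 71, 69, 66, 63, 58};
static const int IMPOSTOR[] = {61, 57, 55, 52, 49, 47, 44, 41, 38, 35, 31, 28, 25, 22, 19, 14};
#define N_GEN (sizeof GENUINE / sizeof GENUINE[0])
#define N_IMP (sizeof IMPOSTOR / sizeof IMPOSTOR[0])

/* The system accepts an attempt when score >= threshold. */

/* False accept rate: share of impostor attempts that are wrongly accepted. */
double far_at(int threshold) {
    size_t accepted = 0;
    for (size_t i = 0; i < N_IMP; i++)
        if (IMPOSTOR[i] >= threshold) accepted++;
    return (double)accepted / N_IMP;
}

/* False reject rate: share of genuine attempts that are wrongly rejected. */
double frr_at(int threshold) {
    size_t rejected = 0;
    for (size_t i = 0; i < N_GEN; i++)
        if (GENUINE[i] < threshold) rejected++;
    return (double)rejected / N_GEN;
}

/* Sweep the threshold and return the one where FAR and FRR are closest;
 * *eer receives the error rate at that crossover point. */
int find_eer(double *eer) {
    int best_t = 0;
    double best_gap = 2.0;
    for (int t = 0; t <= 100; t++) {
        double fa = far_at(t), fr = frr_at(t);
        double gap = fa > fr ? fa - fr : fr - fa;
        if (gap < best_gap) { best_gap = gap; best_t = t; *eer = (fa + fr) / 2.0; }
    }
    return best_t;
}

int main(void) {
    double eer = 0.0;
    int t = find_eer(&eer);
    printf("threshold  FAR    FRR\n");
    for (int th = 40; th <= 80; th += 10)
        printf("%9d  %.3f  %.3f\n", th, far_at(th), frr_at(th));
    printf("EER ~ %.3f at threshold %d\n", eer, t);
    return 0;
}
```

Raising the threshold lowers FAR and raises FRR; the EER is only a single summary of that trade-off. A deployment protecting something valuable sets the threshold above the crossover to buy a lower FAR at the cost of more rejected legitimate users, and it also needs the failure-to-enroll rate, which this calculation cannot show.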

Q: Gimmes often work through:
A. SMS
B. IRC chat
C. email attachment
D. news attachment
E. email file download
Answer: C

Q: Which of the following types of attack often take advantage of curiosity or greed to deliver malware?
A. Gimmes
B. Tripwire
C. Icing
D. Soft coding
E. Pretexting
Answer: A

Q: A phishing attack works primarily through:
A. email and hyperlinks
B. SMS
C. chat
D. email attachment
E. news
Answer: A

Q: Why is it not preferable for a firewall to treat each network frame or packet in isolation?
A. Such a firewall has no way of knowing whether any given packet is part of an existing connection, is trying to establish a new connection, or is just a rogue packet.
B. Such a firewall is costly to set up.
C. Such a firewall is too complicated to maintain.
D. Such a firewall is CPU hungry.
E. Such a firewall offers poor compatibility.
Answer: A

Q: A major portion of what is required to address nonrepudiation is accomplished through the use of:
A. strong methods for authentication and ensuring data validity
B. strong methods for authentication and ensuring data integrity
C. strong methods for authorization and ensuring data integrity
D. strong methods for authentication and ensuring data reliability
E. None of the choices
Answer: B

Q: A screening router inspects traffic by examining the:
A. message header
B. virus payload
C. message content
D. attachment type
E. None of the choices
Answer: A

Q: Which of the following can be thought of as the simplest and almost cheapest type of firewall?
A. stateful firewall
B. hardware firewall
C. PIX firewall
D. packet filter
E. None of the choices
Answer: D

Q: Within a virus, which component is responsible for what the virus does to the victim file?
A. the payload
B. the signature
C. the trigger
D. the premium
E. None of the choices
Answer: A

Q: A virus typically consists of what major parts (choose all that apply):
A. a mechanism that allows it to infect other files and reproduce, and a trigger that activates delivery of a "payload"
B. a payload
C. a signature
D. None of the choices
Answer: A
Explanation: A virus typically consists of three parts: a mechanism that allows it to infect other files and reproduce, a trigger that activates delivery of a "payload", and the payload, from which the virus often gets its name. The payload is what the virus does to the victim file.

Q: You should keep all computer rooms at reasonable humidity levels, which are between:
A. 20 – 70 percent
B. 10 – 70 percent
C. 10 – 60 percent
D. 70 – 90 percent
E. 60 – 80 percent
Answer: A

Q: You should keep all computer rooms at reasonable temperatures, which are between (choose all that apply):
A. 60 – 75 degrees Fahrenheit
B. 10 – 25 degrees Celsius
C. 30 – 45 degrees Fahrenheit
D. 1 – 15 degrees Celsius
E. 20 – 35 degrees Fahrenheit
Answer: A

Q: Which of the following is a good time frame for making changes to passwords?
A. every 180 to 365 days
B. every 30 to 45 days
C. every 10 to 20 days
D. every 90 to 120 days
E. None of the choices
Answer: D
Note: this key reflects older practice. Current NIST guidance (SP 800-63B) advises against forcing periodic password changes and recommends changing a password when there is evidence it has been compromised.

Q: Which of the following is a good tool to use to help enforce the deployment of good passwords?
A. password cracker
B. local DoS attacker
C. network hacker tool
D. remote windowing
E. None of the choices
Answer: A

Q: What is the recommended minimum length of a good password?
A. 6 characters
B. 8 characters
C. 12 characters
D. 18 characters
E. 22 characters
Answer: B

Q: Which of the following are the characteristics of a good password?
A. It has mixed-case alphabetic characters, numbers, and symbols.
B. It has mixed-case alphabetic characters and numbers.
C. It has mixed-case alphabetic characters and symbols.
D. It has mixed-case alphabetic characters, numbers, and binary codes.
E. None of the choices
Answer: A

Q: Which of the following is often considered the first line of defense in protecting a typical data and information environment?
A. certificates
B. security token
C. password
D. biometrics
E. None of the choices
Answer: C

Q: What is wrong with a black-box type of intrusion detection system?
A. you cannot patch it
B. you cannot test it
C. you cannot examine its internal workings from outside
D. you cannot tune it
E. None of the choices
Answer: C

Q: What is the best defense against a distributed DoS attack?
A. patch your systems
B. run a virus checker
C. run anti-spyware software
D. find the DoS program and kill it
E. None of the choices
Answer: A

Q: Which of the following are examples of tools for launching distributed DoS attacks (choose all that apply):
A. TFN
B. TFN2K
C. Trin00
D. Stacheldracht
E. Tripwire
Answer: A

Q: What is the best defense against local DoS attacks?
A. patch your systems
B. run a virus checker
C. run anti-spyware software
D. find this program and kill it
E. None of the choices
Answer: D

Q: Which of the following types of attack involves a program that creates an infinite loop, makes lots of copies of itself, and continues to open lots of files?
A. Local DoS attacks
B. Remote DoS attacks
C. Distributed DoS attacks
D. Local virus attacks
E. None of the choices
Answer: A

Q: Which of the following types of firewall treats each network frame or packet in isolation?
A. stateful firewall
B. hardware firewall
C. combination firewall
D. packet filtering firewall
E. stateless firewall
Answer: E
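The question above and the earlier one on why per-packet filtering is not preferable both come down to one missing piece of information: whether an inbound packet belongs to a connection an inside host actually opened. The C program below is an added example written for this page, not code from the question bank. It models a stateless filter that can only trust the ACK bit to recognise "established" traffic, and a stateful filter with a connection table, and runs both over constructed traffic: a legitimate outbound connection plus its reply, then an unsolicited outside packet with ACK set. The addresses, ports and the rule that 10.0.0.0/8 is the inside network are assumptions of the example.

```c
/* Added example for this page (not from the question bank): why a filter
 * that judges each packet in isolation cannot tell a reply from a rogue
 * packet, and what connection tracking adds. Addresses, ports and the
 * "10.0.0.0/8 is inside" policy are assumptions made for the demo. */
#include <stdint.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

#define FL_SYN 0x02
#define FL_ACK 0x10
#define MAX_CONN 32

typedef struct {
    uint32_t src, dst;      /* IPv4 addresses as 32-bit integers */
    uint16_t sport, dport;
    uint8_t  flags;         /* TCP flag bits */
} packet_t;

typedef struct { packet_t key; bool used; } conn_t;
typedef struct { conn_t table[MAX_CONN]; } state_t;

static uint32_t ip4(int a, int b, int c, int d) {
    return ((uint32_t)a << 24) | ((uint32_t)b << 16) | ((uint32_t)c << 8) | (uint32_t)d;
}
static bool is_internal(uint32_t a) { return (a >> 24) == 10; }   /* assumed inside net */

/* Stateless filter: only the packet in hand is available. The classic way to
 * let replies back in is to trust the ACK bit, but any sender can set it. */
bool stateless_allow(const packet_t *p) {
    if (is_internal(p->src) && !is_internal(p->dst))
        return true;                               /* outbound: allowed */
    if (!is_internal(p->src) && is_internal(p->dst))
        return (p->flags & FL_ACK) != 0;           /* inbound: "looks established" */
    return false;
}

static bool same_flow(const packet_t *a, const packet_t *b) {
    return a->src == b->src && a->dst == b->dst &&
           a->sport == b->sport && a->dport == b->dport;
}
static bool tracked(const state_t *s, const packet_t *key) {
    for (int i = 0; i < MAX_CONN; i++)
        if (s->table[i].used && same_flow(&s->table[i].key, key)) return true;
    return false;
}
static void track(state_t *s, const packet_t *p) {
    for (int i = 0; i < MAX_CONN; i++)
        if (!s->table[i].used) { s->table[i].key = *p; s->table[i].used = true; return; }
}

/* Stateful filter: records outbound connection openings and admits an
 * inbound packet only if it reverses a tracked flow. */
bool stateful_allow(state_t *s, const packet_t *p) {
    if (is_internal(p->src) && !is_internal(p->dst)) {
        if ((p->flags & FL_SYN) && !(p->flags & FL_ACK)) track(s, p);  /* new connection */
        return true;
    }
    if (!is_internal(p->src) && is_internal(p->dst)) {
        packet_t rev = { p->dst, p->src, p->dport, p->sport, 0 };
        return tracked(s, &rev);
    }
    return false;
}

/* Constructed traffic: an inside host opens a TLS connection and receives the
 * SYN/ACK; then an outside host sends an unsolicited ACK to port 3389.
 * Returns 1 if the legitimate reply passed both filters; the rogue packet's
 * verdicts are written to the two output flags. */
int demo_rogue_ack(bool *stateless_verdict, bool *stateful_verdict) {
    state_t s;
    memset(&s, 0, sizeof s);
    packet_t syn   = { ip4(10, 0, 0, 5),     ip4(203, 0, 113, 9), 40000, 443,   FL_SYN };
    packet_t reply = { ip4(203, 0, 113, 9),  ip4(10, 0, 0, 5),    443,   40000, FL_SYN | FL_ACK };
    packet_t rogue = { ip4(198, 51, 100, 7), ip4(10, 0, 0, 5),    4444,  3389,  FL_ACK };
    stateless_allow(&syn);
    stateful_allow(&s, &syn);
    bool reply_ok = stateless_allow(&reply) && stateful_allow(&s, &reply);
    *stateless_verdict = stateless_allow(&rogue);
    *stateful_verdict  = stateful_allow(&s, &rogue);
    return reply_ok;
}

int main(void) {
    bool sl, sf;
    int ok = demo_rogue_ack(&sl, &sf);
    printf("legitimate reply accepted by both: %s\n", ok ? "yes" : "no");
    printf("rogue ACK: stateless=%s stateful=%s\n", sl ? "ACCEPT" : "DROP", sf ? "ACCEPT" : "DROP");
    return 0;
}
```

The stateless filter passes the rogue ACK because the packet alone carries nothing that distinguishes it from a reply; the stateful filter drops it because no inside host opened that flow. Real connection trackers also age entries out and follow the TCP state machine (FIN/RST), which this table omits.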

Q: Squid is an example of:
A. IDS
B. caching proxy
C. security proxy
D. connection proxy
E. dialer proxy
Answer: B

Q: With deep packet inspection, which of the following OSI layers are involved?
A. Layer 2 through Layer 7
B. Layer 3 through Layer 7
C. Layer 2 through Layer 6
D. Layer 3 through Layer 6
E. Layer 2 through Layer 5
Answer: A

Q: Pretexting is an act of:
A. DoS
B. social engineering
C. eavesdropping
D. soft coding
E. hard coding
F. None of the choices
Answer: B

Q: Which of the following refers to the act of creating and using an invented scenario to persuade a target to perform an action?
A. Pretexting
B. Backgrounding
C. Check making
D. Bounce checking
E. None of the choices
Answer: A

Q: Relatively speaking, firewalls operated at the physical level of the seven-layer OSI model are:
A. almost always less efficient
B. almost always less effective
C. almost always less secure
D. almost always less costly to set up
E. None of the choices
Answer: E

Q: Relatively speaking, firewalls operated at the application level of the seven-layer OSI model are:
A. almost always less efficient
B. almost always less effective
C. almost always less secure
D. almost always less costly to set up
E. None of the choices
Answer: A

Q: All social engineering techniques are based on flaws in:
A. human logic
B. hardware logic
C. software logic
D. device logic
E. group logic
Answer: A

Q: Which of the following may be deployed in a network as lower-cost surveillance and early-warning tools?
A. Honeypots
B. Hardware IPSs
C. Hardware IDSs
D. Botnets
E. Stateful inspection firewalls
Answer: A

Q: Introducing inhomogeneity to your network for the sake of robustness would have which of the following drawbacks?
A. poorer performance
B. poor scalability
C. weak infrastructure
D. high costs in terms of training and maintenance
E. None of the choices
Answer: D

Q: Which of the following is an oft-cited cause of vulnerability of networks?
A. software monoculture
B. software diversification
C. single line of defense
D. multiple DMZs
E. None of the choices
Answer: A

Q: Which of the following software tools is often used for stealing money from an infected PC's owner by taking control of the modem?
A. System patcher
B. Porn dialer
C. War dialer
D. T1 dialer
E. T3 dialer
F. None of the choices
Answer: B

Q: In a botnet, a malbot logs into a particular type of system for making coordinated attack attempts. What type of system is this?
A. Chat system
B. SMS system
C. Email system
D. Log system
E. Kernel system
Answer: A

Q: In order to coordinate the activity of many infected computers, attackers have used coordinating systems known as:
A. wormnets
B. trojannets
C. spynets
D. botnets
E. rootnets
Answer: D

Q: To install backdoors, hackers generally prefer to use:
A. either a Trojan horse or a computer worm
B. either Tripwire or a computer virus
C. either an eavesdropper or a computer worm
D. either a Trojan horse or an eavesdropper
E. None of the choices
Answer: A

Q: Which of the following refers to a method of bypassing normal system authentication procedures?
A. virus
B. worm
C. Trojan horse
D. spyware
E. rootkits
F. backdoor
Answer: F

Q: Which of the following terms is used more generally for describing concealment routines in a malicious program?
A. virus
B. worm
C. Trojan horse
D. spyware
E. rootkits
F. backdoor
Answer: E

Q: Broadly speaking, a Trojan horse is any program that invites the user to run it, but conceals a harmful or malicious payload. The payload may take effect immediately and can lead to immediate yet undesirable effects, or more commonly it may install further harmful software into the user's system to serve the creator's longer-term goals.
A. True
B. False
Answer: A
Explanation: Broadly speaking, a Trojan horse is any program that invites the user to run it, but conceals a harmful or malicious payload. The payload may take effect immediately and can lead to immediate yet undesirable effects, or more commonly it may install further harmful software into the user's system to serve the creator's longer-term goals. (The key as extracted read "False", which contradicts the explanation; the statement is the standard definition and the answer is True.)

Q: Which of the following refers to any program that invites the user to run it but conceals a harmful or malicious payload?
A. virus
B. worm
C. Trojan horse
D. spyware
E. rootkits
Answer: C

Q: Which of the following are valid examples of malware (choose all that apply):
A. viruses
B. worms
C. Trojan horses
D. spyware
E. All of the above
Answer: E
Explanation: Malware is software designed to infiltrate or damage a computer system without the owner's informed consent. Software is considered malware based on the intent of the creator rather than any particular features. It includes computer viruses, worms, Trojan horses, spyware, adware, and other malicious and unwanted software.

Q: Software is considered malware based on:
A. the intent of the creator
B. its particular features
C. its location
D. its compatibility
E. None of the choices
Answer: A

Q: Host-based ILD&P primarily addresses the issue of:
A. information integrity
B. information accuracy
C. information validity
D. information leakage
E. None of the choices
Answer: D

Q: Network ILD&P systems are typically installed:
A. on the organization's internal network connection
B. on the organization's internet network connection
C. on each end-user station
D. on the firewall
E. None of the choices
Answer: B

Q: Which of the following terms refers to systems designed to detect and prevent the unauthorized transmission of information from the computer systems of an organization to outsiders?
A. ILD&P
B. ICT&P
C. ILP&C
D. ILR&D
E. None of the choices
Answer: A
Note: ILD&P (information leakage detection and prevention) is the term now usually replaced by DLP (data loss prevention).

Which of the A. B. C. D. C. E.
following format string integer code command code None of the
types of vulnerabiliti overflow injection injection injection choices.
attack works es
by taking
advantage of
the
unenforced
and
uncheckedas
sumptions
the system
makes about
its inputs?
Integer A. B. C. D. E. E.
overflow string debug output input arithmetic arithmetic
occurs formatting operations formatting verifications operations operations
primarily
with:

Which of the A. B. C. D. A. E.
following C functions C functions C functions VB functions C functions SQL
kinds of that perform that perform that perform that perform that perform functions
function are output integer real number integer output that perform
particularly formatting computation subtraction conversion formatting string
vulnerable conversion
to format
string
attacks?

Which of the A. B. C. D. B. E.
following buffer format string integer code format string command
types of overflows vulnerabiliti overflow injection vulnerabiliti injection
attack makes es es
use of
unfiltered
user input as
the format
string
parameter in
the
printf()
function of
the C
language?
Which of the A. B. C. D. A. E.
following Sufficient Sufficient Sufficient Sufficient Sufficient None of the
measures bounds memory processing code bounds choices.
can checking capability injection checking
effectively
minimize the
possibility of
buffer
overflows?

Buffer A. B. C. D. C. E.
overflow system network system disk storage system None of the
aims processor firewall memory memory choices.
primarily at
corrupting:

Which of the A. B. C. D. A. E.
following buffer format string integer code buffer None of the
refers to an overflow vulnerabiliti misappropri injection overflow choices.
anomalous es ation
condition
where a
process
attempts to
store data
beyond the
boundaries
of a fixed
length
buffer?
Q: ALL computer programming languages are vulnerable to command injection attack.
A. True
B. False
Answer: B. False
Explanation: The majority of software vulnerabilities result from a few known kinds of coding defects. Common software defects include buffer overflows, format string vulnerabilities, integer overflow, and code/command injection. Some common languages such as C and C++ are vulnerable to all of these defects. Languages such as Java are immune

Q: The majority of software vulnerabilities result from a few known kinds of coding defects, such as (choose all that apply):
A. buffer overflows
B. format string vulnerabilities
C. integer overflow
D. code injection
E. command injection
Answer: A. buffer overflows

Q: Nowadays, computer security comprises mainly “preventive” measures.
A. True
B. True only for trusted networks
C. True only for untrusted networks
D. False
E. None of the choices.
Answer: A. True

Q: Which of the following are designed to detect network attacks in progress and assist in post-attack forensics?
A. Intrusion Detection Systems
B. Audit trails
C. System logs
D. Tripwire
E. None of the choices.
Answer: A. Intrusion Detection Systems

Q: Which of the following is by far the most common prevention system from a network security perspective?
A. Firewall
B. IDS
C. IPS
D. Hardened OS
E. Tripwire
Answer: A. Firewall

Q: Which of the following measures can protect systems files and data, respectively?
A. User account access controls and cryptography
B. User account access controls and firewall
C. User account access controls and IPS
D. IDS and cryptography
E. Firewall and cryptography
Answer: A. User account access controls and cryptography

Q: You may reduce a cracker’s chances of success by (choose all that apply):
A. keeping your systems up to date using a security scanner.
B. hiring competent people responsible for security to scan and update your systems.
C. using multiple firewalls.
D. using multiple firewalls and IDS.
E. None of the choices.
Answer: A. keeping your systems up to date using a security scanner.

Q: Why is one-time pad not always preferable for encryption (choose all that apply):
A. it is difficult to use securely.
B. it is highly inconvenient to use.
C. it requires licensing fee.
D. it requires internet connectivity.
E. it is Microsoft only.
Answer: A. it is difficult to use securely.

Q: Which of the following encryption methods uses a matching pair of key-codes, securely distributed, which are used once-and-only-once to encode and decode a single message?
A. Blowfish
B. Tripwire
C. certificate
D. DES
E. one-time pad
Answer: E. one-time pad

Q: Which of the following methods of encryption has been proven to be almost unbreakable when correctly used?
A. key pair
B. Oakley
C. certificate
D. 3-DES
E. one-time pad
Answer: E. one-time pad

Q: Which of the following types of attack almost always requires physical access to the targets?
A. Direct access attack
B. Wireless attack
C. Port attack
D. Window attack
E. System attack
Answer: A. Direct access attack

Q: Which of the following types of attack makes use of common consumer devices that can be used to transfer data surreptitiously?
A. Direct access attacks
B. Indirect access attacks
C. Port attack
D. Window attack
E. Social attack
Answer: A. Direct access attacks

Q: Which of the following will replace system binaries and/or hook into the function calls of the operating system to hide the presence of other programs (choose the most precise answer)?
A. rootkits
B. virus
C. trojan
D. tripwire
E. None of the choices.
Answer: A. rootkits

Q: Back Orifice is an example of:
A. a virus.
B. a legitimate remote control software.
C. a backdoor that takes the form of an installed program.
D. an eavesdropper.
E. None of the choices.
Answer: C. a backdoor that takes the form of an installed program.

Q: Attack amplifier is often being HEAVILY relied upon by which of the following types of attack?
A. Packet dropping
B. ToS
C. DDoS
D. ATP
E. Wiretapping
Answer: C. DDoS

Q: A computer system is no more secure than the human systems responsible for its operation. Malicious individuals have regularly penetrated well-designed, secure computer systems by taking advantage of the carelessness of trusted individuals, or by deliberately deceiving them. Zombie computers are being HEAVILY relied upon
A. Eavesdropping
B. DoS
C. DDoS
D. ATP
E. Social Engineering
Answer: C. DDoS

Q: Human error is being HEAVILY relied upon by which of the following types of attack?
A. Eavesdropping
B. DoS
C. DDoS
D. ATP
E. Social Engineering
Answer: E. Social Engineering

Q: TEMPEST is a hardware for which of the following purposes?
A. Eavesdropping
B. Social engineering
C. Virus scanning
D. Firewalling
E. None of the choices.
Answer: A. Eavesdropping

Q: Machines that operate as a closed system can NEVER be eavesdropped.
A. True
B. False
Answer: B. False
Explanation: Any data that is transmitted over a network is at some risk of being eavesdropped, or even modified by a malicious person. Even machines that operate as a closed system can be eavesdropped upon via monitoring the faint electromagnetic transmissions generated by the hardware such as TEMPEST.

Q: Codes from exploit programs are frequently reused in:
A. trojan horses only.
B. computer viruses only.
C. OS patchers.
D. eavesdroppers.
E. trojan horses and computer viruses.
Answer: E. trojan horses and computer viruses.
Q: Which of the following terms generally refers to small programs designed to take advantage of a software flaw that has been discovered?
A. exploit
B. patch
C. quick fix
D. service pack
E. malware
Answer: A. exploit

Q: The ‘trusted systems’ approach has been predominant in the design of:
A. many earlier Microsoft OS products
B. the IBM AS/400 series
C. the SUN Solaris series
D. most OS products in the market
E. None of the choices.
Answer: A. many earlier Microsoft OS products

Q: Security should ALWAYS be an all or nothing issue.
A. True
B. True for trusted systems only
C. True for untrusted systems only
D. False
E. None of the choices.
Answer: D. False

Q: Under the concept of “defense in depth”, subsystems should be designed to:
A. “fail insecure”
B. “fail secure”
C. “react to attack”
D. “react to failure”
E. None of the choices.
Answer: B. “fail secure”

Q: Which of the following refers to the proving of mathematical theorems by a computer program?
A. Analytical theorem proving
B. Automated technology proving
C. Automated theorem processing
D. Automated theorem proving
E. None of the choices.
Answer: D. Automated theorem proving

Q: Talking about the different approaches to security in computing, the principle of regarding the computer system itself as largely an untrusted system emphasizes:
A. most privilege
B. full privilege
C. least privilege
D. null privilege
E. None of the choices.
Answer: C. least privilege

Q: Default permit is only a good approach in an environment where:
A. security threats are non-existent or negligible.
B. security threats are non-negligible.
C. security threats are serious and severe.
D. users are trained.
E. None of the choices.
Answer: A. security threats are non-existent or negligible.

Q: Everything not explicitly permitted is forbidden has which of the following kinds of tradeoff?
A. it improves security at a cost in functionality.
B. it improves functionality at a cost in security.
C. it improves security at a cost in system performance.
D. it improves performance at a cost in functionality.
E. None of the choices.
Answer: A. it improves security at a cost in functionality.

Q: A medium-sized organization, whose IT disaster recovery measures have been in place and regularly tested for years, has just developed a formal business continuity plan (BCP). A basic BCP tabletop exercise has been performed successfully. Which testing should an IS auditor recommend be performed NEXT to verify the adequacy of
A. Full-scale test with relocation of all departments, including IT, to the contingency site
B. Walk-through test of a series of predefined scenarios with all critical personnel involved
C. IT disaster recovery test with business departments involved in testing the critical applications
D. Functional test of a scenario with limited IT involvement
Answer: D. Functional test of a scenario with limited IT involvement
Explanation: After a tabletop exercise has been performed, the next step would be a functional test, which includes the mobilization of staff to exercise the administrative and organizational functions of a recovery. Since the IT part of the recovery has been tested for years, it would be more efficient to verify and optimize the business continuity

Q: A financial services organization is developing and documenting business continuity measures. In which of the following cases would an IS auditor MOST likely raise an issue?
A. The organization uses good practice guidelines instead of industry standards and relies on external advisors to ensure the adequacy of the methodology.
B. The business continuity capabilities are planned around a carefully selected set of scenarios which describe events that might happen with a reasonable probability.
C. The recovery time objectives (RTOs) do not take IT disaster recovery constraints into account, such as personnel or system dependencies during the recovery phase.
D. The organization plans to rent a shared alternate site with emergency workplaces which has only enough room for half of the normal staff.
Answer: B. The business continuity capabilities are planned around a carefully selected set of scenarios which describe events that might happen with a reasonable probability.
Explanation: It is a common mistake to use scenario planning for business continuity. The problem is that it is impossible to plan and document actions for every possible scenario. Planning for just selected scenarios denies the fact that even improbable events can cause an organization to break down. Best practice planning addresses the four

Q: To optimize an organization’s business contingency plan (BCP), an IS auditor should recommend conducting a business impact analysis (BIA) in order to determine:
A. the business processes that generate the most financial value for the organization and therefore must be recovered first.
B. the priorities and order for recovery to ensure alignment with the organization’s business strategy.
C. the business processes that must be recovered following a disaster to ensure the organization’s survival.
D. the priorities and order of recovery which will recover the greatest number of systems in the shortest time frame.
Answer: C. the business processes that must be recovered following a disaster to ensure the organization’s survival.
Explanation: To ensure the organization’s survival following a disaster, it is important to recover the most critical business processes first, it is a common mistake to overemphasize value (A) rather than urgency. For example, while the processing of incoming mortgage loan payments is important from a financial perspective, it could be delayed for a few days in the

Q: An IS auditor can verify that an organization’s business continuity plan (BCP) is effective by reviewing the:
A. alignment of the BCP with industry best practices.
B. results of business continuity tests performed by IS and end-user personnel.
C. off-site facility, its contents, security and environmental controls.
D. annual financial cost of the BCP activities versus the expected benefit of implementation of the plan.
Answer: B. results of business continuity tests performed by IS and end-user personnel.
Explanation: The effectiveness of the business continuity plan (BCP) can best be evaluated by reviewing the results from previous business continuity tests for thoroughness and accuracy in accomplishing their stated objectives. All other choices do not provide the assurance of the effectiveness of the BCP.

Q: An organization has outsourced its wide area network (WAN) to a third-party service provider. Under these circumstances, which of the following is the PRIMARY task the IS auditor should perform during an audit of business continuity (BCP) and disaster recovery planning (DRP)?
A. Review whether the service provider’s BCP process is aligned with the organization’s BCP and contractual obligations.
B. Review whether the service level agreement (SLA) contains a penalty clause in case of failure to meet the level of service in case of a disaster.
C. Review the methodology adopted by the organization in choosing the service provider.
D. Review the accreditation of the third-party service provider’s staff.
Answer: A. Review whether the service provider’s BCP process is aligned with the organization’s BCP and contractual obligations.
Explanation: Reviewing whether the service provider’s business continuity plan (BCP) process is aligned with the organization’s BCP and contractual obligations is the correct answer since an adverse effect or disruption to the business of the service provider has a direct bearing on the organization and its customers. Reviewing whether the service level

Q: While observing a full simulation of the business continuity plan, an IS auditor notices that the notification systems within the organizational facilities could be severely impacted by infrastructural damage. The BEST recommendation the IS auditor can provide to the organization is to ensure:
A. the salvage team is trained to use the notification system.
B. the notification system provides for the recovery of the backup.
C. redundancies are built into the notification system.
D. the notification systems are stored in a vault.
Answer: C. redundancies are built into the notification system.
Explanation: If the notification system has been severely impacted by the damage, redundancy would be the best control. The salvage team would not be able to use a severely damaged notification system, even if they are trained to use it. The recovery of the backups has no bearing on the notification system and storing the notification system in a vault would

Q: The activation of an enterprise’s business continuity plan should be based on predetermined criteria that address the:
A. duration of the outage.
B. type of outage.
C. probability of the outage.
D. cause of the outage.
Answer: A. duration of the outage.
Explanation: The initiation of a business continuity plan (action) should primarily be based on the maximum period for which a business function can be disrupted before the disruption threatens the achievement of organizational objectives.

Q: An organization has just completed their annual risk assessment. Regarding the business continuity plan, what should an IS auditor recommend as the next step for the organization?
A. Review and evaluate the business continuity plan for adequacy
B. Perform a full simulation of the business continuity plan
C. Train and educate employees regarding the business continuity plan
D. Notify critical contacts in the business continuity plan
Answer: A. Review and evaluate the business continuity plan for adequacy
Explanation: The business continuity plan should be reviewed every time a risk assessment is completed for the organization. Training of the employees and a simulation should be performed after the business continuity plan has been deemed adequate for the organization. There is no reason to notify the business continuity plan contacts at
Q: During a review of a business continuity plan, an IS auditor noticed that the point at which a situation is declared to be a crisis has not been defined. The MAJOR risk associated with this is that:
A. assessment of the situation may be delayed.
B. execution of the disaster recovery plan could be impacted.
C. notification of the teams might not occur.
D. potential crisis recognition might be ineffective.
Answer: B. execution of the disaster recovery plan could be impacted.
Explanation: Execution of the business continuity plan would be impacted if the organization does not know when to declare a crisis. Choices A, C and D are steps that must be performed to know whether to declare a crisis. Problem and severity assessment would provide information necessary in declaring a disaster. Once a potential crisis is recognized,

Q: During the design of a business continuity plan, the business impact analysis (BIA) identifies critical processes and supporting applications. This will PRIMARILY influence the:
A. responsibility for maintaining the business continuity plan.
B. criteria for selecting a recovery site provider.
C. recovery strategy.
D. responsibilities of key personnel.
Answer: C. recovery strategy.
Explanation: The most appropriate strategy is selected based on the relative risk level and criticality identified in the business impact analysis (BIA). The other choices are made after the selection or design of the appropriate recovery strategy.

Q: With respect to business continuity strategies, an IS auditor interviews key stakeholders in an organization to determine whether they understand their roles and responsibilities. The IS auditor is attempting to evaluate the:
A. clarity and simplicity of the business continuity plans.
B. adequacy of the business continuity plans.
C. effectiveness of the business continuity plans.
D. ability of IS and end-user personnel to respond effectively in emergencies.
Answer: A. clarity and simplicity of the business continuity plans.
Explanation: The IS auditor should interview key stakeholders to evaluate how well they understand their roles and responsibilities. When all stakeholders have a detailed understanding of their roles and responsibilities in the event of a disaster, an IS auditor can deem the business continuity plan to be clear and simple. To evaluate adequacy,

Q: The BEST method for assessing the effectiveness of a business continuity plan is to review the:
A. plans and compare them to appropriate standards.
B. results from previous tests.
C. emergency procedures and employee training.
D. offsite storage and environmental controls.
Answer: B. results from previous tests.
Explanation: Previous test results will provide evidence of the effectiveness of the business continuity plan. Comparisons to standards will give some assurance that the plan addresses the critical aspects of a business continuity plan but will not reveal anything about its effectiveness. Reviewing emergency procedures, offsite storage and environment

Q: Which of the following insurance types provide for a loss arising from fraudulent acts by employees?
A. Business interruption
B. Fidelity coverage
C. Errors and omissions
D. Extra expense
Answer: B. Fidelity coverage
Explanation: Fidelity insurance covers the loss arising from dishonest or fraudulent acts by employees. Business interruption insurance covers the loss of profit due to the disruption in the operations of an organization. Errors and omissions insurance provides legal liability protection in the event that the professional practitioner commits an act that results in

Q: Which of the following would be MOST important for an IS auditor to verify when conducting a business continuity audit?
A. Data backups are performed on a timely basis
B. A recovery site is contracted for and available as needed
C. Human safety procedures are in place
D. Insurance coverage is adequate and premiums are current
Answer: C. Human safety procedures are in place
Explanation: The most important element in any business continuity process is the protection of human life. This takes precedence over all other aspects of the plan.

Q: In the event of a disruption or disaster, which of the following technologies provides for continuous operations?
A. Load balancing
B. Fault-tolerant hardware
C. Distributed backups
D. High-availability computing
Answer: B. Fault-tolerant hardware
Explanation: Fault-tolerant hardware is the only technology that currently supports continuous, uninterrupted service. Load balancing is used to improve the performance of the server by splitting the work between several servers based on workloads. High-availability (HA) computing facilities provide a quick but not continuous

Q: In determining the acceptable time period for the resumption of critical business processes:
A. only downtime costs need to be considered.
B. recovery operations should be analyzed.
C. both downtime costs and recovery costs need to be evaluated.
D. indirect downtime costs should be ignored.
Answer: C. both downtime costs and recovery costs need to be evaluated.
Explanation: Both downtime costs and recovery costs need to be evaluated in determining the acceptable time period before the resumption of critical business processes. The outcome of the business impact analysis (BIA) should be a recovery strategy that represents the optimal balance. Downtime costs cannot be looked at in isolation.

Q: The PRIMARY objective of testing a business continuity plan is to:
A. familiarize employees with the business continuity plan.
B. ensure that all residual risks are addressed.
C. exercise all possible disaster scenarios.
D. identify limitations of the business continuity plan.
Answer: D. identify limitations of the business continuity plan.
Explanation: Testing the business continuity plan provides the best evidence of any limitations that may exist. Familiarizing employees with the business continuity plan is a secondary benefit of a test. It is not cost effective to address residual risks in a business continuity plan, and it is not practical to test all possible disaster scenarios.

Q: The optimum business continuity strategy for an entity is determined by the:
A. lowest downtime cost and highest recovery cost.
B. lowest sum of downtime cost and recovery cost.
C. lowest recovery cost and highest downtime cost.
D. average of the combined downtime and recovery cost.
Answer: B. lowest sum of downtime cost and recovery cost.
Explanation: Both costs have to be minimized, and the strategy for which the costs are lowest is the optimum strategy. The strategy with the highest recovery cost cannot be the optimum strategy. The strategy with the highest downtime cost cannot be the optimum strategy. The average of the combined downtime and recovery cost will be higher

Q: Management considered two projections for its business continuity plan; plan A with two months to recover and plan B with eight months to recover. The recovery objectives are the same in both plans. It is reasonable to expect that plan B projected higher:
A. downtime costs.
B. resumption costs.
C. recovery costs.
D. walkthrough costs.
Answer: A. downtime costs.
Explanation: Since the recovery time is longer in plan B, resumption and recovery costs can be expected to be lower. Walkthrough costs are not a part of disaster recovery. Since the management considered a higher window for recovery in plan B, downtime costs included in the plan are likely to be higher.

Q: During an audit of a business continuity plan (BCP), an IS auditor found that, although all departments were housed in the same building, each department had a separate BCP. The IS auditor recommended that the BCPs be reconciled. Which of the following areas should be reconciled FIRST?
A. Evacuation plan
B. Recovery priorities
C. Backup storages
D. Call tree
Answer: A. Evacuation plan
Explanation: Protecting human resources during a disaster-related event should be addressed first. Having separate BCPs could result in conflicting evacuation plans, thus jeopardizing the safety of staff and clients. Choices B, C and D may be unique to each department and could be addressed separately, but still should be reviewed for possible
Q: When developing a business continuity plan (BCP), which of the following tools should be used to gain an understanding of the organization’s business processes?
A. Business continuity self-audit
B. Resource recovery analysis
C. Risk assessment
D. Gap analysis
Answer: C. Risk assessment
Explanation: Risk assessment and business impact assessment are tools for understanding business for business continuity planning. Business continuity self-audit is a tool for evaluating the adequacy of the BCP, resource recovery analysis is a tool for identifying a business resumption strategy, while the role gap analysis can play in business continuity
An IS auditor A. B. C. D. B. Explanation:
noted that Recommend Determine Accept the Recommend Determine Depending
an that an whether the BCPs as the creation whether the on the
organization additional BCPs are written. of a single BCPs are complexity
had comprehensi consistent. BCP. consistent. of the
adequate ve BCP be organization,
business developed. there could
continuity be more
plans (BCPs) than one
for each plan to
individual address
process, but various
no aspects
comprehensi of business
ve BCP. continuity
Which and disaster
would be recovery.
the BEST These do not
course of necessarily
action for have to be
the IS integrated
auditor? into one
single
plan;
however,
each plan
should be
consistent
with other
plans to
have a viable
business
continuity
planning
During a A. B. C. D. B. Explanation:
business recommend assess the report the redefine assess the The business
continuity that the BCP impact of findings to critical impact of impact
audit an IS cover all the the IT processes. the analysis
auditor business processes manager. processes needs to be
found that processes. not covered. not covered. either
the business updated or
continuity revisited to
plan (BCP) assess the
covered only risk of not
critical covering all
processes. processes in
The IS the plan. It is
auditor possible that
should: the cost of
including all
processes
might
exceed the
value of
those
processes;
therefore,
they should
not be
covered. An
IS auditor
should
substantiate
this by
analyzing
the risk.
Depending A. B. C. D. A. Explanation:
on the each plan is all plans are each plan is the each plan is Depending
complexity consistent integrated dependent sequence for consistent on the
of an with one into a single on one implementa with one complexity
organization’ another. plan. another. tion of all another. of an
s business plans is organization,
continuity defined. there could
plan (BCP), be more
the plan may than one
be plan to
developed address
as a set of various
more than aspects
one plan to of business
address continuity
various and disaster
aspects of recovery.
business These do not
continuity necessarily
and disaster have to be
recovery, in integrated
such into one
an single
environment plan.
, it is However,
essential each plan
that: has tobe
consistent
with other
plans to
have a viable
business
continuity
planning
While A. B. C. D. A. Explanation:
designing shadow file electronic hard-disk hot-site shadow file In shadow
the business processing. vaulting. mirroring. provisioning. processing. file
continuity processing,
plan (BCP) exact
for an airline duplicates of
reservation the files are
system, the maintained
MOST at the same
appropriate site or at a
method of remote site.
data The
transfer/bac two files are
kup at an processed
offsite concurrently
location . This is used
would be: for critical
data files,
such as
airline
booking
systems.
Electronic
vaulting
electronicall
y transmits
data either
to direct
access
storage, an
optical disc
or another
storage
medium;
After a full A. B. C. D. A. Explanation:
operational Perform an Broaden the Make increase the Perform an Performing
contingency integral processing improvemen amount of integral an
test, an IS review of capacity to ts in the human review of exhaustive
auditor the recovery gain facility’s resources the recovery review of
performs a tasks. recovery circulation involved in tasks. the recovery
review of time. structure. the tasks would
the recovery recovery. be
steps. The appropriate
auditor to identify
concludes the way
that the these tasks
time it took were
for the performed,
technologica identify the
l time
environment allocated to
and systems each of the
to return to steps
full- required to
functioning accomplish
exceeded recovery,
the required and
critical determine
recovery where
time. Which adjustments
of the can be
following made.
should the Choices B, C
auditor and D could
recommend be actions
? after the
described
review has
The A. B. C. D. D. Explanation:
PRIMARY safeguard provide for minimize the protect protect Since human
objective of critical IS continuity of loss to an human life. human life. life is
business assets. operations. organization. invaluable,
continuity the main
and disaster priority of
recovery any business
plans should continuity
be to: and disaster
recovery
plan should
be
to protect
people. All
other
priorities are
important
but are
secondary
objectives of
a business
continuity
and
disaster
recovery
plan.
Which of the A. B. C. D. D. Explanation:
following A hot site is A business insurance Media Media Without
would an IS contracted continuity coverage is backups are backups are data to
auditor for and manual is adequate performed performed process, all
consider to available as available and on a timely on a timely other
be the MOST needed. and current. premiums basis and basis and components
important to are current. stored stored of the
review when offsite. offsite. recovery
conducting a effort are in
business vain. Even in
continuity the absence
audit? of a plan,
recovery
efforts of
any type
would not
be practical
without data
to process.
To develop a A. B. C. D. C. Explanation:
successful Business Detailed Business Testing and Business End user
business recovery plan impact maintenance impact involvement
continuity strategy developmen analysis analysis is critical in
plan, end t (BIA) (BIA) the BIA
user phase.
involvement During this
is critical phase the
during which current
of the operations
following of the
phases? business
needs to be
understood
and the
impact on
the business
of various
disasters
must be
evaluated.
End users
are
the
appropriate
persons to
provide
relevant
information
for these
tasks,
inadequate
end user
involvement
Which of the A. B. C. D. B. Explanation:
following Document is Planning Approval by Audit by an Planning The
would circulated to involves all senior external IS involves all involvement
contribute all user managemen auditor user of user
MOST to an interested departments t departments departments
effective parties in the BCP is
business crucial for
continuity the
plan (BCP)? identificatio
n of the
business
processing
priorities.
The BCP
circulation
will ensure
that the BCP
document is
received by
all users.
Though
essential,
this does not
contribute
significantly
to the
success of
the BCP. A
BCP
approved by
senior
managemen
t would
not ensure
Which of the A. B. C. D. D. Explanation:
following Verify Review the Perform a Update the Update the An IS assets
activities compatibility implementa walk- IS assets IS assets inventory is
should the with the hot tion report. through of inventory. inventory. the basic
business site. the disaster input for the
continuity recovery business
manager plan. continuity/di
perform saster
FIRST after recovery
the plan, and
replacement the plan
of hardware must
at the be updated
primary to reflect
information changes in
processing the IS
facility? infrastructur
e. The other
choices are
procedures
required to
update the
disaster
recovery
plan after
having
updated the
required
assets
inventory.
Question: As part of the business continuity planning process, which of the following should be identified FIRST in the business impact analysis?
A. Organizational risks, such as single point-of-failure and infrastructure risk
B. Threats to critical business processes
C. Critical business processes for ascertaining the priority for recovery
D. Resources required for resumption of business
Answer: C. Critical business processes for ascertaining the priority for recovery
Explanation: The identification of the priority for recovering critical business processes should be addressed first. Organizational risks should be identified next, followed by the identification of threats to critical business processes. Identification of resources for business resumption will occur after the tasks mentioned.
Question: An IS auditor has audited a business continuity plan (BCP). Which of the following findings is the MOST critical?
A. Nonavailability of an alternate private branch exchange (PBX) system
B. Absence of a backup for the network backbone
C. Lack of backup systems for the users' PCs
D. Failure of the access card system
Answer: B. Absence of a backup for the network backbone
Explanation: Failure of a network backbone will result in the failure of the complete network and impact the ability of all users to access information on the network. The nonavailability of an alternate PBX system will result in users not being able to make or receive telephone calls or faxes; however, users may have alternate means of
Question: Which of the following is an appropriate test method to apply to a business continuity plan (BCP)?
A. Pilot
B. Paper
C. Unit
D. System
Answer: B. Paper
Explanation: A paper test is appropriate for testing a BCP. It is a walkthrough of the entire plan, or part of the plan, involving major players in the plan’s execution, who reason out what may happen in a particular disaster. Choices A, C and D are not appropriate for a BCP.
Question: After completing the business impact analysis (BIA), what is the next step in the business continuity planning process?
A. Test and maintain the plan.
B. Develop a specific plan.
C. Develop recovery strategies.
D. Implement the plan.
Answer: C. Develop recovery strategies.
Explanation: The next phase in the continuity plan development is to identify the various recovery strategies and select the most appropriate strategy for recovering from a disaster. After selecting a strategy, a specific plan can be developed, tested and implemented.
Question: Which of the following would have the HIGHEST priority in a business continuity plan (BCP)?
A. Resuming critical processes
B. Recovering sensitive processes
C. Restoring the site
D. Relocating operations to an alternative site
Answer: A. Resuming critical processes
Explanation: The resumption of critical processes has the highest priority as it enables business processes to begin immediately after the interruption and not later than the declared mean time between failure (MTBF). Recovery of sensitive processes refers to recovering the vital and sensitive processes that can be performed manually at a tolerable
Question: To address an organization’s disaster recovery requirements, backup intervals should not exceed the:
A. service level objective (SLO).
B. recovery time objective (RTO).
C. recovery point objective (RPO).
D. maximum acceptable outage (MAO).
Answer: C. recovery point objective (RPO).
Explanation: The recovery point objective (RPO) defines the point in time to which data must be restored after a disaster so as to resume processing transactions. Backups should be performed in a way that the latest backup is no older than this maximum time frame. If service levels are not met, the usual consequences are penalty payments, not
Question: A live test of a mutual agreement for IT system recovery has been carried out, including a four-hour test of intensive usage by the business units. The test has been successful, but gives only partial assurance that the:
A. system and the IT operations team can sustain operations in the emergency environment.
B. resources and the environment could sustain the transaction load.
C. connectivity to the actual remote site meets response time requirements.
D. workflow of actual business operations can use the emergency system in case of a disaster.
Answer: A. system and the IT operations team can sustain operations in the emergency environment.
Explanation: The applications have been intensively operated, therefore choices B, C and D have been actually tested, but the capability of the system and the IT operations team to sustain and support this environment (ancillary operations, batch closing, error corrections, output distribution, etc.) is only partially tested.
Question: The frequent updating of which of the following is key to the continued effectiveness of a disaster recovery plan (DRP)?
A. Contact information of key personnel
B. Server inventory documentation
C. Individual roles and responsibilities
D. Procedures for declaring a disaster
Answer: A. Contact information of key personnel
Explanation: In the event of a disaster, it is important to have a current updated list of personnel who are key to the operation of the plan. Choices B, C and D would be more likely to remain stable over time.
Question: Which of the following issues should be the GREATEST concern to the IS auditor when reviewing an IT disaster recovery test?
A. Due to the limited test time window, only the most essential systems were tested. The other systems were tested separately during the rest of the year.
B. During the test it was noticed that some of the backup systems were defective or not working, causing the test of these systems to fail.
C. The procedures to shut down and secure the original production site before starting the backup site required far more time than planned.
D. Every year, the same employees perform the test. The recovery plan documents are not used since every step is well known by all participants.
Answer: D. Every year, the same employees perform the test. The recovery plan documents are not used since every step is well known by all participants.
Explanation: A disaster recovery test should test the plan, processes, people and IT systems. Therefore, if the plan is not used, its accuracy and adequacy cannot be verified. Disaster recovery should not rely on key staff since a disaster can occur when they are not available. It is common that not all systems can be tested in a limited test time frame. It is
Question: An organization has a recovery time objective (RTO) equal to zero and a recovery point objective (RPO) close to 1 minute for a critical system. This implies that the system can tolerate:
A. a data loss of up to 1 minute, but the processing must be continuous.
B. a 1-minute processing interruption but cannot tolerate any data loss.
C. a processing interruption of 1 minute or more.
D. both a data loss and a processing interruption longer than 1 minute.
Answer: A. a data loss of up to 1 minute, but the processing must be continuous.
Explanation: The recovery time objective (RTO) measures an organization’s tolerance for downtime and the recovery point objective (RPO) measures how much data loss can be accepted. Choices B, C and D are incorrect since they exceed the RTO limits set by the scenario.
Question: During a disaster recovery test, an IS auditor observes that the performance of the disaster recovery site’s server is slow. To find the root cause of this, the IS auditor should FIRST review the:
A. event error log generated at the disaster recovery site.
B. disaster recovery test plan.
C. disaster recovery plan (DRP).
D. configurations and alignment of the primary and disaster recovery sites.
Answer: D. configurations and alignment of the primary and disaster recovery sites.
Explanation: Since the configuration of the system is the most probable cause, the IS auditor should review that first. If the issue cannot be clarified, the IS auditor should then review the event error log. The disaster recovery test plan and the disaster recovery plan (DRP) would not contain information about the system configuration.
Question: Regarding a disaster recovery plan, the role of an IS auditor should include:
A. identifying critical applications.
B. determining the external service providers involved in a recovery test.
C. observing the tests of the disaster recovery plan.
D. determining the criteria for establishing a recovery time objective (RTO).
Answer: C. observing the tests of the disaster recovery plan.
Explanation: The IS auditor should be present when disaster recovery plans are tested, to ensure that the test meets the targets for restoration, and the recovery procedures are effective and efficient. As appropriate, the auditor should provide a report of the test results. All other choices are a responsibility of management.
Question: A lower recovery time objective (RTO) results in:
A. higher disaster tolerance.
B. higher cost.
C. wider interruption windows.
D. more permissive data loss.
Answer: B. higher cost.
Explanation: A recovery time objective (RTO) is based on the acceptable downtime in case of a disruption of operations. The lower the RTO, the higher the cost of recovery strategies. The lower the disaster tolerance, the narrower the interruption windows, and the lesser the permissive data loss.
Question: When developing a disaster recovery plan, the criteria for determining the acceptable downtime should be the:
A. annualized loss expectancy (ALE).
B. service delivery objective.
C. quantity of orphan data.
D. maximum tolerable outage.
Answer: D. maximum tolerable outage.
Explanation: The recovery time objective is determined based on the acceptable downtime in case of a disruption of operations. It indicates the maximum tolerable outage that an organization considers to be acceptable before a system or process must resume following a disaster. Choice A is incorrect, because the acceptable downtime would not
Question: Due to changes in IT, the disaster recovery plan of a large organization has been changed. What is the PRIMARY risk if the new plan is not tested?
A. Catastrophic service interruption
B. High consumption of resources
C. Total cost of the recovery may not be minimized
D. Users and recovery teams may face severe difficulties when activating the plan
Answer: A. Catastrophic service interruption
Explanation: Choices B, C and D are all possible problems that might occur, and would cause difficulties and financial losses or waste of resources. However, if a new disaster recovery plan is not tested, the possibility of a catastrophic service interruption is the most critical of all risks.
Question: If the recovery time objective (RTO) increases:
A. the disaster tolerance increases.
B. the cost of recovery increases.
C. a cold site cannot be used.
D. the data backup frequency increases.
Answer: A. the disaster tolerance increases.
Explanation: The longer the recovery time objective (RTO), the higher the disaster tolerance and the lower the recovery cost. It cannot be concluded that a cold site is inappropriate or that the frequency of data backup would increase.
Question: An organization has a number of branches across a wide geographical area. To ensure that all aspects of the disaster recovery plan are evaluated in a cost effective manner, an IS auditor should recommend the use of a:
A. data recovery test.
B. full operational test.
C. posttest.
D. preparedness test.
Answer: D. preparedness test.
Explanation: A preparedness test should be performed by each local office/area to test the adequacy of the preparedness of local operations in the event of a disaster. This test should be performed regularly on different aspects of the plan and can be a cost-effective way to gradually obtain evidence of the plan’s adequacy. A data
Question: Of the following alternatives, the FIRST approach to developing a disaster recovery strategy would be to assess whether:
A. all threats can be completely removed.
B. a cost-effective, built-in resilience can be implemented.
C. the recovery time objective can be optimized.
D. the cost of recovery can be minimized.
Answer: B. a cost-effective, built-in resilience can be implemented.
Explanation: It is critical to initially identify information assets that can be made more resilient to disasters, e.g., diverse routing, alternate paths or multiple communication carriers. It is impossible to remove all existing and future threats. The optimization of the recovery time objective and efforts to minimize the cost of recovery come later in the
Question: Which of the following should be of MOST concern to an IS auditor reviewing the BCP?
A. The disaster levels are based on scopes of damaged functions, but not on duration.
B. The difference between low-level disaster and software incidents is not clear.
C. The overall BCP is documented, but detailed recovery steps are not specified.
D. The responsibility for declaring a disaster is not identified.
Answer: D. The responsibility for declaring a disaster is not identified.
Explanation: If nobody declares the disaster, the response and recovery plan would not be invoked, making all other concerns moot. Although failure to consider duration could be a problem, it is not as significant as scope, and neither is as critical as the need to have someone invoke the plan. The difference between incidents and low-level disasters is
Question: When auditing a disaster recovery plan for a critical business area, an IS auditor finds that it does not cover all the systems. Which of the following is the MOST appropriate action for the IS auditor?
A. Alert management and evaluate the impact of not covering all systems.
B. Cancel the audit.
C. Complete the audit of the systems covered by the existing disaster recovery plan.
D. Postpone the audit until the systems are added to the disaster recovery plan.
Answer: A. Alert management and evaluate the impact of not covering all systems.
Explanation: An IS auditor should make management aware that some systems are omitted from the disaster recovery plan. An IS auditor should continue the audit and include an evaluation of the impact of not including all systems in the disaster recovery plan. Cancelling the audit, ignoring the fact that some systems are not covered or postponing
Question: An organization has implemented a disaster recovery plan. Which of the following steps should be carried out next?
A. Obtain senior management sponsorship.
B. Identify business needs.
C. Conduct a paper test.
D. Perform a system restore test.
Answer: C. Conduct a paper test.
Explanation: A best practice would be to conduct a paper test. Senior management sponsorship and business needs identification should have been obtained prior to implementing the plan. A paper test should be conducted first, followed by system or full testing.
Question: A hot site should be implemented as a recovery strategy when the:
A. disaster tolerance is low.
B. recovery point objective (RPO) is high.
C. recovery time objective (RTO) is high.
D. disaster tolerance is high.
Answer: A. disaster tolerance is low.
Explanation: Disaster tolerance is the time gap during which the business can accept nonavailability of IT facilities. If this time gap is low, recovery strategies that can be implemented within a short period of time, such as a hot site, should be used. The RPO is the earliest point in time at which it is acceptable to recover the data. A high RPO means that the process can wait for
Question: Which of the following is the BEST method for determining the criticality of each application system in the production environment?
A. Interview the application programmers.
B. Perform a gap analysis.
C. Review the most recent application audits.
D. Perform a business impact analysis.
Answer: D. Perform a business impact analysis.
Explanation: A business impact analysis will give the impact of the loss of each application. Interviews with the application programmers will provide limited information related to the criticality of the systems. A gap analysis is only relevant to systems development and project management. The audits may not contain the required information or may not
Question: Which of the following provides the BEST evidence of an organization’s disaster recovery readiness?
A. A disaster recovery plan
B. Customer references for the alternate site provider
C. Processes for maintaining the disaster recovery plan
D. Results of tests and drills
Answer: D. Results of tests and drills
Explanation: Plans are important, but mere plans do not provide reasonable assurance unless tested. References for the alternate site provider and the existence and maintenance of a disaster recovery plan are important, but only tests and drills demonstrate the adequacy of the plans and provide reasonable assurance of an organization’
Question: Which of the following tasks should be performed FIRST when preparing a disaster recovery plan?
A. Develop a recovery strategy.
B. Perform a business impact analysis.
C. Map software systems, hardware and network components.
D. Appoint recovery teams with defined personnel, roles and hierarchy.
Answer: B. Perform a business impact analysis.
Explanation: The first step in any disaster recovery plan is to perform a business impact analysis. All other tasks come afterwards.
Question: The cost of ongoing operations when a disaster recovery plan is in place, compared to not having a disaster recovery plan, will MOST likely:
A. increase.
B. decrease.
C. remain the same.
D. be unpredictable.
Answer: A. increase.
Explanation: Due to the additional cost of disaster recovery planning (DRP) measures, the cost of normal operations for any organization will always increase after a DRP implementation, i.e., the cost of normal operations during a nondisaster period will be more than the cost of operations during a nondisaster period when no disaster recovery
Question: A financial institution that processes millions of transactions each day has a central communications processor (switch) for connecting to automated teller machines (ATMs). Which of the following would be the BEST contingency plan for the communications processor?
A. Reciprocal agreement with another organization
B. Alternate processor in the same location
C. Alternate processor at another network node
D. Installation of duplex communication links
Answer: C. Alternate processor at another network node
Explanation: The unavailability of the central communications processor would disrupt all access to the banking network. This could be caused by an equipment, power or communications failure. Reciprocal agreements make an organization dependent on the other organization and raise privacy, competition and regulatory issues. Having
Question: A disaster recovery plan for an organization’s financial system specifies that the recovery point objective (RPO) is no data loss and the recovery time objective (RTO) is 72 hours. Which of the following is the MOST cost-effective solution?
A. A hot site that can be operational in eight hours with asynchronous backup of the transaction logs
B. Distributed database systems in multiple locations updated asynchronously
C. Synchronous updates of the data and standby active systems in a hot site
D. Synchronous remote copy of the data in a warm site that can be operational in 48 hours
Answer: D. Synchronous remote copy of the data in a warm site that can be operational in 48 hours
Explanation: The synchronous copy of the storage achieves the RPO objective and a warm site operational in 48 hours meets the required RTO. Asynchronous updates of the database in distributed locations do not meet the RPO. Synchronous updates of the data and standby active systems in a hot site meet the RPO and RTO requirement
Question: A disaster recovery plan for an organization should:
A. reduce the length of the recovery time and the cost of recovery.
B. increase the length of the recovery time and the cost of recovery.
C. reduce the duration of the recovery time and increase the cost of recovery.
D. affect neither the recovery time nor the cost of recovery.
Answer: A. reduce the length of the recovery time and the cost of recovery.
Explanation: One of the objectives of a disaster recovery plan is to reduce the duration and cost of recovering from a disaster. A disaster recovery plan would increase the cost of operations before and after the disaster occurs, but should reduce the time to return to normal operations and the cost that could result from a disaster.
Question: An offsite information processing facility with electrical wiring, air conditioning and flooring, but no computer or communications equipment, is a:
A. cold site.
B. warm site.
C. dial-up site.
D. duplicate processing facility.
Answer: A. cold site.
Explanation: A cold site is ready to receive equipment but does not offer any components at the site in advance of the need. A warm site is an offsite backup facility that is partially configured with network connections and selected peripheral equipment, such as disk and tape units, controllers and CPUs, to operate an information processing facility. A duplicate information
Question: Which of the following must exist to ensure the viability of a duplicate information processing facility?
A. The site is near the primary site to ensure quick and efficient recovery.
B. The site contains the most advanced hardware available.
C. The workload of the primary site is monitored to ensure adequate backup is available.
D. The hardware is tested when it is installed to ensure it is working properly.
Answer: C. The workload of the primary site is monitored to ensure adequate backup is available.
Explanation: Resource availability must be assured. The workload of the site must be monitored to ensure that availability for emergency backup use is not impaired. The site chosen should not be subject to the same natural disaster as the primary site. In addition, a reasonable compatibility of hardware/software must exist to serve as a
Question: Which of the following disaster recovery/continuity plan components provides the GREATEST assurance of recovery after a disaster?
A. The alternate facility will be available until the original information processing facility is restored.
B. User management is involved in the identification of critical systems and their associated critical recovery times.
C. Copies of the plan are kept at the homes of key decision-making personnel.
D. Feedback is provided to management assuring them that the business continuity plans are indeed workable and that the procedures are current.
Answer: A. The alternate facility will be available until the original information processing facility is restored.
Explanation: The alternate facility should be made available until the original site is restored to provide the greatest assurance of recovery after a disaster. Without this assurance, the plan will not be successful. All other choices ensure prioritization or the execution of the plan.
Question: While reviewing the business continuity plan of an organization, an IS auditor observed that the organization’s data and software files are backed up on a periodic basis. Which characteristic of an effective plan does this demonstrate?
A. Deterrence
B. Mitigation
C. Recovery
D. Response
Answer: B. Mitigation
Explanation: An effective business continuity plan includes steps to mitigate the effects of a disaster. Files must be restored on a timely basis for a backup plan to be effective. An example of deterrence is when a plan includes installation of firewalls for information systems. An example of recovery is when a plan includes an organization’s hot site to restore
Question: The responsibilities of a disaster recovery relocation team include:
A. obtaining, packaging and shipping media and records to the recovery facilities, as well as establishing and overseeing an offsite storage schedule.
B. locating a recovery site, if one has not been predetermined, and coordinating the transport of company employees to the recovery site.
C. managing the relocation project and conducting a more detailed assessment of the damage to the facilities and equipment.
D. coordinating the process of moving from the hot site to a new location or to the restored original location.
Answer: D. coordinating the process of moving from the hot site to a new location or to the restored original location.
Explanation: Choice A describes an offsite storage team, choice B defines a transportation team and choice C defines a salvage team.
Question: There are several methods of providing telecommunications continuity. The method of routing traffic through split cable or duplicate cable facilities is called:
A. alternative routing.
B. diverse routing.
C. long-haul network diversity.
D. last-mile circuit protection.
Answer: B. diverse routing.
Explanation: Diverse routing routes traffic through split-cable facilities or duplicate-cable facilities. This can be accomplished with different and/or duplicate cable sheaths. If different cable sheaths are used, the cable may be in the same conduit and, therefore, subject to the same interruptions as the cable it is backing up.
Question: An IS auditor reviewing an organization’s IS disaster recovery plan should verify that it is:
A. tested every six months.
B. regularly reviewed and updated.
C. approved by the chief executive officer (CEO).
D. communicated to every department head in the organization.
Answer: B. regularly reviewed and updated.
Explanation: The plan should be reviewed at appropriate intervals, depending upon the nature of the business and the rate of change of systems and personnel. Otherwise, it may become out of date and may no longer be effective. The plan must be subjected to regular testing, but the period between tests will again depend on the nature of the organization
Question: Which of the following would BEST ensure continuity of a wide area network (WAN) across the organization?
A. Built-in alternative routing
B. Completing full system backup daily
C. A repair contract with a service provider
D. A duplicate machine alongside each server
Answer: A. Built-in alternative routing
Explanation: Alternative routing would ensure the network would continue if a server is lost or if a link is severed as message rerouting could be automatic. System backup will not afford immediate protection. The repair contract is not as effective as permanent alternative routing. Standby servers will not provide continuity if a link is severed
Question: Which of the following represents the GREATEST risk created by a reciprocal agreement for disaster recovery made between two companies?
A. Developments may result in hardware and software incompatibility.
B. Resources may not be available when needed.
C. The recovery plan cannot be tested.
D. The security infrastructures in each company may be different.
Answer: A. Developments may result in hardware and software incompatibility.
Explanation: If one organization updates its hardware and software configuration, it may mean that it is no longer compatible with the systems of the other party in the agreement. This may mean that each company is unable to use the facilities at the other company to recover their processing following a disaster. Resources being unavailable when needed are
Question: Facilitating telecommunications continuity by providing redundant combinations of local carrier T-1 lines, microwaves and/or coaxial cables to access the local communication loop:
A. last-mile circuit protection.
B. long-haul network diversity.
C. diverse routing.
D. alternative routing.
Answer: A. last-mile circuit protection.
Explanation: The method of providing telecommunication continuity through the use of many recovery facilities, providing redundant combinations of local carrier T-1s, microwave and/or coaxial cable to access the local communication loop in the event of a disaster, is called last-mile circuit protection. Providing diverse long-distance network availability utilizing T-1
Question: A large chain of shops with electronic funds transfer (EFT) at point-of-sale devices has a central communications processor for connecting to the banking network. Which of the following is the BEST disaster recovery plan for the communications processor?
A. Offsite storage of daily backups
B. Alternative standby processor onsite
C. Installation of duplex communication links
D. Alternative standby processor at another network node
Answer: D. Alternative standby processor at another network node
Explanation: Having an alternative standby processor at another network node would be the best solution. The unavailability of the central communications processor would disrupt all access to the banking network, resulting in the disruption of operations for all of the shops. This could be caused by failure of equipment, power or communicati
Question: The MAIN purpose for periodically testing offsite facilities is to:
A. protect the integrity of the data in the database.
B. eliminate the need to develop detailed contingency plans.
C. ensure the continued compatibility of the contingency facilities.
D. ensure that program and system documentation remains current.
Answer: C. ensure the continued compatibility of the contingency facilities.
Explanation: The main purpose of offsite hardware testing is to ensure the continued compatibility of the contingency facilities. Specific software tools are available to protect the ongoing integrity of the database. Contingency plans should not be eliminated and program and system documentation should be reviewed continuously for currency.
Question: Disaster recovery planning (DRP) for a company’s computer system usually focuses on:
A. operations turnover procedures.
B. strategic long-range planning.
C. the probability that a disaster will occur.
D. alternative procedures to process transactions.
Answer: D. alternative procedures to process transactions.
Explanation: It is important that disaster recovery identifies alternative processes that can be put in place while the system is not available.
Question: An IS auditor conducting a review of disaster recovery planning (DRP) at a financial processing organization has discovered the following:
• The existing disaster recovery plan was compiled two years earlier by a systems analyst in the organization’s IT department using transaction flow projections from the operations
A. take no action as the lack of a current plan is the only significant finding.
B. recommend that the hardware configuration at each site is identical.
C. perform a review to verify that the second configuration can support live processing.
D. report that the financial expenditure on the alternative site is wasted without an effective plan.
Answer: C. perform a review to verify that the second configuration can support live processing.
Explanation: An IS auditor does not have a finding unless it can be shown that the alternative hardware cannot support the live processing system. Even though the primary finding is the lack of a proven and communicated disaster recovery plan, it is essential that this aspect of recovery is included in the audit. If it is found to be inadequate, the finding
Question: An IS auditor conducting a review of disaster recovery planning (DRP) at a financial processing organization has discovered the following:
• The existing disaster recovery plan was compiled two years earlier by a systems analyst in the organization’s IT department using transaction flow projections from the operations
A. the deputy CEO be censured for their failure to approve the plan.
B. a board of senior managers is set up to review the existing plan.
C. the existing plan is approved and circulated to all key management and staff.
D. a manager coordinates the creation of a new or revised plan within a defined time limit.
Answer: D. a manager coordinates the creation of a new or revised plan within a defined time limit.
Explanation: The primary concern is to establish a workable disaster recovery plan, which reflects current processing volumes to protect the organization from any disruptive incident. Censuring the deputy CEO will not achieve this and is generally not within the scope of an IS auditor to recommend. Establishing a board to review the plan, which is two years out of
Question: Disaster recovery planning (DRP) addresses the:
A. technological aspect of business continuity planning.
B. operational piece of business continuity planning.
C. functional aspect of business continuity planning.
D. overall coordination of business continuity planning.
Answer: A. technological aspect of business continuity planning.
Explanation: Disaster recovery planning (DRP) is the technological aspect of business continuity planning. Business resumption planning addresses the operational part of business continuity planning.
Question: Which of the following is a practice that should be incorporated into the plan for testing disaster recovery procedures?
A. Invite client participation.
B. Involve all technical staff.
C. Rotate recovery managers.
D. Install locally-stored backup.
Answer: C. Rotate recovery managers.
Explanation: Recovery managers should be rotated to ensure the experience of the recovery plan is spread among the managers. Clients may be involved but not necessarily in every case. Not all technical staff should be involved in each test. Remote or offsite backup should always be used.

Question: An advantage of the use of hot sites as a backup alternative is that:
A. the costs associated with hot sites are low.
B. hot sites can be used for an extended amount of time.
C. hot sites can be made ready for operation within a short period of time.
D. they do not require that equipment and systems software be compatible with the primary site.
Answer: C. hot sites can be made ready for operation within a short period of time.
Explanation: Hot sites can be made ready for operation normally within hours. However, the use of hot sites is expensive, should not be considered as a long-term solution, and requires that equipment and systems software be compatible with the primary installation being backed up.

Question: An organization's disaster recovery plan should address early recovery of:
A. all information systems processes.
B. all financial processing applications.
C. only those applications designated by the IS manager.
D. processing in priority order, as defined by business management.
Answer: D. processing in priority order, as defined by business management.
Explanation: Business management should know which systems are critical and when they need to process well in advance of a disaster. It is management's responsibility to develop and maintain the plan. Adequate time will not be available for this determination once the disaster occurs. IS and the information processing facility are service

Question: An organization having a number of offices across a wide geographical area has developed a disaster recovery plan. Using actual resources, which of the following is the MOST cost-effective test of the disaster recovery plan?
A. Full operational test
B. Preparedness test
C. Paper test
D. Regression test
Answer: B. Preparedness test
Explanation: A preparedness test is performed by each local office/area to test the adequacy of the preparedness of local operations for disaster recovery. A paper test is a structured walk-through of the disaster recovery plan and should be conducted before a preparedness test. A full operational test is conducted after the paper and preparedness test. A

Question: Which of the following is the MOST reasonable option for recovering a noncritical system?
A. Warm site
B. Mobile site
C. Hot site
D. Cold site
Answer: D. Cold site
Explanation: Generally a cold site is contracted for a longer period at a lower cost. Since it requires more time to make a cold site operational, it is generally used for noncritical applications. A warm site is generally available at a medium cost, requires less time to become operational and is suitable for sensitive operations. A mobile site is

Question: After implementation of a disaster recovery plan, pre-disaster and post-disaster operational costs for an organization will:
A. decrease.
B. not change (remain the same).
C. increase.
D. increase or decrease depending upon the nature of the business.
Answer: C. increase.
Explanation: There are costs associated with all activities and disaster recovery planning (DRP) is not an exception. Although there are costs associated with a disaster recovery plan, there are unknown costs that are incurred if a disaster recovery plan is not implemented.

Question: The PRIMARY purpose of a business impact analysis (BIA) is to:
A. provide a plan for resuming operations after a disaster.
B. identify the events that could impact the continuity of an organization's operations.
C. publicize the commitment of the organization to physical and logical security.
D. provide the framework for an effective disaster recovery plan.
Answer: B. identify the events that could impact the continuity of an organization's operations.
Explanation: A business impact analysis (BIA) is one of the key steps in the development of a business continuity plan (BCP). A BIA will identify the diverse events that could impact the continuity of the operations of an organization.

Question: Which of the following recovery strategies is MOST appropriate for a business having multiple offices within a region and a limited recovery budget?
A. A hot site maintained by the business
B. A commercial cold site
C. A reciprocal arrangement between its offices
D. A third-party hot site
Answer: C. A reciprocal arrangement between its offices
Explanation: For a business having many offices within a region, a reciprocal arrangement among its offices would be most appropriate. Each office could be designated as a recovery site for some other office. This would be the least expensive approach to providing an acceptable level of confidence. A hot site maintained by the business would be a

Question: Which of the following is the GREATEST concern when an organization's backup facility is at a warm site?
A. Timely availability of hardware
B. Availability of heat, humidity and air conditioning equipment
C. Adequacy of electrical power connections
D. Effectiveness of the telecommunications network
Answer: A. Timely availability of hardware
Explanation: A warm site has the basic infrastructure facilities implemented, such as power, air conditioning and networking, but is normally lacking computing equipment. Therefore, the availability of hardware becomes a primary concern.

Question: A structured walk-through test of a disaster recovery plan involves:
A. representatives from each of the functional areas coming together to go over the plan.
B. all employees who participate in the day-to-day operations coming together to practice executing the plan.
C. moving the systems to the alternate processing site and performing processing operations.
D. distributing copies of the plan to the various functional areas for review.
Answer: B. all employees who participate in the day-to-day operations coming together to practice executing the plan.
Explanation: A structured walk-through test of a disaster recovery plan involves representatives from each of the functional areas coming together to review the plan to determine if the plan pertaining to their area is accurate and complete and can be implemented when required. Choice B is a simulation test to prepare and train the personnel who will be required to

Question: In a contract with a hot, warm or cold site, contractual provisions should cover which of the following considerations?
A. Physical security measures
B. Total number of subscribers
C. Number of subscribers permitted to use a site at one time
D. References by other users
Answer: C. Number of subscribers permitted to use a site at one time
Explanation: The contract should specify the number of subscribers permitted to use the site at any one time. Physical security measures are not a part of the contract, although they are an important consideration when choosing a third-party site. The total number of subscribers is not a consideration; what is important is whether the agreement limits the

Question: Which of the following is the MOST important consideration when defining recovery point objectives (RPOs)?
A. Minimum operating requirements
B. Acceptable data loss
C. Mean time between failures
D. Acceptable time for recovery
Answer: B. Acceptable data loss
Explanation: Recovery time objectives (RTOs) are the acceptable time delay in availability of business operations, while recovery point objectives (RPOs) are the level of data loss/reworking an organization is willing to accept. Mean time between failures and minimum operating requirements help in defining recovery strategies.

Question: Which of the following is the GREATEST risk when storage growth in a critical file server is not managed properly?
A. Backup time would steadily increase
B. Backup operational cost would significantly increase
C. Storage operational cost would significantly increase
D. Server recovery work may not meet the recovery time objective (RTO)
Answer: D. Server recovery work may not meet the recovery time objective (RTO)
Explanation: In case of a crash, recovering a server with an extensive amount of data could require a significant amount of time. If the recovery cannot meet the recovery time objective (RTO), there will be a discrepancy in IT strategies. It's important to ensure that server restoration can meet the RTO. Incremental backup would only take the backup of

Question: During an audit, an IS auditor notes that an organization's business continuity plan (BCP) does not adequately address information confidentiality during a recovery process. The IS auditor should recommend that the plan be modified to include:
A. the level of information security required when business recovery procedures are invoked.
B. information security roles and responsibilities in the crisis management structure.
C. information security resource requirements.
D. change management procedures for information security that could affect business continuity arrangements.
Answer: A. the level of information security required when business recovery procedures are invoked.
Explanation: Business should consider whether information security levels required during recovery should be the same, lower or higher than when business is operating normally. In particular, any special rules for access to confidential data during a crisis need to be identified. The other choices do not directly address the information confidentiality

Question: What is the BEST backup strategy for a large database with data supporting online sales?
A. Weekly full backup with daily incremental backup
B. Daily full backup
C. Clustered servers
D. Mirrored hard disks
Answer: A. Weekly full backup with daily incremental backup
Explanation: Weekly full backup and daily incremental backup is the best backup strategy; it ensures the ability to recover the database and yet reduces the daily backup time requirements. A full backup normally requires a couple of hours, and therefore it can be impractical to conduct a full backup every day. Clustered servers provide a redundant

Question: Which of the following backup techniques is the MOST appropriate when an organization requires extremely granular data restore points, as defined in the recovery point objective (RPO)?
A. Virtual tape libraries
B. Disk-based snapshots
C. Continuous data backup
D. Disk-to-tape backup
Answer: C. Continuous data backup
Explanation: The recovery point objective (RPO) is based on the acceptable data loss in the case of a disruption. In this scenario the organization needs a short RPO. Virtual tape libraries, disk-based snapshots and disk-to-tape backup would require time to complete the backup, while continuous data backup happens online (in real time).

Question: In the event of a data center disaster, which of the following would be the MOST appropriate strategy to enable a complete recovery of a critical database?
A. Daily data backup to tape and storage at a remote site
B. Real-time replication to a remote site
C. Hard disk mirroring to a local server
D. Real-time data backup to the local storage area network (SAN)
Answer: B. Real-time replication to a remote site
Explanation: With real-time replication to a remote site, data are updated simultaneously in two separate locations; therefore, a disaster in one site would not damage the information located in the remote site. This assumes that both sites were not affected by the disaster. Daily tape backup recovery could lose up to a day's work of data. Choices C

Question: Which of the following should be the MOST important criterion in evaluating a backup solution for sensitive data that must be retained for a long period of time due to regulatory requirements?
A. Full backup window
B. Media costs
C. Restore window
D. Media reliability
Answer: D. Media reliability
Explanation: To comply with regulatory requirements, the media should be reliable enough to ensure an organization's ability to recover the data should they be required for any reason. Media price is a consideration, but should not be more important than the ability to provide the required reliability. Choices A and C are less critical

Question: An organization currently using tape backups takes one full backup weekly and incremental backups daily. They recently augmented their tape backup procedures with a backup-to-disk solution. This is appropriate because:
A. fast synthetic backups for offsite storage are supported.
B. backup to disk is always significantly faster than backup to tape.
C. tape libraries are no longer needed.
D. data storage on disks is more reliable than on tapes.
Answer: A. fast synthetic backups for offsite storage are supported.
Explanation: Disk-to-disk (D2D) backup should not be seen as a direct replacement for backup to tape; rather, it should be viewed as part of a multitiered backup architecture that takes advantage of the best features of both tape and disk technologies. Backups to disks are not dramatically faster than backups to tapes in a balanced environment. Most often

Question: Network Data Management Protocol (NDMP) technology should be used for backup if:
A. a network attached storage (NAS) appliance is required.
B. the use of TCP/IP must be avoided.
C. file permissions that cannot be handled by legacy backup systems must be backed up.
D. backup consistency over several related data volumes must be ensured.
Answer: A. a network attached storage (NAS) appliance is required.
Explanation: NDMP defines three kinds of services: a data service that interfaces with the primary storage to be backed up or restored, a tape service that interfaces with the secondary storage (primarily a tape device), and a translator service performing translations including multiplexing multiple data streams into one data stream and vice

Question: In which of the following situations is it MOST appropriate to implement data mirroring as the recovery strategy?
A. Disaster tolerance is high.
B. Recovery time objective is high.
C. Recovery point objective is low.
D. Recovery point objective is high.
Answer: C. Recovery point objective is low.
Explanation: A recovery point objective (RPO) indicates the latest point in time at which it is acceptable to recover the data. If the RPO is low, data mirroring should be implemented as the data recovery strategy. The recovery time objective (RTO) is an indicator of the disaster tolerance. The lower the RTO, the lower the disaster tolerance. Therefore, choice C is

Question: IS management has decided to install a level 1 Redundant Array of Inexpensive Disks (RAID) system in all servers to compensate for the elimination of offsite backups. The IS auditor should recommend:
A. upgrading to a level 5 RAID.
B. increasing the frequency of onsite backups.
C. reinstating the offsite backups.
D. establishing a cold site in a secure location.
Answer: C. reinstating the offsite backups.
Explanation: A RAID system, at any level, will not protect against a natural disaster. The problem will not be alleviated without offsite backups, more frequent onsite backups or even setting up a cold site. Choices A, B and D do not compensate for the lack of offsite backup.

Question: Which of the following ensures the availability of transactions in the event of a disaster?
A. Send tapes hourly containing transactions offsite.
B. Send tapes daily containing transactions offsite.
C. Capture transactions to multiple storage devices.
D. Transmit transactions offsite in real time.
Answer: D. Transmit transactions offsite in real time.
Explanation: The only way to ensure availability of all transactions is to perform a real-time transmission to an offsite facility. Choices A and B are not in real time and, therefore, would not include all the transactions. Choice C does not ensure availability at an offsite location.

Question: To provide protection for media backup stored at an offsite location, the storage site should be:
A. located on a different floor of the building.
B. easily accessible by everyone.
C. clearly labeled for emergency access.
D. protected from unauthorized access.
Answer: D. protected from unauthorized access.
Explanation: The offsite storage site should always be protected against unauthorized access and have at least the same security requirements as the primary site. Choice A is incorrect because, if the backup is in the same building, it may suffer the same event and may be inaccessible. Choices B and C represent access risks.

Question: Online banking transactions are being posted to the database when processing suddenly comes to a halt. The integrity of the transaction processing is BEST ensured by:
A. database integrity checks.
B. validation checks.
C. input controls.
D. database commits and rollbacks.
Answer: D. database commits and rollbacks.
Explanation: Database commits ensure the data are saved to disk, while the transaction processing is underway or complete. Rollback ensures that the already completed processing is reversed back, and the data already processed are not saved to the disk in the event of the failure of the completion of the transaction processing. All other options do not ensure

Question: Which of the following findings should an IS auditor be MOST concerned about when performing an audit of backup and recovery and the offsite storage vault?
A. There are three individuals with a key to enter the area.
B. Paper documents are also stored in the offsite vault.
C. Data files that are stored in the vault are synchronized.
D. The offsite vault is located in a separate facility.
Answer: C. Data files that are stored in the vault are synchronized.
Explanation: Choice A is incorrect because more than one person would typically need to have a key to the vault to ensure that individuals responsible for the offsite vault can take vacations and rotate duties. Choice B is not correct because an IS auditor would not be concerned with whether paper documents are stored in the offsite

Question: Which of the following procedures would BEST determine whether adequate recovery/restart procedures exist?
A. Reviewing program code
B. Reviewing operations documentation
C. Turning off the UPS, then the power
D. Reviewing program documentation
Answer: B. Reviewing operations documentation
Explanation: Operations documentation should contain recovery/restart procedures, so operations can return to normal processing in a timely manner. Turning off the uninterruptible power supply (UPS) and then turning off the power might create a situation for recovery and restart, but the negative effect on operations would prove this method to

Question: An IS auditor performing a review of the backup processing facilities should be MOST concerned that:
A. adequate fire insurance exists.
B. regular hardware maintenance is performed.
C. offsite storage of transaction and master files exists.
D. backup processing facilities are fully tested.
Answer: C. offsite storage of transaction and master files exists.
Explanation: Adequate fire insurance and fully tested backup processing facilities are important elements for recovery, but without the offsite storage of transaction and master files, it is generally impossible to recover. Regular hardware maintenance does not relate to recovery.

Question: An offsite information processing facility:
A. should have the same amount of physical access restrictions as the primary processing site.
B. should be easily identified from the outside so that, in the event of an emergency, it can be easily found.
C. should be located in proximity to the originating site, so it can quickly be made operational.
D. need not have the same level of environmental monitoring as the originating site.
Answer: A. should have the same amount of physical access restrictions as the primary processing site.
Explanation: An offsite information processing facility should have the same amount of physical control as the originating site. It should not be easily identified from the outside to prevent intentional sabotage. The offsite facility should not be subject to the same natural disaster that could affect the originating site and thus should not

Question: As updates to an online order entry system are processed, the updates are recorded on a transaction tape and a hard copy transaction log. At the end of the day, the order entry files are backed up on tape. During the backup procedure, a drive malfunctions and the order entry files are lost. Which of the following is necessary to restore these files?
A. The previous day's backup file and the current transaction tape
B. The previous day's transaction file and the current transaction tape
C. The current transaction tape and the current hard copy transaction log
D. The current hard copy transaction log and the previous day's transaction file
Answer: A. The previous day's backup file and the current transaction tape
Explanation: The previous day's backup file will be the most current historical backup of activity in the system. The current day's transaction file will contain all of the day's activity. Therefore, the combination of these two files will enable full recovery up to the point of interruption.

Question: In addition to the backup considerations for all systems, which of the following is an important consideration in providing backup for online systems?
A. Maintaining system software parameters
B. Ensuring periodic dumps of transaction logs
C. Ensuring grandfather-father-son file backups
D. Maintaining important data at an offsite location
Answer: B. Ensuring periodic dumps of transaction logs
Explanation: Ensuring periodic dumps of transaction logs is the only safe way of preserving timely historical data. The volume of activity usually associated with an online system makes other more traditional methods of backup impractical.

Question: If a database is restored using before-image dumps, where should the process begin following an interruption?
A. Before the last transaction
B. After the last transaction
C. As the first transaction after the latest checkpoint
D. As the last transaction before the latest checkpoint
Answer: A. Before the last transaction
Explanation: If before images are used, the last transaction in the dump will not have updated the database prior to the dump being taken. The last transaction will not have updated the database and must be reprocessed. Program checkpoints are irrelevant in this situation.

Question: Which of the following is the MOST important criterion when selecting a location for an offsite storage facility for IS backup files? The offsite facility must be:
A. physically separated from the data center and not subject to the same risks.
B. given the same level of protection as that of the computer data center.
C. outsourced to a reliable third party.
D. equipped with surveillance capabilities.
Answer: A. physically separated from the data center and not subject to the same risks.
Explanation: It is important that there be an offsite storage location for IS files and that it be in a location not subject to the same risks as the primary data center. The other choices are all issues that must be considered when establishing the offsite location, but they are not as critical as the location selection.

Question: The PRIMARY purpose of implementing Redundant Array of Inexpensive Disks (RAID) level 1 in a file server is to:
A. achieve performance improvement.
B. provide user authentication.
C. ensure availability of data.
D. ensure the confidentiality of data.
Answer: C. ensure availability of data.
Explanation: RAID level 1 provides disk mirroring. Data written to one disk are also written to another disk. Users in the network access data in the first disk; if disk one fails, the second disk takes over. This redundancy ensures the availability of data. RAID level 1 does not improve performance, has no relevance to authentication and does nothing to provide for data confidentiality.

Question: Which of the following would BEST support 24/7 availability?
A. Daily backup
B. Offsite storage
C. Mirroring
D. Periodic testing
Answer: C. Mirroring
Explanation: Mirroring of critical elements is a tool that facilitates immediate recoverability. Daily backup implies that it is reasonable for restoration to take place within a number of hours but not immediately. Offsite storage and periodic testing of systems do not of themselves support continuous availability.

Question: At a hospital, medical personnel carry handheld computers which contain patient health data. These handheld computers are synchronized with PCs which transfer data from a hospital database. Which of the following would be of the most importance?
A. The handheld computers are properly protected to prevent loss of data confidentiality, in case of theft or loss.
B. The employee who deletes temporary files from the local PC, after usage, is authorized to maintain PCs.
C. Timely synchronization is ensured by policies and procedures.
D. The usage of the handheld computers is allowed by the hospital policy.
Answer: A. The handheld computers are properly protected to prevent loss of data confidentiality, in case of theft or loss.
Explanation: Data confidentiality is a major requirement of privacy regulations. Choices B, C and D relate to internal security requirements, and are secondary when compared to compliance with data privacy laws.

Question: When reviewing the procedures for the disposal of computers, which of the following should be the GREATEST concern for the IS auditor?
A. Hard disks are overwritten several times at the sector level, but are not reformatted before leaving the organization.
B. All files and folders on hard disks are separately deleted, and the hard disks are formatted before leaving the organization.
C. Hard disks are rendered unreadable by hole-punching through the platters at specific positions before leaving the organization.
D. The transport of hard disks is escorted by internal security staff to a nearby metal recycling company, where the hard disks are registered and then shredded.
Answer: B. All files and folders on hard disks are separately deleted, and the hard disks are formatted before leaving the organization.
Explanation: Deleting and formatting does not completely erase the data but only marks the sectors that contained files as being free. There are tools available over the Internet which allow one to reconstruct most of a hard disk's contents. Overwriting a hard disk at the sector level would completely erase data, directories, indices and master file tables.

Question: Which of the following would be the MOST significant audit finding when reviewing a point-of-sale (POS) system?
A. Invoices recorded on the POS system are manually entered into an accounting application
B. An optical scanner is not used to read bar codes for the generation of sales invoices
C. Frequent power outages occur, resulting in the manual preparation of invoices
D. Customer credit card information is stored unencrypted on the local POS system
Answer: D. Customer credit card information is stored unencrypted on the local POS system
Explanation: It is important for the IS auditor to determine if any credit card information is stored on the local point-of-sale (POS) system. Any such information, if stored, should be encrypted or protected by other means to avoid the possibility of unauthorized disclosure. Manually inputting sale invoices into the accounting application is an operational issue, if the

Question: To ensure authentication, confidentiality and integrity of a message, the sender should encrypt the hash of the message with the sender's:
A. public key and then encrypt the message with the receiver's private key.
B. private key and then encrypt the message with the receiver's public key.
C. public key and then encrypt the message with the receiver's public key.
D. private key and then encrypt the message with the receiver's private key.
Answer: B. private key and then encrypt the message with the receiver's public key.
Explanation: Obtaining the hash of the message ensures integrity; signing the hash of the message with the sender's private key ensures the authenticity of the origin, and encrypting the resulting message with the receiver's public key ensures confidentiality. The other choices are incorrect.

Question: An organization is disposing of a number of laptop computers. Which of the following data destruction methods would be the MOST effective?
A. Run a low-level data wipe utility on all hard drives
B. Erase all data file directories
C. Format all hard drives
D. Physical destruction of the hard drive
Answer: D. Physical destruction of the hard drive
Explanation: The most effective method is physical destruction. Running a low-level data wipe utility may leave some residual data that could be recovered; erasing data directories and formatting hard drives are easily reversed, exposing all data on the drive to unauthorized individuals.

Question: Which of the following would MOST effectively control the usage of universal serial bus (USB) storage devices?
A. Policies that require instant dismissal if such devices are found
B. Software for tracking and managing USB storage devices
C. Administratively disabling the USB port
D. Searching personnel for USB storage devices at the facility's entrance
Answer: B. Software for tracking and managing USB storage devices
Explanation: Software for centralized tracking and monitoring would allow a USB usage policy to be applied to each user based on changing business requirements, and would provide for monitoring and reporting exceptions to management. A policy requiring dismissal may result in increased employee attrition and business requirements would not be properly addressed.

Question: Which of the following is the MOST robust method for disposing of magnetic media that contains confidential information?
A. Degaussing
B. Defragmenting
C. Erasing
D. Destroying
Answer: D. Destroying
Explanation: Destroying magnetic media is the only way to assure that confidential information cannot be recovered. Degaussing or demagnetizing is not sufficient to fully erase information from magnetic media. The purpose of defragmentation is to eliminate fragmentation in file systems and does not remove information. Erasing or deleting magnetic media does

Question: A hard disk containing confidential data was damaged beyond repair. What should be done to the hard disk to prevent access to the data residing on it?
A. Rewrite the hard disk with random 0s and 1s.
B. Low-level format the hard disk.
C. Demagnetize the hard disk.
D. Physically destroy the hard disk.
Answer: D. Physically destroy the hard disk.
Explanation: Physically destroying the hard disk is the most economical and practical way to ensure that the data cannot be recovered. Rewriting data and low-level formatting are impractical, because the hard disk is damaged. Demagnetizing is an inefficient procedure, because it requires specialized and expensive equipment to be fully effective.

Question: Which of the following aspects of symmetric key encryption influenced the development of asymmetric encryption?
A. Processing power
B. Volume of data
C. Key distribution
D. Complexity of the algorithm
Answer: C. Key distribution
Explanation: Symmetric key encryption requires that the keys be distributed. The larger the user group, the more challenging the key distribution. Symmetric key cryptosystems are generally less complicated and, therefore, use less processing power than asymmetric techniques, thus making it ideal for encrypting a large volume of data. The major

Question: Which of the following is the MOST important objective of data protection?
A. Identifying persons who need access to information
B. Ensuring the integrity of information
C. Denying or authorizing access to the IS system
D. Monitoring logical accesses
Right answer: B. Ensuring the integrity of information
Explanation: Maintaining data integrity is the most important objective of data security. This is a necessity if an organization is to continue as a viable and successful enterprise. The other choices are important techniques for achieving the objective of data integrity.

Question: Which of the following is the BEST way to handle obsolete magnetic tapes before disposing of them?
A. Overwriting the tapes
B. Initializing the tape labels
C. Degaussing the tapes
D. Erasing the tapes
Right answer: C. Degaussing the tapes
Explanation: The best way to handle obsolete magnetic tapes is to degauss them. This action leaves a very low residue of magnetic induction, essentially erasing the data from the tapes. Overwriting or erasing the tapes may cause magnetic errors but would not remove the data completely. Initializing the tape labels would not remove the data that

Question: An IS auditor is reviewing the physical security measures of an organization. Regarding the access card system, the IS auditor should be MOST concerned that:
A. nonpersonalized access cards are given to the cleaning staff, who use a sign-in sheet but show no proof of identity.
B. access cards are not labeled with the organization’s name and address to facilitate easy return of a lost card.
C. card issuance and rights administration for the cards are done by different departments, causing unnecessary lead time for new cards.
D. the computer system used for programming the cards can only be replaced after three weeks in the event of a system failure.
Right answer: A. nonpersonalized access cards are given to the cleaning staff, who use a sign-in sheet but show no proof of identity.
Explanation: Physical security is meant to control who is entering a secured area, so identification of all individuals is of utmost importance. It is not adequate to trust unknown external people by allowing them to write down their alleged name without proof, e.g., identity card, driver’s license. Choice B is not a concern

Question: What should an organization do before providing an external agency physical access to its information processing facilities (IPFs)?
A. The processes of the external agency should be subjected to an IS audit by an independent agency.
B. Employees of the external agency should be trained on the security procedures of the organization.
C. Any access by an external agency should be limited to the demilitarized zone (DMZ).
D. The organization should conduct a risk assessment and design and implement appropriate controls.
Right answer: D. The organization should conduct a risk assessment and design and implement appropriate controls.
Explanation: Physical access of information processing facilities (IPFs) by an external agency introduces additional threats into an organization. Therefore, a risk assessment should be conducted and controls designed accordingly. The processes of the external agency are not of concern here. It is the agency’s interaction with the organization that needs

Question: Which of the following is the BEST way to satisfy a two-factor user authentication?
A. A smart card requiring the user’s PIN
B. User ID along with password
C. Iris scanning plus fingerprint scanning
D. A magnetic card requiring the user’s PIN
Right answer: A. A smart card requiring the user’s PIN
Explanation: A smart card addresses what the user has. This is generally used in conjunction with testing what the user knows, e.g., a keyboard password or personal identification number (PIN). An ID and password, what the user knows, is a single-factor user authentication. Choice C is not a two-factor user authentication because it is only biometric.

Question: The MOST effective biometric control system is the one:
A. which has the highest equal-error rate (EER).
B. which has the lowest EER.
C. for which the false-rejection rate (FRR) is equal to the false-acceptance rate (FAR).
D. for which the FRR is equal to the failure-to-enroll rate (FER).
Right answer: B. which has the lowest EER.
Explanation: The equal-error rate (EER) of a biometric system denotes the percent at which the false-acceptance rate (FAR) is equal to the false-rejection rate (FRR). The biometric that has the lowest EER is the most effective. The biometric that has the highest EER is the most ineffective. For any biometric, there will be a measure at which the FRR will

Question: Which of the following physical access controls effectively reduces the risk of piggybacking?
A. Biometric door locks
B. Combination door locks
C. Deadman doors
D. Bolting door locks
Right answer: C. Deadman doors
Explanation: Deadman doors use a pair of doors. For the second door to operate, the first entry door must close and lock with only one person permitted in the holding area. This effectively reduces the risk of piggybacking. An individual’s unique body features such as voice, retina, fingerprint or signature activate biometric door locks; however, they do not

Question: A data center has a badge-entry system. Which of the following is MOST important to protect the computing assets in the center?
A. Badge readers are installed in locations where tampering would be noticed
B. The computer that controls the badge system is backed up frequently
C. A process for promptly deactivating lost or stolen badges exists
D. All badge entry attempts are logged
Right answer: C. A process for promptly deactivating lost or stolen badges exists
Explanation: Tampering with a badge reader cannot open the door, so this is irrelevant. Logging the entry attempts may be of limited value. The biggest risk is from unauthorized individuals who can enter the data center, whether they are employees or not. Thus, a process of deactivating lost or stolen badges is important. The configuration of the

Question: Which of the following is the MOST reliable form of single factor personal identification?
A. Smart card
B. Password
C. Photo identification
D. Iris scan
Right answer: D. Iris scan
Explanation: Since no two irises are alike, identification and verification can be done with confidence. There is no guarantee that a smart card is being used by the correct person since it can be shared, stolen or lost and found. Passwords can be shared and, if written down, carry the risk of discovery. Photo IDs can be forged or falsified.

Question: The purpose of a deadman door controlling access to a computer facility is primarily to:
A. prevent piggybacking.
B. prevent toxic gases from entering the data center.
C. starve a fire of oxygen.
D. prevent an excessively rapid entry to, or exit from, the facility.
Right answer: A. prevent piggybacking.
Explanation: The purpose of a deadman door controlling access to a computer facility is primarily intended to prevent piggybacking. Choices B and C could be accomplished with a single self-closing door. Choice D is invalid, as a rapid exit may be necessary in some circumstances, e.g., a fire.

Question: The MOST likely explanation for a successful social engineering attack is:
A. that computers make logic errors.
B. that people make judgment errors.
C. the computer knowledge of the attackers.
D. the technological sophistication of the attack method.
Right answer: B. that people make judgment errors.
Explanation: Humans make errors in judging others; they may trust someone when, in fact, the person is untrustworthy. Driven by logic, computers make the same error every time they execute the erroneous logic; however, this is not the basic argument in designing a social engineering attack. Generally, social engineering attacks do

Question: Which of the following biometrics has the highest reliability and lowest false-acceptance rate (FAR)?
A. Palm scan
B. Face recognition
C. Retina scan
D. Hand geometry
Right answer: C. Retina scan
Explanation: Retina scan uses optical technology to map the capillary pattern of an eye’s retina. This is highly reliable and has the lowest false-acceptance rate (FAR) among the current biometric methods. Use of palm scanning entails placing a hand on a scanner where a palm’s physical characteristics are captured. Hand geometry, one of the oldest

Question: A firm is considering using biometric fingerprint identification on all PCs that access critical data. This requires:
A. that a registration process is executed for all accredited PC users.
B. the full elimination of the risk of a false acceptance.
C. the usage of the fingerprint reader be accessed by a separate password.
D. assurance that it will be impossible to gain unauthorized access to critical data.
Right answer: A. that a registration process is executed for all accredited PC users.
Explanation: The fingerprints of accredited users need to be read, identified and recorded, i.e., registered, before a user may operate the system from the screened PCs. Choice B is incorrect, as the false-acceptance risk of a biometric device may be optimized, but will never be zero because this would imply an unacceptable

Question: The use of residual biometric information to gain unauthorized access is an example of which of the following attacks?
A. Replay
B. Brute force
C. Cryptographic
D. Mimic
Right answer: A. Replay
Explanation: Residual biometric characteristics, such as fingerprints left on a biometric capture device, may be reused by an attacker to gain unauthorized access. A brute force attack involves feeding the biometric capture device numerous different biometric samples. A cryptographic attack targets the algorithm or the encrypted data, in a

Question: Which of the following is the MOST effective control over visitor access to a data center?
A. Visitors are escorted.
B. Visitor badges are required.
C. Visitors sign in.
D. Visitors are spot-checked by operators.
Right answer: A. Visitors are escorted.
Explanation: Escorting visitors will provide the best assurance that visitors have permission to access the data processing facility. Choices B and C are not reliable controls. Choice D is incorrect because visitors should be accompanied at all times while they are on the premises, not only when they are in the data processing facility.

Question: The BEST overall quantitative measure of the performance of biometric control devices is:
A. false-rejection rate.
B. false-acceptance rate.
C. equal-error rate.
D. estimated-error rate.
Right answer: C. equal-error rate.
Explanation: A low equal-error rate (EER) is a combination of a low false-rejection rate and a low false-acceptance rate. EER, expressed as a percentage, is a measure of the number of times that the false-rejection and false-acceptance rates are equal. A low EER is the measure of the more effective biometrics control device. Low false-

Question: The MOST effective control for addressing the risk of piggybacking is:
A. a single entry point with a receptionist.
B. the use of smart cards.
C. a biometric door lock.
D. a deadman door.
Right answer: D. a deadman door.
Explanation: Deadman doors are a system of using a pair of (two) doors. For the second door to operate, the first entry door must close and lock with only one person permitted in the holding area. This reduces the risk of an unauthorized person following an authorized person through a secured entry (piggybacking). The other choices are all physical

Question: An organization with extremely high security requirements is evaluating the effectiveness of biometric systems. Which of the following performance indicators is MOST important?
A. False-acceptance rate (FAR)
B. Equal-error rate (EER)
C. False-rejection rate (FRR)
D. False-identification rate (FIR)
Right answer: A. False-acceptance rate (FAR)
Explanation: FAR is the frequency of accepting an unauthorized person as authorized, thereby granting access when it should be denied. In an organization with high security requirements, user annoyance with a higher FRR is less important, since it is better to deny access to an authorized individual than to grant access to an unauthorized individual.

Question: What is a risk associated with attempting to control physical access to sensitive areas such as computer rooms using card keys or locks?
A. Unauthorized individuals wait for controlled doors to open and walk in behind those authorized.
B. The contingency plan for the organization cannot effectively test controlled access practices.
C. Access cards, keys and pads can be easily duplicated allowing easy compromise of the control.
D. Removing access for those who are no longer authorized is complex.
Right answer: A. Unauthorized individuals wait for controlled doors to open and walk in behind those authorized.
Explanation: The concept of piggybacking compromises all physical control established. Choice B would be of minimal concern in a disaster recovery environment. Items in choice C are not easily duplicated. Regarding choice D, while technology is constantly changing, card keys have existed for some time and appear to be a viable option for the foreseeable

Question: An accuracy measure for a biometric system is:
A. system response time.
B. registration time.
C. input file size.
D. false-acceptance rate.
Right answer: D. false-acceptance rate.
Explanation: For a biometric solution three main accuracy measures are used: false-rejection rate (FRR), cross-error rate (CER) and false-acceptance rate (FAR). FRR is a measure of how often valid individuals are rejected. FAR is a measure of how often invalid individuals are accepted. CER is a measure of when the false-

Question: During the review of a biometrics system operation, an IS auditor should FIRST review the stage of:
A. enrollment.
B. identification.
C. verification.
D. storage.
Right answer: A. enrollment.
Explanation: The users of a biometrics device must first be enrolled in the device. The device captures a physical or behavioral image of the human, identifies the unique features and uses an algorithm to convert them into a string of numbers stored as a template to be used in the matching processes.

Question: Which of the following fire suppression systems is MOST appropriate to use in a data center environment?
A. Wet-pipe sprinkler system
B. Dry-pipe sprinkler system
C. FM-200 system
D. Carbon dioxide-based fire extinguishers
Right answer: C. FM-200 system
Explanation: FM-200 is safer to use than carbon dioxide. It is considered a clean agent for use in gaseous fire suppression applications. A water-based fire extinguisher is suitable when sensitive computer equipment could be damaged before the fire department personnel arrive at the site. Manual firefighting (fire extinguishers) may not provide fast enough protection

Question: Users are issued security tokens to be used in combination with a PIN to access the corporate virtual private network (VPN). Regarding the PIN, what is the MOST important rule to be included in a security policy?
A. Users should not leave tokens where they could be stolen
B. Users must never keep the token in the same bag as their laptop computer
C. Users should select a PIN that is completely random, with no repeating digits
D. Users should never write down their PIN
Right answer: D. Users should never write down their PIN
Explanation: If a user writes their PIN on a slip of paper, an individual with the token, the slip of paper, and the computer could access the corporate network. A token and a PIN together are a two-factor authentication method. Access to the token is of no value without the PIN; one cannot work without the other. The PIN does not need to be random as long as it is secret.

Question: A penetration test performed as part of evaluating network security:
A. provides assurance that all vulnerabilities are discovered.
B. should be performed without warning the organization’s management.
C. exploits the existing vulnerabilities to gain unauthorized access.
D. would not damage the information assets when performed at network perimeters.
Right answer: C. exploits the existing vulnerabilities to gain unauthorized access.
Explanation: Penetration tests are an effective method of identifying real-time risks to an information processing environment. They attempt to break into a live site in order to gain unauthorized access to a system. They do have the potential for damaging information assets or misusing information because they mimic an experienced hacker attacking a live system.

Question: Which of the following would be BEST prevented by a raised floor in the computer machine room?
A. Damage of wires around computers and servers
B. A power failure from static electricity
C. Shocks from earthquakes
D. Water flood damage.
Right answer: A. Damage of wires around computers and servers
Explanation: The primary reason for having a raised floor is to enable power cables and data cables to be installed underneath the floor. This eliminates the safety and damage risks posed when cables are placed in a spaghetti-like fashion on an open floor. Static electricity should be avoided in the machine room; therefore, measures such as specially

Question: An IS auditor inspected a windowless room containing phone switching and networking equipment and documentation binders. The room was equipped with two handheld fire extinguishers: one filled with CO2, the other filled with halon. Which of the following should be given the HIGHEST priority in the auditor’s report?
A. The halon extinguisher should be removed because halon has a negative impact on the atmospheric ozone layer.
B. Both fire suppression systems present a risk of suffocation when used in a closed room.
C. The CO2 extinguisher should be removed, because CO2 is ineffective for suppressing fires involving solid combustibles (paper).
D. The documentation binders should be removed from the equipment room to reduce potential risks.
Right answer: B. Both fire suppression systems present a risk of suffocation when used in a closed room.
Explanation: Protecting people’s lives should always be of highest priority in fire suppression activities. CO2 and halon both reduce the oxygen ratio in the atmosphere, which can induce serious personal hazards. In many countries installing or refilling halon fire suppression systems is not allowed. Although CO2 and halon are effective and appropriate

Question: Which of the following environmental controls is appropriate to protect computer equipment against short-term reductions in electrical power?
A. Power line conditioners
B. Surge protective devices
C. Alternative power supplies
D. Interruptible power supplies
Right answer: A. Power line conditioners
Explanation: Power line conditioners are used to compensate for peaks and valleys in the power supply and reduce peaks in the power flow to what is needed by the machine. Any valleys are removed by power stored in the equipment. Surge protection devices protect against high-voltage bursts. Alternative power supplies are intended for computer equipment running for

Question: Which of the following methods of suppressing a fire in a data center is the MOST effective and environmentally friendly?
A. Halon gas
B. Wet-pipe sprinklers
C. Dry-pipe sprinklers
D. Carbon dioxide gas
Right answer: C. Dry-pipe sprinklers
Explanation: Water sprinklers, with an automatic power shutoff system, are accepted as efficient because they can be set to automatic release without threat to life, and water is environmentally friendly. Sprinklers must be dry-pipe to prevent the risk of leakage. Halon is efficient and effective as it does not threaten human life and,

Question: When auditing security for a data center, an IS auditor should look for the presence of a voltage regulator to ensure that the:
A. hardware is protected against power surges.
B. integrity is maintained if the main power is interrupted.
C. immediate power will be available if the main power is lost.
D. hardware is protected against long-term power fluctuations.
Right answer: A. hardware is protected against power surges.
Explanation: A voltage regulator protects against short-term power fluctuations. It normally does not protect against long-term surges, nor does it maintain the integrity if power is interrupted or lost.

Question: Which of the following intrusion detection systems (IDSs) will MOST likely generate false alarms resulting from normal network activity?
A. Statistical-based
B. Signature-based
C. Neural network
D. Host-based
Right answer: A. Statistical-based
Explanation: A statistical-based IDS relies on a definition of known and expected behavior of systems. Since normal network activity may at times include unexpected behavior (e.g., a sudden massive download by multiple users), these activities will be flagged as suspicious. A signature-based IDS is limited to its predefined set of detection rules, just like a virus

Question: IS management is considering a Voice-over Internet Protocol (VoIP) network to reduce telecommunication costs and management asked the IS auditor to comment on appropriate security controls. Which of the following security measures is MOST appropriate?
A. Review and, where necessary, upgrade firewall capabilities
B. Install modems to allow remote maintenance support access
C. Create a physically distinct network to handle VoIP traffic
D. Redirect all VoIP traffic to allow clear text logging of authentication credentials
Right answer: A. Review and, where necessary, upgrade firewall capabilities
Explanation: Firewalls used as entry points to a Voice-over Internet Protocol (VoIP) network should be VoIP-capable. VoIP network services such as H.323 introduce complexities that are likely to strain the capabilities of older firewalls. Allowing for remote support access is an important consideration. However, a virtual

Question: Upon receipt of the initial signed digital certificate the user will decrypt the certificate with the public key of the:
A. registration authority (RA).
B. certificate authority (CA).
C. certificate repository.
D. receiver.
Right answer: B. certificate authority (CA).
Explanation: A certificate authority (CA) is a network authority that issues and manages security credentials and public keys for message encryption. As a part of the public key infrastructure, a CA checks with a registration authority (RA) to verify information provided by the requestor of a digital certificate. If the RA verifies the

Question: A perpetrator looking to gain access to and gather information about encrypted data being transmitted over the network would use:
A. eavesdropping.
B. spoofing.
C. traffic analysis.
D. masquerading.
Right answer: C. traffic analysis.
Explanation: In traffic analysis, which is a passive attack, an intruder determines the nature of the traffic flow between defined hosts and, through an analysis of session length, frequency and message length, is able to guess the type of communication taking place. This typically is used when messages are encrypted and

Question: Which of the following would effectively verify the originator of a transaction?
A. Using a secret password between the originator and the receiver
B. Encrypting the transaction with the receiver’s public key
C. Using a portable document format (PDF) to encapsulate transaction content
D. Digitally signing the transaction with the source’s private key
Answer: D. Digitally signing the transaction with the source’s private key
Explanation: A digital signature is an electronic identification of a person, created by using a public key algorithm, to verify to a recipient the identity of the source of a transaction and the integrity of its content. Since they are a ‘shared secret’ between the user and the system itself, passwords are considered a weaker means of authentication.

Question: When using a digital signature, the message digest is computed:
A. only by the sender.
B. only by the receiver.
C. by both the sender and the receiver.
D. by the certificate authority (CA).
Answer: C. by both the sender and the receiver.
Explanation: A digital signature is an electronic identification of a person or entity. It is created by using asymmetric encryption. To verify integrity of data, the sender uses a cryptographic hashing algorithm against the entire message to create a message digest to be sent along with the message. Upon receipt of the message, the receiver will recompute

Question: When reviewing a digital certificate verification process, which of the following findings represents the MOST significant risk?
A. There is no registration authority (RA) for reporting key compromises.
B. The certificate revocation list (CRL) is not current.
C. Digital certificates contain a public key that is used to encrypt messages and verify digital signatures.
D. Subscribers report key compromises to the certificate authority (CA).
Answer: B. The certificate revocation list (CRL) is not current.
Explanation: If the certificate revocation list (CRL) is not current, there could be a digital certificate that is not revoked that could be used for unauthorized or fraudulent activities. The certificate authority (CA) can assume the responsibility if there is no registration authority (RA). Digital certificates containing a public key that is used to encrypt

Question: The MOST effective control for reducing the risk related to phishing is:
A. centralized monitoring of systems.
B. including signatures for phishing in antivirus software.
C. publishing the policy on antiphishing on the intranet.
D. security training for all users.
Answer: D. security training for all users.
Explanation: Phishing is a type of e-mail attack that attempts to convince a user that the originator is genuine, with the intention of obtaining information. Phishing is an example of a social engineering attack. Any social engineering type of attack can best be controlled through security and awareness training.

Question: The GREATEST risk posed by an improperly implemented intrusion prevention system (IPS) is:
A. that there will be too many alerts for system administrators to verify.
B. decreased network performance due to IPS traffic.
C. the blocking of critical systems or services due to false triggers.
D. reliance on specialized expertise within the IT organization.
Answer: C. the blocking of critical systems or services due to false triggers.
Explanation: An intrusion prevention system (IPS) prevents a connection or service based on how it is programmed to react to specific incidents. If the packets are coming from a spoofed address and the IPS is triggered based on previously defined behavior, it may block the service or connection of a critical internal system. The other choices are risks that are

Question: An IS auditor is reviewing a software-based firewall configuration. Which of the following represents the GREATEST vulnerability? The firewall software:
A. is configured with an implicit deny rule as the last rule in the rule base.
B. is installed on an operating system with default settings.
C. has been configured with rules permitting or denying access to systems or networks.
D. is configured as a virtual private network (VPN) endpoint.
Answer: B. is installed on an operating system with default settings.
Explanation: Default settings are often published and provide an intruder with predictable configuration information, which allows easier system compromise. To mitigate this risk, firewall software should be installed on a system using a hardened operating system that has limited functionality, providing only the services necessary to support the

Question: An organization is planning to replace its wired networks with wireless networks. Which of the following would BEST secure the wireless network from unauthorized access?
A. Implement Wired Equivalent Privacy (WEP)
B. Permit access to only authorized Media Access Control (MAC) addresses
C. Disable open broadcast of service set identifiers (SSID)
D. Implement Wi-Fi Protected Access (WPA) 2
Answer: D. Implement Wi-Fi Protected Access (WPA) 2
Explanation: Wi-Fi Protected Access (WPA) 2 implements most of the requirements of the IEEE 802.11i standard. The Advanced Encryption Standard (AES) used in WPA2 provides better security. Also, WPA2 supports both the Extensible Authentication Protocol and the preshared secret key authentication model. Implementing Wired Equivalent

Question: In wireless communication, which of the following controls allows the device receiving the communications to verify that the received communications have not been altered in transit?
A. Device authentication and data origin authentication
B. Wireless intrusion detection (IDS) and prevention systems (IPS)
C. The use of cryptographic hashes
D. Packet headers and trailers
Answer: C. The use of cryptographic hashes
Explanation: Calculating cryptographic hashes for wireless communications allows the device receiving the communications to verify that the received communications have not been altered in transit. This prevents masquerading and message modification attacks. Device authentication and data origin authentication is not the correct answer since authentication

Question: When protecting an organization’s IT systems, which of the following is normally the next line of defense after the network firewall has been compromised?
A. Personal firewall
B. Antivirus programs
C. Intrusion detection system (IDS)
D. Virtual local area network (VLAN) configuration
Answer: C. Intrusion detection system (IDS)
Explanation: An intrusion detection system (IDS) would be the next line of defense after the firewall. It would detect anomalies in the network/server activity and try to detect the perpetrator. Antivirus programs, personal firewalls and VLAN configurations would be later in the line of defense.

Question: Which of the following penetration tests would MOST effectively evaluate incident handling and response capabilities of an organization?
A. Targeted testing
B. External testing
C. Internal testing
D. Double-blind testing
Answer: D. Double-blind testing
Explanation: In a double-blind test, the administrator and security staff are not aware of the test, which will result in an assessment of the incident handling and response capability in an organization. In targeted, external, and internal testing, the system administrator and security staff are aware of the tests since they are informed before the

Question: When conducting a penetration test of an IT system, an organization should be MOST concerned with:
A. the confidentiality of the report.
B. finding all possible weaknesses on the system.
C. restoring all systems to the original state.
D. logging all changes made to the production system.
Answer: C. restoring all systems to the original state.
Explanation: All suggested items should be considered by the system owner before agreeing to penetration tests, but the most important task is to be able to restore all systems to their original state. Information that is created and/or stored on the tested systems should be removed from these systems. If for some

Question: What is the BEST action to prevent loss of data integrity or confidentiality in the case of an e-commerce application running on a LAN, processing electronic fund transfers (EFT) and orders?
A. Using virtual private network (VPN) tunnels for data transfer
B. Enabling data encryption within the application
C. Auditing the access control to the network
D. Logging all changes to access lists
Answer: A. Using virtual private network (VPN) tunnels for data transfer
Explanation: The best way to ensure confidentiality and integrity of data is to encrypt it using virtual private network (VPN) tunnels. This is the most common and convenient way to encrypt the data traveling over the network. Data encryption within the application is less efficient than VPN. The other options are good

Question: An IS auditor finds that conference rooms have active network ports. Which of the following is MOST important to ensure?
A. The corporate network is using an intrusion prevention system (IPS)
B. This part of the network is isolated from the corporate network
C. A single sign-on has been implemented in the corporate network
D. Antivirus software is in place to protect the corporate network
Answer: B. This part of the network is isolated from the corporate network
Explanation: If the conference rooms have access to the corporate network, unauthorized users may be able to connect to the corporate network; therefore, both networks should be isolated either via a firewall or being physically separated. An IPS would detect possible attacks, but only after they have occurred. A single sign-on would

Question: The sender of a public key would be authenticated by a:
A. certificate authority.
B. digital signature.
C. digital certificate.
D. registration authority.
Answer: C. digital certificate.
Explanation: A digital certificate is an electronic document that declares a public key holder is who the holder claims to be. The certificates do handle data authentication as they are used to determine who sent a particular message. A certificate authority issues the digital certificates, and distributes, generates and manages public keys. A digital

Question: The FIRST step in a successful attack to a system would be:
A. gathering information.
B. gaining access.
C. denying services.
D. evading detection.
Answer: A. gathering information.
Explanation: Successful attacks start by gathering information about the target system. This is done in advance so that the attacker gets to know the target systems and their vulnerabilities. All of the other choices are based on the information gathered.

Question: The use of digital signatures:
A. requires the use of a one-time password generator.
B. provides encryption to a message.
C. validates the source of a message.
D. ensures message confidentiality.
Answer: C. validates the source of a message.
Explanation: The use of a digital signature verifies the identity of the sender, but does not encrypt the whole message, and hence is not enough to ensure confidentiality. A one-time password generator is an option, but is not a requirement for using digital signatures.

Question: What is the MOST prevalent security risk when an organization implements remote virtual private network (VPN) access to its network?
A. Malicious code could be spread across the network
B. VPN logon could be spoofed
C. Traffic could be sniffed and decrypted
D. VPN gateway could be compromised
Answer: A. Malicious code could be spread across the network
Explanation: VPN is a mature technology; VPN devices are hard to break. However, when remote access is enabled, malicious code in a remote client could spread to the organization’s network. Though choices B, C and D are security risks, VPN technology largely mitigates these risks.

Question: The human resources (HR) department has developed a system to allow employees to enroll in benefits via a web site on the corporate Intranet. Which of the following would protect the confidentiality of the data?
A. SSL encryption
B. Two-factor authentication
C. Encrypted session cookies
D. IP address verification
Answer: A. SSL encryption
Explanation: The main risk in this scenario is confidentiality, therefore the only option which would provide confidentiality is Secure Socket Layer (SSL) encryption. The remaining options deal with authentication issues.

Question: A firewall is being deployed at a new location. Which of the following is the MOST important factor in ensuring a successful deployment?
A. Reviewing logs frequently
B. Testing and validating the rules
C. Training a local administrator at the new location
D. Sharing firewall administrative duties
Answer: B. Testing and validating the rules
Explanation: A mistake in the rule set can render a firewall insecure. Therefore, testing and validating the rules is the most important factor in ensuring a successful deployment. A regular review of log files would not start until the deployment has been completed. Training a local administrator may not be necessary if the firewalls are managed from a central

Question: Which of the following would be the GREATEST cause for concern when data are sent over the Internet using HTTPS protocol?
A. Presence of spyware in one of the ends
B. The use of a traffic sniffing tool
C. The implementation of an RSA-compliant solution
D. A symmetric cryptography is used for transmitting data
Answer: A. Presence of spyware in one of the ends
Explanation: Encryption using secure sockets layer/transport layer security (SSL/TLS) tunnels makes it difficult to intercept data in transit, but when spyware is running on an end user’s computer, data are collected before encryption takes place. The other choices are related to encrypting the traffic, but the presence of spyware in one of the

Question: After observing suspicious activities in a server, a manager requests a forensic analysis. Which of the following findings should be of MOST concern to the investigator?
A. Server is a member of a workgroup and not part of the server domain
B. Guest account is enabled on the server
C. Recently, 100 users were created in the server
D. Audit logs are not enabled for the server
Answer: D. Audit logs are not enabled for the server
Explanation: Audit logs can provide evidence which is required to proceed with an investigation and should not be disabled. For business needs, a server can be a member of a workgroup and, therefore, not a concern. Having a guest account enabled on a system is a poor security practice but not a forensic investigation concern.

Question: An IS auditor selects a server for a penetration test that will be carried out by a technical specialist. Which of the following is MOST important?
A. The tools used to conduct the test
B. Certifications held by the IS auditor
C. Permission from the data owner of the server
D. An intrusion detection system (IDS) is enabled
Answer: C. Permission from the data owner of the server
Explanation: The data owner should be informed of the risks associated with a penetration test, what types of tests are to be conducted and other relevant details. All other choices are not as important as the data owner’s responsibility for the security of the data assets.

Question: A company has decided to implement an electronic signature scheme based on public key infrastructure. The user’s private key will be stored on the computer’s hard drive and protected by a password. The MOST significant risk of this approach is:
A. use of the user’s electronic signature by another person if the password is compromised.
B. forgery by using another user’s private key to sign a message with an electronic signature.
C. impersonation of a user by substitution of the user’s public key with another person’s public key.
D. forgery by substitution of another person’s private key on the computer.
Answer: A. use of the user’s electronic signature by another person if the password is compromised.
Explanation: The user’s digital signature is only protected by a password. Compromise of the password would enable access to the signature. This is the most significant risk. Choice B would require subversion of the public key infrastructure mechanism, which is very difficult and least likely. Choice C would require that the message

Question: The network of an organization has been the victim of several intruders’ attacks. Which of the following measures would allow for the early detection of such incidents?
A. Antivirus software
B. Hardening the servers
C. Screening routers
D. Honeypots
Answer: D. Honeypots
Explanation: Honeypots can collect data on precursors of attacks. Since they serve no business function, honeypots are hosts that have no authorized users other than the honeypot administrators. All activity directed at them is considered suspicious. Attackers will scan and attack honeypots, giving administrators data on new trends and

Question: The BEST filter rule for protecting a network from being used as an amplifier in a denial of service (DoS) attack is to deny all:
A. outgoing traffic with IP source addresses external to the network.
B. incoming traffic with discernible spoofed IP source addresses.
C. incoming traffic with IP options set.
D. incoming traffic to critical hosts.
Answer: A. outgoing traffic with IP source addresses external to the network.
Explanation: Outgoing traffic with an IP source address different than the IP range in the network is invalid. In most of the cases, it signals a DoS attack originated by an internal user or by a previously compromised internal machine; in both cases, applying this filter will stop the attack.

Question: A sender of an e-mail message applies a digital signature to the digest of the message. This action provides assurance of the:
A. date and time stamp of the message.
B. identity of the originating computer.
C. confidentiality of the message’s content.
D. authenticity of the sender.
Answer: D. authenticity of the sender.
Explanation: The signature on the digest can be used to authenticate the sender. It does not provide assurance of the date and time stamp or the identity of the originating computer. Digitally signing an e-mail message does not prevent access to its content and, therefore, does not assure confidentiality.

Question: What is the BEST approach to mitigate the risk of a phishing attack?
A. Implement an intrusion detection system (IDS)
B. Assess web site security
C. Strong authentication
D. User education
Answer: D. User education
Explanation: Phishing attacks can be mounted in various ways; intrusion detection systems (IDSs) and strong authentication cannot mitigate most types of phishing attacks. Assessing web site security does not mitigate the risk. Phishing uses a server masquerading as a legitimate server. The best way to mitigate the risk of phishing is to

Question: To address a maintenance problem, a vendor needs remote access to a critical network. The MOST secure and effective solution is to provide the vendor with a:
A. Secure Shell (SSH-2) tunnel for the duration of the problem.
B. two-factor authentication mechanism for network access.
C. dial-in access.
D. virtual private network (VPN) account for the duration of the vendor support contract.
Answer: A. Secure Shell (SSH-2) tunnel for the duration of the problem.
Explanation: For granting temporary access to the network, a Secure Shell (SSH-2) tunnel is the best approach. It has auditing features and allows restriction to specific access points. Choices B, C and D all give full access to the internal network. Two-factor authentication and virtual private network (VPN) provide access to the entire

Question: A web server is attacked and compromised. Which of the following should be performed FIRST to handle the incident?
A. Dump the volatile storage data to a disk.
B. Run the server in a fail-safe mode.
C. Disconnect the web server from the network.
D. Shut down the web server.
Answer: C. Disconnect the web server from the network.
Explanation: The first action is to disconnect the web server from the network to contain the damage and prevent more actions by the attacker. Dumping the volatile storage data to a disk may be used at the investigation stage but does not contain an attack in progress. To run the server in a fail-safe mode, the server needs to be shut down. Shutting down the

Question: Which of the following potentially blocks hacking attempts?
A. Intrusion detection system
B. Honeypot system
C. Intrusion prevention system
D. Network security scanner
Answer: C. Intrusion prevention system
Explanation: An intrusion prevention system (IPS) is deployed as an in-line device that can detect and block hacking attempts. An intrusion detection system (IDS) normally is deployed in sniffing mode and can detect intrusion attempts, but cannot effectively stop them. A honeypot solution traps the intruders to explore a simulated target. A network security scanner

Question: Which of the following attacks targets the Secure Sockets Layer (SSL)?
A. Man-in-the-middle
B. Dictionary
C. Password sniffing
D. Phishing
Answer: A. Man-in-the-middle
Explanation: Attackers can establish a fake Secure Sockets Layer (SSL) server to accept user’s SSL traffic and then route to the real SSL server, so that sensitive information can be discovered. A dictionary attack that has been launched to discover passwords would not attack SSL since SSL does not rely on passwords. SSL traffic is encrypted, thus it is not

Question: To protect a VoIP infrastructure against a denial-of-service (DoS) attack, it is MOST important to secure the:
A. access control servers.
B. session border controllers.
C. backbone gateways.
D. intrusion detection system (IDS).
Answer: B. session border controllers.
Explanation: Session border controllers enhance the security in the access network and in the core. In the access network, they hide a user’s real address and provide a managed public address. This public address can be monitored, minimizing the opportunities for scanning and denial-of-service (DoS) attacks. Session border controllers permit

Question: Which of the following ensures confidentiality of information sent over the internet?
A. Digital signature
B. Digital certificate
C. Online Certificate Status Protocol
D. Private key cryptosystem
Answer: D. Private key cryptosystem
Explanation: Confidentiality is assured by a private key cryptosystem. Digital signatures assure data integrity, authentication and nonrepudiation, but not confidentiality. A digital certificate is a certificate that uses a digital signature to bind together a public key with an identity; therefore, it does not address confidentiality. Online Certificate Status

Question: In a public key infrastructure (PKI), which of the following may be relied upon to prove that an online transaction was authorized by a specific customer?
A. Nonrepudiation
B. Encryption
C. Authentication
D. Integrity
Answer: A. Nonrepudiation
Explanation: Nonrepudiation, achieved through the use of digital signatures, prevents the claimed sender from later denying that they generated and sent the message. Encryption may protect the data transmitted over the Internet, but may not prove that the transactions were made. Authentication is necessary to establish the identification of all parties to a

Question: When installing an intrusion detection system (IDS), which of the following is MOST important?
A. Properly locating it in the network architecture
B. Preventing denial-of-service (DoS) attacks
C. Identifying messages that need to be quarantined
D. Minimizing the rejection errors
Answer: A. Properly locating it in the network architecture
Explanation: Proper location of an intrusion detection system (IDS) in the network is the most important decision during installation. A poorly located IDS could leave key areas of the network unprotected. Choices B, C and D are concerns during the configuration of an IDS, but if the IDS is not placed correctly, none of them would be adequately addressed.

Question: Which of the following would provide the BEST protection against the hacking of a computer connected to the Internet?
A. A remote access server
B. A proxy server
C. A personal firewall
D. A password-generating token
Answer: C. A personal firewall
Explanation: A personal firewall is the best way to protect against hacking, because it can be defined with rules that describe the type of user or connection that is or is not permitted. A remote access server can be mapped or scanned from the Internet, creating security exposures. Proxy servers can provide protection based on the IP address

Question: An organization is using symmetric encryption. Which of the following would be a valid reason for moving to asymmetric encryption? Symmetric encryption:
A. provides authenticity.
B. is faster than asymmetric encryption.
C. can cause key management to be difficult.
D. requires a relatively simple algorithm.
Answer: C. can cause key management to be difficult.
Explanation: In a symmetric algorithm, each pair of users needs a unique pair of keys, so the number of keys grows and key management can become overwhelming. Symmetric algorithms do not provide authenticity, and symmetric encryption is faster than asymmetric encryption. Symmetric algorithms require mathematical calculations,

Question: Which of the following BEST describes the role of a directory server in a public key infrastructure (PKI)?
A. Encrypts the information transmitted over the network
B. Makes other users’ certificates available to applications
C. Facilitates the implementation of a password policy
D. Stores certificate revocation lists (CRLs)
Right answer: B. Makes other users’ certificates available to applications
Explanation: A directory server makes other users’ certificates available to applications. Encrypting the information transmitted over the network and storing certificate revocation lists (CRLs) are roles performed by a security server. Facilitating the implementation of a password policy is not relevant to public key infrastructure (PKI).

Question: An IS auditor reviewing the implementation of an intrusion detection system (IDS) should be MOST concerned if:
A. IDS sensors are placed outside of the firewall.
B. a behavior-based IDS is causing many false alarms.
C. a signature-based IDS is weak against new types of attacks.
D. the IDS is used to detect encrypted traffic.
Right answer: D. the IDS is used to detect encrypted traffic.
Explanation: An intrusion detection system (IDS) cannot detect attacks within encrypted traffic, and it would be a concern if someone was misinformed and thought that the IDS could detect attacks in encrypted traffic. An organization can place sensors outside of the firewall to detect attacks. These sensors are placed in highly sensitive areas

Question: To prevent IP spoofing attacks, a firewall should be configured to drop a packet if:
A. the source routing field is enabled.
B. it has a broadcast address in the destination field.
C. a reset flag (RST) is turned on for the TCP connection.
D. dynamic routing is used instead of static routing.
Right answer: A. the source routing field is enabled.
Explanation: IP spoofing takes advantage of the source-routing option in the IP protocol. With this option enabled, an attacker can insert a spoofed source IP address. The packet will travel the network according to the information within the source-routing field, bypassing the logic in each router, including dynamic and static routing (choice D). Choices B

Question: An IS auditor reviewing access controls for a client-server environment should FIRST:
A. evaluate the encryption technique.
B. identify the network access points.
C. review the identity management system.
D. review the application level access controls.
Right answer: B. identify the network access points.
Explanation: A client-server environment typically contains several access points and utilizes distributed techniques, increasing the risk of unauthorized access to data and processing. To evaluate the security of the client server environment, all network access points should be identified. Evaluating encryption techniques, reviewing the identity

Question: In auditing a web server, an IS auditor should be concerned about the risk of individuals gaining unauthorized access to confidential information through:
A. common gateway interface (CGI) scripts.
B. enterprise Java beans (EJBs).
C. applets.
D. web services.
Right answer: A. common gateway interface (CGI) scripts.
Explanation: Common gateway interface (CGI) scripts are executable machine independent software programs on the server that can be called and executed by a web server page. CGI performs specific tasks such as processing inputs received from clients. The use of CGI scripts needs to be evaluated, because as they run in the server, a bug in them may allow a

Question: A virtual private network (VPN) provides data confidentiality by using:
A. Secure Sockets Layer (SSL)
B. Tunnelling
C. Digital signatures
D. Phishing
Right answer: B. Tunnelling
Explanation: VPNs secure data in transit by encapsulating traffic, a process known as tunnelling. SSL is a symmetric method of encryption between a server and a browser. Digital signatures are not used in the VPN process, while phishing is a form of a social engineering attack.

Question: An IS auditor reviewing wireless network security determines that the Dynamic Host Configuration Protocol is disabled at all wireless access points. This practice:
A. reduces the risk of unauthorized access to the network.
B. is not suitable for small networks.
C. automatically provides an IP address to anyone.
D. increases the risks associated with Wireless Encryption Protocol (WEP).
Right answer: A. reduces the risk of unauthorized access to the network.
Explanation: Dynamic Host Configuration Protocol (DHCP) automatically assigns IP addresses to anyone connected to the network. With DHCP disabled, static IP addresses must be used and represent less risk due to the potential for address contention between an unauthorized device and existing devices on the network. Choice B is incorrect because

Question: An investment advisor e-mails periodic newsletters to clients and wants reasonable assurance that no one has modified the newsletter. This objective can be achieved by:
A. encrypting the hash of the newsletter using the advisor’s private key.
B. encrypting the hash of the newsletter using the advisor’s public key.
C. digitally signing the document using the advisor’s private key.
D. encrypting the newsletter using the advisor’s private key.
Right answer: A. encrypting the hash of the newsletter using the advisor’s private key.
Explanation: There is no attempt on the part of the investment advisor to prove their identity or to keep the newsletter confidential. The objective is to assure the receivers that it came to them without any modification, i.e., it has message integrity. Choice A is correct because the hash is encrypted using the advisor’s private key. The recipients can open the

Question: An organization has a mix of access points that cannot be upgraded to stronger security and newer access points having advanced wireless security. An IS auditor recommends replacing the nonupgradeable access points. Which of the following would BEST justify the IS auditor’s recommendation?
A. The new access points with stronger security are affordable.
B. The old access points are poorer in terms of performance.
C. The organization’s security would be as strong as its weakest points.
D. The new access points are easier to manage.
Right answer: C. The organization’s security would be as strong as its weakest points.
Explanation: The old access points should be discarded and replaced with products having strong security; otherwise, they will leave security holes open for attackers and thus make the entire network as weak as they are. Affordability is not the IS auditor’s major concern. Performance is not as important as security in this

Question: Which of the following is a passive attack to a network?
A. Message modification
B. Masquerading
C. Denial of service
D. Traffic analysis
Right answer: D. Traffic analysis
Explanation: The intruder determines the nature of the flow of traffic (traffic analysis) between defined hosts and is able to guess the type of communication taking place. Message modification involves the capturing of a message and making unauthorized changes or deletions, changing the sequence or delaying transmission of captured messages. Masquerading

Question: Sending a message and a message hash encrypted by the sender’s private key will ensure:
A. authenticity and integrity.
B. authenticity and privacy.
C. integrity and privacy.
D. privacy and nonrepudiation.
Right answer: A. authenticity and integrity.
Explanation: If the sender sends both a message and a message hash encrypted by its private key, then the receiver can apply the sender’s public key to the hash and get the message hash. The receiver can apply the hashing algorithm to the message received and generate a hash. By matching the generated hash with the one received, the receiver is ensured that

Question: An organization can ensure that the recipients of e-mails from its employees can authenticate the identity of the sender by:
A. digitally signing all e-mail messages.
B. encrypting all e-mail messages.
C. compressing all e-mail messages.
D. password protecting all e-mail messages.
Right answer: A. digitally signing all e-mail messages.
Explanation: By digitally signing all e-mail messages, the receiver will be able to validate the authenticity of the sender. Encrypting all e-mail messages would ensure that only the intended recipient will be able to open the message; however, it would not ensure the authenticity of the sender. Compressing all e-mail messages would reduce the

Question: Two-factor authentication can be circumvented through which of the following attacks?
A. Denial-of-service
B. Man-in-the-middle
C. Key logging
D. Brute force
Right answer: B. Man-in-the-middle
Explanation: A man-in-the-middle attack is similar to piggybacking, in that the attacker pretends to be the legitimate destination, and then merely retransmits whatever is sent by the authorized user along with additional transactions after authentication has been accepted. A denial-of-service attack does not have a relationship to authentication. Key

Question: When conducting a penetration test of an organization’s internal network, which of the following approaches would BEST enable the conductor of the test to remain undetected on the network?
A. Use the IP address of an existing file server or domain controller.
B. Pause the scanning every few minutes to allow thresholds to reset.
C. Conduct the scans during evening hours when no one is logged-in.
D. Use multiple scanning tools since each tool has different characteristics.
Right answer: B. Pause the scanning every few minutes to allow thresholds to reset.
Explanation: Pausing the scanning every few minutes avoids overtaxing the network as well as exceeding thresholds that may trigger alert messages to the network administrator. Using the IP address of a server would result in an address contention that would attract attention. Conducting scans after hours would increase the chance of detection, since there

Question: Active radio frequency ID (RFID) tags are subject to which of the following exposures?
A. Session hijacking
B. Eavesdropping
C. Malicious code
D. Phishing
Right answer: B. Eavesdropping
Explanation: Like wireless devices, active RFID tags are subject to eavesdropping. They are by nature not subject to session hijacking, malicious code or phishing.

Question: Which of the following public key infrastructure (PKI) elements provides detailed descriptions for dealing with a compromised private key?
A. Certificate revocation list (CRL)
B. Certification practice statement (CPS)
C. Certificate policy (CP)
D. PKI disclosure statement (PDS)
Right answer: B. Certification practice statement (CPS)
Explanation: The CPS is the how-to part in policy-based PKI. The CRL is a list of certificates that have been revoked before their scheduled expiration date. The CP sets the requirements that are subsequently implemented by the CPS. The PDS covers critical items such as the warranties, limitations and obligations that legally bind each

Question: Which of the following antispam filtering techniques would BEST prevent a valid, variable-length e-mail message containing a heavily weighted spam keyword from being labeled as spam?
A. Heuristic (rule-based)
B. Signature-based
C. Pattern matching
D. Bayesian (statistical)
Right answer: D. Bayesian (statistical)
Explanation: Bayesian filtering applies statistical modeling to messages, by performing a frequency analysis on each word within the message and then evaluating the message as a whole. Therefore, it can ignore a suspicious keyword if the entire message is within normal bounds. Heuristic filtering is less effective, since new exception rules may

Question: The IS management of a multinational company is considering upgrading its existing virtual private network (VPN) to support voice-over IP (VoIP) communications via tunneling. Which of the following considerations should be PRIMARILY addressed?
A. Reliability and quality of service (QoS)
B. Means of authentication
C. Privacy of voice transmissions
D. Confidentiality of data transmissions
Right answer: A. Reliability and quality of service (QoS)
Explanation: The company currently has a VPN; issues such as authentication and confidentiality have been implemented by the VPN using tunneling. Privacy of voice transmissions is provided by the VPN protocol. Reliability and QoS are, therefore, the primary considerations to be addressed.

Question: Which of the following encryption techniques will BEST protect a wireless network from a man-in-the-middle attack?
A. 128-bit wired equivalent privacy (WEP)
B. MAC-based pre-shared key (PSK)
C. Randomly generated pre-shared key (PSK)
D. Alphanumeric service set identifier (SSID)
Right answer: C. Randomly generated pre-shared key (PSK)
Explanation: A randomly generated PSK is stronger than a MAC-based PSK, because the MAC address of a computer is fixed and often accessible. WEP has been shown to be a very weak encryption technique and can be cracked within minutes. The SSID is broadcast on the wireless network in plaintext.

Question: IS management recently replaced its existing wired local area network (LAN) with a wireless infrastructure to accommodate the increased use of mobile devices within the organization. This will increase the risk of which of the following attacks?
A. Port scanning
B. Back door
C. Man-in-the-middle
D. War driving
Right answer: D. War driving
Explanation: A war driving attack uses a wireless Ethernet card, set in promiscuous mode, and a powerful antenna to penetrate wireless systems from outside. Port scanning will often target the external firewall of the organization. A back door is an opening left in software that enables an unknown entry into a system. Man-in-the-middle attacks intercept a

Question: An IS auditor notes that IDS log entries related to port scanning are not being analyzed. This lack of analysis will MOST likely increase the risk of success of which of the following attacks?
A. Denial-of-service
B. Replay
C. Social engineering
D. Buffer overflow
Right answer: A. Denial-of-service
Explanation: Prior to launching a denial-of-service attack, hackers often use automatic port scanning software to acquire information about the subject of their attack. A replay attack is simply sending the same packet again. Social engineering exploits end-user vulnerabilities, and buffer overflow attacks exploit poorly written

Question: In transport mode, the use of the Encapsulating Security Payload (ESP) protocol is advantageous over the Authentication Header (AH) protocol because it provides:
A. connectionless integrity.
B. data origin authentication.
C. antireplay service.
D. confidentiality.
Right answer: D. confidentiality.
Explanation: Both protocols support choices A, B and C, but only the ESP protocol provides confidentiality via encryption.

Question: Validated digital signatures in an e-mail software application will:
A. help detect spam.
B. provide confidentiality.
C. add to the workload of gateway servers.
D. significantly reduce available bandwidth.
Right answer: A. help detect spam.
Explanation: Validated electronic signatures are based on qualified certificates that are created by a certification authority (CA), with the technical standards required to ensure the key can neither be forced nor reproduced in a reasonable time. Such certificates are only delivered through a registration authority (RA) after a proof of identity has been passed.

Question: Distributed denial-of-service (DDOS) attacks on Internet sites are typically evoked by hackers using which of the following?
A. Logic bombs
B. Phishing
C. Spyware
D. Trojan horses
Right answer: D. Trojan horses
Explanation: Trojan horses are malicious or damaging code hidden within an authorized computer program. Hackers use Trojans to mastermind DDOS attacks that affect computers that access the same Internet site at the same moment, resulting in overloaded site servers that may no longer be able to process legitimate requests. Logic bombs are programs

Question: When reviewing an intrusion detection system (IDS), an IS auditor should be MOST concerned about which of the following?
A. Number of nonthreatening events identified as threatening
B. Attacks not being identified by the system
C. Reports/logs being produced by an automated tool
D. Legitimate traffic being blocked by the system
Right answer: B. Attacks not being identified by the system
Explanation: Attacks not being identified by the system present a higher risk, because they are unknown and no action will be taken to address the attack. Although the number of false-positives is a serious issue, the problem will be known and can be corrected. Often, IDS reports are first analyzed by an automated tool to eliminate

Question: Over the long term, which of the following has the greatest potential to improve the security incident response process?
A. A walkthrough review of incident response procedures
B. Postevent reviews by the incident response team
C. Ongoing security training for users
D. Documenting responses to an incident
Right answer: B. Postevent reviews by the incident response team
Explanation: Postevent reviews to find the gaps and shortcomings in the actual incident response processes will help to improve the process over time. Choices A, C and D are desirable actions, but postevent reviews are the most reliable mechanism for improving security incident response processes.

Question: Which of the following provides the MOST relevant information for proactively strengthening security settings?
A. Bastion host
B. Intrusion detection system
C. Honeypot
D. Intrusion prevention system
Right answer: C. Honeypot
Explanation: The design of a honeypot is such that it lures the hacker and provides clues as to the hacker’s methods and strategies and the resources required to address such attacks. A bastion host does not provide information about an attack. Intrusion detection systems and intrusion prevention systems are designed to detect and address an attack in

Question: Confidentiality of the data transmitted in a wireless LAN is BEST protected if the session is:
A. restricted to predefined MAC addresses.
B. encrypted using static keys.
C. encrypted using dynamic keys.
D. initiated from devices that have encrypted storage.
Right answer: C. encrypted using dynamic keys.
Explanation: When using dynamic keys, the encryption key is changed frequently, thus reducing the risk of the key being compromised and the message being decrypted. Limiting the number of devices that can access the network does not address the issue of encrypting the session. Encryption with static keys, using the same key for a long period of

Question: In a public key infrastructure, a registration authority:
A. verifies information supplied by the subject requesting a certificate.
B. issues the certificate after the required attributes are verified and the keys are generated.
C. digitally signs a message to achieve nonrepudiation of the signed message.
D. registers signed messages to protect them from future repudiation.
Right answer: A. verifies information supplied by the subject requesting a certificate.
Explanation: A registration authority is responsible for verifying information supplied by the subject requesting a certificate, and verifies the requestor’s right to request certificate attributes and that the requestor actually possesses the private key corresponding to the public key being sent. Certification authorities, not registration authorities, actually

Question: What method might an IS auditor utilize to test wireless security at branch office locations?
A. War dialing
B. Social engineering
C. War driving
D. Password cracking
Right answer: C. War driving
Explanation: War driving is a technique for locating and gaining access to wireless networks by driving or walking with a wireless equipped computer around a building. War dialing is a technique for gaining access to a computer or a network through the dialing of defined blocks of telephone numbers, with the hope of getting an

Question: Which of the following is the MOST important action in recovering from a cyberattack?
A. Creation of an incident response team
B. Use of cyberforensic investigators
C. Execution of a business continuity plan
D. Filing an insurance claim
Right answer: C. Execution of a business continuity plan
Explanation: The most important key step in recovering from cyberattacks is the execution of a business continuity plan to quickly and cost-effectively recover critical systems, processes and data. The incident response team should exist prior to a cyberattack. When a cyberattack is suspected, cyberforensics investigators should be used to

Question: Which of the following is BEST suited for secure communications within a small group?
A. Key distribution center
B. Certification authority
C. Web of trust
D. Kerberos Authentication System
Right answer: C. Web of trust
Explanation: Web of trust is a key distribution method suitable for communication in a small group. It ensures pretty good privacy (PGP) and distributes the public keys of users within a group. Key distribution center is a distribution method suitable for internal communication for a large group within an institution, and it will distribute symmetric keys for each

Question: Disabling which of the following would make wireless local area networks more secure against unauthorized access?
A. MAC (Media Access Control) address filtering
B. WPA (Wi-Fi Protected Access Protocol)
C. LEAP (Lightweight Extensible Authentication Protocol)
D. SSID (service set identifier) broadcasting
Right answer: D. SSID (service set identifier) broadcasting
Explanation: Disabling SSID broadcasting adds security by making it more difficult for unauthorized users to find the name of the access point. Disabling MAC address filtering would reduce security. Using MAC filtering makes it more difficult to access a WLAN, because it would be necessary to catch traffic and forge

Question: Which of the following cryptographic systems is MOST appropriate for bulk data encryption and small devices such as smart cards?
A. DES
B. AES
C. Triple DES
D. RSA
Right answer: B. AES
Explanation: Advanced Encryption Standard (AES), a public algorithm that supports keys from 128 to 256 bits in size, not only provides good security, but provides speed and versatility across a variety of computer platforms. AES runs securely and efficiently on large computers, desktop computers and even small

Question: An efficient use of public key infrastructure (PKI) should encrypt the:
A. entire message.
B. private key.
C. public key.
D. symmetric session key.
Right answer: D. symmetric session key.
Explanation: Public key (asymmetric) cryptographic systems require larger keys (1,024 bits) and involve intensive and time-consuming computations. In comparison, symmetric encryption is considerably faster, yet relies on the security of the process for exchanging the secret key. To enjoy the benefits of both systems, a symmetric session key

Question: Which of the following ensures a sender’s authenticity and an e-mail’s confidentiality?
A. Encrypting the hash of the message with the sender’s private key and thereafter encrypting the hash of the message with the receiver’s public key
B. The sender digitally signing the message and thereafter encrypting the hash of the message with the sender’s private key
C. Encrypting the hash of the message with the sender’s private key and thereafter encrypting the message with the receiver’s public key.
D. Encrypting the message with the sender’s private key and encrypting the message hash with the receiver’s public key.
Right answer: C. Encrypting the hash of the message with the sender’s private key and thereafter encrypting the message with the receiver’s public key.
Explanation: To ensure authenticity and confidentiality, a message must be encrypted twice: first with the sender’s private key, and then with the receiver’s public key. The receiver can decrypt the message, thus ensuring confidentiality of the message. Thereafter, the decrypted message can be decrypted

Question: To detect attack attempts that the firewall is unable to recognize, an IS auditor should recommend placing a network intrusion detection system (IDS) between the:
A. Firewall and the organization’s network.
B. Internet and the firewall.
C. Internet and the web server.
D. Web server and the firewall.
Answer: A. Firewall and the organization’s network.

Question: Which of the following should be a concern to an IS auditor reviewing a wireless network?
A. 128-bit static-key WEP (Wired Equivalent Privacy) encryption is enabled.
B. SSID (Service Set IDentifier) broadcasting has been enabled.
C. Antivirus software has been installed in all wireless clients.
D. MAC (Media Access Control) access control filtering has been deployed.
Answer: B. SSID (Service Set IDentifier) broadcasting has been enabled.
Explanation: SSID broadcasting allows a user to browse for available wireless networks and to access them without authorization. Choices A, C and D are used to strengthen a wireless network.

Question: An IS auditor should be MOST concerned with what aspect of an authorized honeypot?
A. The data collected on attack methods
B. The information offered to outsiders on the honeypot
C. The risk that the honeypot could be used to launch further attacks on the organization’s infrastructure
D. The risk that the honeypot would be subject to a distributed denial-of-service attack
Answer: C. The risk that the honeypot could be used to launch further attacks on the organization’s infrastructure
Explanation: Choice C represents the organizational risk that the honeypot could be used as a point of access to launch further attacks on the enterprise’s systems. Choices A and B are purposes for deploying a honeypot, not a concern. Choice D, the risk that the honeypot would be subject to a distributed denial-of-service

Question: E-mail traffic from the Internet is routed via firewall-1 to the mail gateway. Mail is routed from the mail gateway, via firewall-2, to the mail recipients in the internal network. Other traffic is not allowed. For example, the firewalls do not allow direct traffic from the Internet to the internal network. The intrusion detection system (IDS) detects traffic for the internal network that did not originate from the mail gateway. The FIRST action triggered by the IDS should be to:
A. alert the appropriate staff.
B. create an entry in the log.
C. close firewall-2.
Answer: C. close firewall-2.

Question: Which of the following is a distinctive feature of the Secure Electronic Transactions (SET) protocol when used for electronic credit card payments?
A. The buyer is assured that neither the merchant nor any other party can misuse their credit card data.
B. All personal SET certificates are stored securely in the buyer’s computer.
C. The buyer is liable for any transaction involving his/her personal SET certificates.
D. The payment process is simplified, as the buyer is not required to enter a credit card number and expiration date.
Answer: C. The buyer is liable for any transaction involving his/her personal SET certificates.
Explanation: The usual agreement between the credit card issuer and the cardholder stipulates that the cardholder assumes responsibility for any use of their personal SET certificates for e-commerce transactions. Depending upon the agreement between the merchant and the buyer’s credit card issuer, the merchant will have access to the credit card number

Question: The role of the certificate authority (CA) as a third party is to:
A. provide secured communication and networking services based on certificates.
B. host a repository of certificates with the corresponding public and secret keys issued by that CA.
C. act as a trusted intermediary between two communication partners.
D. confirm the identity of the entity owning a certificate issued by that CA.
Answer: D. confirm the identity of the entity owning a certificate issued by that CA.
Explanation: The primary activity of a CA is to issue certificates. The primary role of the CA is to check the identity of the entity owning a certificate and to confirm the integrity of any certificate it issued. Providing a communication infrastructure is not a CA activity. The secret keys belonging to the certificates would not be archived at the CA. The CA can

Question: The PRIMARY objective of Secure Sockets Layer (SSL) is to ensure:
A. only the sender and receiver are able to encrypt/decrypt the data.
B. the sender and receiver can authenticate their respective identities.
C. the alteration of transmitted data can be detected.
D. the ability to identify the sender by generating a one-time session key.
Answer: A. only the sender and receiver are able to encrypt/decrypt the data.
Explanation: SSL generates a session key used to encrypt/decrypt the transmitted data, thus ensuring its confidentiality. Although SSL allows the exchange of X509 certificates to provide for identification and authentication, this feature along with choices C and D are not the primary objectives.

Question: Which of the following message services provides the strongest evidence that a specific action has occurred?
A. Proof of delivery
B. Nonrepudiation
C. Proof of submission
D. Message origin authentication
Answer: B. Nonrepudiation
Explanation: Nonrepudiation services provide evidence that a specific action occurred. Nonrepudiation services are similar to their weaker proof counterparts, i.e., proof of submission, proof of delivery and message origin authentication. However, nonrepudiation provides stronger evidence because the proof can be demonstrated to a third

Question: While copying files from a floppy disk, a user introduced a virus into the network. Which of the following would MOST effectively detect the existence of the virus?
A. A scan of all floppy disks before use
B. A virus monitor on the network file server
C. Scheduled daily scans of all network drives
D. A virus monitor on the user’s personal computer
Answer: C. Scheduled daily scans of all network drives
Explanation: Scheduled daily scans of all network drives will detect the presence of a virus after the infection has occurred. All of the other choices are controls designed to prevent a computer virus from infecting the system.

Question: Which of the following provides nonrepudiation services for e-commerce transactions?
A. Public key infrastructure (PKI)
B. Data Encryption Standard (DES)
C. Message authentication code (MAC)
D. Personal identification number (PIN)
Answer: A. Public key infrastructure (PKI)
Explanation: PKI is the administrative infrastructure for digital certificates and encryption key pairs. The qualities of an acceptable digital signature are: it is unique to the person using it; it is capable of verification; it is under the sole control of the person using it; and it is linked to data in such a manner that if data are changed, the digital signature is invalidated.

Question: The most common problem in the operation of an intrusion detection system (IDS) is:
A. the detection of false positives.
B. receiving trap messages.
C. reject-error rates.
D. denial-of-service attacks.
Answer: A. the detection of false positives.
Explanation: Because of the configuration and the way IDS technology operates, the main problem in operating IDSs is the recognition (detection) of events that are not really security incidents - false positives, the equivalent of a false alarm. An IS auditor needs to be aware of this and should check for implementation of related controls,

Question: The difference between a vulnerability assessment and a penetration test is that a vulnerability assessment:
A. searches and checks the infrastructure to detect vulnerabilities, whereas penetration testing intends to exploit the vulnerabilities to probe the damage that could result from the vulnerabilities.
B. and penetration tests are different names for the same activity.
C. is executed by automated tools, whereas penetration testing is a totally manual process.
D. is executed by commercial tools, whereas penetration testing is executed by public processes.
Answer: A. searches and checks the infrastructure to detect vulnerabilities, whereas penetration testing intends to exploit the vulnerabilities to probe the damage that could result from the vulnerabilities.
Explanation: The objective of a vulnerability assessment is to find the security holes in the computers and elements analyzed; its intent is not to damage the infrastructure. The intent of penetration testing is to imitate a hacker’s activities and determine how far they could go into the network. They are not the same; they have different approaches.

Question: An IS auditor performing detailed network assessments and access control reviews should FIRST:
A. determine the points of entry.
B. evaluate users’ access authorization.
C. assess users’ identification and authorization.
D. evaluate the domain-controlling server configuration.
Answer: A. determine the points of entry.
Explanation: In performing detailed network assessments and access control reviews, an IS auditor should first determine the points of entry to the system and review the points of entry accordingly for appropriate controls. Evaluation of user access authorization, assessment of user identification and authorization, and evaluation of

Question: The PRIMARY goal of a web site certificate is:
A. authentication of the web site that will be surfed.
B. authentication of the user who surfs through that site.
C. preventing surfing of the web site by hackers.
D. the same purpose as that of a digital certificate.
Answer: A. authentication of the web site that will be surfed.
Explanation: Authenticating the site to be surfed is the primary goal of a web certificate. Authentication of a user is achieved through passwords and not by a web site certificate. The site certificate does not prevent hacking nor does it authenticate a person.

Question: The Secure Sockets Layer (SSL) protocol addresses the confidentiality of a message through:
A. symmetric encryption.
B. message authentication code.
C. hash function.
D. digital signature certificates.
Answer: A. symmetric encryption.
Explanation: SSL uses a symmetric key for message encryption. A message authentication code is used for ensuring data integrity. Hash function is used for generating a message digest; it does not use public key encryption for message encryption. Digital signature certificates are used by SSL for server authentication.

Question: If inadequate, which of the following would be the MOST likely contributor to a denial-of-service attack?
A. Router configuration and rules
B. Design of the internal network
C. Updates to the router system software
D. Audit testing and review techniques
Answer: A. Router configuration and rules
Explanation: Inadequate router configuration and rules would lead to an exposure to denial-of-service attacks. Choices B and C would be lesser contributors. Choice D is incorrect because audit testing and review techniques are applied after the fact.

Question: Which of the following is a concern when data are transmitted through Secure Sockets Layer (SSL) encryption, implemented on a trading partner’s server?
A. The organization does not have control over encryption.
B. Messages are subjected to wire tapping.
C. Data might not reach the intended recipient.
D. The communication may not be secure.
Answer: A. The organization does not have control over encryption.
Explanation: The SSL security protocol provides data encryption, server authentication, message integrity and optional client authentication. Because SSL is built into all major browsers and web servers, simply installing a digital certificate turns on the SSL capabilities. SSL encrypts the datum while it is being transmitted over the

Question: Which of the following internet security threats could compromise integrity?
A. Theft of data from the client
B. Exposure of network configuration information
C. A Trojan horse browser
D. Eavesdropping on the net
Answer: C. A Trojan horse browser
Explanation: Internet security threats/vulnerabilities to integrity include a Trojan horse, which could modify user data, memory and messages found in client-browser software. The other options compromise confidentiality.

Question: Which of the following provides the GREATEST assurance of message authenticity?
A. The prehash code is derived mathematically from the message being sent.
B. The prehash code is encrypted using the sender’s private key.
C. The prehash code and the message are encrypted using the secret key.
D. The sender attains the recipient’s public key and verifies the authenticity of its digital certificate with a certificate authority.
Answer: B. The prehash code is encrypted using the sender’s private key.
Explanation: Encrypting the prehash code using the sender’s private key provides assurance of the authenticity of the message. Mathematically deriving the prehash code provides integrity to the message. Encrypting the prehash code and the message using the secret key provides confidentiality.

Question: Which of the following is the MOST reliable sender authentication method?
A. Digital signatures
B. Asymmetric cryptography
C. Digital certificates
D. Message authentication code
Answer: C. Digital certificates
Explanation: Digital certificates are issued by a trusted third party. The message sender attaches the certificate and the recipient can verify authenticity with the certificate repository. Asymmetric cryptography, such as public key infrastructure (PKI), appears to authenticate the sender but is vulnerable to a man-in-the-middle attack. Digital signatures are used for

Question: Which of the following implementation modes would provide the GREATEST amount of security for outbound data connecting to the internet?
A. Transport mode with authentication header (AH) plus encapsulating security payload (ESP)
B. Secure Sockets Layer (SSL) mode
C. Tunnel mode with AH plus ESP
D. Triple-DES encryption mode
Answer: C. Tunnel mode with AH plus ESP
Explanation: Tunnel mode provides protection to the entire IP package. To accomplish this, AH and ESP services can be nested. The transport mode provides primary protection for the higher layers of the protocols by extending protection to the data fields (payload) of an IP package. The SSL mode provides security to the higher communication

Question: Which of the following would an IS auditor consider a weakness when performing an audit of an organization that uses a public key infrastructure with digital certificates for its business-to-consumer transactions via the internet?
A. Customers are widely dispersed geographically, but the certificate authorities are not.
B. Customers can make their transactions from any computer or mobile device.
C. The certificate authority has several data processing subcenters to administer certificates.
D. The organization is the owner of the certificate authority.
Answer: D. The organization is the owner of the certificate authority.
Explanation: If the certificate authority belongs to the same organization, this would generate a conflict of interest. That is, if a customer wanted to repudiate a transaction, they could allege that because of the shared interests, an unlawful agreement exists between the parties generating the certificates, if a customer wanted to repudiate a transaction, they could

Question: Applying a digital signature to data traveling in a network provides:
A. confidentiality and integrity.
B. security and nonrepudiation.
C. integrity and nonrepudiation.
D. confidentiality and nonrepudiation.
Answer: C. integrity and nonrepudiation.
Explanation: The process of applying a mathematical algorithm to the data that travel in the network and placing the results of this operation with the hash data is used for controlling data integrity, since any unauthorized modification to this data would result in a different hash. The application of a digital signature would accomplish the nonrepudiation of the

Question: Which of the following functions is performed by a virtual private network (VPN)?
A. Hiding information from sniffers on the net
B. Enforcing security policies
C. Detecting misuse or mistakes
D. Regulating access
Answer: A. Hiding information from sniffers on the net
Explanation: A VPN hides information from sniffers on the net using encryption. It works based on tunneling. A VPN does not analyze information packets and, therefore, cannot enforce security policies; it also does not check the content of packets, so it cannot detect misuse or mistakes. A VPN also does not perform an authentication function and,

Question: The potential for unauthorized system access by way of terminals or workstations within an organization’s facility is increased when:
A. connecting points are available in the facility to connect laptops to the network.
B. users take precautions to keep their passwords confidential.
C. terminals with password protection are located in insecure locations.
D. terminals are located within the facility in small clusters under the supervision of an administrator.
Answer: A. connecting points are available in the facility to connect laptops to the network.
Explanation: Any person with wrongful intentions can connect a laptop to the network. The insecure connecting points make unauthorized access possible if the individual has knowledge of a valid user ID and password. The other choices are controls for preventing unauthorized network access. If system passwords are not readily available for intruders

Question: Which of the following is the MOST secure and economical method for connecting a private network over the Internet in a small- to medium-sized organization?
A. Virtual private network
B. Dedicated line
C. Leased line
D. Integrated services digital network
Answer: A. Virtual private network
Explanation: The most secure method is a virtual private network (VPN), using encryption, authentication and tunneling to allow data to travel securely from a private network to the internet. Choices B, C and D are network connectivity options that are normally too expensive to be practical for small- to medium-sized organizations.

Question: An organization is considering connecting a critical PC-based system to the Internet. Which of the following would provide the BEST protection against hacking?
A. An application-level gateway
B. A remote access server
C. A proxy server
D. Port scanning
Answer: A. An application-level gateway
Explanation: An application-level gateway is the best way to protect against hacking because it can define with detail rules that describe the type of user or connection that is or is not permitted; it analyzes in detail each package, not only in layers one through four of the OSI model but also layers five through seven, which means that it reviews

Question: E-mail message authenticity and confidentiality is BEST achieved by signing the message using the:
A. sender’s private key and encrypting the message using the receiver’s public key.
B. sender’s public key and encrypting the message using the receiver’s private key.
C. receiver’s private key and encrypting the message using the sender’s public key.
D. receiver’s public key and encrypting the message using the sender’s private key.
Answer: A. sender’s private key and encrypting the message using the receiver’s public key.
Explanation: By signing the message with the sender’s private key, the receiver can verify its authenticity using the sender’s public key. By encrypting the message with the receiver’s public key, only the receiver can decrypt the message using their own private key. The receiver’s private key is confidential and, therefore, unknown to the sender. Messages

Question: Use of asymmetric encryption in an internet e-commerce site, where there is one private key for the hosting server and the public key is widely distributed to the customers, is MOST likely to provide comfort to the:
A. customer over the authenticity of the hosting organization.
B. hosting organization over the authenticity of the customer.
C. customer over the confidentiality of messages from the hosting organization.
D. hosting organization over the confidentiality of messages passed to the customer.
Answer: A. customer over the authenticity of the hosting organization.
Explanation: Any false site will not be able to encrypt using the private key of the real organization, so the customer would not be able to decrypt the message using the public key. Many customers have access to the same public key so the host cannot use this mechanism to ensure the authenticity of the customer. The customer cannot be assured of

Question: Which of the following encrypt/decrypt steps provides the GREATEST assurance of achieving confidentiality, message integrity and nonrepudiation by either sender or recipient?
A. The recipient uses their private key to decrypt the secret key.
B. The encrypted prehash code and the message are encrypted using a secret key.
C. The encrypted prehash code is derived mathematically from the message to be sent.
D. The recipient uses the sender’s public key, verified with a certificate authority, to decrypt the prehash code.
Answer: D. The recipient uses the sender’s public key, verified with a certificate authority, to decrypt the prehash code.
Explanation: Most encrypted transactions use a combination of private keys, public keys, secret keys, hash functions and digital certificates to achieve confidentiality, message integrity and nonrepudiation by either sender or recipient. The recipient uses the sender’s public key to decrypt the prehash code into a posthash code, which when equaling the

Question: When planning an audit of a network setup, an IS auditor should give highest priority to obtaining which of the following network documentation?
A. Wiring and schematic diagram
B. Users’ lists and responsibilities
C. Application lists and their details
D. Backup and recovery procedures
Answer: A. Wiring and schematic diagram
Explanation: The wiring and schematic diagram of the network is necessary to carry out a network audit. A network audit may not be feasible if a network wiring and schematic diagram is not available. All other documents are important but not necessary.

Question: During an audit of an enterprise that is dedicated to e-commerce, the IS manager states that digital signatures are used when receiving communications from customers. To substantiate this, an IS auditor must prove that which of the following is used?
A. A biometric, digitalized and encrypted parameter with the customer’s public key
B. A hash of the data that is transmitted and encrypted with the customer’s private key
C. A hash of the data that is transmitted and encrypted with the customer’s public key
D. The customer’s scanned signature encrypted with the customer’s public key
Answer: B. A hash of the data that is transmitted and encrypted with the customer’s private key
Explanation: The calculation of a hash, or digest, of the data that are transmitted and its encryption require the public key of the client (receiver) and is called a signature of the message, or digital signature. The receiver performs the same process and then compares the received hash, once it has been decrypted with their private key, to the

Question: Which of the following controls would be the MOST comprehensive in a remote access network with multiple and diverse subsystems?
A. Proxy server
B. Firewall installation
C. Network administrator
D. Password implementation and administration
Right answer: D. Password implementation and administration
Explanation: The most comprehensive control in this situation is password implementation and administration. While firewall installations are the primary line of defense, they cannot protect all access and, therefore, an element of risk remains. A proxy server is a type of firewall installation; thus, the same rules apply. The network administrator may serve as a control, (cut off in source)

Question: An internet-based attack using password sniffing can:
A. enable one party to act as if they are another party.
B. cause modification to the contents of certain transactions.
C. be used to gain access to systems containing proprietary information.
D. result in major problems with billing systems and transaction processing agreements.
Right answer: C. be used to gain access to systems containing proprietary information.
Explanation: Password sniffing attacks can be used to gain access to systems on which proprietary information is stored. Spoofing attacks can be used to enable one party to act as if they are another party. Data modification attacks can be used to modify the contents of certain transactions. Repudiation of transactions can cause major problems with billing systems and (cut off in source)

Question: During an audit of a telecommunications system, an IS auditor finds that the risk of intercepting data transmitted to and from remote sites is very high. The MOST effective control for reducing this exposure is:
A. encryption.
B. callback modems.
C. message authentication.
D. dedicated leased lines.
Right answer: A. encryption.
Explanation: Encryption of data is the most secure method. The other methods are less secure, with leased lines being possibly the least secure method.

Question: The technique used to ensure security in virtual private networks (VPNs) is:
A. encapsulation.
B. wrapping.
C. transform.
D. encryption.
Right answer: A. encapsulation.
Explanation: Encapsulation, or tunneling, is a technique used to carry the traffic of one protocol over a network that does not support that protocol directly. The original packet is wrapped in another packet. The other choices are not security techniques specific to VPNs.

Question: When using public key encryption to secure data being transmitted across a network:
A. both the key used to encrypt and decrypt the data are public.
B. the key used to encrypt is private, but the key used to decrypt the data is public.
C. the key used to encrypt is public, but the key used to decrypt the data is private.
D. both the key used to encrypt and decrypt the data are private.
Right answer: C. the key used to encrypt is public, but the key used to decrypt the data is private.
Explanation: Public key encryption, also known as asymmetric key cryptography, uses a public key to encrypt the message and a private key to decrypt it.

Question: Which of the following is the MOST effective type of antivirus software?
A. Scanners
B. Active monitors
C. Integrity checkers
D. Vaccines
Right answer: C. Integrity checkers
Explanation: Integrity checkers compute a binary number on a known virus-free program that is then stored in a database file. This number is called a cyclical redundancy check (CRC). When that program is called to execute, the checker computes the CRC on the program about to be executed and compares it to the number in the database. A (cut off in source)

Question: An IS auditor performing a telecommunication access control review should be concerned PRIMARILY with the:
A. maintenance of access logs of usage of various system resources.
B. authorization and authentication of the user prior to granting access to system resources.
C. adequate protection of stored data on servers by encryption or other means.
D. accountability system and the ability to identify any terminal accessing system resources.
Right answer: B. authorization and authentication of the user prior to granting access to system resources.
Explanation: The authorization and authentication of users is the most significant aspect in a telecommunications access control review, as it is a preventive control. Weak controls at this level can affect all other aspects. The maintenance of access logs of usage of system resources is a detective control. The adequate protection of data being transmitted (cut off in source)

Question: Which of the following is a feature of an intrusion detection system (IDS)?
A. Gathering evidence on attack attempts
B. Identifying weaknesses in the policy definition
C. Blocking access to particular sites on the Internet
D. Preventing certain users from accessing specific servers
Right answer: A. Gathering evidence on attack attempts
Explanation: An IDS can gather evidence on intrusive activity such as an attack or penetration attempt. Identifying weaknesses in the policy definition is a limitation of an IDS. Choices C and D are features of firewalls, while choice B requires a manual review, and therefore is outside the functionality of an IDS.

Question: Which of the following controls would BEST detect intrusion?
A. User IDs and user privileges are granted through authorized procedures.
B. Automatic logoff is used when a workstation is inactive for a particular period of time.
C. Automatic logoff of the system occurs after a specified number of unsuccessful attempts.
D. Unsuccessful logon attempts are monitored by the security administrator.
Right answer: D. Unsuccessful logon attempts are monitored by the security administrator.
Explanation: Intrusion is detected by the active monitoring and review of unsuccessful logons. User IDs and the granting of user privileges define a policy, not a control. Automatic logoff is a method of preventing access on inactive terminals and is not a detective control. Unsuccessful attempts to log on are a method for preventing intrusion, not detecting.

Question: Which of the following is a technique that could be used to capture network user passwords?
A. Encryption
B. Sniffing
C. Spoofing
D. Data destruction
Right answer: B. Sniffing
Explanation: Sniffing is an attack that can be used to capture sensitive pieces of information (e.g., a password) passing through the network. Encryption is a method of scrambling information to prevent unauthorized individuals from understanding the transmission. Spoofing is forging an address and inserting it into a packet to disguise the origin of the communication. Data (cut off in source)

Question: Which of the following should concern an IS auditor when reviewing security in a client-server environment?
A. Protecting data using an encryption technique
B. Preventing unauthorized access using a diskless workstation
C. The ability of users to access and modify the database directly
D. Disabling floppy drives on the users' machines
Right answer: C. The ability of users to access and modify the database directly
Explanation: For the purpose of data security in a client-server environment, an IS auditor should be concerned with the users' ability to access and modify a database directly. This could affect the integrity of the data in the database. Data protected by encryption aids in securing the data. Diskless workstations prevent copying of data into local (cut off in source)

Question: An IS auditor doing penetration testing during an audit of internet connections would:
A. evaluate configurations.
B. examine security settings.
C. ensure virus-scanning software is in use.
D. use tools and techniques available to a hacker.
Right answer: D. use tools and techniques available to a hacker.
Explanation: Penetration testing is a technique used to mimic an experienced hacker attacking a live site by using tools and techniques available to a hacker. The other choices are procedures that an IS auditor would consider undertaking during an audit of Internet connections, but are not aspects of penetration testing techniques.

Question: The feature of a digital signature that ensures the sender cannot later deny generating and sending the message is called:
A. data integrity.
B. authentication.
C. non repudiation.
D. replay protection.
Right answer: C. non repudiation.
Explanation: All of the above are features of a digital signature. Non repudiation ensures that the claimed sender cannot later deny generating and sending the message. Data integrity refers to changes in the plaintext message that would result in the recipient failing to compute the same message hash. Since only the claimed sender has (cut off in source)

Question: Digital signatures require the:
A. signer to have a public key and the receiver to have a private key.
B. signer to have a private key and the receiver to have a public key.
C. signer and receiver to have a public key.
D. signer and receiver to have a private key.
Right answer: B. signer to have a private key and the receiver to have a public key.
Explanation: Digital signatures are intended to verify to a recipient the integrity of the data and the identity of the sender. The digital signature standard is a public key algorithm. This requires the signer to have a private key and the receiver to have a public key.

Question: A TCP/IP-based environment is exposed to the Internet. Which of the following BEST ensures that complete encryption and authentication protocols exist for protecting information while transmitted?
A. Work is completed in tunnel mode with IP security using the nested services of authentication header (AH) and encapsulating security payload (ESP).
B. A digital signature with RSA has been implemented.
C. Digital certificates with RSA are being used.
D. Work is being completed in TCP services.
Right answer: A. Work is completed in tunnel mode with IP security using the nested services of authentication header (AH) and encapsulating security payload (ESP).
Explanation: Tunnel mode with IP security provides encryption and authentication of the complete IP package. To accomplish this, the AH and ESP services can be nested. Choices B and C provide authentication and integrity. TCP services do not provide encryption and authentication.

Question: Which of the following manages the digital certificate life cycle to ensure adequate security and controls exist in digital signature applications related to e-commerce?
A. Registration authority
B. Certificate authority (CA)
C. Certification relocation list
D. Certification practice statement
Right answer: B. Certificate authority (CA)
Explanation: The certificate authority (CA) maintains a directory of digital certificates for the reference of those receiving them; it manages the certificate life cycle, including certificate directory maintenance and certificate revocation list maintenance and publication. Choice A is not correct because a registration authority is an optional entity that is (cut off in source)

Question: A digital signature contains a message digest to:
A. show if the message has been altered after transmission.
B. define the encryption algorithm.
C. confirm the identity of the originator.
D. enable message transmission in a digital format.
Right answer: A. show if the message has been altered after transmission.
Explanation: The message digest is calculated and included in a digital signature to prove that the message has not been altered. It should be the same value as a recalculation performed upon receipt. It does not define the algorithm or enable the transmission in digital format and has no effect on the identity of the user; it is there to ensure integrity rather than (cut off in source)

Question: Which of the following concerns associated with the World Wide Web would be addressed by a firewall?
A. Unauthorized access from outside the organization
B. Unauthorized access from within the organization
C. A delay in Internet connectivity
D. A delay in downloading using File Transfer Protocol (FTP)
Right answer: A. Unauthorized access from outside the organization
Explanation: Firewalls are meant to prevent outsiders from gaining access to an organization's computer systems through the internet gateway. They form a barrier with the outside world, but are not intended to address access by internal users; they are more likely to cause delays than address such concerns.

Question: Which of the following components is responsible for the collection of data in an intrusion detection system (IDS)?
A. Analyzer
B. Administration console
C. User interface
D. Sensor
Right answer: D. Sensor
Explanation: Sensors are responsible for collecting data. Analyzers receive input from sensors and determine intrusive activity. An administration console and a user interface are components of an IDS.

Question: During what process should router access control lists be reviewed?
A. Environmental review
B. Network security review
C. Business continuity review
D. Data integrity review
Right answer: B. Network security review
Explanation: Network security reviews include reviewing router access control lists, port scanning, internal and external connections to the system, etc. Environmental reviews, business continuity reviews and data integrity reviews do not require a review of the router access control lists.

Question: The security level of a private key system depends on the number of:
A. encryption key bits.
B. messages sent.
C. keys.
D. channels used.
Right answer: A. encryption key bits.
Explanation: The security level of a private key system depends on the number of encryption key bits. The larger the number of bits, the more difficult it would be to understand or determine the algorithm. The security of the message will depend on the encryption key bits used. More than keys by themselves, the algorithm and its (cut off in source)

Question: Transmitting redundant information with each character or frame to facilitate detection and correction of errors is called a:
A. feedback error control.
B. block sum check.
C. forward error control.
D. cyclic redundancy check.
Right answer: C. forward error control.
Explanation: Forward error control involves transmitting additional redundant information with each character or frame to facilitate detection and correction of errors; in feedback error control, only enough additional information is transmitted so the receiver can identify that an error has occurred. Choices B and D are both error detection methods but (cut off in source)

Question: Which of the following is an example of a passive attack initiated through the Internet?
A. Traffic analysis
B. Masquerading
C. Denial of service
D. E-mail spoofing
Right answer: A. Traffic analysis
Explanation: Internet security threats/vulnerabilities are divided into passive and active attacks. Examples of passive attacks include network analysis, eavesdropping and traffic analysis. Active attacks include brute force attacks, masquerading, packet replay, message modification, unauthorized access through the Internet or (cut off in source)

Question: The PRIMARY reason for using digital signatures is to ensure data:
A. confidentiality.
B. integrity.
C. availability.
D. timeliness.
Right answer: B. integrity.
Explanation: Digital signatures provide integrity because the digital signature of a signed message (file, mail, document, etc.) changes every time a single bit of the document changes; thus, a signed document cannot be altered. Depending on the mechanism chosen to implement a digital signature, the mechanism might be (cut off in source)

Question: Which of the following would be of MOST concern to an IS auditor reviewing a virtual private network (VPN) implementation? Computers on the network that are located:
A. on the enterprise's internal network.
B. at the backup site.
C. in employees' homes.
D. at the enterprise's remote offices.
Right answer: C. in employees' homes.
Explanation: One risk of a virtual private network (VPN) implementation is the chance of allowing high-risk computers onto the enterprise's network. All machines that are allowed onto the virtual network should be subject to the same security policy. Home computers are least subject to the corporate security policies, and (cut off in source)

Question: Which of the following antivirus software implementation strategies would be the MOST effective in an interconnected corporate network?
A. Server antivirus software
B. Virus walls
C. Workstation antivirus software
D. Virus signature updating
Right answer: B. Virus walls
Explanation: An important means of controlling the spread of viruses is to detect the virus at the point of entry, before it has an opportunity to cause damage. In an interconnected corporate network, virus scanning software, used as an integral part of firewall technologies, is referred to as a virus wall. Virus walls scan incoming traffic with the (cut off in source)

Question: To ensure message integrity, confidentiality and non repudiation between two parties, the MOST effective method would be to create a message digest by applying a cryptographic hashing algorithm against:
A. the entire message, enciphering the message digest using the sender's private key, enciphering the message with a symmetric key and enciphering the key by using the receiver's public key.
B. any part of the message, enciphering the message digest using the sender's private key, enciphering the message with a symmetric key and enciphering the key using the receiver's public key.
C. the entire message, enciphering the message digest using the sender's private key, enciphering the message with a symmetric key and enciphering both the encrypted message and digest using the receiver's public key.
D. the entire message, enciphering the message digest using the sender's private key and enciphering the message using the receiver's public key.
Right answer: A. the entire message, enciphering the message digest using the sender's private key, enciphering the message with a symmetric key and enciphering the key by using the receiver's public key.
Explanation: Applying a cryptographic hashing algorithm against the entire message addresses the message integrity issue. Enciphering the message digest using the sender's private key addresses non repudiation. Encrypting the message with a symmetric key, thereafter allowing the key to be enciphered using the receiver's public key, most (cut off in source)

Question: Which of the following would be the BEST overall control for an Internet business looking for confidentiality, reliability and integrity of data?
A. Secure Sockets Layer (SSL)
B. Intrusion detection system (IDS)
C. Public key infrastructure (PKI)
D. Virtual private network (VPN)
Right answer: C. Public key infrastructure (PKI)
Explanation: PKI would be the best overall technology because cryptography provides for encryption, digital signatures and non repudiation controls for confidentiality and reliability. SSL can provide confidentiality. IDS is a detective control. A VPN would provide confidentiality and authentication (reliability).

Question: Which of the following is the GREATEST advantage of elliptic curve encryption over RSA encryption?
A. Computation speed
B. Ability to support digital signatures
C. Simpler key distribution
D. Greater strength for a given key length
Right answer: A. Computation speed
Explanation: The main advantage of elliptic curve encryption over RSA encryption is its computation speed. This method was first independently suggested by Neal Koblitz and Victor S. Miller. Both encryption methods support digital signatures and are used for public key encryption and distribution. However, a stronger key per se does not necessarily (cut off in source)

Question: Which of the following results in a denial-of-service attack?
A. Brute force attack
B. Ping of death
C. Leapfrog attack
D. Negative acknowledgement (NAK) attack
Right answer: B. Ping of death
Explanation: The use of Ping with a packet size higher than 65 KB and no fragmentation flag on will cause a denial of service. A brute force attack is typically a text attack that exhausts all possible key combinations. A leapfrog attack, the act of telneting through one or more hosts to preclude a trace, makes use of user ID and password information obtained illicitly from (cut off in source)

Question: A certificate authority (CA) can delegate the processes of:
A. revocation and suspension of a subscriber's certificate.
B. generation and distribution of the CA public key.
C. establishing a link between the requesting entity and its public key.
D. issuing and distributing subscriber certificates.
Right answer: C. establishing a link between the requesting entity and its public key.
Explanation: Establishing a link between the requesting entity and its public key is a function of a registration authority. This may or may not be performed by a CA; therefore, this function can be delegated. Revocation and suspension and issuance and distribution of the subscriber certificate are functions of the subscriber certificate (cut off in source)

Question: Which of the following acts as a decoy to detect active internet attacks?
A. Honeypots
B. Firewalls
C. Trapdoors
D. Traffic analysis
Right answer: A. Honeypots
Explanation: Honeypots are computer systems that are expressly set up to attract and trap individuals who attempt to penetrate other individuals' computer systems. The concept of a honeypot is to learn from intruders' actions. A properly designed and configured honeypot provides data on methods used to attack systems. The (cut off in source)

Question: Which of the following append themselves to files as a protection against viruses?
A. Behavior blockers
B. Cyclical redundancy checkers (CRCs)
C. Immunizers
D. Active monitors
Right answer: C. Immunizers
Explanation: Immunizers defend against viruses by appending sections of themselves to files. They continuously check the file for changes and report changes as possible viral behavior. Behavior blockers focus on detecting potentially abnormal behavior, such as writing to the boot sector or the master boot record, or making changes to executable files. Cyclical

Question: Which of the following virus prevention techniques can be implemented through hardware?
A. Remote booting
B. Heuristic scanners
C. Behavior blockers
D. Immunizers
Right answer: A. Remote booting
Explanation: Remote booting (e.g., diskless workstations) is a method of preventing viruses, and can be implemented through hardware. Choice C is a detection, not a prevention, although it is hardware-based. Choices B and D are not hardware-based.

Question: The MOST important success factor in planning a penetration test is:
A. the documentation of the planned testing procedure.
B. scheduling and deciding on the timed length of the test.
C. the involvement of the management of the client organization.
D. the qualifications and experience of staff involved in the test.
Right answer: C. the involvement of the management of the client organization.
Explanation: The most important part of planning any penetration test is the involvement of the management of the client organization. Penetration testing without management approval could reasonably be considered espionage and is illegal in many jurisdictions.

Question: Which of the following cryptography options would increase overhead/cost?
A. The encryption is symmetric rather than asymmetric.
B. A long asymmetric encryption key is used.
C. The hash is encrypted rather than the message.
D. A secret key is used.
Right answer: B. A long asymmetric encryption key is used.
Explanation: Computer processing time is increased for longer asymmetric encryption keys, and the increase may be disproportionate. For example, one benchmark showed that doubling the length of an RSA key from 512 bits to 1,024 bits caused the decrypt time to increase nearly six-fold. An asymmetric algorithm requires more processing time than

Question: The MOST important difference between hashing and encryption is that hashing:
A. is irreversible.
B. output is the same length as the original message.
C. is concerned with integrity and security.
D. is the same at the sending and receiving end.
Right answer: A. is irreversible.
Explanation: Hashing works one way; by applying a hashing algorithm to a message, a message hash/digest is created. If the same hashing algorithm is applied to the message digest, it will not result in the original message. As such, hashing is irreversible, while encryption is reversible. This is the basic difference between hashing and encryption. Hashing creates an

Question: Which of the following intrusion detection systems (IDSs) monitors the general patterns of activity and traffic on a network and creates a database?
A. Signature-based
B. Neural networks-based
C. Statistical-based
D. Host-based
Right answer: B. Neural networks-based
Explanation: The neural networks-based IDS monitors the general patterns of activity and traffic on the network and creates a database. This is similar to the statistical model but has the added function of self-learning. Signature-based systems are a type of IDS in which the intrusive patterns identified are stored in the form of signatures. These IDS systems

Question: What would be the MOST effective control for enforcing accountability among database users accessing sensitive information?
A. implement a log management process
B. implement a two-factor authentication
C. Use table views to access sensitive data
D. Separate database and application servers
Right answer: A. implement a log management process
Explanation: Accountability means knowing what is being done by whom. The best way to enforce the principle is to implement a log management process that would create and store logs with pertinent information such as user name, type of transaction and hour. Choice B, implementing a two-factor authentication, and choice C,

Question: An organization has created a policy that defines the types of web sites that users are forbidden to access. What is the MOST effective technology to enforce this policy?
A. Stateful inspection firewall
B. Web content filter
C. Web cache server
D. Proxy server
Right answer: B. Web content filter
Explanation: A web content filter accepts or denies web communications according to the configured rules. To help the administrator properly configure the tool, organizations and vendors have made available URL blacklists and classifications for millions of web sites. A stateful inspection firewall is of little help in filtering web traffic since

Question: The responsibility for authorizing access to a business application system belongs to the:
A. data owner.
B. security administrator.
C. IT security manager.
D. requestor’s immediate supervisor.
Right answer: A. data owner.
Explanation: When a business application is developed, the best practice is to assign an information or data owner to the application. The information owner should be responsible for authorizing access to the application itself or to back-end databases for queries. Choices B and C are not correct because the security administrator and manager

Question: Which of the following should an IS auditor recommend for the protection of specific sensitive information stored in the data warehouse?
A. implement column- and row-level permissions
B. Enhance user authentication via strong passwords
C. Organize the data warehouse into subject matter-specific databases
D. Log user access to the data warehouse
Right answer: A. implement column- and row-level permissions
Explanation: Choice A specifically addresses the question of sensitive data by controlling what information users can access. Column-level security prevents users from seeing one or more attributes on a table. With row-level security a certain grouping of information on a table is restricted; e.g., if a table held details of employee salaries, then a

Question: Which of the following would MOST effectively enhance the security of a challenge-response based authentication system?
A. Selecting a more robust algorithm to generate challenge strings
B. implementing measures to prevent session hijacking attacks
C. increasing the frequency of associated password changes
D. increasing the length of authentication strings
Right answer: B. implementing measures to prevent session hijacking attacks
Explanation: Challenge response-based authentication is prone to session hijacking or man-in-the-middle attacks. Security management should be aware of this and engage in risk assessment and control design when they employ this technology. Selecting a more robust algorithm will enhance the security; however, this may not be as important in terms of risk when

Question: An IS auditor has completed a network audit. Which of the following is the MOST significant logical security finding?
A. Network workstations are not disabled automatically after a period of inactivity.
B. Wiring closets are left unlocked.
C. Network operating manuals and documentation are not properly secured.
D. Network components are not equipped with an uninterruptible power supply.
Right answer: A. Network workstations are not disabled automatically after a period of inactivity.
Explanation: Choice A is the only logical security finding. Network logical security controls should be in place to restrict, identify, and report authorized and unauthorized users of the network. Disabling inactive workstations restricts users of the network. Choice D is an environmental issue and choices B and C are physical security

Question: An IS auditor should expect the responsibility for authorizing access rights to production data and systems to be entrusted to the:
A. process owners.
B. system administrators.
C. security administrator.
D. data owners.
Right answer: D. data owners.
Explanation: Data owners are primarily responsible for safeguarding the data and authorizing access to production data on a need-to-know basis.

Question: What should be the GREATEST concern to an IS auditor when employees use portable media (MP3 players, flash drives)?
A. The copying of sensitive data on them
B. The copying of songs and videos on them
C. The cost of these devices multiplied by all the employees could be high
D. They facilitate the spread of malicious code through the corporate network
Right answer: A. The copying of sensitive data on them
Explanation: The MAIN concern with MP3 players and flash drives is data leakage, especially sensitive information. This could occur if the devices were lost or stolen. The risk when copying songs and videos is copyright infringement, but this is normally a less important risk than information leakage. Choice C is hardly an issue because

Question: An organization is using an enterprise resource management (ERP) application. Which of the following would be an effective access control?
A. User-level permissions
B. Role-based
C. Fine-grained
D. Discretionary
Right answer: B. Role-based
Explanation: Role-based access controls the system access by defining roles for a group of users. Users are assigned to the various roles and the access is granted based on the user’s role. User-level permissions for an ERP system would create a larger administrative overhead. Fine-grained access control is very difficult to implement and

Question: A technical lead who was working on a major project has left the organization. The project manager reports suspicious system activities on one of the servers that is accessible to the whole team. What would be of GREATEST concern if discovered during a forensic investigation?
A. Audit logs are not enabled for the system
B. A logon ID for the technical lead still exists
C. Spyware is installed on the system
D. A Trojan is installed on the system
Right answer: A. Audit logs are not enabled for the system
Explanation: Audit logs are critical to the investigation of the event; however, if not enabled, misuse of the logon ID of the technical lead and the guest account could not be established. The logon ID of the technical lead should have been deleted as soon as the employee left the organization but, without audit logs, misuse of the ID is difficult to prove.

Question: Which of the following is the BEST practice to ensure that access authorizations are still valid?
A. information owner provides authorization for users to gain access
B. identity management is integrated with human resource processes
C. information owners periodically review the access controls
D. An identity authorization matrix is used to establish validity of access
Right answer: B. identity management is integrated with human resource processes
Explanation: Personnel and departmental changes can result in authorization creep and can impact the effectiveness of access controls. Many times when personnel leave an organization, or employees are promoted, transferred or demoted, their system access is not fully removed, which increases the risk of unauthorized

Question: A business application system accesses a corporate database using a single ID and password embedded in a program. Which of the following would provide efficient access control over the organization’s data?
A. Introduce a secondary authentication method such as card swipe
B. Apply role-based permissions within the application system
C. Have users input the ID and password for each transaction
D. Set an expiration period for the database password embedded in the program
Right answer: B. Apply role-based permissions within the application system
Explanation: When a single ID and password are embedded in a program, the best compensating control would be a sound access control over the application layer and procedures to ensure access to data is granted based on a user’s role. The issue is user permissions, not authentication, therefore adding a stronger

Question: When using a universal storage bus (USB) flash drive to transport confidential corporate data to an offsite location, an effective control would be to:
A. carry the flash drive in a portable safe.
B. assure management that you will not lose the flash drive.
C. request that management deliver the flash drive by courier.
D. encrypt the folder containing the data with a strong key.
Right answer: D. encrypt the folder containing the data with a strong key.
Explanation: Encryption, with a strong key, is the most secure method for protecting the information on the flash drive. Carrying the flash drive in a portable safe does not guarantee the safety of the information in the event that the safe is stolen or lost. No matter what measures you take, the chance of losing the flash drive still exists. It is possible that a courier

Question: An IS auditor finds that a DBA has read and write access to production data. The IS auditor should:
A. accept the DBA access as a common practice.
B. assess the controls relevant to the DBA function.
C. recommend the immediate revocation of the DBA access to production data.
D. review user authorizations approved by the DBA.
Right answer: B. assess the controls relevant to the DBA function.
Explanation: It is good practice when finding a potential exposure to look for the best controls. Though granting the database administrator (DBA) access to production data might be a common practice, the IS auditor should evaluate the relevant controls. The DBA should have access based on a need-to-know and need-to-do basis; therefore, revocation

Question: Minimum password length and password complexity verification are examples of:
A. detection controls.
B. control objectives.
C. audit objectives.
D. control procedures.
Right answer: D. control procedures.
Explanation: Control procedures are practices established by management to achieve specific control objectives. Password controls are preventive controls, not detective controls. Control objectives are declarations of expected results from implementing controls and audit objectives are the specific goals of an audit.

Question: During an audit of the logical access control of an ERP financial system an IS auditor found some user accounts shared by multiple individuals. The user IDs were based on roles rather than individual identities. These accounts allow access to financial transactions on the ERP. What should the IS auditor do next?
A. Look for compensating controls.
B. Review financial transactions logs.
C. Review the scope of the audit.
D. Ask the administrator to disable these accounts.
Right answer: A. Look for compensating controls.
Explanation: The best logical access control practice is to create user IDs for each individual to define accountability. This is possible only by establishing a one-to-one relationship between IDs and individuals. However, if the user IDs are created based on role designations, an IS auditor should first understand the reasons and then evaluate the effectiveness

Question: The responsibility for authorizing access to application data should be with the:
A. data custodian.
B. database administrator (DBA).
C. data owner.
D. security administrator.
Right answer: C. data owner.
Explanation: Data owners should have the authority and responsibility for granting access to the data and applications for which they are responsible. Data custodians are responsible only for storing and safeguarding the data. The database administrator (DBA) is responsible for managing the database and the security

Question: Which of the following is the BEST method for preventing the leakage of confidential information in a laptop computer?
A. Encrypt the hard disk with the owner’s public key.
B. Enable the boot password (hardware-based password).
C. Use a biometric authentication device.
D. Use two-factor authentication to logon to the notebook.
Right answer: A. Encrypt the hard disk with the owner’s public key.
Explanation: Only encryption of the data with a secure key will prevent the loss of confidential information. In such a case, confidential information can be accessed only with knowledge of the owner’s private key, which should never be shared. Choices B, C and D deal with authentication and not with confidentiality of information.

Question: In an online banking application, which of the following would BEST protect against identity theft?
A. Encryption of personal password
B. Restricting the user to a specific terminal
C. Two-factor authentication
D. Periodic review of access logs
Right answer: C. Two-factor authentication
Explanation: Two-factor authentication requires two independent methods for establishing identity and privileges. Factors include something you know, such as a password; something you have, such as a token; and something you are, which is biometric. Requiring two of these factors makes identity theft more difficult. A password could be guessed or

Question: After reviewing its business processes, a large organization is deploying a new web application based on a VoIP technology. Which of the following is the MOST appropriate approach for implementing access control that will facilitate security management of the VoIP web application?
A. Fine-grained access control
B. Role-based access control (RBAC)
C. Access control lists
D. Network/service access control
Right answer: B. Role-based access control (RBAC)
Explanation: Authorization in this VoIP case can best be addressed by role-based access control (RBAC) technology. RBAC is easy to manage and can enforce strong and efficient access controls in large-scale web environments including VoIP implementation. Access control lists and fine-grained access control on VoIP web applications

Question: Which of the following would prevent unauthorized changes to information stored in a server’s log?
A. Write-protecting the directory containing the system log
B. Writing a duplicate log to another server
C. Daily printing of the system log
D. Storing the system log in write-once media
Right answer: D. Storing the system log in write-once media
Explanation: Storing the system log in write-once media ensures the log cannot be modified. Write-protecting the system log does not prevent deletion or modification, since the superuser or users that have special permission can override the write protection. Writing a duplicate log to another server or daily printing of the system log cannot prevent

Question: Inadequate programming and coding practices introduce the risk of:
A. phishing.
B. buffer overflow exploitation.
C. SYN flood.
D. brute force attacks.
Right answer: B. buffer overflow exploitation.
Explanation: Buffer overflow exploitation may occur when programs do not check the length of the data that are input into a program. An attacker can send data that exceed the length of a buffer and override part of the program with malicious code. The countermeasure is proper programming and good coding practices. Phishing, SYN flood and brute

Question: The logical exposure associated with the use of a checkpoint restart procedure is:
A. denial of service.
B. an asynchronous attack.
C. wire tapping.
D. computer shutdown.
Right answer: B. an asynchronous attack.
Explanation: Asynchronous attacks are operating system-based attacks. A checkpoint restart is a feature that stops a program at specified intermediate points for later restart in an orderly manner without losing data at the checkpoint. The operating system saves a copy of the computer programs and data in their current state as well as several

Question: An organization has been recently downsized, in light of this, an IS auditor decides to test logical access controls. The IS auditor’s PRIMARY concern should be that:
A. all system access is authorized and appropriate for an individual’s role and responsibilities.
B. management has authorized appropriate access for all newly-hired individuals.
C. only the system administrator has authority to grant or modify access to individuals.
D. access authorization forms are used to grant or modify access to individuals.
Right answer: A. all system access is authorized and appropriate for an individual’s role and responsibilities.
Explanation: The downsizing of an organization implies a large number of personnel actions over a relatively short period of time. Employees can be assigned new duties while retaining some or all of their former duties. Numerous employees may be laid off. The auditor should be concerned that an appropriate segregation

Question: From a control perspective, the PRIMARY objective of classifying information assets is to:
A. establish guidelines for the level of access controls that should be assigned.
B. ensure access controls are assigned to all information assets.
C. assist management and auditors in risk assessment.
D. identify which assets need to be insured against losses.
Right answer: A. establish guidelines for the level of access controls that should be assigned.
Explanation: Information has varying degrees of sensitivity and criticality in meeting business objectives. By assigning classes or levels of sensitivity and criticality to information resources, management can establish guidelines for the level of access controls that should be assigned. End user management and the security administrator will

Question: An IS auditor examining a biometric user authentication system establishes the existence of a control weakness that would allow an unauthorized individual to update the centralized database on the server that is used to store biometric templates. Of the following, which is the BEST control against this risk?
A. Kerberos
B. Vitality detection
C. Multimodal biometrics
D. Before-image/after-image logging
Right answer: A. Kerberos
Explanation: Kerberos is a network authentication protocol for client-server applications that can be used to restrict access to the database to authorized users. Choices B and C are incorrect because vitality detection and multimodal biometrics are controls against spoofing and mimicry attacks. Before-image/after-image logging of

Question: For a discretionary access control to be effective, it must:
A. operate within the context of mandatory access controls.
B. operate independently of mandatory access controls.
C. enable users to override mandatory access controls when necessary.
D. be specifically permitted by the security policy.
Right answer: A. operate within the context of mandatory access controls.
Explanation: Mandatory access controls are prohibitive; anything that is not expressly permitted is forbidden. Only within this context do discretionary controls operate, prohibiting still more access with the same exclusionary principle. When systems enforce mandatory access control policies, they must distinguish between these and the

Question: Which of the following BEST restricts users to those functions needed to perform their duties?
A. Application level access control
B. Data encryption
C. Disabling floppy disk drives
D. Network monitoring device
Answer: A.
Explanation: The use of application-level access control programs is a management control that restricts access by limiting users to only those functions needed to perform their duties. Data encryption and disabling floppy disk drives can restrict users to specific functions, but are not the best choices. A network monitoring device is a

Question: Which of the following is a general operating system access control function?
A. Creating database profiles
B. Verifying user authorization at a field level
C. Creating individual accountability
D. Logging database access activities for monitoring access violation
Answer: C.
Explanation: Creating individual accountability is the function of the general operating system. Creating database profiles, verifying user authorization at a field level and logging database access activities for monitoring access violations are all database-level access control functions.

Question: Which of the following presents an inherent risk with no distinct identifiable preventive controls?
A. Piggybacking
B. Viruses
C. Data diddling
D. Unauthorized application shutdown
Answer: C.
Explanation: Data diddling involves changing data before they are entered into the computer. It is one of the most common abuses, because it requires limited technical knowledge and occurs before computer security can protect the data. There are only compensating controls for data diddling. Piggybacking is the act of following an authorized

Question: The information security policy that states 'each individual must have their badge read at every controlled door' addresses which of the following attack methods?
A. Piggybacking
B. Shoulder surfing
C. Dumpster diving
D. Impersonation
Answer: A.
Explanation: Piggybacking refers to unauthorized persons following authorized persons, either physically or virtually, into restricted areas. This policy addresses the polite behavior problem of holding doors open for a stranger; if every employee must have their badge read at every controlled door, no unauthorized person could enter

Question: An IS auditor reviewing digital rights management (DRM) applications should expect to find an extensive use for which of the following technologies?
A. Digitalized signatures
B. Hashing
C. Parsing
D. Steganography
Answer: D.
Explanation: Steganography is a technique for concealing the existence of messages or information. An increasingly important steganographical technique is digital watermarking, which hides data within data, e.g., by encoding rights information in a picture or music file without altering the picture or music's perceivable aesthetic qualities.

Question: An IS auditor has identified the lack of an authorization process for users of an application. The IS auditor's main concern should be that:
A. more than one individual can claim to be a specific user.
B. there is no way to limit the functions assigned to users.
C. user accounts can be shared.
D. users have a need-to-know privilege.
Answer: B.
Explanation: Without an appropriate authorization process, it will be impossible to establish functional limits and accountability. The risk that more than one individual can claim to be a specific user is associated with the authentication processes, rather than with authorization. The risk that user accounts can be shared is associated with identification processes,

Question: To ensure compliance with a security policy requiring that passwords be a combination of letters and numbers, an IS auditor should recommend that:
A. the company policy be changed.
B. passwords are periodically changed.
C. an automated password management tool be used.
D. security awareness training is delivered.
Answer: C.
Explanation: The use of an automated password management tool is a preventive control measure. The software would prevent repetition (semantic) and would enforce syntactic rules, thus making the passwords robust. It would also provide a method for ensuring frequent changes and would prevent the same user from reusing their old password for

Question: An information security policy stating that 'the display of passwords must be masked or suppressed' addresses which of the following attack methods?
A. Piggybacking
B. Dumpster diving
C. Shoulder surfing
D. Impersonation
Answer: C.
Explanation: If a password is displayed on a monitor, any person nearby could look over the shoulder of the user to obtain the password. Piggybacking refers to unauthorized persons following, either physically or virtually, authorized persons into restricted areas. Masking the display of passwords would not prevent someone from tailgating an authorized

Question: Which of the following would MOST effectively reduce social engineering incidents?
A. Security awareness training
B. Increased physical security measures
C. E-mail monitoring policy
D. Intrusion detection systems
Answer: A.
Explanation: Social engineering exploits human nature and weaknesses to obtain information and access privileges. By increasing employee awareness of security issues, it is possible to reduce the number of successful social engineering incidents. In most cases, social engineering incidents do not require the physical presence of the intruder. Therefore,

Question: Which of the following would be the BEST access control procedure?
A. The data owner formally authorizes access and an administrator implements the user authorization tables.
B. Authorized staff implements the user authorization tables and the data owner sanctions them.
C. The data owner and an IS manager jointly create and update the user authorization tables.
D. The data owner creates and updates the user authorization tables.
Answer: A.
Explanation: The data owner holds the privilege and responsibility for formally establishing the access rights. An IS administrator should then implement or update user authorization tables. Choice B alters the desirable order. Choice C is not a formal procedure for authorizing access.

Question: Which of the following is an example of the defense in-depth security principle?
A. Using two firewalls of different vendors to consecutively check the incoming network traffic
B. Using a firewall as well as logical access controls on the hosts to control incoming network traffic
C. Having no physical signs on the outside of a computer center building
D. Using two firewalls in parallel to check different types of incoming network traffic
Answer: B.
Explanation: Defense in-depth means using different security mechanisms that back each other up. When network traffic passes the firewall unintentionally, the logical access controls form a second line of defense. Using two firewalls of different vendors to consecutively check the incoming network traffic is an example of diversity in defense.

Question: The implementation of access controls FIRST requires:
A. a classification of IS resources.
B. the labeling of IS resources.
C. the creation of an access control list.
D. an inventory of IS resources.
Answer: D.

Question: An IS auditor performing an independent classification of systems should consider a situation where functions could be performed manually at a tolerable cost for an extended period of time as:
A. critical.
B. vital.
C. sensitive.
D. noncritical.
Answer: C.
Explanation: Sensitive functions are best described as those that can be performed manually at a tolerable cost for an extended period of time. Critical functions are those that cannot be performed unless they are replaced by identical capabilities and cannot be replaced by manual methods. Vital functions refer to those that can be performed

Question: Which of the following user profiles should be of MOST concern to an IS auditor when performing an audit of an EFT system?
A. Three users with the ability to capture and verify their own messages
B. Five users with the ability to capture and send their own messages
C. Five users with the ability to verify other users and to send their own messages
D. Three users with the ability to capture and verify the messages of other users and to send their own messages
Answer: A.
Explanation: The ability of one individual to capture and verify messages represents an inadequate segregation, since messages can be taken as correct and as if they had already been verified.

Question: The reliability of an application system's audit trail may be questionable if:
A. user IDs are recorded in the audit trail.
B. the security administrator has read-only rights to the audit file.
C. date and time stamps are recorded when an action occurs.
D. users can amend audit trail records when correcting system errors.
Answer: D.
Explanation: An audit trail is not effective if the details in it can be amended.

Question: A hacker could obtain passwords without the use of computer tools or programs through the technique of:
A. social engineering.
B. sniffers.
C. back doors.
D. Trojan horses.
Answer: A.
Explanation: Social engineering is based on the divulgence of private information through dialogues, interviews, inquiries, etc., in which a user may be indiscreet regarding their or someone else's personal data. A sniffer is a computer tool to monitor the traffic in networks. Back doors are computer programs left by hackers to

Question: Which of the following provides the framework for designing and developing logical access controls?
A. Information systems security policy
B. Access control lists
C. Password management
D. System configuration files
Answer: A.
Explanation: The information systems security policy developed and approved by an organization's top management is the basis upon which logical access control is designed and developed. Access control lists, password management and systems configuration files are tools for implementing the access controls.

Question: The FIRST step in data classification is to:
A. establish ownership.
B. perform a criticality analysis.
C. define access rules.
D. create a data dictionary.
Answer: A.
Explanation: Data classification is necessary to define access rules based on a need-to-do and need-to-know basis. The data owner is responsible for defining the access rules; therefore, establishing ownership is the first step in data classification. The other choices are incorrect. A criticality analysis is required for protection of data, which takes input from data classification

Question: With the help of a security officer, granting access to data is the responsibility of:
A. data owners.
B. programmers.
C. system analysts.
D. librarians.
Answer: A.
Explanation: Data owners are responsible for the use of data. Written authorization for users to gain access to computerized information should be provided by the data owners. Security administration with the owners' approval sets up access rules stipulating which users or group of users are authorized to access data or files and the level of

Question: Security administration procedures require read-only access to:
A. access control tables.
B. security log files.
C. logging options.
D. user profiles.
Answer: B.
Explanation: Security administration procedures require read-only access to security log files to ensure that, once generated, the logs are not modified. Logs provide evidence and track suspicious transactions and activities. Security administration procedures require write access to access control tables to manage and update the

Question: Electromagnetic emissions from a terminal represent an exposure because they:
A. affect noise pollution.
B. disrupt processor functions.
C. produce dangerous levels of electric current.
D. can be detected and displayed.
Answer: D.
Explanation: Emissions can be detected by sophisticated equipment and displayed, thus giving unauthorized persons access to data. They should not cause disruption of CPUs or affect noise pollution.

Question: Which of the following exposures could be caused by a line grabbing technique?
A. Unauthorized data access
B. Excessive CPU cycle usage
C. Lockout of terminal polling
D. Multiplexor control dysfunction
Answer: A.
Explanation: Line grabbing will enable eavesdropping, thus allowing unauthorized data access; it will not necessarily cause multiplexor dysfunction, excessive CPU usage or lockout of terminal polling.

Question: Naming conventions for system resources are important for access control because they:
A. ensure that resource names are not ambiguous.
B. reduce the number of rules required to adequately protect resources.
C. ensure that user access to resources is clearly and uniquely identified.
D. ensure that internationally recognized names are used to protect resources.
Answer: B.
Explanation: Naming conventions for system resources are important for the efficient administration of security controls. The conventions can be structured, so resources beginning with the same high-level qualifier can be governed by one or more generic rules. This reduces the number of rules required to adequately protect resources,

Question: The PRIMARY objective of a logical access control review is to:
A. review access controls provided through software.
B. ensure access is granted per the organization's authorities.
C. walk through and assess the access provided in the IT environment.
D. provide assurance that computer hardware is adequately protected against abuse.
Answer: B.
Explanation: The scope of a logical access control review is primarily to determine whether or not access is granted per the organization's authorizations. Choices A and C relate to procedures of a logical access control review, rather than objectives. Choice D is relevant to a physical access control review.

Question: Sign-on procedures include the creation of a unique user ID and password. However, an IS auditor discovers that in many cases the username and password are the same. The BEST control to mitigate this risk is to:
A. change the company's security policy.
B. educate users about the risk of weak passwords.
C. build in validations to prevent this during user creation and password change.
D. require a periodic review of matching user ID and passwords for detection and correction.
Answer: C.
Explanation: The compromise of the password is the highest risk. The best control is a preventive control through validation at the time the password is created or changed. Changing the company's security policy and educating users about the risks of weak passwords only provides information to users, but does little to enforce this

Question: An IS auditor conducting an access control review in a client-server environment discovers that all printing options are accessible by all users. In this situation, the IS auditor is MOST likely to conclude that:
A. exposure is greater, since information is available to unauthorized users.
B. operating efficiency is enhanced, since anyone can print any report at any time.
C. operating procedures are more effective, since information is easily available.
D. user friendliness and flexibility is facilitated, since there is a smooth flow of information among users.
Answer: A.
Explanation: Information in all its forms needs to be protected from unauthorized access. Unrestricted access to the report option results in an exposure. Efficiency and effectiveness are not relevant factors in this situation. Greater control over reports will not be accomplished since reports need not be in a printed form only. Information

Question: To prevent unauthorized entry to the data maintained in a dial-up, fast response system, an IS auditor should recommend:
A. online terminals are placed in restricted areas.
B. online terminals are equipped with key locks.
C. ID cards are required to gain access to online terminals.
D. online access is terminated after a specified number of unsuccessful attempts.
Answer: D.
Explanation: The most appropriate control to prevent unauthorized entry is to terminate connection after a specified number of attempts. This will deter access through the guessing of IDs and passwords. The other choices are physical controls, which are not effective in deterring unauthorized accesses via telephone lines.

Question: When performing an audit of access rights, an IS auditor should be suspicious of which of the following if allocated to a computer operator?
A. Read access to data
B. Delete access to transaction data files
C. Logged read/execute access to programs
D. Update access to job control language/script files
Answer: B.
Explanation: Deletion of transaction data files should be a function of the application support team, not operations staff. Read access to production data is a normal requirement of a computer operator, as is logged access to programs and access to JCL to control job execution.

Question: Passwords should be:
A. assigned by the security administrator for first time logon.
B. changed every 30 days at the discretion of the user.
C. reused often to ensure the user does not forget the password.
D. displayed on the screen so that the user can ensure that it has been entered properly.
Answer: A.
Explanation: Initial password assignment should be done discreetly by the security administrator. Passwords should be changed often (e.g., every 30 days); however, changing should not be voluntary, it should be required by the system. Systems should not permit previous passwords to be used again. Old passwords may have been

Question: When reviewing an organization's logical access security, which of the following should be of MOST concern to an IS auditor?
A. Passwords are not shared.
B. Password files are not encrypted.
C. Redundant logon IDs are deleted.
D. The allocation of logon IDs is controlled.
Answer: B.
Explanation: When evaluating the technical aspects of logical security, unencrypted files represent the greatest risk. The sharing of passwords, checking for the redundancy of logon IDs and proper logon ID procedures are essential, but they are less important than ensuring that the password files are encrypted.

Question: Which of the following is a benefit of using a callback device?
A. Provides an audit trail
B. Can be used in a switchboard environment
C. Permits unlimited user mobility
D. Allows call forwarding
Answer: A.
Explanation: A callback feature hooks into the access control software and logs all authorized and unauthorized access attempts, permitting the follow-up and further review of potential breaches. Call forwarding (choice D) is a means of potentially bypassing callback control. By dialing through an authorized phone number

Question: Which of the following is the PRIMARY safeguard for securing software and data within an information processing facility?
A. Security awareness
B. Reading the security policy
C. Security committee
D. Logical access controls
Answer: D.
Explanation: To retain a competitive advantage and meet basic business requirements, organizations must ensure the integrity of the information stored on their computer systems, preserve the confidentiality of sensitive data and ensure the continued availability of their information systems. To meet these goals, logical access

Question: What is the MOST effective method of preventing unauthorized use of data files?
A. Automated file entry
B. Tape librarian
C. Access control software
D. Locked library
Answer: C.
Explanation: Access control software is an active control designed to prevent unauthorized access to data.

Which of the following satisfies a two-factor user authentication?
A. Iris scanning plus fingerprint scanning
B. Terminal ID plus global positioning system (GPS)
C. A smart card requiring the user’s PIN
D. User ID along with password
Answer: C. A smart card requiring the user’s PIN
Explanation: A smart card addresses what the user has. This is generally used in conjunction with testing what the user knows, e.g., a keyboard password or personal identification number (PIN). Proving who the user is usually requires a biometrics method, such as fingerprint, iris scan or voice verification, to prove biology. This is not a two-factor

During a logical access controls review, an IS auditor observes that user accounts are shared. The GREATEST risk resulting from this situation is that:
A. an unauthorized user may use the ID to gain access.
B. user access management is time consuming.
C. passwords are easily guessed.
D. user accountability may not be established.
Answer: D. user accountability may not be established.
Explanation: The use of a single user ID by more than one individual precludes knowing who in fact used that ID to access a system; therefore, it is literally impossible to hold anyone accountable. All user IDs, not just shared IDs, can be used by unauthorized individuals. Access management would not be any different with shared IDs, and shared

Which of the following is the MOST effective control when granting temporary access to vendors?
A. Vendor access corresponds to the service level agreement (SLA).
B. User accounts are created with expiration dates and are based on services provided.
C. Administrator access is provided for a limited period.
D. User IDs are deleted when the work is completed.
Answer: B. User accounts are created with expiration dates and are based on services provided.
Explanation: The most effective control is to ensure that the granting of temporary access is based on services to be provided and that there is an expiration date (hopefully automated) associated with each ID. The SLA may have a provision for providing access, but this is not a control; it would merely define the need for access. Vendors

To determine who has been given permission to use a particular system resource, an IS auditor should review:
A. activity lists.
B. access control lists.
C. logon ID lists.
D. password lists.
Answer: B. access control lists.
Explanation: Access control lists are the authorization tables that document the users who have been given permission to use a particular system resource and the types of access they have been granted. The other choices would not document who has been given permission to use (access) specific system resources.

The GREATEST risk when end users have access to a database at its system level, instead of through the application, is that the users can:
A. make unauthorized changes to the database directly, without an audit trail.
B. make use of a system query language (SQL) to access information.
C. remotely access the database.
D. update data without authentication.
Answer: A. make unauthorized changes to the database directly, without an audit trail.
Explanation: Having access to the database could provide access to database utilities, which can update the database without an audit trail and without using the application. Using SQL only provides read access to information; in a networked environment, accessing the database remotely does not make a difference. What is critical is

Accountability for the maintenance of appropriate security measures over information assets resides with the:
A. security administrator.
B. systems administrator.
C. data and systems owners.
D. systems operations group.
Answer: C. data and systems owners.
Explanation: Management should ensure that all information assets (data and systems) have an appointed owner who makes decisions about classification and access rights. System owners typically delegate day-to-day custodianship to the systems delivery/operations group and security responsibilities to a security administrator.

Which of the following functions should be performed by the application owners to ensure an adequate segregation of duties between IS and end users?
A. System analysis
B. Authorization of access to data
C. Application programming
D. Data administration
Answer: B. Authorization of access to data
Explanation: The application owner is responsible for authorizing access to data. Application development and programming are functions of the IS department. Similarly, system analysis should be performed by qualified persons in IS who have knowledge of IS and user requirements. Data administration is a specialized

When reviewing the configuration of network devices, an IS auditor should FIRST identify:
A. the best practices for the type of network devices deployed.
B. whether the components of the network are missing.
C. the importance of the network device in the topology.
D. whether the subcomponents of the network are being used appropriately.
Answer: C. the importance of the network device in the topology.
Explanation: The first step is to understand the importance and role of the network device within the organization’s network topology. After understanding the devices in the network, the best practice for using the device should be reviewed to ensure that there are no anomalies within the configuration. Identification of which component or

The MAIN reason for requiring that all computer clocks across an organization be synchronized is to:
A. prevent omission or duplication of transactions.
B. ensure smooth data transition from client machines to servers.
C. ensure that e-mail messages have accurate time stamps.
D. support the incident investigation process.
Answer: D. support the incident investigation process.
Explanation: During an investigation of incidents, audit logs are used as evidence, and the time stamp information in them is useful. If the clocks are not synchronized, investigations will be more difficult because a time line of events might not be easily established. Time-stamping a transaction has nothing to do with the update itself. Therefore,

During the audit of a database server, which of the following would be considered the GREATEST exposure?
A. The password does not expire on the administrator account
B. Default global security settings for the database remain unchanged
C. Old data have not been purged
D. Database activity is not fully logged
Answer cells as extracted (this row is merged with QUESTION 673 below): C. Old data have not been purged; B. Default global security settings for the database remain unchanged

QUESTION 673
Which significant risk is introduced by running the file transfer protocol (FTP) service on a server in a demilitarized zone (DMZ)?
A. A user from within could send a file to an unauthorized person.
B. FTP services could allow a user to download files from unauthorized sources.
C. A hacker may be able to use the FTP service to bypass the firewall.
D. FTP could significantly reduce the performance of a DMZ server.
Answer cells as extracted (merged with the row above): C. A hacker may be able to use the FTP service to bypass the firewall; B. FTP services could allow a user to download files from unauthorized sources.

Which of the following is a feature of Wi-Fi Protected Access (WPA) in wireless networks?
A. Session keys are dynamic
B. Private symmetric keys are used
C. Keys are static and shared
D. Source addresses are not encrypted or authenticated
Answer: A. Session keys are dynamic
Explanation: WPA uses dynamic session keys, achieving stronger encryption than wireless encryption privacy (WEP), which operates with static keys (the same key is used for everyone in the wireless network). All other choices are weaknesses of WEP.

When reviewing an implementation of a VoIP system over a corporate WAN, an IS auditor should expect to find:
A. an integrated services digital network (ISDN) data link.
B. traffic engineering.
C. wired equivalent privacy (WEP) encryption of data.
D. analog phone terminals.
Answer: B. traffic engineering.
Explanation: To ensure that quality of service requirements are achieved, the Voice-over IP (VoIP) service over the wide area network (WAN) should be protected from packet losses, latency or jitter. To reach this objective, the network performance can be managed using statistical techniques such as traffic engineering.

An IS auditor examining the configuration of an operating system to verify the controls should review the:
A. transaction logs.
B. authorization tables.
C. parameter settings.
D. routing tables.
Answer: C. parameter settings.
Explanation: Parameters allow a standard piece of software to be customized for diverse environments and are important in determining how a system runs. The parameter settings should be appropriate to an organization’s workload and control environment; improper implementation and/or monitoring of operating systems can result in undetected errors and

An IS auditor should review the configuration of which of the following protocols to detect unauthorized mappings between the IP address and the media access control (MAC) address?
A. Simple Object Access Protocol (SOAP)
B. Address Resolution Protocol (ARP)
C. Routing Information Protocol (RIP)
D. Transmission Control Protocol (TCP)
Answer: B. Address Resolution Protocol (ARP)
Explanation: Address Resolution Protocol (ARP) provides dynamic address mapping between an IP address and hardware address. Simple Object Access Protocol (SOAP) is a platform-independent XML-based protocol, enabling applications to communicate with each other over the Internet, and does not deal with media access

When auditing a proxy-based firewall, an IS auditor should:
A. verify that the firewall is not dropping any forwarded packets.
B. review Address Resolution Protocol (ARP) tables for appropriate mapping between media access control (MAC) and IP addresses.
C. verify that the filters applied to services such as HTTP are effective.
D. test whether routing information is forwarded by the firewall.
Answer: C. verify that the filters applied to services such as HTTP are effective.
Explanation: A proxy-based firewall works as an intermediary (proxy) between the service or application and the client; it makes a connection with the client and opens a different connection with the server and, based on specific filters and rules, analyzes all the traffic between the two connections. Unlike a packet-filtering gateway, a

Reverse proxy technology for web servers should be deployed if:
A. http servers’ addresses must be hidden.
B. accelerated access to all published pages is required.
C. caching is needed for fault tolerance.
D. bandwidth to the user is limited.
Answer: A. http servers’ addresses must be hidden.
Explanation: Reverse proxies are primarily designed to hide physical and logical internal structures from outside access. Complete URLs or URIs can be partially or completely redirected without disclosing which internal or DMZ server is providing the requested data. This technology might be used if a trade-off between security, performance

During the requirements definition phase for a database application, performance is listed as a top priority. To access the DBMS files, which of the following technologies should be recommended for optimal I/O performance?
A. Storage area network (SAN)
B. Network Attached Storage (NAS)
C. Network file system (NFS v2)
D. Common Internet File System (CIFS)
Answer: A. Storage area network (SAN)
Explanation: In contrast to the other options, in a SAN comprised of computers, FC switches or routers and storage devices, there is no computer system hosting and exporting its mounted file system for remote access, aside from special file systems. Access to information stored on the storage devices in a SAN is comparable to direct attached storage, which

To determine how data are accessed across different platforms in a heterogeneous environment, an IS auditor should FIRST review:
A. business software.
B. infrastructure platform tools.
C. application services.
D. system development tools.
Answer: C. application services.
Explanation: Projects should identify the complexities of the IT infrastructure that can be simplified or isolated by the development of application services. Application services isolate system developers from the complexities of the IT infrastructure and offer common functionalities that are shared by many applications. Application services take

Which of the following is the BEST audit procedure to determine if a firewall is configured in compliance with an organization’s security policy?
A. Review the parameter settings.
B. Interview the firewall administrator.
C. Review the actual procedures.
D. Review the device’s log file for recent attacks.
Answer: A. Review the parameter settings.
Explanation: A review of the parameter settings will provide a good basis for comparison of the actual configuration to the security policy and will provide audit evidence documentation. The other choices do not provide audit evidence as strong as choice A.

Which of the following types of transmission media provide the BEST security against unauthorized access?
A. Copper wire
B. Twisted pair
C. Fiberoptic cables
D. Coaxial cables
Answer: C. Fiberoptic cables
Explanation: Fiberoptic cables have proven to be more secure than the other media. Satellite transmission and copper wire can be violated with inexpensive equipment. Coaxial cable can also be violated more easily than other transmission media.

In large corporate networks having supply partners across the globe, network traffic may continue to rise. The infrastructure components in such environments should be scalable. Which of the following firewall architectures limits future scalability?
A. Appliances
B. Operating system-based
C. Host-based
D. Demilitarized
Answer: A. Appliances
Explanation: The software for appliances is embedded into chips. Firmware-based firewall products cannot be moved to higher capacity servers. Firewall software that sits on an operating system can always be scalable due to its ability to enhance the power of servers. Host-based firewalls operate on top of the server operating system and

Java applets and ActiveX controls are distributed executable programs that execute in the background of a web browser client. This practice is considered reasonable when:
A. a firewall exists.
B. a secure web connection is used.
C. the source of the executable file is certain.
D. the host web site is part of the organization.
Answer: C. the source of the executable file is certain.
Explanation: Acceptance of these mechanisms should be based on established trust. The control is provided by only knowing the source and then allowing the acceptance of the applets. Hostile applets can be received from anywhere. It is virtually impossible at this time to filter at this level. A secure web connection or firewall is considered an external defense. A

Which of the following protocols would be involved in the implementation of a router and an interconnectivity device monitoring system?
A. Simple Network Management Protocol
B. File Transfer Protocol
C. Simple Mail Transfer Protocol
D. Telnet
Answer: A. Simple Network Management Protocol
Explanation: The Simple Network Management Protocol provides a means to monitor and control network devices and to manage configurations and performance. The File Transfer Protocol (FTP) transfers files from a computer on the Internet to the user’s computer and does not have any functionality related to monitoring network devices. Simple Mail

Which of the following applet intrusion issues poses the GREATEST risk of disruption to an organization?
A. A program that deposits a virus on a client machine
B. Applets recording keystrokes and, therefore, passwords
C. Downloaded code that reads files on a client’s hard drive
D. Applets opening connections from the client machine
Answer: D. Applets opening connections from the client machine
Explanation: An applet is a program downloaded from a web server to the client, usually through a web browser that provides functionality for database access, interactive web pages and communications with other users. Applets opening connections from the client machine to other machines on the network and damaging those machines, as

Reconfiguring which of the following firewall types will prevent inward downloading of files through the File Transfer Protocol (FTP)?
A. Circuit gateway
B. Application gateway
C. Packet filter
D. Screening router
Answer: B. Application gateway
Explanation: An application gateway firewall is effective in preventing applications, such as FTPs, from entering the organization network. A circuit gateway firewall is able to prevent paths or circuits, not applications, from entering the organization’s network. A packet filter firewall or screening router will allow or prevent access based on IP packets/add

Which of the following would be the MOST secure firewall system?
A. Screened-host firewall
B. Screened-subnet firewall
C. Dual-homed firewall
D. Stateful-inspection firewall
Answer: B. Screened-subnet firewall
Explanation: A screened-subnet firewall, also used as a demilitarized zone (DMZ), utilizes two packet filtering routers and a bastion host. This provides the most secure firewall system, since it supports both network- and application-level security while defining a separate DMZ network. A screened-host firewall utilizes a

When reviewing the implementation of a LAN, an IS auditor should FIRST review the:
A. node list.
B. acceptance test report.
C. network diagram.
D. user’s list.
Answer: C. network diagram.
Explanation: To properly review a LAN implementation, an IS auditor should first verify the network diagram and confirm the approval. Verification of nodes from the node list and the network diagram would be next, followed by a review of the acceptance test report and then the user’s list.

The most likely error to occur when implementing a firewall is:
A. incorrectly configuring the access lists.
B. compromising the passwords due to social engineering.
C. connecting a modem to the computers in the network.
D. inadequately protecting the network and server from virus attacks.
Answer: A. incorrectly configuring the access lists.
Explanation: An updated and flawless access list is a significant challenge and, therefore, has the greatest chance for errors at the time of the initial installation. Passwords do not apply to firewalls, a modem bypasses a firewall and a virus attack is not an element in implementing a firewall.

Which of the following would be considered an essential feature of a network management system?
A. A graphical interface to map the network topology
B. Capacity to interact with the Internet to solve the problems
C. Connectivity to a help desk for advice on difficult issues
D. An export facility for piping data to spreadsheets
Answer: A. A graphical interface to map the network topology
Explanation: To trace the topology of the network, a graphical interface would be essential. It is not necessary that each network be on the internet and connected to a help desk, while the ability to export to a spreadsheet is not an essential element.

Receiving an EDI transaction and passing it through the communication’s interface stage usually requires:
A. translating and unbundling transactions.
B. routing verification procedures.
C. passing data to the appropriate application system.
D. creating a point of receipt audit log.
Answer: B. routing verification procedures.
Explanation: The communication’s interface stage requires routing verification procedures. EDI or ANSI X12 is a standard that must be interpreted by an application for transactions to be processed and then to be invoiced, paid and sent, whether they are for merchandise or services. There is no point in sending and receiving EDI transactions

In what way is a common gateway interface (CGI) MOST often used on a webserver?
A. Consistent way for transferring data to the application program and back to the user
B. Computer graphics imaging method for movies and TV
C. Graphic user interface for web design
D. Interface to access the private gateway domain
Answer: A. Consistent way for transferring data to the application program and back to the user
Explanation: The common gateway interface (CGI) is a standard way for a web server to pass a user’s request to an application program and to move data back and forth to the user. When the user requests a web page (for example, by clicking on a highlighted word or entering a web site address), the server sends back the requested

In a client-server architecture, a domain name service (DNS) is MOST important because it provides the:
A. address of the domain server.
B. resolution service for the name/address.
C. IP addresses for the internet.
D. domain name system.
Answer: B. resolution service for the name/address.
Explanation: DNS is utilized primarily on the Internet for resolution of the name/address of the web site. It is an Internet service that translates domain names into IP addresses. As names are alphabetic, they are easier to remember. However, the Internet is based on IP addresses. Every time a domain name is used, a DNS service must

An organization provides information to its supply chain partners and customers through an extranet infrastructure. Which of the following should be the GREATEST concern to an IS auditor reviewing the firewall security architecture?
A. A Secure Sockets Layer (SSL) has been implemented for user authentication and remote administration of the firewall.
B. Firewall policies are updated on the basis of changing requirements.
C. Inbound traffic is blocked unless the traffic type and connections have been specifically permitted.
D. The firewall is placed on top of the commercial operating system with all installation options.
Answer: D. The firewall is placed on top of the commercial operating system with all installation options.
Explanation: The greatest concern when implementing firewalls on top of commercial operating systems is the potential presence of vulnerabilities that could undermine the security posture of the firewall platform itself. In most circumstances, when commercial firewalls are breached that breach is facilitated by vulnerabilities in the underlying operating system.

In the 2c area of the diagram, there are three hubs connected to each other. What potential risk might this indicate?
A. Virus attack
B. Performance degradation
C. Poor management controls
D. Vulnerability to external hackers
Answer: B. Performance degradation

For locations 3a, 1d and 3d, the diagram indicates hubs with lines that appear to be open and active. Assuming that is true, what control, if any, should be recommended to mitigate this weakness?
A. Intelligent hub
B. Physical security over the hubs
C. Physical security and an intelligent hub
D. No controls are necessary since this is not a weakness
Answer: C. Physical security and an intelligent hub

Assuming this diagram represents an internal facility and the organization is implementing a firewall protection program, where should firewalls be installed?
A. No firewalls are needed
B. Op-3 location only
C. MIS (Global) and NAT2
D. SMTP Gateway and op-3
Answer: D. SMTP Gateway and op-3

Neural networks are effective in detecting fraud because they can:
A. discover new trends since they are inherently linear.
B. solve problems where large and general sets of training data are not obtainable.
C. attack problems that require consideration of a large number of input variables.
D. make assumptions about the shape of any curve relating variables to the output.
Answer: C. attack problems that require consideration of a large number of input variables.
Explanation: Neural networks can be used to attack problems that require consideration of numerous input variables. They are capable of capturing relationships and patterns often missed by other statistical methods, but they will not discover new trends. Neural networks are inherently nonlinear and make no assumption about the shape of any

Which of the following types of firewalls would BEST protect a network from an internet attack?
A. Screened subnet firewall
B. Application filtering gateway
C. Packet filtering router
D. Circuit-level gateway
Answer: A. Screened subnet firewall
Explanation: A screened subnet firewall would provide the best protection. The screening router can be a commercial router or a node with routing capabilities and the ability to allow or avoid traffic between nets or nodes based on addresses, ports, protocols, interfaces, etc. Application-level gateways are

Question: Which of the following line media would provide the BEST security for a telecommunication network?
A. Broadband network digital transmission
B. Baseband network
C. Dial-up
D. Dedicated lines
Right answer: D. Dedicated lines
Explanation: Dedicated lines are set apart for a particular user or organization. Since there is no sharing of lines or intermediate entry points, the risk of interception or disruption of telecommunications messages is lower.

Question: An installed Ethernet cable run in an unshielded twisted pair (UTP) network is more than 100 meters long. Which of the following could be caused by the length of the cable?
A. Electromagnetic interference (EMI)
B. Cross-talk
C. Dispersion
D. Attenuation
Right answer: D. Attenuation
Explanation: Attenuation is the weakening of signals during transmission. When the signal becomes weak, it begins to read a 1 for a 0, and the user may experience communication problems. UTP faces attenuation around 100 meters. Electromagnetic interference (EMI) is caused by outside electromagnetic waves affecting the desired

Question: Which of the following is a control over component communication failure/errors?
A. Restricting operator access and maintaining audit trails
B. Monitoring and reviewing system engineering activity
C. Providing network redundancy
D. Establishing physical barriers to the data transmitted over the network
Right answer: C. Providing network redundancy
Explanation: Redundancy by building some form of duplication into the network components, such as a link, router or switch to prevent loss, delays or data duplication is a control over component communication failure or error. Other related controls are loop/echo checks to detect line errors, parity checks, error correction codes and sequence checks. Choices A, B

Question: When reviewing system parameters, an IS auditor’s PRIMARY concern should be that:
A. they are set to meet security and performance requirements.
B. changes are recorded in an audit trail and periodically reviewed.
C. changes are authorized and supported by appropriate documents.
D. access to parameters in the system is restricted.
Right answer: A. they are set to meet security and performance requirements.
Explanation: The primary concern is to find the balance between security and performance. Recording changes in an audit trail and periodically reviewing them is a detective control; however, if parameters are not set according to business rules, monitoring of changes may not be an effective control. Reviewing changes to ensure they are supported by

Question: In a client-server system, which of the following control techniques is used to inspect activity from known or unknown users?
A. Diskless workstations
B. Data encryption techniques
C. Network monitoring devices
D. Authentication systems
Right answer: C. Network monitoring devices
Explanation: Network monitoring devices may be used to inspect activities from known or unknown users and can identify client addresses, which may assist in finding evidence of unauthorized access. This serves as a detective control. Diskless workstations prevent access control software from being bypassed. Data encryption techniques

Question: Which of the following BEST reduces the ability of one device to capture the packets that are meant for another device?
A. Filters
B. Switches
C. Routers
D. Firewalls
Right answer: B. Switches
Explanation: Switches are at the lowest level of network security and transmit a packet to the device to which it is addressed. This reduces the ability of one device to capture the packets that are meant for another device. Filters allow for some basic isolation of network traffic based on the destination addresses. Routers allow packets to be given or denied

Question: An IS auditor is performing a network security review of a telecom company that provides Internet connection services to shopping malls for their wireless customers. The company uses Wireless Transport Layer Security (WTLS) and Secure Sockets Layer (SSL) technology for protecting their customer’s
A. compromises the Wireless Application Protocol (WAP) gateway.
B. installs a sniffing program in front of the server.
C. steals a customer’s PDA.
D. listens to the wireless transmission.
Right answer: A. compromises the Wireless Application Protocol (WAP) gateway.
Explanation: In a WAP gateway, the encrypted messages from customers must be decrypted to transmit over the Internet and vice versa. Therefore, if the gateway is compromised, all of the messages would be exposed. SSL protects the messages from sniffing on the Internet, limiting disclosure of the customer’s information. WTLS

Question: A company is implementing a dynamic host configuration protocol (DHCP). Given that the following conditions exist, which represents the GREATEST concern?
A. Most employees use laptops.
B. A packet filtering firewall is used.
C. The IP address space is smaller than the number of PCs.
D. Access to a network port is not restricted.
Right answer: D. Access to a network port is not restricted.
Explanation: Given physical access to a port, anyone can connect to the internal network. The other choices do not present the exposure that access to a port does. DHCP provides convenience (an advantage) to the laptop users. Sharing IP addresses and the existence of a firewall can be security measures.

Question: Which of the following network components is PRIMARILY set up to serve as a security measure by preventing unauthorized traffic between different segments of the network?
A. Firewalls
B. Routers
C. Layer 2 switches
D. VLANs
Right answer: A. Firewalls
Explanation: Firewall systems are the primary tool that enable an organization to prevent unauthorized access between networks. An organization may choose to deploy one or more systems that function as firewalls. Routers can filter packets based on parameters, such as source address, but are not primarily a security tool. Based on Media Access Control

Question: An IS auditor evaluating the resilience of a high-availability network should be MOST concerned if:
A. the setup is geographically dispersed.
B. the network servers are clustered in a site.
C. a hot site is ready for activation.
D. diverse routing is implemented for the network.
Right answer: B. the network servers are clustered in a site.
Explanation: A clustered setup in one location makes the entire network vulnerable to natural disasters or other disruptive events. Dispersed geographical locations and diverse routing provide backup if a site has been destroyed. A hot site would also be a good alternative for a single point-of-failure site.

Question: Which of the following would be an indicator of the effectiveness of a computer security incident response team?
A. Financial impact per security incident
B. Number of security vulnerabilities that were patched
C. Percentage of business applications that are being protected
D. Number of successful penetration tests
Right answer: A. Financial impact per security incident
Explanation: The most important indicator is the financial impact per security incident. Choices B, C and D could be measures of effectiveness of security, but would not be a measure of the effectiveness of a response team.

Question: The MAIN criterion for determining the severity level of a service disruption incident is:
A. cost of recovery.
B. negative public opinion.
C. geographic location.
D. downtime.
Right answer: D. downtime.
Explanation: The longer the period of time a client cannot be serviced, the greater the severity of the incident. The cost of recovery could be minimal yet the service downtime could have a major impact. Negative public opinion is a symptom of an incident. Geographic location does not determine the severity of the incident.

Question: The computer security incident response team (CSIRT) of an organization disseminates detailed descriptions of recent threats. An IS auditor’s GREATEST concern should be that the users might:
A. use this information to launch attacks.
B. forward the security alert.
C. implement individual solutions.
D. fail to understand the threat.
Right answer: A. use this information to launch attacks.
Explanation: An organization’s computer security incident response team (CSIRT) should disseminate recent threats, security guidelines and security updates to the users to assist them in understanding the security risk of errors and omissions. However, this introduces the risk that the users may use this information to launch attacks,

Question: The PRIMARY objective of performing a postincident review is that it presents an opportunity to:
A. improve internal control procedures.
B. harden the network to industry best practices.
C. highlight the importance of incident response management to management.
D. improve employee awareness of the incident response process.
Right answer: A. improve internal control procedures.
Explanation: A postincident review examines both the cause and response to an incident. The lessons learned from the review can be used to improve internal controls. Understanding the purpose and structure of postincident reviews and follow-up procedures enables the information security manager to continuously improve the security program. Improving

Question: Which of the following is the MOST effective method for dealing with the spreading of a network worm that exploits vulnerability in a protocol?
A. Install the vendor’s security fix for the vulnerability.
B. Block the protocol traffic in the perimeter firewall.
C. Block the protocol traffic between internal network segments.
D. Stop the service until an appropriate security fix is installed.
Right answer: D. Stop the service until an appropriate security fix is installed.
Explanation: Stopping the service and installing the security fix is the safest way to prevent the worm from spreading. If the service is not stopped, installing the fix is not the most effective method because the worm continues spreading until the fix becomes effective. Blocking the protocol on the perimeter does not stop the worm from spreading to the internal

Question: The FIRST step in managing the risk of a cyber attack is to:
A. assess the vulnerability impact.
B. evaluate the likelihood of threats.
C. identify critical information assets.
D. estimate potential damage.
Right answer: C. identify critical information assets.
Explanation: The first step in managing risk is the identification and classification of critical information resources (assets). Once the assets have been identified, the process moves onto the identification of threats, vulnerabilities and calculation of potential damages.

Question: After installing a network, an organization installed a vulnerability assessment tool or security scanner to identify possible weaknesses. Which is the MOST serious risk associated with such tools?
A. Differential reporting
B. False-positive reporting
C. False-negative reporting
D. Less-detail reporting
Right answer: C. False-negative reporting
Explanation: False-negative reporting on weaknesses means the control weaknesses in the network are not identified and therefore may not be addressed, leaving the network vulnerable to attack. False-positive reporting is one in which the controls are in place, but are evaluated as weak, which should prompt a rechecking of the

Question: Time constraints and expanded needs have been found by an IS auditor to be the root causes for recent violations of corporate data definition standards in a new business intelligence project. Which of the following is the MOST appropriate suggestion for an auditor to make?
A. Achieve standards alignment through an increase of resources devoted to the project
B. Align the data definition standards after completion of the project
C. Delay the project until compliance with standards can be achieved
D. Enforce standard compliance by adopting punitive measures against violators
Right answer: A. Achieve standards alignment through an increase of resources devoted to the project
Explanation: Provided that data architecture, technical, and operational requirements are sufficiently documented, the alignment to standards could be treated as a specific work package assigned to new project resources. The usage of nonstandard data definitions would lower the efficiency of the new development, and increase the risk

Question: In a small organization, developers may release emergency changes directly to production. Which of the following will BEST control the risk in this situation?
A. Approve and document the change the next business day
B. Limit developer access to production to a specific timeframe
C. Obtain secondary approval before releasing to production
D. Disable the compiler option in the production machine
Right answer: A. Approve and document the change the next business day
Explanation: It may be appropriate to allow programmers to make emergency changes as long as they are documented and approved after the fact. Restricting release time frame may help somewhat; however, it would not apply to emergency changes and cannot prevent unauthorized release of the programs. Choices C and D are not

Question: An IS auditor notes that patches for the operating system used by an organization are deployed by the IT department as advised by the vendor. The MOST significant concern an IS auditor should have with this practice is the nonconsideration by IT of:
A. the training needs for users after applying the patch.
B. any beneficial impact of the patch on the operational systems.
C. delaying deployment until testing the impact of the patch.
D. the necessity of advising end users of new patches.
Right answer: C. delaying deployment until testing the impact of the patch.
Explanation: Deploying patches without testing exposes an organization to the risk of system disruption or failure. Normally, there is no need for training or advising users when a new operating system patch has been installed. Any beneficial impact is less important than the risk of unavailability that could be avoided with proper

Question: Which of the following processes should an IS auditor recommend to assist in the recording of baselines for software releases?
A. Change management
B. Backup and recovery
C. Incident management
D. Configuration management
Right answer: D. Configuration management
Explanation: The configuration management process may include automated tools that will provide an automated recording of software release baselines. Should the new release fail, the baseline will provide a point to which to return. The other choices do not provide the processes necessary for establishing software release

Question: An IS auditor discovers that developers have operator access to the command line of a production environment operating system. Which of the following controls would BEST mitigate the risk of undetected and unauthorized program changes to the production environment?
A. Commands typed on the command line are logged
B. Hash keys are calculated periodically for programs and matched against hash keys calculated for the most recent authorized versions of the programs
C. Access to the operating system command line is granted through an access restriction tool with preapproved rights
D. Software development tools and compilers have been removed from the production environment
Right answer: B. Hash keys are calculated periodically for programs and matched against hash keys calculated for the most recent authorized versions of the programs
Explanation: The matching of hash keys over time would allow detection of changes to files. Choice A is incorrect because having a log is not a control; reviewing the log is a control. Choice C is incorrect because the access was already granted; it does not matter how. Choice D is wrong because files can be copied to and from the production environment.

Question: The application systems of an organization using open-source software have no single recognized developer producing patches. Which of the following would be the MOST secure way of updating open-source software?
A. Rewrite the patches and apply them
B. Code review and application of available patches
C. Develop in-house patches
D. Identify and test suitable patches before applying them
Right answer: D. Identify and test suitable patches before applying them
Explanation: Suitable patches from the existing developers should be selected and tested before applying them. Rewriting the patches and applying them is not a correct answer because it would require skilled resources and time to rewrite the patches. Code review could be possible but tests need to be performed before

Question: To determine if unauthorized changes have been made to production code the BEST audit procedure is to:
A. examine the change control system records and trace them forward to object code files.
B. review access control permissions operating within the production program libraries.
C. examine object code to find instances of changes and trace them back to change control records.
D. review change approved designations established within the change control system.
Right answer: C. examine object code to find instances of changes and trace them back to change control records.
Explanation: The procedure of examining object code files to establish instances of code changes and tracing these back to change control system records is a substantive test that directly addresses the risk of unauthorized code changes. The other choices are valid procedures to apply in a change control audit but they do not directly address the

Question: When reviewing procedures for emergency changes to programs, the IS auditor should verify that the procedures:
A. allow changes, which will be completed using after-the-fact follow-up.
B. allow undocumented changes directly to the production library.
C. do not allow any emergency changes.
D. allow programmers permanent access to production programs.
Right answer: A. allow changes, which will be completed using after-the-fact follow-up.
Explanation: There may be situations where emergency fixes are required to resolve system problems. This involves the use of special logon IDs that grant programmers temporary access to production programs during emergency situations. Emergency changes should be completed using after-the-fact follow-up procedures, which ensure that normal

Question: An organization has recently installed a security patch, which crashed the production server. To minimize the probability of this occurring again, an IS auditor should:
A. apply the patch according to the patch’s release notes.
B. ensure that a good change management process is in place.
C. thoroughly test the patch before sending it to production.
D. approve the patch after doing a risk assessment.
Right answer: B. ensure that a good change management process is in place.
Explanation: An IS auditor must review the change management process, including patch management procedures, and verify that the process has adequate controls and make suggestions accordingly. The other choices are part of a good change management process but are not an IS auditor’s responsibility.

Question: An IS auditor should recommend the use of library control software to provide reasonable assurance that:
A. program changes have been authorized.
B. only thoroughly tested programs are released.
C. modified programs are automatically moved to production.
D. source and executable code integrity is maintained.
Right answer: A. program changes have been authorized.
Explanation: Library control software should be used to separate test from production libraries in mainframe and/or client server environments. The main objective of library control software is to provide assurance that program changes have been authorized. Library control software is concerned with authorized program changes and

Question: The purpose of code signing is to provide assurance that:
A. the software has not been subsequently modified.
B. the application can safely interface with another signed application.
C. the signer of the application is trusted.
D. the private key of the signer has not been compromised.
Right answer: A. the software has not been subsequently modified.
Explanation: Code signing can only ensure that the executable code has not been modified after being signed. The other choices are incorrect and actually represent potential and exploitable weaknesses of code signing.

Question: A programmer maliciously modified a production program to change data and then restored the original code. Which of the following would MOST effectively detect the malicious activity?
A. Comparing source code
B. Reviewing system log files
C. Comparing object code
D. Reviewing executable and source code integrity
Right answer: B. Reviewing system log files
Explanation: Reviewing system log files is the only trail that may provide information about the unauthorized activities in the production library. Source and object code comparisons are ineffective, because the original programs were restored and do not exist. Reviewing executable and source code integrity is an ineffective control, because

Question: An IS auditor reviewing a database application discovers that the current configuration does not match the originally designed structure. Which of the following should be the IS auditor’s next action?
A. Analyze the need for the structural change.
B. Recommend restoration to the originally designed structure.
C. Recommend the implementation of a change control process.
D. Determine if the modifications were properly approved.
Right answer: D. Determine if the modifications were properly approved.
Explanation: An IS auditor should first determine if the modifications were properly approved. Choices A, B and C are possible subsequent actions, should the IS auditor find that the structural modification had not been approved.

Question: Which of the following tests performed by an IS auditor would be the MOST effective in determining compliance with an organization’s change control procedures?
A. Review software migration records and verify approvals.
B. Identify changes that have occurred and verify approvals.
C. Review change control documentation and verify approvals.
D. Ensure that only appropriate staff can migrate changes into production.
Right answer: B. Identify changes that have occurred and verify approvals.
Explanation: The most effective method is to determine through code comparisons what changes have been made and then verify that they have been approved. Change control records and software migration records may not have all changes listed. Ensuring that only appropriate staff can migrate changes into production is a key

Question: An IS auditor reviewing database controls discovered that changes to the database during normal working hours were handled through a standard set of procedures. However, changes made after normal hours required only an abbreviated number of steps. In this situation, which of the following would be considered an adequate set
A. Allow changes to be made only with the DBA user account.
B. Make changes to the database after granting access to a normal user account.
C. Use the DBA user account to make changes, log the changes and review the change log the following day.
D. Use the normal user account to make changes, log the changes and review the change log the following day.
Right answer: C. Use the DBA user account to make changes, log the changes and review the change log the following day.
Explanation: The use of a database administrator (DBA) user account is normally set up to log all changes made and is most appropriate for changes made outside of normal hours. The use of a log, which records the changes, allows changes to be reviewed. The use of the DBA user account without logging would permit uncontrolled changes to be made

Question: In regard to moving an application program from the test environment to the production environment, the BEST control would be to have the:
A. application programmer copy the source program and compiled object module to the production libraries.
B. application programmer copy the source program to the production libraries and then have the production control group compile the program.
C. production control group compile the object module to the production libraries using the source program in the test environment.
D. production control group copy the source program to the production libraries and then compile the program.
Right answer: D. production control group copy the source program to the production libraries and then compile the program.
Explanation: The best control would be provided by having the production control group copy the source program to the production libraries and then compile the program.

Question: Change management procedures are established by IS management to:
A. control the movement of applications from the test environment to the production environment.
B. control the interruption of business operations from lack of attention to unresolved problems.
C. ensure the uninterrupted operation of the business in the event of a disaster.
D. verify that system changes are properly documented.
Right answer: A. control the movement of applications from the test environment to the production environment.
Explanation: Change management procedures are established by IS management to control the movement of applications from the test environment to the production environment. Problem escalation procedures control the interruption of business operations from lack of attention to unresolved problems, and quality assurance procedures verify that

Question: Which of the following controls would be MOST effective in ensuring that production source code and object code are synchronized?
A. Release-to-release source and object comparison reports
B. Library control software restricting changes to source code
C. Restricted access to source code and object code
D. Date and time-stamp reviews of source and object code
Right answer: D. Date and time-stamp reviews of source and object code
Explanation: Date and time-stamp reviews of source and object code would ensure that source code, which has been compiled, matches the production object code. This is the most effective way to ensure that the approved production source code is compiled and is the one being used.

Question: Vendors have released patches fixing security flaws in their software. Which of the following should an IS auditor recommend in this situation?
A. Assess the impact of patches prior to installation.
B. Ask the vendors for a new software version with all fixes included.
C. Install the security patch immediately.
D. Decline to deal with these vendors in the future.
Right answer: A. Assess the impact of patches prior to installation.
Explanation: The effect of installing the patch should be immediately evaluated and installation should occur based on the results of the evaluation. To install the patch without knowing what it might affect could easily cause problems. New software versions with all fixes included are not always available and a full installation could be time consuming.

Question: In a small organization, an employee performs computer operations and, when the situation demands, program modifications. Which of the following should the IS auditor recommend?
A. Automated logging of changes to development libraries
B. Additional staff to provide separation of duties
C. Procedures that verify that only approved program changes are implemented
D. Access controls to prevent the operator from making program modifications
Right answer: C. Procedures that verify that only approved program changes are implemented
Explanation: While it would be preferred that strict separation of duties be adhered to and that additional staff is recruited as suggested in choice B, this practice is not always possible in small organizations. An IS auditor must look at recommended alternative processes. Of the choices, C is the only practical one that has an impact. An IS auditor should

Question: While reviewing the IT infrastructure, an IS auditor notices that storage resources are continuously being added. The IS auditor should:
A. recommend the use of disk mirroring.
B. review the adequacy of offsite storage.
C. review the capacity management process.
D. recommend the use of a compression algorithm.
Answer: C. review the capacity management process.
Explanation: Capacity management is the planning and monitoring of computer resources to ensure that available IT resources are used efficiently and effectively. Business criticality must be considered before recommending a disk mirroring solution and offsite storage is unrelated to the problem. Though data compression may save disk space, it

Question: A review of wide area network (WAN) usage discovers that traffic on one communication line between sites, synchronously linking the master and standby database, peaks at 96 percent of the line capacity. An IS auditor should conclude that:
A. analysis is required to determine if a pattern emerges that results in a service loss for a short period of time.
B. WAN capacity is adequate for the maximum traffic demands since saturation has not been reached.
C. the line should immediately be replaced by one with a larger capacity to provide approximately 85 percent saturation.
D. users should be instructed to reduce their traffic demands or distribute them across all service hours to flatten bandwidth consumption.
Answer: A. analysis is required to determine if a pattern emerges that results in a service loss for a short period of time.
Explanation: The peak at 96 percent could be the result of a one-off incident, e.g., a user downloading a large amount of data; therefore, analysis to establish whether this is a regular pattern and what causes this behavior should be carried out before expenditure on a larger line capacity is recommended. Since the link provides for a standby database, a short loss of

Question: Which of the following is MOST directly affected by network performance monitoring tools?
A. Integrity
B. Availability
C. Completeness
D. Confidentiality
Answer: B. Availability
Explanation: In case of a disruption in service, one of the key functions of network performance monitoring tools is to ensure that the information has remained unaltered. It is a function of security monitoring to assure confidentiality by using such tools as encryption. However, the most important aspect of network performance is assuring the ongoing

Question: Which of the following types of firewalls provide the GREATEST degree and granularity of control?
A. Screening router
B. Packet filter
C. Application gateway
D. Circuit gateway
Answer: C. Application gateway
Explanation: The application gateway is similar to a circuit gateway, but it has specific proxies for each service. To handle web services, it has an HTTP proxy that acts as an intermediary between externals and internals, but is specifically for HTTP. This means that it not only checks the packet IP addresses (layer 3) and the ports it is directed to

Question: Which of the following controls will MOST effectively detect the presence of bursts of errors in network transmissions?
A. Parity check
B. Echo check
C. Block sum check
D. Cyclic redundancy check
Answer: D. Cyclic redundancy check
Explanation: The cyclic redundancy check (CRC) can check for a block of transmitted data. The workstations generate the CRC and transmit it with the data. The receiving workstation computes a CRC and compares it to the transmitted CRC. If both of them are equal, then the block is assumed error free. In this case (such as in parity error or echo check), multiple

Question: Which of the following is widely accepted as one of the critical components in networking management?
A. Configuration management
B. Topological mappings
C. Application of monitoring tools
D. Proxy server troubleshooting
Answer: A. Configuration management
Explanation: Configuration management is widely accepted as one of the key components of any network, since it establishes how the network will function internally and externally. It also deals with the management of configuration and monitoring performance. Topological mappings provide outlines of the components of the

Question: An IS auditor finds that, at certain times of the day, the data warehouse query performance decreases significantly. Which of the following controls would it be relevant for the IS auditor to review?
A. Permanent table-space allocation
B. Commitment and rollback controls
C. User spool and database limit controls
D. Read/write access log controls
Answer: C. User spool and database limit controls
Explanation: User spool limits restrict the space available for running user queries. This prevents poorly formed queries from consuming excessive system resources and impacting general query performance. Limiting the space available to users in their own databases prevents them from building excessively large tables. This helps to control

Question: Which of the following database controls would ensure that the integrity of transactions is maintained in an online transaction processing system's database?
A. Authentication controls
B. Data normalization controls
C. Read/write access log controls
D. Commitment and rollback controls
Answer: D. Commitment and rollback controls
Explanation: Commitment and rollback controls are directly relevant to integrity. These controls ensure that database operations that form a logical transaction unit will complete in its entirety or not at all; i.e., if, for some reason, a transaction cannot be fully completed, then incomplete inserts/updates/deletes are rolled back so that the

Question: An IS auditor finds that client requests were processed multiple times when received from different independent departmental databases, which are synchronized weekly. What would be the BEST recommendation?
A. Increase the frequency of data replication between the different department systems to ensure timely updates.
B. Centralize all request processing in one department to avoid parallel processing of the same request.
C. Change the application architecture so that common data are held in just one shared database for all departments.
D. Implement reconciliation controls to detect duplicates before orders are processed in the systems.
Answer: C. Change the application architecture so that common data are held in just one shared database for all departments.
Explanation: Keeping the data in one place is the best way to ensure that data are stored without redundancy and that all users have the same data on their systems. Although increasing the frequency may help to minimize the problem, the risk of duplication cannot be eliminated completely because parallel data entry is still possible. Business requirements will most

Question: A database administrator has detected a performance problem with some tables which could be solved through denormalization. This situation will increase the risk of:
A. concurrent access.
B. deadlocks.
C. unauthorized access to data.
D. a loss of data integrity.
Answer: D. a loss of data integrity.
Explanation: Normalization is the removal of redundant data elements from the database structure. Disabling normalization in relational databases will create redundancy and a risk of not maintaining consistency of data, with the consequent loss of data integrity. Deadlocks are not caused by denormalization. Access to data is controlled by

Question: When performing a database review, an IS auditor notices that some tables in the database are not normalized. The IS auditor should next:
A. recommend that the database be normalized.
B. review the conceptual data model.
C. review the stored procedures.
D. review the justification.
Answer: D. review the justification.
Explanation: If the database is not normalized, the IS auditor should review the justification since, in some situations, denormalization is recommended for performance reasons. The IS auditor should not recommend normalizing the database until further investigation takes place. Reviewing the conceptual data model or the stored procedures will not

Question: In a relational database with referential integrity, the use of which of the following keys would prevent deletion of a row from a customer table as long as the customer number of that row is stored with live orders on the orders table?
A. Foreign key
B. Primary key
C. Secondary key
D. Public key
Answer: A. Foreign key
Explanation: In a relational database with referential integrity, the use of foreign keys would prevent events such as primary key changes and record deletions, resulting in orphaned relations within the database. It should not be possible to delete a row from a customer table when the customer number (primary key) of that row is stored with live

Question: During maintenance of a relational database, several values of the foreign key in a transaction table of a relational database have been corrupted. The consequence is that:
A. the detail of involved transactions may no longer be associated with master data, causing errors when these transactions are processed.
B. there is no way of reconstructing the lost information, except by deleting the dangling tuples and reentering the transactions.
C. the database will immediately stop execution and lose more information.
D. the database will no longer accept input data.
Answer: A. the detail of involved transactions may no longer be associated with master data, causing errors when these transactions are processed.
Explanation: When the external key of a transaction is corrupted or lost, the application system will normally be incapable of directly attaching the master data to the transaction data. This will normally cause the system to undertake a sequential search and slow down the processing. If the concerned files are big, this slowdown will be unacceptable. Choice B

Question: An IS auditor analyzing the audit log of a database management system (DBMS) finds that some transactions were partially executed as a result of an error, and are not rolled back. Which of the following transaction processing features has been violated?
A. Consistency
B. Isolation
C. Durability
D. Atomicity
Answer: D. Atomicity
Explanation: Atomicity guarantees that either the entire transaction is processed or none of it is. Consistency ensures that the database is in a legal state when the transaction begins and ends. Isolation means that, while in an intermediate state, the transaction data is invisible to external operations. Durability guarantees that a successful transaction will persist,

Question: Which of the following controls would provide the GREATEST assurance of database integrity?
A. Audit log procedures
B. Table link/reference checks
C. Query/table access time checks
D. Rollback and rollforward database features
Answer: B. Table link/reference checks
Explanation: Performing table link/reference checks serves to detect table linking errors (such as completeness and accuracy of the contents of the database), and thus provides the greatest assurance of database integrity. Audit log procedures enable recording of all events that have been identified and help in tracing the events.

Question: The objective of concurrency control in a database system is to:
A. restrict updating of the database to authorized users.
B. prevent integrity problems when two processes attempt to update the same data at the same time.
C. prevent inadvertent or unauthorized disclosure of data in the database.
D. ensure the accuracy, completeness and consistency of data.
Answer: B. prevent integrity problems when two processes attempt to update the same data at the same time.
Explanation: Concurrency controls prevent data integrity problems, which can arise when two update processes access the same data item at the same time. Access controls restrict updating of the database to authorized users, and controls such as passwords prevent the inadvertent or unauthorized disclosure of data from the database. Quality

Question: Which of the following will prevent dangling tuples in a database?
A. Cyclic integrity
B. Domain integrity
C. Relational integrity
D. Referential integrity
Answer: D. Referential integrity
Explanation: Referential integrity ensures that a foreign key in one table will equal null or the value of a primary key in the other table. For every tuple in a table having a referenced/foreign key, there should be a corresponding tuple in another table, i.e., for existence of all foreign keys in the original tables. If this condition is not satisfied, then it results in a dangling tuple.

Question: Which of the following would BEST maintain the integrity of a firewall log?
A. Granting access to log information only to administrators
B. Capturing log events in the operating system layer
C. Writing dual logs onto separate storage media
D. Sending log information to a dedicated third-party log server
Answer: D. Sending log information to a dedicated third-party log server
Explanation: Establishing a dedicated third-party log server and logging events in it is the best procedure for maintaining the integrity of a firewall log. When access control to the log server is adequately maintained, the risk of unauthorized log modification will be mitigated, therefore improving the integrity of log information. To enforce segregation of duties,

Question: Doing which of the following during peak production hours could result in unexpected downtime?
A. Performing data migration or tape backup
B. Performing preventive maintenance on electrical systems
C. Promoting applications from development to the staging environment
D. Replacing a failed power supply in the core router of the data center
Answer: B. Performing preventive maintenance on electrical systems
Explanation: Choices A and C are processing events which may impact performance, but would not cause downtime. Enterprise-class routers have redundant hot-swappable power supplies, so replacing a failed power supply should not be an issue. Preventive maintenance activities should be scheduled for non-peak times of the day, and preferably

Question: Which of the following is the BEST type of program for an organization to implement to aggregate, correlate and store different log and event files, and then produce weekly and monthly reports for IS auditors?
A. A security information event management (SIEM) product
B. An open-source correlation engine
C. A log management tool
D. An extract, transform, load (ETL) system
Answer: C. A log management tool
Explanation: A log management tool is a product designed to aggregate events from many log files (with distinct formats and from different sources), store them and typically correlate them offline to produce many reports (e.g., exception reports showing different statistics including anomalies and suspicious activities), and to answer

Question: To verify that the correct version of a data file was used for a production run, an IS auditor should review:
A. operator problem reports.
B. operator work schedules.
C. system logs.
D. output distribution reports.
Answer: C. system logs.
Explanation: System logs are automated reports which identify most of the activities performed on the computer. Programs that analyze the system log have been developed to report on specifically defined items. The auditor can then carry out tests to ensure that the correct file version was used for a production run. Operator problem

Question: An IS auditor observes a weakness in the tape management system at a data center in that some parameters are set to bypass or ignore tape header records. Which of the following is the MOST effective compensating control for this weakness?
A. Staging and job set up
B. Supervisory review of logs
C. Regular back-up of tapes
D. Offsite storage of tapes
Answer: A. Staging and job set up
Explanation: If the IS auditor finds that there are effective staging and job set up processes, this can be accepted as a compensating control. Choice B is a detective control while choices C and D are corrective controls, none of which would serve as good compensating controls.

Question: When reviewing a hardware maintenance program, an IS auditor should assess whether:
A. the schedule of all unplanned maintenance is maintained.
B. it is in line with historical trends.
C. it has been approved by the IS steering committee.
D. the program is validated against vendor specifications.
Answer: D. the program is validated against vendor specifications.
Explanation: Though maintenance requirements vary based on complexity and performance work loads, a hardware maintenance schedule should be validated against the vendor-provided specifications. For business reasons, an organization may choose a more aggressive maintenance program than the vendor's program. The maintenance

Question: Which of the following BEST limits the impact of server failures in a distributed environment?
A. Redundant pathways
B. Clustering
C. Dial backup lines
D. Standby power
Answer: B. Clustering
Explanation: Clustering allows two or more servers to work as a unit, so that when one of them fails, the other takes over. Choices A and C are intended to minimize the impact of channel communications failures, but not a server failure. Choice D provides an alternative power source in the event of an energy failure.

Question: An IS auditor reviewing an organization's data file control procedures finds that transactions are applied to the most current files, while restart procedures use earlier versions. The IS auditor should recommend the implementation of:
A. source documentation retention.
B. data file security.
C. version usage control.
D. one-for-one checking.
Answer: C. version usage control.
Explanation: For processing to be correct, it is essential that the proper version of a file is used. Transactions should be applied to the most current database, while restart procedures should use earlier versions. Source documentation should be retained for an adequate time period to enable documentation retrieval, reconstruction or verification of data, but

Question: The BEST way to minimize the risk of communication failures in an e-commerce environment would be to use:
A. compression software to minimize transmission duration.
B. functional or message acknowledgments.
C. a packet-filtering firewall to reroute messages.
D. leased asynchronous transfer mode lines.
Answer: D. leased asynchronous transfer mode lines.
Explanation: Leased asynchronous transfer mode lines are a way to avoid using public and shared infrastructures from the carrier or Internet service provider that have a greater number of communication failures. Choice A, compression software, is a valid way to reduce the problem, but is not as good as leased asynchronous transfer mode lines. Choice B is a

Question: Web and e-mail filtering tools are PRIMARILY valuable to an organization because they:
A. protect the organization from viruses and nonbusiness materials.
B. maximize employee performance.
C. safeguard the organization's image.
D. assist the organization in preventing legal issues.
Answer: A. protect the organization from viruses and nonbusiness materials.
Explanation: The main reason for investing in web and e-mail filtering tools is that they significantly reduce risks related to viruses, spam, mail chains, recreational surfing and recreational e-mail. Choice B could be true in some circumstances (i.e., it would need to be implemented along with an awareness program, so that employee performance can be

Question: The database administrator (DBA) suggests that DB efficiency can be improved by denormalizing some tables. This would result in:
A. loss of confidentiality.
B. increased redundancy.
C. unauthorized accesses.
D. application malfunctions.
Answer: B. increased redundancy.
Explanation: Normalization is a design or optimization process for a relational database (DB) that minimizes redundancy; therefore, denormalization would increase redundancy. Redundancy, which is usually considered positive when it is a question of resource availability, is negative in a database environment, since it demands additional and otherwise

Question: The MOST significant security concern when using flash memory (e.g., USB removable disk) is that the:
A. contents are highly volatile.
B. data cannot be backed up.
C. data can be copied.
D. device may not be compatible with other peripherals.
Answer: C. data can be copied.
Explanation: Unless properly controlled, flash memory provides an avenue for anyone to copy any content with ease. The contents stored in flash memory are not volatile. Backing up flash memory data is not a control concern, as the data are sometimes stored as a backup. Flash memory will be accessed through a PC rather than any other

Question: Which of the following BEST ensures the integrity of a server's operating system?
A. Protecting the server in a secure location
B. Setting a boot password
C. Hardening the server configuration
D. Implementing activity logging
Answer: C. Hardening the server configuration
Explanation: Hardening a system means to configure it in the most secure manner (install latest security patches, properly define the access authorization for users and administrators, disable insecure options and uninstall unused services) to prevent nonprivileged users from gaining the right to execute privileged instructions and thus take

Question: IT operations for a large organization have been outsourced. An IS auditor reviewing the outsourced operation should be MOST concerned about which of the following findings?
A. The outsourcing contract does not cover disaster recovery for the outsourced IT operations.
B. The service provider does not have incident handling procedures.
C. Recently a corrupted database could not be recovered because of library management problems.
D. Incident logs are not being reviewed.
Answer: A. The outsourcing contract does not cover disaster recovery for the outsourced IT operations.
Explanation: The lack of a disaster recovery provision presents a major business risk. Incorporating such a provision into the contract will provide the outsourcing organization leverage over the service provider. Choices B, C and D are problems that should be addressed by the service provider, but are not as important as contract requirement

Question: Which of the following will help detect changes made by an intruder to the system log of a server?
A. Mirroring the system log on another server
B. Simultaneously duplicating the system log on a write-once disk
C. Write-protecting the directory containing the system log
D. Storing the backup of the system log offsite
Answer: B. Simultaneously duplicating the system log on a write-once disk
Explanation: A write-once CD cannot be overwritten. Therefore, the system log duplicated on the disk could be compared to the original log to detect differences, which could be the result of changes made by an intruder. Write-protecting the system log does not prevent deletion or modification, since the superuser can override the write protection. Backup and mirroring

Question: Which of the following is a network diagnostic tool that monitors and records network information?
A. Online monitor
B. Downtime report
C. Help desk report
D. Protocol analyzer
Answer: D. Protocol analyzer
Explanation: Protocol analyzers are network diagnostic tools that monitor and record network information from packets traveling in the link to which the analyzer is attached. Online monitors (choice A) measure telecommunications transmissions and determine whether transmissions were accurate and complete. Downtime reports (choice B) track the

Question: Applying a retention date on a file will ensure that:
A. data cannot be read until the date is set.
B. data will not be deleted before that date.
C. backup copies are not retained after that date.
D. datasets having the same name are differentiated.
Answer: B. data will not be deleted before that date.
Explanation: A retention date will ensure that a file cannot be overwritten before that date has passed. The retention date will not affect the ability to read the file. Backup copies would be expected to have a different retention date and therefore may be retained after the file has been overwritten. The creation date, not the retention date, will differentiate

Question: Which of the following exposures associated with the spooling of sensitive reports for offline printing should an IS auditor consider to be the MOST serious?
A. Sensitive data can be read by operators.
B. Data can be amended without authorization.
C. Unauthorized report copies can be printed.
D. Output can be lost in the event of system failure.
Answer: C. Unauthorized report copies can be printed.
Explanation: Unless controlled, spooling for offline printing may enable additional copies to be printed. Print files are unlikely to be available for online reading by operators. Data on spool files are no easier to amend without authority than any other file. There is usually a lesser threat of unauthorized access to sensitive reports in the event of

Question: Which of the following would an IS auditor consider to be the MOST helpful when evaluating the effectiveness and adequacy of a computer preventive maintenance program?
A. A system downtime log
B. Vendors' reliability figures
C. Regularly scheduled maintenance log
D. A written preventive maintenance schedule
Answer: A. A system downtime log
Explanation: A system downtime log provides information regarding the effectiveness and adequacy of computer preventive maintenance programs.

Question: To determine which users can gain access to the privileged supervisory state, which of the following should an IS auditor review?
A. System access log files
B. Enabled access control software parameters
C. Logs of access control violations
D. System configuration files for control options used
Answer: D. System configuration files for control options used
Explanation: A review of system configuration files for control options used would show which users have access to the privileged supervisory state. Both systems access log files and logs of access violations are detective in nature. Access control software is run under the operating system.

Question: Which of the following procedures would MOST effectively detect the loading of illegal software packages onto a network?
A. The use of diskless workstations
B. Periodic checking of hard drives
C. The use of current antivirus software
D. Policies that result in instant dismissal if violated
Answer: B. Periodic checking of hard drives
Explanation: The periodic checking of hard drives would be the most effective method of identifying illegal software packages loaded to the network. Antivirus software will not necessarily identify illegal software, unless the software contains a virus. Diskless workstations act as a preventive control and are not effective, since users could still

Question: During a human resources (HR) audit, an IS auditor is informed that there is a verbal agreement between the IT and HR departments as to the level of IT services expected. In this situation, what should the IS auditor do FIRST?
A. Postpone the audit until the agreement is documented
B. Report the existence of the undocumented agreement to senior management
C. Confirm the content of the agreement with both departments
D. Draft a service level agreement (SLA) for the two departments
Answer: C. Confirm the content of the agreement with both departments
Explanation: An IS auditor should first confirm and understand the current practice before making any recommendations. The agreement can be documented after it has been established that there is an agreement in place. The fact that there is not a written agreement does not justify postponing the audit, and reporting to senior management

Question: IT best practices for the availability and continuity of IT services should:
A. minimize costs associated with disaster-resilient components.
B. provide for sufficient capacity to meet the agreed upon demands of the business.
C. provide reasonable assurance that agreed upon obligations to customers can be met.
D. produce timely performance metric reports.
Answer: C. provide reasonable assurance that agreed upon obligations to customers can be met.
Explanation: It is important that negotiated and agreed commitments (i.e., service level agreements [SLAs]) can be fulfilled all the time. If this were not achievable, IT should not have agreed to these requirements, as entering into such a commitment would be misleading to the business. 'All the time' in this context directly relates to the 'agreed

Question: Which of the following should be the PRIMARY concern to an IS auditor reviewing the management of external IT service providers?
A. Minimizing of costs for the services provided
B. Prohibiting the provider from subcontracting services
C. Evaluating the process for transferring knowledge to the IT department
D. Determining if the services were provided as contracted
Answer: D. Determining if the services were provided as contracted
Explanation: From an IS auditor's perspective, the primary objective of auditing the management of service providers should be to determine if the services that were requested were provided in a way that is acceptable, seamless and in line with contractual agreements. Minimizing costs, if applicable and achievable (depending on the customer's need) is

Question: The PRIMARY objective of service-level management (SLM) is to:
A. define, agree, record and manage the required levels of service.
B. ensure that services are managed to deliver the highest achievable level of availability.
C. keep the costs associated with any service at a minimum.
D. monitor and report any legal noncompliance to business management.
Answer: A. define, agree, record and manage the required levels of service.
Explanation: The objective of service-level management (SLM) is to negotiate, document and manage (i.e., provide and monitor) the services in the manner in which the customer requires those services. This does not necessarily ensure that services are delivered at the highest achievable level of availability (e.g., redundancy and clustering).

Question: An organization has outsourced its help desk. Which of the following indicators would be the best to include in the SLA?
A. Overall number of users supported
B. Percentage of incidents solved in the first call
C. Number of incidents reported to the help desk
D. Number of agents answering the phones
Answer: B. Percentage of incidents solved in the first call
Explanation: Since it is about service level (performance) indicators, the percentage of incidents solved on the first call is the only option that is relevant. Choices A, C and D are not quality measures of the help desk service.

Question: A benefit of quality of service (QoS) is that the:
A. entire network's availability and performance will be significantly improved.
B. telecom carrier will provide the company with accurate service-level compliance reports.
C. participating applications will have guaranteed service levels.
D. communications link will be supported by security controls to perform secure online transactions.
Answer: C. participating applications will have guaranteed service levels.
Explanation: The main function of QoS is to optimize network performance by assigning priority to business applications and end users, through the allocation of dedicated parts of the bandwidth to specific traffic. Choice A is not true because the communication itself will not be improved. While the speed of data exchange for specific applications could be

Question: Which of the following reports should an IS auditor use to check compliance with a service level agreement's (SLA) requirement for uptime?
A. Utilization reports
B. Hardware error reports
C. System logs
D. Availability reports
Answer: D. Availability reports
Explanation: IS inactivity, such as downtime, is addressed by availability reports. These reports provide the time periods during which the computer was available for utilization by users or other processes. Utilization reports document the use of computer equipment, and can be used by management to predict how/where/when resources

Question: When performing an audit of a client relationship management (CRM) system migration project, which of the following should be of GREATEST concern to an IS auditor?
A. The technical migration is planned for a Friday preceding a long weekend, and the time window is too short for completing all tasks.
B. Employees pilot-testing the system are concerned that the data representation in the new system is completely different from the old system.
C. A single implementation is planned, immediately decommissioning the legacy system.
D. Five weeks prior to the target date, there are still numerous defects in the printing functionality of the new system’s software.
Answer: C. A single implementation is planned, immediately decommissioning the legacy system.
Explanation: Major system migrations should include a phase of parallel operation or a phased cut-over to reduce implementation risks. Decommissioning or disposing of the old hardware would complicate any fallback strategy, should the new system not operate correctly. A weekend can be used as a time buffer so that the new system will have a

Question: After discovering a security vulnerability in a third-party application that interfaces with several external systems, a patch is applied to a significant number of modules. Which of the following tests should an IS auditor recommend?
A. Stress
B. Black box
C. Interface
D. System
Answer: D. System
Explanation: Given the extensiveness of the patch and its interfaces to external systems, system testing is most appropriate. Interface testing is not enough, and stress or black box testing are inadequate in these circumstances.

Question: An IS auditor performing an application maintenance audit would review the log of program changes for the:
A. authorization of program changes.
B. creation date of a current object module.
C. number of program changes actually made.
D. creation date of a current source program.
Answer: A. authorization of program changes.
Explanation: The manual log will most likely contain information on authorized changes to a program. Deliberate, unauthorized changes will not be documented by the responsible party. An automated log, found usually in library management products, and not a change log would most likely contain date information for the source and executable

Question: A number of system failures are occurring when corrections to previously detected errors are resubmitted for acceptance testing. This would indicate that the maintenance team is probably not performing adequately which of the following types of testing?
A. Unit testing
B. Integration testing
C. Design walkthroughs
D. Configuration management
Answer: B. Integration testing
Explanation: A common system maintenance problem is that errors are often corrected quickly (especially when deadlines are tight). Units are tested by the programmer and then transferred to the acceptance test area; this often results in system problems that should have been detected during integration or system testing. Integration

Question: An existing system is being extensively enhanced by extracting and reusing design and program components. This is an example of:
A. reverse engineering.
B. prototyping.
C. software reuse.
D. reengineering.
Answer: D. reengineering.
Explanation: Old (legacy) systems that have been corrected, adapted and enhanced extensively require reengineering to remain maintainable. Reengineering is a rebuilding activity to incorporate new technologies into existing systems. Using program language statements, reverse engineering involves reversing a program’s machine code into

Question: When reviewing an organization’s approved software product list, which of the following is the MOST important thing to verify?
A. The risks associated with the use of the products are periodically assessed
B. The latest version of software is listed for each product
C. Due to licensing issues the list does not contain open source software
D. After hours support is offered
Answer: A. The risks associated with the use of the products are periodically assessed
Explanation: Since the business conditions surrounding vendors may change, it is important for an organization to conduct periodic risk assessments of the vendor software list. This might be best incorporated into the IT risk management process. Choices B, C and D are possible considerations but would not be the most important.

Question: When evaluating the controls of an EDI application, an IS auditor should PRIMARILY be concerned with the risk of:
A. excessive transaction turnaround time.
B. application interface failure.
C. improper transaction authorization.
D. nonvalidated batch totals.
Answer: C. improper transaction authorization.
Explanation: Foremost among the risks associated with electronic data interchange (EDI) is improper transaction authorization. Since the interaction with the parties is electronic, there is no inherent authentication. The other choices, although risks, are not as significant.

Question: An IS auditor reviewing an accounts payable system discovers that audit logs are not being reviewed. When this issue is raised with management the response is that additional controls are not necessary because effective system access controls are in place. The BEST response the auditor can make is to:
A. review the integrity of system access controls.
B. accept management’s statement that effective access controls are in place.
C. stress the importance of having a system control framework in place.
D. review the background checks of the accounts payable staff.
Answer: C. stress the importance of having a system control framework in place.
Explanation: Experience has demonstrated that reliance purely on preventative controls is dangerous. Preventative controls may not prove to be as strong as anticipated or their effectiveness can deteriorate over time. Evaluating the cost of controls versus the quantum of the risk is a valid management concern. However, in a high-risk system a comprehensi

Question: The GREATEST advantage of using web services for the exchange of information between two systems is:
A. secure communications.
B. improved performance.
C. efficient interfacing.
D. enhanced documentation.
Answer: C. efficient interfacing.
Explanation: Web services facilitate the exchange of information between two systems, regardless of the operating system or programming language used. Communication is not necessarily more secure or faster, and there is no documentation benefit in using web services.

Question: A clerk changed the interest rate for a loan on a master file. The rate entered is outside the normal range for such a loan. Which of the following controls is MOST effective in providing reasonable assurance that the change was authorized?
A. The system will not process the change until the clerk’s manager confirms the change by entering an approval code.
B. The system generates a weekly report listing all rate exceptions and the report is reviewed by the clerk’s manager.
C. The system requires the clerk to enter an approval code.
D. The system displays a warning message to the clerk.
Answer: A. The system will not process the change until the clerk’s manager confirms the change by entering an approval code.
Explanation: Choice A would prevent or detect the use of an unauthorized interest rate. Choice B informs the manager after the fact that a change was made, thereby making it possible for transactions to use an unauthorized rate prior to management review. Choices C and D do not prevent the clerk from entering an unauthorized rate change.

Question: When using an integrated test facility (ITF), an IS auditor should ensure that:
A. production data are used for testing.
B. test data are isolated from production data.
C. a test data generator is used.
D. master files are updated with the test data.
Answer: B. test data are isolated from production data.
Explanation: An integrated test facility (ITF) creates a fictitious file in the database, allowing for test transactions to be processed simultaneously with live data. While this ensures that periodic testing does not require a separate test process, there is a need to isolate test data from production data. An IS auditor is not required to use production data or a test data

Question: When reviewing input controls, an IS auditor observes that, in accordance with corporate policy, procedures allow supervisory override of data validation edits. The IS auditor should:
A. not be concerned since there may be other compensating controls to mitigate the risks.
B. ensure that overrides are automatically logged and subject to review.
C. verify whether all such overrides are referred to senior management for approval.
D. recommend that overrides not be permitted.
Answer: B. ensure that overrides are automatically logged and subject to review.
Explanation: If input procedures allow overrides of data validation and editing, automatic logging should occur. A management individual who did not initiate the override should review this log. An IS auditor should not assume that compensating controls exist. As long as the overrides are policy-compliant, there is no need for senior

Question: When transmitting a payment instruction, which of the following will help verify that the instruction was not duplicated?
A. Use of a cryptographic hashing algorithm
B. Enciphering the message digest
C. Deciphering the message digest
D. A sequence number and time stamp
Answer: D. A sequence number and time stamp
Explanation: When transmitting data, a sequence number and/or time stamp built into the message to make it unique can be checked by the recipient to ensure that the message was not intercepted and replayed. This is known as replay protection, and could be used to verify that a payment instruction was not duplicated. Use of a

Question: Which of the following is the MOST critical and contributes the greatest to the quality of data in a data warehouse?
A. Accuracy of the source data
B. Credibility of the data source
C. Accuracy of the extraction process
D. Accuracy of the data transformation
Answer: A. Accuracy of the source data
Explanation: Accuracy of source data is a prerequisite for the quality of the data in a data warehouse. Credibility of the data source, accurate extraction processes and accurate transformation routines are all important, but would not change inaccurate data into quality (accurate) data.

Question: Which of the following represents the GREATEST potential risk in an EDI environment?
A. Transaction authorization
B. Loss or duplication of EDI transmissions
C. Transmission delay
D. Deletion or manipulation of transactions prior to or after establishment of application controls
Answer: A. Transaction authorization
Explanation: Since the interaction between parties is electronic, there is no inherent authentication occurring; therefore, transaction authorization is the greatest risk. Choices B and D are examples of risks, but the impact is not as great as that of unauthorized transactions. Transmission delays may terminate the process or hold the line until the normal

Question: A company uses a bank to process its weekly payroll. Time sheets and payroll adjustment forms (e.g., hourly rate changes, terminations) are completed and delivered to the bank, which prepares checks (cheques) and reports for distribution. To BEST ensure payroll data accuracy:
A. payroll reports should be compared to input forms.
B. gross payroll should be recalculated manually.
C. checks (cheques) should be compared to input forms.
D. checks (cheques) should be reconciled with output reports.
Answer: A. payroll reports should be compared to input forms.
Explanation: The best way to confirm data accuracy, when input is provided by the company and output is generated by the bank, is to verify the data input (input forms) with the results of the payroll reports. Hence, comparing payroll reports with input forms is the best mechanism of verifying data accuracy. Recalculating gross payroll

Question: Once an organization has finished the business process reengineering (BPR) of all its critical operations, an IS auditor would MOST likely focus on a review of:
A. pre-BPR process flowcharts.
B. post-BPR process flowcharts.
C. BPR project plans.
D. continuous improvement and monitoring plans.
Answer: B. post-BPR process flowcharts.
Explanation: An IS auditor’s task is to identify and ensure that key controls have been incorporated into the reengineered process. Choice A is incorrect because an IS auditor must review the process as it is today, not as it was in the past. Choices C and D are incorrect because they are steps within a BPR project.

Question: A company has recently upgraded its purchase system to incorporate EDI transmissions. Which of the following controls should be implemented in the EDI interface to provide for efficient data mapping?
A. Key verification
B. One-for-one checking
C. Manual recalculations
D. Functional acknowledgements
Answer: D. Functional acknowledgements
Explanation: Acting as an audit trail for EDI transactions, functional acknowledgements are one of the main controls used in data mapping. All the other choices are manual input controls, whereas data mapping deals with automatic integration of data in the receiving company.

Question: An IS auditor recommends that an initial validation control be programmed into a credit card transaction capture application. The initial validation process would MOST likely:
A. check to ensure that the type of transaction is valid for the card type.
B. verify the format of the number entered then locate it on the database.
C. ensure that the transaction entered is within the cardholder’s credit limit.
D. confirm that the card is not shown as lost or stolen on the master file.
Answer: B. verify the format of the number entered then locate it on the database.
Explanation: The initial validation should confirm whether the card is valid. This validity is established through the card number and PIN entered by the user. Based on this initial validation, all other validations will proceed. A validation control in data capture will ensure that the data entered is valid (i.e., it can be processed by the system). If the data

Question: An IS auditor who has discovered unauthorized transactions during a review of EDI transactions is likely to recommend improving the:
A. EDI trading partner agreements.
B. physical controls for terminals.
C. authentication techniques for sending and receiving messages.
D. program change control procedures.
Answer: C. authentication techniques for sending and receiving messages.
Explanation: Authentication techniques for sending and receiving messages play a key role in minimizing exposure to unauthorized transactions. The EDI trading partner agreements would minimize exposure to legal issues.

Question: When two or more systems are integrated, input/output controls must be reviewed by an IS auditor in the:
A. systems receiving the output of other systems.
B. systems sending output to other systems.
C. systems sending and receiving data.
D. interfaces between the two systems.
Answer: C. systems sending and receiving data.
Explanation: Both of the systems must be reviewed for input/output controls, since the output for one system is the input for the other.

Question: A company has implemented a new client-server enterprise resource planning (ERP) system. Local branches transmit customer orders to a central manufacturing facility. Which of the following would BEST ensure that the orders are entered accurately and the corresponding products are produced?
A. Verifying production to customer orders
B. Logging all customer orders in the ERP system
C. Using hash totals in the order transmitting process
D. Approving (production supervisor) production orders prior to production
Answer: A. Verifying production to customer orders
Explanation: Verification will ensure that production orders match customer orders. Logging can be used to detect inaccuracies, but does not in itself guarantee accurate processing. Hash totals will ensure accurate order transmission, but not accurate processing centrally. Production supervisory approval is a time consuming, manual process that

Question: A company undertakes a business process reengineering (BPR) project in support of a new and direct marketing approach to its customers. Which of the following would be an IS auditor’s main concern about the new process?
A. Whether key controls are in place to protect assets and information resources
B. If the system addresses corporate customer requirements
C. Whether the system can meet the performance goals (time and resources)
D. Whether owners have been identified who will be responsible for the process
Answer: A. Whether key controls are in place to protect assets and information resources
Explanation: The audit team must advocate the inclusion of the key controls and verify that the controls are in place before implementing the new process. Choices B, C and D are objectives that the business process reengineering (BPR) process should achieve, but they are not the auditor’s primary concern.

Question: Business units are concerned about the performance of a newly implemented system. Which of the following should an IS auditor recommend?
A. Develop a baseline and monitor system usage.
B. Define alternate processing procedures.
C. Prepare the maintenance manual.
D. Implement the changes users have suggested.
Answer: A. Develop a baseline and monitor system usage.
Explanation: An IS auditor should recommend the development of a performance baseline and monitor the system’s performance, against the baseline, to develop empirical data upon which decisions for modifying the system can be made. Alternate processing procedures and a maintenance manual will not alter a system’s performance. Implementin

Question: Which of the following would help to ensure the portability of an application connected to a database?
A. Verification of database import and export procedures
B. Usage of a structured query language (SQL)
C. Analysis of stored procedures/triggers
D. Synchronization of the entity-relation model with the database physical schema
Answer: B. Usage of a structured query language (SQL)
Explanation: The use of SQL facilitates portability. Verification of import and export procedures with other systems ensures better interfacing with other systems, analyzing stored procedures/triggers ensures proper access/performance, and reviewing the design entity-relation model will be helpful, but none of these contribute

Question: In an online transaction processing system, data integrity is maintained by ensuring that a transaction is either completed in its entirety or not at all. This principle of data integrity is known as:
A. isolation.
B. consistency.
C. atomicity.
D. durability.
Answer: C. atomicity.
Explanation: The principle of atomicity requires that a transaction be completed in its entirety or not at all. If an error or interruption occurs, all changes made up to that point are backed out. Consistency ensures that all integrity conditions in the database be maintained with each transaction. Isolation ensures that each transaction is isolated from other

Question: Responsibility and reporting lines cannot always be established when auditing automated systems since:
A. diversified control makes ownership irrelevant.
B. staff traditionally changes jobs with greater frequency.
C. ownership is difficult to establish where resources are shared.
D. duties change frequently in the rapid development of technology.
Answer: C. ownership is difficult to establish where resources are shared.
Explanation: Because of the diversified nature of both data and application systems, the actual owner of data and applications may be hard to establish.

Question: An IS auditor finds out-of-range data in some tables of a database. Which of the following controls should the IS auditor recommend to avoid this situation?
A. Log all table update transactions.
B. Implement before-and-after image reporting.
C. Use tracing and tagging.
D. Implement integrity constraints in the database.
Answer: D. Implement integrity constraints in the database.
Explanation: Implementing integrity constraints in the database is a preventive control, because data is checked against predefined tables or rules preventing any undefined data from being entered. Logging all table update transactions and implementing before-and-after image reporting are detective controls that would not

Question: During an application audit, an IS auditor finds several problems related to corrupted data in the database. Which of the following is a corrective control that the IS auditor should recommend?
A. Implement data backup and recovery procedures.
B. Define standards and closely monitor for compliance.
C. Ensure that only authorized personnel can update the database.
D. Establish controls to handle concurrent access problems.
Answer: A. Implement data backup and recovery procedures.
Explanation: Implementing data backup and recovery procedures is a corrective control, because backup and recovery procedures can be used to roll back database errors. Defining or establishing standards is a preventive control, while monitoring for compliance is a detective control. Ensuring that only authorized personnel can update the

Question: During a postimplementation review of an enterprise resource management system, an IS auditor would MOST likely:
A. review access control configuration.
B. evaluate interface testing.
C. review detailed design documentation.
D. evaluate system testing.
Answer: A. review access control configuration.
Explanation: Reviewing access control configuration would be the first task performed to determine whether security has been appropriately mapped in the system. Since a postimplementation review is done after user acceptance testing and actual implementation, one would not engage in interface testing or detailed design documentati

Question: The reason a certification and accreditation process is performed on critical systems is to ensure that:
A. security compliance has been technically evaluated.
B. data have been encrypted and are ready to be stored.
C. the systems have been tested to run on different platforms.
D. the systems have followed the phases of a waterfall model.
Answer: A. security compliance has been technically evaluated.
Explanation: Certified and accredited systems are systems that have had their security compliance technically evaluated for running on a specific production server. Choice B is incorrect because not all data of certified systems are encrypted. Choice C is incorrect because certified systems are evaluated to run in a specific environment. A waterfall model is a

Question: An organization is migrating from a legacy system to an enterprise resource planning (ERP) system. While reviewing the data migration activity, the MOST important concern for the IS auditor is to determine that there is a:
A. correlation of semantic characteristics of the data migrated between the two systems.
B. correlation of arithmetic characteristics of the data migrated between the two systems.
C. correlation of functional characteristics of the processes between the two systems.
D. relative efficiency of the processes between the two systems.
Answer: A. correlation of semantic characteristics of the data migrated between the two systems.
Explanation: Due to the fact that the two systems could have a different data representation, including the database schema, the IS auditor’s main concern should be to verify that the interpretation of the data is the same in the new as it was in the old system. Arithmetic characteristics represent aspects of data structure and internal definition in the

Question: From a risk management point of view, the BEST approach when implementing a large and complex IT infrastructure is:
A. a big bang deployment after proof of concept.
B. prototyping and a one-phase deployment.
C. a deployment plan based on sequenced phases.
D. to simulate the new infrastructure before deployment.
Answer: C. a deployment plan based on sequenced phases.
Explanation: When developing a large and complex IT infrastructure, the best practice is to use a phased approach to fitting the entire system together. This will provide greater assurance of quality results. The other choices are riskier approaches.

Question: Which of the following would impair the independence of a quality assurance team?
A. Ensuring compliance with development methods
B. Checking the testing assumptions
C. Correcting coding errors during the testing process
D. Checking the code to ensure proper documentation
Answer: C. Correcting coding errors during the testing process
Explanation: Correction of code should not be a responsibility of the quality assurance team as it would not ensure segregation of duties and would impair the team’s independence. The other choices are valid quality assurance functions.

Question: Which of the following system and data conversion strategies provides the GREATEST redundancy?
A. Direct cutover
B. Pilot study
C. Phased approach
D. Parallel run
Answer: D. Parallel run
Explanation: Parallel runs are the safest, though the most expensive, approach, because both the old and new systems are run, thus incurring what might appear to be double costs. Direct cutover is actually quite risky, since it does not provide for a ‘shake down period’ nor does it provide an easy fallback option. Both a pilot study and a phased approach

Question: An organization is implementing a new system to replace a legacy system. Which of the following conversion practices creates the GREATEST risk?
A. Pilot
B. Parallel
C. Direct cutover
D. Phased
Answer: C. Direct cutover
Explanation: Direct cutover implies switching to the new system immediately, usually without the ability to revert to the old system in the event of problems. All other alternatives are done gradually and thus provide greater recoverability and are therefore less risky.

Question: Which of the following is an implementation risk within the process of decision support systems?
A. Management control
B. Semistructured dimensions
C. Inability to specify purpose and usage patterns
D. Changes in decision processes
Answer: C. Inability to specify purpose and usage patterns
Explanation: The inability to specify purpose and usage patterns is a risk that developers need to anticipate while implementing a decision support system (DSS). Choices A, B and D are not risks, but characteristics of a DSS.

Question: At the end of the testing phase of software development, an IS auditor observes that an intermittent software error has not been corrected. No action has been taken to resolve the error. The IS auditor should:
A. report the error as a finding and leave further exploration to the auditee’s discretion.
B. attempt to resolve the error.
C. recommend that problem resolution be escalated.
D. ignore the error, as it is not possible to get objective evidence for the software error.
Answer: C. recommend that problem resolution be escalated.
Explanation: When an IS auditor observes such conditions, it is best to fully apprise the auditee and suggest that further problem resolutions be attempted. Recording it as a minor error and leaving it to the auditee’s discretion would be inappropriate, and neglecting the error would indicate that the auditor has not taken steps to further probe

Question: Which of the following types of testing would determine whether a new or modified system can operate in its target environment without adversely impacting other existing systems?
A. Parallel testing
B. Pilot testing
C. Interface/integration testing
D. Sociability testing
Answer: D. Sociability testing
Explanation: The purpose of sociability testing is to confirm that a new or modified system can operate in its target environment without adversely impacting existing systems. This should cover the platform that will perform primary application processing and interfaces with other systems, as well as changes to the desktop in a client-server or web

Question: An IS auditor finds that user acceptance testing of a new system is being repeatedly interrupted as defect fixes are implemented by developers. Which of the following would be the BEST recommendation for an IS auditor to make?
A. Consider feasibility of a separate user acceptance environment
B. Schedule user testing to occur at a given time each day
C. Implement a source code version control tool
D. Only retest high priority defects
Answer: A. Consider feasibility of a separate user acceptance environment
Explanation: A separate environment or environments is normally necessary for testing to be efficient and effective, and to ensure the integrity of production code, it is important that the development and testing code base be separate. When defects are identified they can be fixed in the development environment, without interrupting testing, before being

Question: An IS auditor is reviewing a project that is using an Agile software development approach. Which of the following should the IS auditor expect to find?
A. Use of a process-based maturity model such as the capability maturity model (CMM)
B. Regular monitoring of task-level progress against schedule
C. Extensive use of software development tools to maximize team productivity
D. Postiteration reviews that identify lessons learned for future use in the project
Answer: D. Postiteration reviews that identify lessons learned for future use in the project
Explanation: A key tenet of the Agile approach to software project management is team learning and the use of team learning to refine project management and software development processes as the project progresses. One of the best ways to achieve this is that, at the end of each iteration, the team considers and documents

Question: Following best practices, formal plans for implementation of new information systems are developed during the:
A. development phase.
B. design phase.
C. testing phase.
D. deployment phase.
Answer: B. design phase.
Explanation: Planning for implementation should begin well in advance of the actual implementation date. A formal implementation plan should be constructed in the design phase and revised as the development progresses.

Question: The specific advantage of white box testing is that it:
A. verifies a program can operate successfully with other parts of the system.
B. ensures a program’s functional operating effectiveness without regard to the internal program structure.
C. determines procedural accuracy or conditions of a program’s specific logic paths.
D. examines a program’s functionality by executing it in a tightly controlled or virtual environment with restricted access to the host system.
Answer: C. determines procedural accuracy or conditions of a program’s specific logic paths.
Explanation: White box testing assesses the effectiveness of software program logic. Specifically, test data are used in determining procedural accuracy or conditions of a program’s logic paths. Verifying the program can operate successfully with other parts of the system is sociability testing. Testing the program’s functionality without knowledge of internal structures is black box

Question: The MAJOR advantage of a component-based development approach is the:
A. ability to manage an unrestricted variety of data types.
B. provision for modeling complex relationships.
C. capacity to meet the demands of a changing environment.
D. support of multiple development environments.
Answer: D. support of multiple development environments.
Explanation: Components written in one language can interact with components written in other languages or running on other machines, which can increase the speed of development. Software developers can then focus on business logic. The other choices are not the most significant advantages of a component-based development approach.

Question: Normally, it would be essential to involve which of the following stakeholders in the initiation stage of a project?
A. System owners
B. System users
C. System designers
D. System builders
Answer: A. System owners
Explanation: System owners are the information systems (project) sponsors or chief advocates. They normally are responsible for initiating and funding projects to develop, operate and maintain information systems. System users are the individuals who use or are affected by the information system. Their requirements are crucial in the testing

Which of the A. B. C. D. A. Explanation:
following is a Applications increased increased Decision- Applications End-user
prevalent may not be developmen application making may may not be developed
risk in the subject to t and developmen be impaired subject to applications
developmen testing and maintenance t time due to testing and may not be
t of end-user IT general costs diminished IT general subjected to
computing controls responsiven controls an
(EUC) ess to independent
applications requests for outside
? information review by
systems
analysts
and
frequently
are not
created in
the context
of a formal
developmen
t
methodolog
y. These
applications
may
lack
appropriate
standards,
controls,qual
ity assurance
procedures,
and
documentati
on. A risk of
end-user
Which of the A. B. C. D. B. Explanation:
following increase the implement increase the Require the implement Inspections
would be time formal developmen sign-off of all formal of code and
the MOST allocated for software t staff project software design are a
cost- system inspections deliverables inspections proven
effective testing software
recommend quality
ation for technique.
reducing the An
number of advantage of
defects this
encountered approach is
during that
software defects are
developmen identified
t projects? before they
propagate
through the
developmen
t life cycle.
This reduces
the cost of
correction as
less rework
is involved.
Allowing
more time
for testing
may
discover
more
defects;
however,
little
During the A. B. C. D. C. Explanation:
system conceptual vendor error program error Testing is
testing design contract. reports. change reports. crucial in
phase of an specification requests. determining
application s. that user
developmen requirement
t project the s have been
IS auditor validated.
should The IS
review the: auditor
should be
involved
in this phase
and review
error reports
for their
precision in
recognizing
erroneous
data and
review the
procedures
for resolving
errors. A
conceptual
design
specification
is a
document
prepared
during the
requirement
s definition
phase. A
Which of the A. B. C. D. A. Explanation:
following is Interface Testing can it is more Errors in Interface The
an errors are be started effective critical errors are advantage of
advantage of identified before all than other modules are identified the top-
the top- early programs testing detected early down
down are approaches sooner approach is
approach to complete that tests of
software major
testing? functions
are
conducted
early, thus
enabling the
detection of
interface
errors
sooner. The
most
effective
testing
approach is
dependent
on the
environment
being tested.
Choices B
and D are
advantages
of the
bottom-up
approach to
system
testing.
During the A. B. C. D. D. Explanation:
requirement test data detailed test quality user user A key
s definition covering plans. assurance acceptance acceptance objective in
phase of a critical test testing testing any software
software applications. specification specification specification developmen
developmen s. s. s. t project is
t project, the to ensure
aspects of that the
software developed
testing that software will
should be meet the
addressed business
are objectives
developing: and the
requirement
s of the user.
The users
should be
involved in
the
requirement
s
definition
phase of a
developmen
t project and
user
acceptance
test
specification
should be
developed
during
this phase.
Which A. B. C. D. C. Explanation:
testing Bottom up Sociability Top-down System test Top-down The top-
approach is testing down
MOST approach to
appropriate testing
to ensure ensures that
that internal interface
application errors are
interface detected
errors are early and
identified as that testing
soon as of major
possible? functions is
conducted
early. A
bottom-up
approach to
testing
begins with
atomic units,
such as
programs
and
modules,
and works
upward until
a complete
system test
has taken
place.
Sociability
testing and
system tests
take place at
During the A. B. C. D. A. Explanation:
review of a buffer brute force distributed war dialing buffer Poorly
web-based overflow. attack. denial-of- attack. overflow. written
software service code,
developmen attack. especially in
t project, an web-based
IS auditor applications,
realizes that is often
coding exploited by
standards hackers
are not using buffer
enforced overflow
and code techniques.
reviews are A brute
rarely force attack
carried out. is used to
This will crack
MOST likely passwords.
increase the A distributed
likelihood of denial-of-
a service
successful: attack floods
its
target with
numerous
packets, to
prevent it
from
responding
to legitimate
requests.
War dialing
uses
modemscan
Which of the A. B. C. D. B. Explanation:
following is A sufficient Data Completing A random Data Selecting the
MOST quantity of representing the test on sample of representing right kind of
critical when data for conditions schedule actual data conditions data is key in
creating each test that are that are testing a
data for case expected in expected in computer
testing the actual actual system. The
logic in a processing processing data should
new or not only
modified include valid
application and
system? invalid data
but should
be
representati
ve of actual
processing;
quality is
more
important
than
quantity. It is
more
important to
have
adequate
test data
than to
complete
the testing
on schedule.
It is unlikely
that a
random
The A. B. C. D. A. Explanation:
waterfall life requirement requirement the project the project requirement Historically,
cycle model s are well s are well intends to will involve s are well the waterfall
of software understood understood apply an the use of understood model has
developmen and are and the object- new and are been best
t is most expected to project is oriented technology. expected to suited to the
appropriatel remain subject to design and remain stable
y used stable, as is time programmin stable, as is conditions
when: the business pressures. g approach. the business described in
environment environment choice A.
in in When the
which the which the degree of
system will system will uncertainty
operate. operate. of the
system to be
delivered
and the
conditions in
which it will
be used
rises, the
waterfall
model has
not been
successful,
in these
circumstanc
es, the
various
forms of
iterative
developmen
t life cycle
gives the
By A. B. C. D. D. Explanation:
evaluating reliable programmer security predictable predictable By
application products are s’ efficiency requirement software software evaluating
developmen guaranteed. is improved. s are processes processes the
t projects designed. are are organization’
against the followed. followed. s
capability developmen
maturity t projects
model against the
(CMM), an IS CMM, an IS
auditor auditor
should be determines
able to whether the
verify that: developmen
t
organization
follows a
stable,
predictable
software
process.
Although the
likelihood of
success
should
increase as
the software
processes
mature
toward the
optimizing
level,
mature
processes do
The A. B. C. D. A. Explanation:
GREATEST capturing of sharing of enhancemen reduction of capturing of The basis for
benefit in the knowledge t of employee the an expert
implementin knowledge in a central personnel turnover in knowledge system is the
g an expert and repository. productivity key and capture and
system is experience and departments experience recording of
the: of performance . of the
individuals . individuals knowledge
in an in an and
organization. organization. experience
of
individuals
in
an
organization.
Coding and
entering the
knowledge
in a central
repository,
shareable
within the
enterprise, is
a
means of
facilitating
the expert
system.
Enhancing
personnel
productivity
and
performance
is a benefit;
An IS auditor A. B. C. D. D. Explanation:
reviewing a operating planned OS OS has the products are products are Choices A, B
proposed system (OS) updates latest compatible compatible and C are
application being used is have been versions and with the with the incorrect
software compatible scheduled to updates. current or current or because
acquisition with the minimize planned OS. planned OS. none of
should existing negative them are
ensure that hardware impacts on related to
the: platform. company the area
needs. being
audited. In
reviewing
the
proposed
application
the auditor
should
ensure that
the products
to be
purchased
are
compatible
with the
current or
planned OS.
Regarding
choice A, if
the OS is
currently
being used,
it is
compatible
with the
The A. B. C. D. D. Explanation:
GREATEST facilitates allows early facilitates shortens the shortens the The greatest
advantage of user testing of conversion developmen developmen advantage of
rapid involvement. technical to the new t time frame. t time frame. RAD is the
application features. system. shorter time
developmen frame for
t (RAD) over the
the developmen
traditional t of a
system system.
developmen Choices A
t and B
life cycle are true, but
(SDLC) is they are also
that it: true for the
traditional
systems
developmen
t life cycle.
Choice C is
not
necessarily
always true.
During the A. B. C. D. C. Explanation:
developmen increased improper inadequate delays in inadequate The major
t of an maintenance documentati functional problem functional risk of
application, . on of testing. resolution. testing. combining
the quality testing. quality
assurance assurance
testing and testing and
user user
acceptance acceptance
testing were testing is
combined. that
The MAJOR functional
concern for testing may
an IS auditor be
reviewing inadequate.
the project Choices A, B
is that there and D are
will be: not as
important.
Functionality A. B. C. D. A. Explanation:
is a existence of ability of the capability of relationship existence of Functionality
characteristi a set of software to software to between the a set of is the set of
c associated functions be maintain its performance functions attributes
with and their transferred level of of the and their that bears
evaluating specified from one performance software and specified on the
the quality properties. environment under stated the amount properties. existence of
of software to another. conditions. of resources a set of
products used. functions
throughout and their
their life specified
cycle, and is properties.
BEST The
described as functions
the set of are those
attributes that satisfy
that bear on stated or
the: implied
needs.
Choice B
refers to
portability,
choice C
refers to
reliability
and choice D
refers to
efficiency.
Which of the A. B. C. D. B. Explanation:
following Intrusion Data mining Firewalls Packet Data mining Data mining
systems or detection techniques filtering techniques is a
tools can systems routers technique
recognize used to
that a credit detect
card trends or
transaction patterns of
is more transactions
likely to or datA. If
have the historical
resulted pattern of
from a charges
stolen credit against a
card than credit card
from the account is
holder of the changed,
credit card? then it is a
flag that the
transaction
may have
resulted
from a
fraudulent
use of the
card.
A company A. B. C. D. B. Explanation:
has Acceptance A quality Not all Prototyping A quality A quality
contracted testing is to plan is not business is being used plan is not plan is an
with an be managed part of the functions to confirm part of the essential
external by users. contracted will be that the contracted element of
consulting deliverables. available on system deliverables. all projects.
firm to initial meets It is critical
implement a implementa business that the
commercial tion. requirement contracted
financial s. supplier be
system to required to
replace its produce
existing such a plan.
system The quality
developed plan for the
in-house. in proposed
reviewing developmen
the t contract
proposed should be
developmen comprehensi
t approach, ve and
which of the encompass
following all phases of
would be of the
GREATESTco developmen
ncern? t and include
which
business
functions
will be
included and
when.
Acceptance
is normally
The MOST A. B. C. D. C. Explanation:
likely it is sent the server they it is a JAVA they An applet is
explanation over the does not run improve the program improve the a JAVA
for the use network the program performance downloaded performance program
of applets in from the and the of the web through the of the web that is sent
an Internet server. output is not server and web browser server and over the
application sent over network. and network. network
is that: the network. executed by from the
the web web server,
server of the through a
client web browser
machine. and to
the client
machine;
the code is
then run on
the machine.
Since the
server does
not run the
program and
the
output is not
sent over
the network,
the
performance
on the web
server and
network-
over which
the server
and
client are
An A. B. C. D. D. Explanation:
organization a backup a backup the systems source code source code Whenever
has server be server be staff of the of the ETCS of the ETCS proprietary
contracted available to loaded with organization application application application
with a run ETCS all the be trained to be placed in be placed in software is
vendor for a operations relevant handle any escrow. escrow. purchased,
turnkey with up-to- software and event. the contract
solution for date data. data. should
their provide for a
electronic source code
toll agreement.
collection This will
system ensure that
(ETCS). The the
vendor has purchasing
provided its company
proprietary will have the
application opportunity
software as to modify
part of the the software
solution. The should the
contract vendor
should cease to be
require that: in
business.Hav
ing a backup
server with
current data
and staff
training is
critical
but not as
critical as
ensuring the
When a new A. B. C. D. B. Explanation:
system is to finish writing perform add last- ensure that perform It would be
be user user minute the code has user most
implemente manuals. acceptance enhancemen been acceptance important to
d within a testing. ts to documented testing. complete
short time functionaliti and the user
frame, it is es. reviewed. acceptance
MOST testing to
important ensure that
to: the system
to be
implemente
d is working
correctly.
The
completion
of the user
manuals is
similar to
the
performance
of code
reviews. If
time is tight,
the last thing
one would
want to do is
add another
enhancemen
t, as it would
be
necessary to
freeze the
code and
Which of the A. B. C. D. C. Explanation:
following The The detailed The The The Encryption
should be encryption internal necessary proposed necessary algorithms,
included in a algorithm control communicati trusted communicati third-party
feasibility format procedures on protocols third-party on protocols agreements
study for a agreement and internal
project to control
implement procedures
an EDI are too
process? detailed for
this phase.
They would
only be
outlined and
any cost or
performance
implications
shown. The
communicati
ons
protocols
must be
included, as
there may
be
significant
cost
implications
if new
hardware
and software
are involved,
and
risk
The use of A. B. C. D. A. Explanation:
object- facilitate the improve enhance speed up the facilitate the One of the
oriented ability to system control system ability to major
design and reuse performance effectiveness developmen reuse benefits of
developmen modules. . . t life cycle. modules. object-
t techniques oriented
would MOST design and
likely: developmen
t is the
ability to
reuse
modules.
The other
options do
not normally
benefit from
the object-
oriented
technique.
During A. B. C. D. B. Explanation:
which of the Feasibility Requiremen implementa Postimplem Requiremen During
following study ts definition tion entation ts definition requirement
phases in planning review s definition,
system the project
developmen team will be
t would user working with
acceptance the users to
test plans define their
normally precise
beprepared? objectives
and
functional
needs. At
this time,
the users
should be
working with
the team to
consider and
document
how
the system
functionality
canbe tested
to ensure it
meets their
stated
needs. The
feasibility
study is too
early for
such
detailed user
An A. B. C. D. C. Explanation:
advantage in interface confidence errors in major errors in The bottom-
using a errors are in the critical functions critical up approach
bottom-up detected system is modules are and modules are to software
vs. a top- earlier. achieved detected processing detected testing
down earlier. earlier. are tested earlier. begins with
approach to earlier. the testing
software of atomic
testing is units, such
that: as programs
and
modules,
and works
upward until
a complete
system
testing has
taken place.
The
advantages
of using a
bottom-up
approach to
software
testing are
the fact that
there is no
need for
stubs or
drivers and
errors in
critical
modules are
found
The A. B. C. D. B. Explanation:
knowledge rules. decision semantic dataflow decision Decision
base of an trees. nets. diagrams. trees. trees use
expert questionnair
system that es to lead a
uses user through
questionnair a series of
es to lead choices until
the user a conclusion
through a is reached.
series of Rules refer
choices to the
before a expression
conclusion is of
reached is declarative
known as: knowledge
through the
use of if-
then
relationships
. Semantic
nets
consist of a
graph in
which nodes
represent
physical or
conceptual
objects and
the arcs
describe the
relationship
between the
nodes.
Which of the A. B. C. D. D. Explanation:
following is To To enable To highlight To ensure To ensure The purpose
the determine if comprehensi errors in the the new the new of parallel
PRIMARY the system is ve unit and program system system testing is to
purpose for cost- system interfaces meets user meets user ensure that
conducting effective testing with files requirement requirementthe
parallel s s implementa
testing? tion of a
new system
will meet
user
requirement
s. Parallel
testing may
show that
the old
system is, in
fact, better
than the
new system,
but this is
not the
primary
reason. Unit
and system
testing are
completed
before
parallel
testing.
Program
interfaces
with
files are
An IS A. B. C. D. B. Explanation:
auditor’s users may unauthorize error the full unauthorize Unless the
PRIMARY prefer to use d access to handling and functionality d access to data are
concern contrived sensitive credibility of the new sensitive sanitized,
when data for data may checks may process may data may there is a
application testing. result. not be fully not result. risk of
developers proven. necessarily disclosing
wish to use a be tested. sensitive
copy of data.
yesterday’s
production
transaction
file for
volume tests
is that:
An A. B. C. D. D. Explanation:
advantage of all every error no special test test Test data
using transaction condition is routines are transactions transactions will be
sanitized live types will be likely to be required to are are representati
transactions included. tested. assess the representati representati ve of live
in test data results. ve of live ve of live processing;
is that: processing. processing. however, it
is unlikely
that all
transaction
types or
error
conditions
will be
tested in this
way.
A decision A. B. C. D. C. Explanation:
support is aimed at combines emphasizes supports emphasizes DSS
system solving the use of flexibility in only flexibility in emphasizes
(DSS): highly models with the decision structured the decision flexibility in
structured nontradition making decision making the decision
problems. al data approach of making approach of making
access and users. tasks. users. approach of
retrieval users. It is
functions. aimed at
solving less
structured
problems,
combines
the use of
models and
analytic
techniques
with
traditional
data access
and retrieval
functions,
and supports
semistructur
ed decision
making
tasks.
Which of the A. B. C. D. B. Explanation:
following is The finished Prototype Change It ensures Prototype Prototype
an system systems can control is that systems can systems can
advantage of normally has provide often less functions or provide provide
prototyping? strong significant complicated extras are significant significant
internal time and with not added to time and time and
controls. cost savings. prototype the intended cost savings. cost savings;
systems. system. however,
they also
have several
disadvantag
es. They
often have
poor internal
controls,
change
control
becomes
much more
complicated,
and it
often leads
to functions
or extras
being added
to the
system that
were not
originally
intended.
When A. B. C. D. C. Explanation:
implementin Uncontrolle Source incorrectly Programmin incorrectly Parameters
g an d multiple programs set g errors. set that are not
application software that are not parameters parameters set correctly
software versions synchronize would be
package, d with the greatest
which of the object code concern
following when
presents the implementin
GREATEST g an
risk? application
software
package. The
other
choices,
though
important,
are a
concern of
the provider,
not the
organization
that is
implementin
g the
software
itself.
Which of the A. B. C. D. C. Explanation:
following is a Function Critical path Rapid Program Rapid Rapid
managemen point methodolog application evaluation application application
t technique analysis y developmen review developmen developmen
that enables t technique t t is a
organization managemen
s to develop t technique
strategically that enables
importantsy organization
stems faster, s to develop
while strategically
reducing important
developmen systems
t costs and faster, while
maintaining reducing
quality? developmen
t costs and
maintaining
quality. The
program
evaluation
review
technique
(PERT) and
critical path
methodolog
y (CPM) are
both
planning and
control
techniques,
while
function
point
The phases A. B. C. D. A. Explanation:
and during the after early throughout only after all during the It is
deliverables initial planning has the work risks and initial extremely
of a system planning been stages, exposures planning important
developmen stages of the completed, based on have been stages of the that the
t life cycle project. but before risks and identified project. project be
(SDLC) work has exposures. and the IS planned
project begun. auditor has properly and
should be recommend that the
determined: ed specific
appropriate phases and
controls. deliverables
be
identified
during the
early stages
of the
project.
Which of the A. B. C. D. A. Explanation:
following is a Black box Desk Structured Design and Black box A black box
dynamic test checking walkthrough code test test is a
analysis tool dynamic
for the analysis tool
purpose of for testing
testing software
software modules.
modules? During the
testing of
software
modules
a black box
test works
first in a
cohesive
manner as a
single
unit/entity
consisting of
numerous
modules,
and
second with
the user
data that
flows across
software
modules, in
some cases,
this even
drives the
software
behavior. In
Which of the A. B. C. D. C. Explanation:
following is inheritance Dynamic Encapsulatio Polymorphis Encapsulatio Encapsulatio
an object- warehousing n m n n is a
oriented property of
technology objects, and
characteristi it prevents
c that accessing
permits an either
enhanced properties or
degree of methods
security over that have
data? not
been
previously
defined as
public. This
means that
any
implementa
tion of the
behavior of
an object is
not
accessible.
An object
defines a
communicati
on interface
with the
exterior and
only that
which
belongs to
that
Ideally, A. B. C. D. C. Explanation:
stress test production test production test Stress
testing environment environment environment environment environment testing is
should be using test using live using live using test using live carried out
carried out data. workloads. workloads. data. workloads. to ensure a
in a: system can
cope with
production
workloads. A
test
environment
should
always be
used to
avoid
damaging
the
production
environment
. Hence,
testing
should never
take place in
a
production
environment
(choices
Band D), and
if only test
data is used,
there is no
certainty
that the
system
Which of the A. B. C. D. A. Explanation:
following is Quality of Speed of the Volatility of Vulnerability Quality of Quality of
the most the transactions the data of the the the
important metadata system metadata metadata is
element in the most
the design of important
a data element in
warehouse? the design of
a data
warehouse.
A data
warehouse
is
a copy of
transaction
data
specifically
structured
for query
and analysis.
Metadata
aim to
provide a
table of
contents to
the
information
stored in the
data
warehouse.
Companies
that have
built
warehouses
An A. B. C. D. B. Explanation:
organization Controls the Expands the Increases Prevents Expands the A strength of
has an proliferation programmin program and valid programmin an IDE is that
integrated of multiple g resources processing changes g resources it expands
developmen versions of and aids integrity from being and aids the
t programs available overwritten available programmin
environment by other g resources
(IDE) on changes and aids
which the available.
program The other
libraries choices are
reside on IDE
the weaknesses.
server, but
modification
/developme
nt and
testing are
done from
PC
workstations
. Which of
the
following
would
be a
strength of
an IDE?
Failure in A. B. C. D. B. Explanation:
which of the System Acceptance Integration Unit testing Acceptance Acceptance
following testing testing testing testing testing is the
testing final stage
stages would before the
have the software is
GREATEST installed and
impact on is available
the for use. The
implementa greatest
tion of impact
new would occur
application if the
software? software
fails at the
acceptance
testing level,
as this could
result in
delays and
cost
overruns.
System
testing is
undertaken
by the
developer
team to
determine if
the software
meets user
requirement
s per
specification
During the A. B. C. D. D. Explanation:
audit of an test the perform a review the ensure that ensure that In the case
acquired software for gap analysis. licensing the the of a
software compatibility policy. procedure procedure deviation
package, an with existing had been had been from the
IS auditor hardware. approved. approved. predefined
learned that procedures,
the software an IS auditor
purchase should first
was based ensure that
on the
information procedure
obtained followed for
through the acquiring
Internet, the software
rather than is consistent
from with the
responses to business
a request for objectives
proposal and has
(RFP). The been
IS auditor approved by
should the
FIRST: appropriate
authorities.
The other
choices are
not the first
actions an IS
auditor
should take.
They are
steps that
may or may
An IS auditor A. B. C. D. A. Explanation:
is told by IS continuous quantitative a a process continuous An
managemen improvemen quality documented tailored to improvemen organization
t that the t. goals. process. specific t. would have
organization projects. reached the
has recently highest level
reached the of the
highest level software
of the CMM at
software level 5,
capability optimizing.
maturity Quantitative
model quality goals
(CMM). The can be
software reached at
quality level 4 and
process below, a
MOST documented
recently process is
added by executed at
the level 3 and
organization below, and
is: a process
tailored to
specific
projects can
be achieved
at level 3 or
below.
A A. B. C. D. C. Explanation:
manufacturi Establishing Outsourcing Establishing Reengineeri Establishing EDI is the
ng firm an inter- the function an EDI ng the an EDI best answer.
wants to networked to a firm system of existing system of Properly
automate its system of specializing electronic processing electronic implemente
invoice client in business and business d (e.g.,
payment servers with automated documents redesigning documents agreements
system. suppliers for payments and the existing and with trading
Objectives increased and transactions system transactions partners
state that efficiencies accounts with key with key transaction
the system receivable/i suppliers, suppliers, standards,
should nvoice computer computer controls
require processing to computer, to computer, over
considerably in a standard in a standard network
less time for format format security
review and mechanisms
authorizatio in
n and the conjunction
system with
should be application
capable of controls),
identifying EDI is best
errors that suited to
require identify and
follow up. follow up on
Which of the errors more
following quickly,
would BEST given
meet these reduced
objectives? opportunitie
s for review
and
authorizatio
n.
An A. B. C. D. C. Explanation:
appropriate acknowledg perform verify the encrypt verify the An
control for e receipt of reasonablen identity of electronic identity of electronic
ensuring the electronic ess checks senders and orders. senders and data
authenticity orders with on determine if determine if interchange
of orders a quantities orders orders (EDI) system
received in confirmation ordered correspond correspond is subject
an EDI message. before filling to contract to contract not only to
application orders. terms. terms. the usual
is to: risk
exposures of
computer
systems but
also to those
arising from
the potential
ineffectivene
ss of
controls on
the part of
the trading
partner
and the
third-party
service
provider,
making
authenticati
on of users
and
messages a
major
security
concern.
The MAIN A. B. C. D. B. Explanation:
purpose of a reduce the determine help an IS provide determine Enabling
transaction use of accountabilit auditor trace useful accountabilit audit trails
audit trail is storage y and transactions. information y and aids in
to: media. responsibilit for capacity responsibilit establishing
y for planning. y for the
processed processed accountabilit
transactions. transactions. y and
responsibilit
y for
processed
transactions
by
tracing them
through the
information
system.
Enabling
audit trails
increases
the use of
disk space. A
transaction
log file
would be
used to
trace
transactions,
but would
not aid in
determining
accountabilit
y and
responsibilit
Which of the A. B. C. D. C. Explanation:
following is Removal of inadequate Collusion Unresolved Collusion Collusion is
the manual procedure between regulatory between an active
GREATEST processing manuals employees compliance employees attack that
risk to the steps issues can be
effectiveness sustained
of and is
application difficult to
system identify
controls? since even
well-
thought-out
application
controls may
be
circumvente
d. The other
choices do
not impact
well-
designed
application
controls.
Which of the A. B. C. D. B. Explanation:
following Stringent Detailed and Awareness Postimplem Detailed and When
will BEST contract correctly of cultural entation correctly dealing with
ensure the managemen applied and political reviews applied offshore
successful t practices specification differences specification operations,
offshore s s it is essential
developmen that detailed
t of business specification
applications s be created.
? Language
differences
and a lack of
interaction
between
developers
and
physically
remote end
users could
create gaps
in
communicati
on in which
assumptions
and
modification
s may not be
adequately
communicat
ed. Contract
managemen
t practices,
cultural and
political
Question: Which of the following is the GREATEST risk when implementing a data warehouse?
A. Increased response time on the production systems
B. Access controls that are not adequate to prevent data modification
C. Data duplication
D. Data that is not updated or current
Answer: B. Access controls that are not adequate to prevent data modification
Explanation: Once the data is in a warehouse, no modifications should be made to it and access controls should be in place to prevent data modification. Increased response time on the production systems is not a risk, because a data warehouse does not impact production data. Based on data replication, data duplication is inherent in a data
Question: What process uses test data as part of a comprehensive test of program controls in a continuous online manner?
A. Test data/deck
B. Base-case system evaluation
C. Integrated test facility (ITF)
D. Parallel simulation
Answer: B. Base-case system evaluation
Explanation: A base-case system evaluation uses test data sets developed as part of comprehensive testing programs; it is used to verify correct systems operations before acceptance, as well as for periodic validation. Test data/deck simulates transactions through real programs. An ITF creates fictitious files in the database with test
Question: What control detects transmission errors by appending calculated bits onto the end of each segment of data?
A. Reasonableness check
B. Parity check
C. Redundancy check
D. Check digits
Answer: C. Redundancy check
Explanation: A redundancy check detects transmission errors by appending calculated bits onto the end of each segment of data. A reasonableness check compares data to predefined reasonability limits or occurrence rates established for the data. A parity check is a hardware control that detects data errors when data are read from one computer to
Question: A proposed transaction processing application will have many data capture sources and outputs in paper and electronic form. To ensure that transactions are not lost during processing, an IS auditor should recommend the inclusion of:
A. validation controls.
B. internal credibility checks.
C. clerical control procedures.
D. automated systems balancing.
Answer: D. automated systems balancing.
Explanation: Automated systems balancing would be the best way to ensure that no transactions are lost, as any imbalance between total inputs and total outputs would be reported for investigation and correction. Validation controls and internal credibility checks are certainly valid controls, but will not detect and report lost transactions. In addition,
Question: Functional acknowledgements are used:
A. as an audit trail for EDI transactions.
B. to functionally describe the IS department.
C. to document user roles and responsibilities.
D. as a functional description of application software.
Answer: A. as an audit trail for EDI transactions.
Explanation: Functional acknowledgements are standard EDI transactions that tell trading partners that their electronic documents were received. Different types of functional acknowledgments provide various levels of detail and, therefore, can act as an audit trail for EDI transactions. The other choices are not relevant to the description of
Question: To reduce the possibility of losing data during processing, the FIRST point at which control totals should be implemented is:
A. during data preparation.
B. in transit to the computer.
C. between related computer runs.
D. during the return of the data to the user department.
Answer: A. during data preparation.
Explanation: During data preparation is the best answer, because it establishes control at the earliest point.
Question: The editing/validation of data entered at a remote site would be performed MOST effectively at the:
A. central processing site after running the application system.
B. central processing site during the running of the application system.
C. remote processing site after transmission of the data to the central processing site.
D. remote processing site prior to transmission of the data to the central processing site.
Answer: D. remote processing site prior to transmission of the data to the central processing site.
Explanation: It is important that the data entered from a remote site is edited and validated prior to transmission to the central processing site.
Question: Information for detecting unauthorized input from a terminal would be BEST provided by the:
A. console log printout.
B. transaction journal.
C. automated suspense file listing.
D. user error report.
Answer: B. transaction journal.
Explanation: The transaction journal would record all transaction activity, which then could be compared to the authorized source documents to identify any unauthorized input. A console log printout is not the best, because it would not record activity from a specific terminal. An automated suspense file listing would only list transaction activity
Question: Before implementing controls, management should FIRST ensure that the controls:
A. satisfy a requirement in addressing a risk issue.
B. do not reduce productivity.
C. are based on a cost-benefit analysis.
D. are detective or corrective.
Answer: A. satisfy a requirement in addressing a risk issue.
Explanation: When designing controls, it is necessary to consider all the above aspects. In an ideal situation, controls that address all these aspects would be the best controls. Realistically, it may not be possible to design them all and cost may be prohibitive; therefore, it is necessary to first consider the preventive controls that attack the cause of a threat.
Question: The purpose of a checksum on an amount field in an electronic data interchange (EDI) communication of financial transactions is to ensure:
A. integrity.
B. authenticity.
C. authorization.
D. nonrepudiation.
Answer: A. integrity.
Explanation: A checksum calculated on an amount field and included in the EDI communication can be used to identify unauthorized modifications. Authenticity and authorization cannot be established by a checksum alone and need other controls. Nonrepudiation can be ensured by using digital signatures.
Question: Which of the following situations would increase the likelihood of fraud?
A. Application programmers are implementing changes to production programs.
B. Application programmers are implementing changes to test programs.
C. Operations support staff are implementing changes to batch schedules.
D. Database administrators are implementing changes to data structures.
Answer: A. Application programmers are implementing changes to production programs.
Explanation: Production programs are used for processing an enterprise’s data. It is imperative that controls on changes to production programs are stringent. Lack of control in this area could result in application programs being modified to manipulate the data. Application programmers are required to implement changes to
Question: Which of the following techniques would BEST help an IS auditor gain reasonable assurance that a project can meet its target date?
A. Estimation of the actual end date based on the completion percentages and estimated time to complete, taken from status reports
B. Confirmation of the target date based on interviews with experienced managers and staff involved in the completion of the project deliverables
C. Extrapolation of the overall end date based on completed work packages and current resources
D. Calculation of the expected end date based on current resources and remaining available budget
Answer: C. Extrapolation of the overall end date based on completed work packages and current resources
Explanation: Direct observation of results is better than estimations and qualitative information gained from interviews or status reports. Project managers and involved staff tend to underestimate the time needed for completion and the necessary time buffers for dependencies between tasks, while overestimating the completion percentage
Question: A manager of a project was not able to implement all audit recommendations by the target date. The IS auditor should:
A. recommend that the project be halted until the issues are resolved.
B. recommend that compensating controls be implemented.
C. evaluate risks associated with the unresolved issues.
D. recommend that the project manager reallocate test resources to resolve the issues.
Answer: C. evaluate risks associated with the unresolved issues.
Explanation: It is important to evaluate what the exposure would be when audit recommendations have not been completed by the target date. Based on the evaluation, management can accordingly consider compensating controls, risk acceptance, etc. All other choices might be appropriate only after the risks have been assessed.
Question: A project manager of a project that is scheduled to take 18 months to complete announces that the project is in a healthy financial position because, after 6 months, only one-sixth of the budget has been spent. The IS auditor should FIRST determine:
A. what amount of progress against schedule has been achieved.
B. if the project budget can be reduced.
C. if the project could be brought in ahead of schedule.
D. if the budget savings can be applied to increase the project scope.
Answer: A. what amount of progress against schedule has been achieved.
Explanation: Cost performance of a project cannot be properly assessed in isolation of schedule performance. Cost cannot be assessed simply in terms of elapsed time on a project. To properly assess the project budget position it is necessary to know how much progress has actually been made and, given this, what level of expenditure would be expected. It is possible
Question: A legacy payroll application is migrated to a new application. Which of the following stakeholders should be PRIMARILY responsible for reviewing and signing-off on the accuracy and completeness of the data before going live?
A. IS auditor
B. Database administrator
C. Project manager
D. Data owner
Answer: D. Data owner
Explanation: During the data conversion stage of a project, the data owner is primarily responsible for reviewing and signing-off that the data are migrated completely, accurately and are valid. An IS auditor is not responsible for reviewing and signing-off on the accuracy of the converted data. However, an IS auditor should ensure that
Question: An organization is implementing an enterprise resource planning (ERP) application to meet its business objectives. Of the following, who is PRIMARILY responsible for overseeing the project in order to ensure that it is progressing in accordance with the project plan and that it will deliver the expected results?
A. Project sponsor
B. System development project team (SPDT)
C. Project steering committee
D. User project team (UPT)
Answer: C. Project steering committee
Explanation: A project steering committee that provides an overall direction for the enterprise resource planning (ERP) implementation project is responsible for reviewing the project’s progress to ensure that it will deliver the expected results. A project sponsor is typically the senior manager in charge of the primary business unit
Question: When reviewing an active project, an IS auditor observed that, because of a reduction in anticipated benefits and increased costs, the business case was no longer valid. The IS auditor should recommend that the:
A. project be discontinued.
B. business case be updated and possible corrective actions be identified.
C. project be returned to the project sponsor for reapproval.
D. project be completed and the business case be updated later.
Answer: B. business case be updated and possible corrective actions be identified.
Explanation: An IS auditor should not recommend discontinuing or completing the project before reviewing an updated business case. The IS auditor should recommend that the business case be kept current throughout the project since it is a key input to decisions made throughout the life of any project.
Question: Which of the following should an IS auditor review to understand project progress in terms of time, budget and deliverables for early detection of possible overruns and for projecting estimates at completion (EACs)?
A. Function point analysis
B. Earned value analysis
C. Cost budget
D. Program Evaluation and Review Technique
Answer: B. Earned value analysis
Explanation: Earned value analysis (EVA) is an industry standard method for measuring a project’s progress at any given point in time, forecasting its completion date and final cost, and analyzing variances in the schedule and budget as the project proceeds. It compares the planned amount of work with what has actually been completed,
Question: An IS auditor is assigned to audit a software development project which is more than 80 percent complete, but has already overrun time by 10 percent and costs by 25 percent. Which of the following actions should the IS auditor take?
A. Report that the organization does not have effective project management.
B. Recommend the project manager be changed.
C. Review the IT governance structure.
D. Review the conduct of the project and the business case.
Answer: D. Review the conduct of the project and the business case.
Explanation: Before making any recommendations, an IS auditor needs to understand the project and the factors that have contributed to making the project over budget and over schedule. The organization may have effective project management practices and sound IT governance and still be behind schedule or over budget. There is no indication that the
Question: When reviewing a project where quality is a major concern, an IS auditor should use the project management triangle to explain that:
A. increases in quality can be achieved, even if resource allocation is decreased.
B. increases in quality are only achieved if resource allocation is increased.
C. decreases in delivery time can be achieved, even if resource allocation is decreased.
D. decreases in delivery time can only be achieved if quality is decreased.
Answer: A. increases in quality can be achieved, even if resource allocation is decreased.
Explanation: The three primary dimensions of a project are determined by the deliverables, the allocated resources and the delivery time. The area of the project management triangle, comprised of these three dimensions, is fixed. Depending on the degree of freedom, changes in one dimension might be compensated by changing
Question: While evaluating software development practices in an organization, an IS auditor notes that the quality assurance (QA) function reports to project management. The MOST important concern for an IS auditor is the:
A. effectiveness of the QA function because it should interact between project management and user management.
B. efficiency of the QA function because it should interact with the project implementation team.
C. effectiveness of the project manager because the project manager should interact with the QA function.
D. efficiency of the project manager because the QA function will need to communicate with the project implementation team.
Answer: A. effectiveness of the QA function because it should interact between project management and user management.
Explanation: To be effective the quality assurance (QA) function should be independent of project management. The QA function should never interact with the project implementation team since this can impact effectiveness. The project manager does not interact with the QA function, which should not impact the effectiveness of the project
Question: An IS auditor invited to a development project meeting notes that no project risks have been documented. When the IS auditor raises this issue, the project manager responds that it is too early to identify risks and that, if risks do start impacting the project, a risk manager will be hired. The appropriate response of the IS auditor would be to:
A. stress the importance of spending time at this point in the project to consider and document risks, and to develop contingency plans.
B. accept the project manager’s position as the project manager is accountable for the outcome of the project.
C. offer to work with the risk manager when one is appointed.
D. inform the project manager that the IS auditor will conduct a review of the risks at the completion of the requirements definition phase of the project.
Answer: A. stress the importance of spending time at this point in the project to consider and document risks, and to develop contingency plans.
Explanation: The majority of project risks can typically be identified before a project begins, allowing mitigation/avoidance plans to be put in place to deal with these risks. A project should have a clear link back to corporate strategy and tactical plans to support this strategy. The process of setting corporate strategy, setting objectives and developing
Question: An IS auditor has been asked to participate in project initiation meetings for a critical project. The IS auditor’s MAIN concern should be that the:
A. complexity and risks associated with the project have been analyzed.
B. resources needed throughout the project have been determined.
C. project deliverables have been identified.
D. contract for external parties involved in the project has been completed.
Answer: A. complexity and risks associated with the project have been analyzed.
Explanation: Understanding complexity and risk, and actively managing these throughout a project are critical to a successful outcome. The other choices, while important during the course of the project, cannot be fully determined at the time the project is initiated, and are often contingent upon the risk and complexity of the project.
Question: At the completion of a system development project, a postproject review should include which of the following?
A. Assessing risks that may lead to downtime after the production release
B. Identifying lessons learned that may be applicable to future projects
C. Verifying the controls in the delivered system are working
D. Ensuring that test data are deleted
Answer: B. Identifying lessons learned that may be applicable to future projects
Explanation: A project team has something to learn from each and every project. As risk assessment is a key issue for project management, it is important for the organization to accumulate lessons learned and integrate them into future projects. An assessment of potential downtime should be made with the operations group and
Question: When identifying an earlier project completion time, which is to be obtained by paying a premium for early completion, the activities that should be selected are those:
A. whose sum of activity time is the shortest.
B. that have zero slack time.
C. that give the longest possible completion time.
D. whose sum of slack time is the shortest.
Answer: B. that have zero slack time.
Explanation: A critical path’s activity time is longer than that for any other path through the network. This path is important because if everything goes as scheduled, its length gives the shortest possible completion time for the overall project. Activities on the critical path become candidates for crashing, i.e., for reduction in their time by payment
Question: To minimize the cost of a software project, quality management techniques should be applied:
A. as close to their writing (i.e., point of origination) as possible.
B. primarily at project start-up to ensure that the project is established in accordance with organizational governance standards.
C. continuously throughout the project with an emphasis on finding and fixing defects primarily during testing to maximize the defect detection rate.
D. mainly at project close-down to capture lessons learned that can be applied to future projects.
Answer: C. continuously throughout the project with an emphasis on finding and fixing defects primarily during testing to maximize the defect detection rate.
Explanation: While it is important to properly establish a software development project, quality management should be effectively practiced throughout the project. The major source of unexpected costs on most software projects is rework. The general rule is that the earlier in the development life cycle that a defect occurs, and the longer it takes to find and fix that defect, the
Question: Which of the following should an IS auditor review to gain an understanding of the effectiveness of controls over the management of multiple projects?
A. Project database
B. Policy documents
C. Project portfolio database
D. Program organization
Answer: C. Project portfolio database
Explanation: A project portfolio database is the basis for project portfolio management. It includes project data, such as owner, schedules, objectives, project type, status and cost. Project portfolio management requires specific project portfolio reports. A project database may contain the above for one specific project and updates to various parameters
Question: Which of the following is a characteristic of timebox management?
A. Not suitable for prototyping or rapid application development (RAD)
B. Eliminates the need for a quality process
C. Prevents cost overruns and delivery delays
D. Separates system and user acceptance testing
Answer: C. Prevents cost overruns and delivery delays
Explanation: Timebox management, by its nature, sets specific time and cost boundaries. It is very suitable for prototyping and RAD, and integrates system and user acceptance testing, but does not eliminate the need for a quality process.
Question: When planning to add personnel to tasks imposing time constraints on the duration of a project, which of the following should be revalidated FIRST?
A. The project budget
B. The critical path for the project
C. The length of the remaining tasks
D. The personnel assigned to other tasks
Answer: B. The critical path for the project
Explanation: Since adding resources may change the route of the critical path, the critical path must be reevaluated to ensure that additional resources will in fact shorten the project duration. Given that there may be slack time available on some of the other tasks not on the critical path, factors such as the project budget, the length of other tasks and the personnel
Question: An IS auditor finds that a system under development has 12 linked modules and each item of data can carry up to 10 definable attribute fields. The system handles several million transactions a year. Which of these techniques could an IS auditor use to estimate the size of the development effort?
A. Program evaluation review technique (PERT)
B. Counting source lines of code (SLOC)
C. Function point analysis
D. White box testing
Answer: C. Function point analysis
Explanation: Function point analysis is an indirect method of measuring the size of an application by considering the number and complexity of its inputs, outputs and files. It is useful for evaluating complex applications. PERT is a project management technique that helps with both planning and control. SLOC gives a direct measure of program
Question: Change control for business application systems being developed using prototyping could be complicated by the:
A. iterative nature of prototyping.
B. rapid pace of modifications in requirements and design.
C. emphasis on reports and screens.
D. lack of integrated tools.
Answer: B. rapid pace of modifications in requirements and design.
Explanation: Changes in requirements and design happen so quickly that they are seldom documented or approved. Choices A, C and D are characteristics of prototyping, but they do not have an adverse effect on change control.
Question: The reason for establishing a stop or freezing point on the design of a new system is to:
A. prevent further changes to a project in process.
B. indicate the point at which the design is to be completed.
C. require that changes after that point be evaluated for cost-effectiveness.
D. provide the project management team with more control over the project design.
Answer: C. require that changes after that point be evaluated for cost-effectiveness.
Explanation: Projects often have a tendency to expand, especially during the requirements definition phase. This expansion often grows to a point where the originally anticipated cost-benefits are diminished because the cost of the project has increased. When this occurs, it is recommended that the project be stopped or frozen to allow a review of all of the cost-benefits and
Question: Many IT projects experience problems because the development time and/or resource requirements are underestimated. Which of the following techniques would provide the GREATEST assistance in developing an estimate of project duration?
A. Function point analysis
B. PERT chart
C. Rapid application development
D. Object-oriented system development
Answer: B. PERT chart
Explanation: A PERT chart will help determine project duration once all the activities and the work involved with those activities are known. Function point analysis is a technique for determining the size of a development task based on the number of function points. Function points are factors such as inputs, outputs, inquiries, logical
Question: The most common reason for the failure of information systems to meet the needs of users is that:
A. user needs are constantly changing.
B. the growth of user requirements was forecast inaccurately.
C. the user hardware system limits the number of concurrent users.
D. user participation in defining the system’s requirements was inadequate.
Answer: D. user participation in defining the system’s requirements was inadequate.
Explanation: Lack of adequate user involvement, especially in the system’s requirements phase, will usually result in a system that does not fully or adequately address the needs of the user. Only users can define what their needs are, and therefore what the system should accomplish.
Question: Which of the following risks could result from inadequate software baselining?
A. Scope creep
B. Sign-off delays
C. Software integrity violations
D. Inadequate controls
Answer: A. Scope creep
Explanation: A software baseline is the cut-off point in the design and development of a system beyond which additional requirements or modifications to the design do not or cannot occur without undergoing formal strict procedures for approval based on a business cost-benefit analysis. Failure to adequately manage the requirements of a system through
Question: Documentation of a business case used in an IT development project should be retained until:
A. the end of the system’s life cycle.
B. the project is approved.
C. user acceptance of the system.
D. the system is in production.
Answer: A. the end of the system’s life cycle.
Explanation: A business case can and should be used throughout the life cycle of the product. It serves as an anchor for new (management) personnel, helps to maintain focus and provides valuable information on estimates vs. actuals. Questions like ‘why do we do that’, ‘what was the original intent’ and ‘how did we perform against the plan’ can
Question: When auditing the proposed acquisition of a new computer system, an IS auditor should FIRST establish that:
A. a clear business case has been approved by management.
B. corporate security standards will be met.
C. users will be involved in the implementation plan.
D. the new system will meet all required user functionality.
Answer: A. a clear business case has been approved by management.
Explanation: The first concern of an IS auditor should be to establish that the proposal meets the needs of the business, and this should be established by a clear business case. Although compliance with security standards is essential, as is meeting the needs of the users and having users involved in the implementation process, it is too early in
Question: Which of the following is the PRIMARY objective of an IT performance measurement process?
A. Minimize errors
B. Gather performance data
C. Establish performance baselines
D. Optimize performance
Answer: D. Optimize performance
Explanation: An IT performance measurement process can be used to optimize performance, measure and manage products/services, assure accountability and make budget decisions. Minimizing errors is an aspect of performance, but not the primary objective of performance management. Gathering performance data is a phase of the IT measurement process and would be used to evaluate the
Question: Before implementing an IT balanced scorecard, an organization must:
A. deliver effective and efficient services.
B. define key performance indicators.
C. provide business value to IT projects.
D. control IT expenses.
Answer: B. define key performance indicators.
Explanation: A definition of key performance indicators is required before implementing an IT balanced scorecard. Choices A, C and D are objectives.
Question: The IT balanced scorecard is a business governance tool intended to monitor IT performance evaluation indicators other than:
A. financial results.
B. customer satisfaction.
C. internal process efficiency.
D. innovation capacity.
Answer: A. financial results.
Explanation: Financial results have traditionally been the sole overall performance metric. The IT balanced scorecard (BSC) is an IT business governance tool aimed at monitoring IT performance evaluation indicators other than financial results. The IT BSC considers other key success factors, such as customer satisfaction, innovation capacity and
Question: During an audit, an IS auditor notices that the IT department of a medium-sized organization has no separate risk management function, and the organization’s operational risk documentation only contains a few broadly described IT risks. What is the MOST appropriate recommendation in this situation?
A. Create an IT risk management department and establish an IT risk framework with the aid of external risk management experts.
B. Use common industry standard aids to divide the existing risk documentation into several individual risks which will be easier to handle.
C. No recommendation is necessary since the current approach is appropriate for a medium-sized organization.
D. Establish regular IT risk management meetings to identify and assess risks, and create a mitigation plan as input to the organization’s risk management.
Answer: D. Establish regular IT risk management meetings to identify and assess risks, and create a mitigation plan as input to the organization’s risk management.
Explanation: Establishing regular meetings is the best way to identify and assess risks in a medium-sized organization, to address responsibilities to the respective management and to keep the risk list and mitigation plans up to date. A medium-sized organization would normally not have a separate IT risk management department.
Question: An IS auditor who is reviewing incident reports discovers that, in one instance, an important document left on an employee’s desk was removed and put in the garbage by the outsourced cleaning staff. Which of the following should the IS auditor recommend to management?
A. Stricter controls should be implemented by both the organization and the cleaning agency.
B. No action is required since such incidents have not occurred in the past.
C. A clear desk policy should be implemented and strictly enforced in the organization.
D. A sound backup policy for all important office documents should be implemented.
Answer: A. Stricter controls should be implemented by both the organization and the cleaning agency.
Explanation: An employee leaving an important document on a desk and the cleaning staff removing it may result in a serious impact on the business. Therefore, the IS auditor should recommend that strict controls be implemented by both the organization and the outsourced cleaning agency. That such incidents have not
Question: The PRIMARY benefit of implementing a security program as part of a security governance framework is the:
A. alignment of the IT activities with IS audit recommendations.
B. enforcement of the management of security risks.
C. implementation of the chief information security officer’s (CISO) recommendations.
D. reduction of the cost for IT security.
Answer: B. enforcement of the management of security risks.
Explanation: The major benefit of implementing a security program is management’s assessment of risk and its mitigation to an appropriate level of risk, and the monitoring of the remaining residual risks. Recommendations, visions and objectives of the auditor and the chief information security officer (CISO) are usually included within a
Question: Which of the following should be the MOST important consideration when deciding areas of priority for IT governance implementation?
A. Process maturity
B. Performance indicators
C. Business risk
D. Assurance reports
Answer: C. Business risk
Explanation: Priority should be given to those areas which represent a known risk to the enterprise’s operations. The level of process maturity, process performance and audit reports will feed into the decision making process. Those areas that represent real risk to the business should be given priority.
Question: As a driver of IT governance, transparency of IT's cost, value and risks is primarily achieved through:
A. performance measurement.
B. strategic alignment.
C. value delivery.
D. resource management.
Answer: A. performance measurement.
Explanation: Performance measurement includes setting and monitoring measurable objectives of what the IT processes need to deliver (process outcome) and how they deliver it (process capability and performance). Strategic alignment primarily focuses on ensuring linkage of business and IT plans. Value delivery is about executing the value
Question: Which of the following should be considered FIRST when implementing a risk management program?
A. An understanding of the organization's threat, vulnerability and risk profile
B. An understanding of the risk exposures and the potential consequences of compromise
C. A determination of risk management priorities based on potential consequences
D. A risk mitigation strategy sufficient to keep risk consequences at an acceptable level
Answer: A. An understanding of the organization's threat, vulnerability and risk profile
Explanation: Implementing risk management, as one of the outcomes of effective information security governance, would require a collective understanding of the organization's threat, vulnerability and risk profile as a first step. Based on this, an understanding of risk exposure and potential consequences of compromise could be determined.
Question: An IS auditor is reviewing an IT security risk management program. Measures of security risk should:
A. address all of the network risks.
B. be tracked over time against the IT strategic plan.
C. take into account the entire IT environment.
D. result in the identification of vulnerability tolerances.
Answer: C. take into account the entire IT environment.
Explanation: When assessing IT security risk, it is important to take into account the entire IT environment. Measures of security risk should focus on those areas with the highest criticality so as to achieve maximum risk reduction at the lowest possible cost. IT strategic plans are not granular enough to provide appropriate measures. Objective metrics must
Question: An IS auditor reviewing the risk assessment process of an organization should FIRST:
A. identify the reasonable threats to the information assets.
B. analyze the technical and organizational vulnerabilities.
C. identify and rank the information assets.
D. evaluate the effect of a potential security breach.
Answer: C. identify and rank the information assets.
Explanation: Identification and ranking of information assets (e.g., data criticality, locations of assets) will set the tone or scope of how to assess risk in relation to the organizational value of the asset. Second, the threats facing each of the organization's assets should be analyzed according to their value to the organization. Third, weaknesses should
Question: A poor choice of passwords and transmission over unprotected communications lines are examples of:
A. vulnerabilities.
B. threats.
C. probabilities.
D. impacts.
Answer: A. vulnerabilities.
Explanation: Vulnerabilities represent characteristics of information resources that may be exploited by a threat. Threats are circumstances or events with the potential to cause harm to information resources. Probabilities represent the likelihood of the occurrence of a threat, while impacts represent the outcome or result of a threat exploiting a vulnerability.
Question: To address the risk of operations staff's failure to perform the daily backup, management requires that the systems administrator sign off on the daily backup. This is an example of risk:
A. avoidance.
B. transference.
C. mitigation.
D. acceptance.
Answer: C. mitigation.
Explanation: Mitigation is the strategy that provides for the definition and implementation of controls to address the risk described. Avoidance is a strategy that provides for not implementing certain activities or processes that would incur risk. Transference is the strategy that provides for sharing risk with partners or taking insurance
Question: Assessing IT risks is BEST achieved by:
A. evaluating threats associated with existing IT assets and IT projects.
B. using the firm's past actual loss experience to determine current exposure.
C. reviewing published loss statistics from comparable organizations.
D. reviewing IT control weaknesses identified in audit reports.
Answer: A. evaluating threats associated with existing IT assets and IT projects.
Explanation: To assess IT risks, threats and vulnerabilities need to be evaluated using qualitative or quantitative risk assessment approaches. Choices B, C and D are potentially useful inputs to the risk assessment process, but by themselves are not sufficient. Basing an assessment on past losses will not adequately reflect inevitable changes to
Question: Which of the following does a lack of adequate security controls represent?
A. Threat
B. Asset
C. Impact
D. Vulnerability
Answer: D. Vulnerability
Explanation: The lack of adequate security controls represents a vulnerability, exposing sensitive information and data to the risk of malicious damage, attack or unauthorized access by hackers. This could result in a loss of sensitive information and lead to the loss of goodwill for the organization. A succinct definition of risk is provided by the Guidelines
Question: A team conducting a risk analysis is having difficulty projecting the financial losses that could result from a risk. To evaluate the potential losses, the team should:
A. compute the amortization of the related assets.
B. calculate a return on investment (ROI).
C. apply a qualitative approach.
D. spend the time needed to define exactly the loss amount.
Answer: C. apply a qualitative approach.
Explanation: The common practice, when it is difficult to calculate the financial losses, is to take a qualitative approach, in which the manager affected by the risk defines the financial loss in terms of a weighted factor (e.g., one is a very low impact to the business and five is a very high impact). An ROI is computed when there is predictable savings or
Question: When developing a risk management program, what is the FIRST activity to be performed?
A. Threat assessment
B. Classification of data
C. Inventory of assets
D. Criticality analysis
Answer: C. Inventory of assets
Explanation: Identification of the assets to be protected is the first step in the development of a risk management program. A listing of the threats that can affect the performance of these assets and criticality analysis are later steps in the process. Data classification is required for defining access controls and in criticality analysis.
Question: Which of the following is a mechanism for mitigating risks?
A. Security and control practices
B. Property and liability insurance
C. Audit and certification
D. Contracts and service level agreements (SLAs)
Answer: A. Security and control practices
Explanation: Risks are mitigated by implementing appropriate security and control practices. Insurance is a mechanism for transferring risk. Audit and certification are mechanisms of risk assurance, while contracts and SLAs are mechanisms of risk allocation.
Question: An IS auditor was hired to review e-business security. The IS auditor's first task was to examine each existing e-business application looking for vulnerabilities. What would be the next task?
A. Report the risks to the CIO and CEO immediately
B. Examine e-business application in development
C. Identify threats and likelihood of occurrence
D. Check the budget available for risk management
Answer: C. Identify threats and likelihood of occurrence
Explanation: An IS auditor must identify the assets, look for vulnerabilities, and then identify the threats and the likelihood of occurrence. Choices A, B and D should be discussed with the CIO, and a report should be delivered to the CEO. The report should include the findings along with priorities and costs.
Question: The output of the risk management process is an input for making:
A. business plans.
B. audit charters.
C. security policy decisions.
D. software design decisions.
Answer: C. security policy decisions.
Explanation: The risk management process is about making specific, security-related decisions, such as the level of acceptable risk. Choices A, B and D are not ultimate goals of the risk management process.
Question: The risks associated with electronic evidence gathering would MOST likely be reduced by an e-mail:
A. destruction policy.
B. security policy.
C. archive policy.
D. audit policy.
Answer: C. archive policy.
Explanation: With a policy of well-archived e-mail records, access to or retrieval of specific e-mail records is possible without disclosing other confidential e-mail records. Security and/or audit policies would not address the efficiency of record retrieval, and destroying e-mails may be an illegal act.
Question: Which of the following is the MOST important IS audit consideration when an organization outsources a customer credit review system to a third-party service provider? The provider:
A. meets or exceeds industry security standards.
B. agrees to be subject to external security reviews.
C. has a good market reputation for service and experience.
D. complies with security policies of the organization.
Answer: B. agrees to be subject to external security reviews.
Explanation: It is critical that an independent security review of an outsourcing vendor be obtained because customer credit information will be kept there. Compliance with security standards or organization policies is important, but there is no way to verify or prove that that is the case without an independent review. Though long experience in business and good
Question: An organization has outsourced its help desk activities. An IS auditor's GREATEST concern when reviewing the contract and associated service level agreement (SLA) between the organization and vendor should be the provisions for:
A. documentation of staff background checks.
B. independent audit reports or full audit access.
C. reporting the year-to-year incremental cost reductions.
D. reporting staff turnover, development or training.
Answer: B. independent audit reports or full audit access.
Explanation: When the functions of an IS department are outsourced, an IS auditor should ensure that provision is made for independent audit reports that cover all essential areas, or that the outsourcer has full audit access. Although it is necessary to document the fact that background checks are performed, this is not as important as provisions for audits. Financial measures
Question: Which of the following is the BEST information source for management to use as an aid in the identification of assets that are subject to laws and regulations?
A. Security incident summaries
B. Vendor best practices
C. CERT coordination center
D. Significant contracts
Answer: D. Significant contracts
Explanation: Contractual requirements are one of the sources that should be consulted to identify the requirements for the management of information assets. Vendor best practices provide a basis for evaluating how competitive an enterprise is, while security incident summaries are a source for assessing the vulnerabilities associated
Question: While conducting an audit of a service provider, an IS auditor observes that the service provider has outsourced a part of the work to another provider. Since the work involves confidential information, the IS auditor's PRIMARY concern should be that the:
A. requirement for protecting confidentiality of information could be compromised.
B. contract may be terminated because prior permission from the outsourcer was not obtained.
C. other service provider to whom work has been outsourced is not subject to audit.
D. outsourcer will approach the other service provider directly for further work.
Answer: A. requirement for protecting confidentiality of information could be compromised.
Explanation: Many countries have enacted regulations to protect the confidentiality of information maintained in their countries and/or exchanged with other countries. Where a service provider outsources part of its services to another service provider, there is a potential risk that the confidentiality of the information will be
Question: With respect to the outsourcing of IT services, which of the following conditions should be of GREATEST concern to an IS auditor?
A. Outsourced activities are core and provide a differentiated advantage to the organization.
B. Periodic renegotiation is specified in the outsourcing contract.
C. The outsourcing contract fails to cover every action required by the arrangement.
D. Similar activities are outsourced to more than one vendor.
Answer: A. Outsourced activities are core and provide a differentiated advantage to the organization.
Explanation: An organization's core activities generally should not be outsourced, because they are what the organization does best; an IS auditor observing that should be concerned. An IS auditor should not be concerned about the other conditions because specification of periodic renegotiation in the outsourcing contract is a best
Question: An IS auditor has been assigned to review IT structures and activities recently outsourced to various providers. Which of the following should the IS auditor determine FIRST?
A. That an audit clause is present in all contracts
B. That the SLA of each contract is substantiated by appropriate KPIs
C. That the contractual warranties of the providers support the business needs of the organization
D. That at contract termination, support is guaranteed by each outsourcer for new outsourcers
Answer: C. That the contractual warranties of the providers support the business needs of the organization
Explanation: The complexity of IT structures matched by the complexity and interplay of responsibilities and warranties may affect or void the effectiveness of those warranties and the reasonable certainty that the business needs will be met. All other choices are important, but not as potentially dangerous as the
Question: When an organization is outsourcing their information security function, which of the following should be kept in the organization?
A. Accountability for the corporate security policy
B. Defining the corporate security policy
C. Implementing the corporate security policy
D. Defining security procedures and guidelines
Answer: A. Accountability for the corporate security policy
Explanation: Accountability cannot be transferred to external parties. Choices B, C and D can be performed by outside entities as long as accountability remains within the organization.
Question: To minimize costs and improve service levels an outsourcer should seek which of the following contract clauses?
A. O/S and hardware refresh frequencies
B. Gain-sharing performance bonuses
C. Penalties for noncompliance
D. Charges tied to variable cost metrics
Answer: B. Gain-sharing performance bonuses
Explanation: Because the outsourcer will share a percentage of the achieved savings, gain-sharing performance bonuses provide a financial incentive to go above and beyond the stated terms of the contract and can lead to cost savings for the client. Refresh frequencies and penalties for noncompliance would only encourage the outsourcer to meet
Question: An IS auditor should expect which of the following items to be included in the request for proposal (RFP) when IS is procuring services from an independent service provider (ISP)?
A. References from other customers
B. Service level agreement (SLA) template
C. Maintenance agreement
D. Conversion plan
Answer: A. References from other customers
Explanation: An IS auditor should look for an independent verification that the ISP can perform the tasks being contracted for. References from other customers would provide an independent, external review and verification of the procedures and processes the ISP follows, issues which would be of concern to an IS auditor. Checking references is
Question: When performing a review of the structure of an electronic funds transfer (EFT) system, an IS auditor observes that the technological infrastructure is based on a centralized processing scheme that has been outsourced to a provider in another country. Based on this information, which of the following conclusions should be the main
A. There could be a question regarding the legal jurisdiction.
B. Having a provider abroad will cause excessive costs in future audits.
C. The auditing process will be difficult because of the distance.
D. There could be different auditing norms.
Answer: A. There could be a question regarding the legal jurisdiction.
Explanation: In the funds transfer process, when the processing scheme is centralized in a different country, there could be legal issues of jurisdiction that might affect the right to perform a review in the other country. The other choices, though possible, are not as relevant as the issue of legal jurisdiction.
Question: An IS auditor reviewing an outsourcing contract of IT facilities would expect it to define the:
A. hardware configuration.
B. access control software.
C. ownership of intellectual property.
D. application development methodology.
Answer: C. ownership of intellectual property.
Explanation: Of the choices, the hardware configuration and access control software are generally irrelevant as long as functionality, availability and security, which are specific contractual obligations, are not affected. Similarly, the development methodology should be of no real concern. The contract must, however, specify who owns the intellectual property
Question: Is it appropriate for an IS auditor from a company that is considering outsourcing its IS processing to request and review a copy of each vendor's business continuity plan?
A. Yes, because an IS auditor will evaluate the adequacy of the service bureau's plan and assist their company in implementing a complementary plan.
B. Yes, because based on the plan, an IS auditor will evaluate the financial stability of the service bureau and its ability to fulfill the contract.
C. No, because the backup to be provided should be specified adequately in the contract.
D. No, because the service bureau's business continuity plan is proprietary information.
Answer: A. Yes, because an IS auditor will evaluate the adequacy of the service bureau's plan and assist their company in implementing a complementary plan.
Explanation: The primary responsibility of an IS auditor is to assure that the company assets are being safeguarded. This is true even if the assets do not reside on the immediate premises. Reputable service bureaus will have a well-designed and tested business continuity plan.
Question: Which of the following is the MOST important function to be performed by IS management when a service has been outsourced?
A. Ensuring that invoices are paid to the provider
B. Participating in systems design with the provider
C. Renegotiating the provider's fees
D. Monitoring the outsourcing provider's performance
Answer: D. Monitoring the outsourcing provider's performance
Explanation: In an outsourcing environment, the company is dependent on the performance of the service provider. Therefore, it is critical that the outsourcing provider's performance be monitored to ensure that services are delivered to the company as required. Payment of invoices is a finance function, which would be completed per contractual
Question: After the merger of two organizations, multiple self-developed legacy applications from both companies are to be replaced by a new common platform. Which of the following would be the GREATEST risk?
A. Project management and progress reporting is combined in a project management office which is driven by external consultants.
B. The replacement effort consists of several independent projects without integrating the resource allocation in a portfolio management approach.
C. The resources of each of the organizations are inefficiently allocated while they are being familiarized with the other company's legacy systems.
D. The new platform will force the business areas of both organizations to change their work processes, which will result in extensive training needs.
Answer: B. The replacement effort consists of several independent projects without integrating the resource allocation in a portfolio management approach.
Explanation: The efforts should be consolidated to ensure alignment with the overall strategy of the postmerger organization. If resource allocation is not centralized, the separate projects are at risk of overestimating the availability of key knowledge resources for the in-house developed legacy applications. In postmerger integration programs, it
Question: Which of the following BEST supports the prioritization of new IT projects?
A. Internal control self-assessment (CSA)
B. Information systems audit
C. Investment portfolio analysis
D. Business risk assessment
Answer: C. Investment portfolio analysis
Explanation: It is most desirable to conduct an investment portfolio analysis, which will present not only a clear focus on investment strategy, but will provide the rationale for terminating nonperforming IT projects. Internal control self-assessment (CSA) may highlight noncompliance to the current policy, but may not necessarily be the best source for driving the
Question: In the context of effective information security governance, the primary objective of value delivery is to:
A. optimize security investments in support of business objectives.
B. implement a standard set of security practices.
C. institute a standards-based solution.
D. implement a continuous improvement culture.
Answer: A. optimize security investments in support of business objectives.
Explanation: In the context of effective information security governance, value delivery is implemented to ensure optimization of security investments in support of business objectives. The tools and techniques for implementing value delivery include implementation of a standard set of security practices, institutionalization and commoditization
Question: A benefit of open system architecture is that it:
A. facilitates interoperability.
B. facilitates the integration of proprietary components.
C. will be a basis for volume discounts from equipment vendors.
D. allows for the achievement of more economies of scale for equipment.
Answer: A. facilitates interoperability.
Explanation: Open systems are those for which suppliers provide components whose interfaces are defined by public standards, thus facilitating interoperability between systems made by different vendors. In contrast, closed system components are built to proprietary standards so that other suppliers' systems cannot or will not interface
Question: To assist an organization in planning for IT investments, an IS auditor should recommend the use of:
A. project management tools.
B. an object-oriented architecture.
C. tactical planning.
D. enterprise architecture (EA).
Answer: D. enterprise architecture (EA).
Explanation: Enterprise architecture (EA) involves documenting the organization's IT assets and processes in a structured manner to facilitate understanding, management and planning for IT investments. It involves both a current state and a representation of an optimized future state. In attempting to complete an EA, organizations can
Question: An example of a direct benefit to be derived from a proposed IT-related business investment is:
A. enhanced reputation.
B. enhanced staff morale.
C. the use of new technology.
D. increased market penetration.
Answer: D. increased market penetration.
Explanation: A comprehensive business case for any proposed IT-related business investment should have clearly defined business benefits to enable the expected return to be calculated. These benefits usually fall into two categories: direct and indirect, or soft. Direct benefits usually comprise the quantifiable financial benefits that the new
Question: Which of the following should an IS auditor recommend to BEST enforce alignment of an IT project portfolio with strategic organizational priorities?
A. Define a balanced scorecard (BSC) for measuring performance
B. Consider user satisfaction in the key performance indicators (KPIs)
C. Select projects according to business benefits and risks
D. Modify the yearly process of defining the project portfolio
Answer: C. Select projects according to business benefits and risks
Explanation: Prioritization of projects on the basis of their expected benefit(s) to business, and the related risks, is the best measure for achieving alignment of the project portfolio to an organization's strategic priorities. Modifying the yearly process of the project portfolio definition might improve the situation, but only if the portfolio definition process is
Question: The PRIMARY objective of implementing corporate governance by an organization's management is to:
A. provide strategic direction.
B. control business operations.
C. align IT with business.
D. implement best practices.
Answer: A. provide strategic direction.
Explanation: Corporate governance is a set of management practices to provide strategic direction, thereby ensuring that goals are achievable, risks are properly addressed and organizational resources are properly utilized. Hence, the primary objective of corporate governance is to provide strategic direction. Based on the strategic direction, business
Question: Which of the following provides the best evidence of the adequacy of a security awareness program?
A. The number of stakeholders including employees trained at various levels
B. Coverage of training at all locations across the enterprise
C. The implementation of security devices from different vendors
D. Periodic reviews and comparison with best practices
Answer: D. Periodic reviews and comparison with best practices
Explanation: The adequacy of security awareness content can best be assessed by determining whether it is periodically reviewed and compared to industry best practices. Choices A, B and C provide metrics for measuring various aspects of a security awareness program, but do not help assess the content.
Question: The initial step in establishing an information security program is the:
A. development and implementation of an information security standards manual.
B. performance of a comprehensive security control review by the IS auditor.
C. adoption of a corporate information security policy statement.
D. purchase of security access control software.
Answer: C. adoption of a corporate information security policy statement.
Explanation: A policy statement reflects the intent and support provided by executive management for proper security and establishes a starting point for developing the security program.
Question: IT control objectives are useful to IS auditors, as they provide the basis for understanding the:
A. desired result or purpose of implementing specific control procedures.
B. best IT security control practices relevant to a specific entity.
C. techniques for securing information.
D. security policy.
Answer: A. desired result or purpose of implementing specific control procedures.
Explanation: An IT control objective is defined as the statement of the desired result or purpose to be achieved by implementing control procedures in a particular IT activity. They provide the actual objectives for implementing controls and may or may not be the best practices. Techniques are the means of achieving an objective, and a
Question: An IS auditor is reviewing a project to implement a payment system between a parent bank and a subsidiary. The IS auditor should FIRST verify that the:
A. technical platforms between the two companies are interoperable.
B. parent bank is authorized to serve as a service provider.
C. security features are in place to segregate subsidiary trades.
D. subsidiary can join as a co-owner of this payment system.
Answer: B. parent bank is authorized to serve as a service provider.
Explanation: Even between parent and subsidiary companies, contractual agreement(s) should be in place to conduct shared services. This is particularly important in highly regulated organizations such as banking. Unless granted to serve as a service provider, it may not be legal for the bank to extend business to the subsidiary companies.
Question: An IS auditor finds that, in accordance with IS policy, IDs of terminated users are deactivated within 90 days of termination. The IS auditor should:
A. report that the control is operating effectively since deactivation happens within the time frame stated in the IS policy.
B. verify that user access rights have been granted on a need-to-have basis.
C. recommend changes to the IS policy to ensure deactivation of user IDs upon termination.
D. recommend that activity logs of terminated users be reviewed on a regular basis.
Answer: C. recommend changes to the IS policy to ensure deactivation of user IDs upon termination.
Explanation: Although a policy provides a reference for performing IS audit assignments, an IS auditor needs to review the adequacy and the appropriateness of the policy. If, in the opinion of the auditor, the time frame defined for deactivation is inappropriate, the auditor needs to communicate this to management and recommend changes to the policy.
Question: When developing a security architecture, which of the following steps should be executed FIRST?
A. Developing security procedures
B. Defining a security policy
C. Specifying an access control methodology
D. Defining roles and responsibilities
Answer: B. Defining a security policy
Explanation: Defining a security policy for information and related technology is the first step toward building a security architecture. A security policy communicates a coherent security standard to users, management and technical staff. Security policies will often set the stage in terms of what tools and procedures are needed for an
Question: A retail outlet has introduced radio frequency identification (RFID) tags to create unique serial numbers for all products. Which of the following is the PRIMARY concern associated with this initiative?
A. Issues of privacy
B. Wavelength can be absorbed by the human body
C. RFID tags may not be removable
D. RFID eliminates line-of-sight reading
Answer: A. Issues of privacy
Explanation: The purchaser of an item will not necessarily be aware of the presence of the tag. If a tagged item is paid for by credit card, it would be possible to tie the unique ID of that item to the identity of the purchaser. Privacy violations are a significant concern because RFID can carry unique identifier numbers. If desired it would be possible for
Question: Which of the following would MOST likely indicate that a customer data warehouse should remain in-house rather than be outsourced to an offshore operation?
A. Time zone differences could impede communications between IT teams.
B. Telecommunications cost could be much higher in the first year.
C. Privacy laws could prevent cross-border flow of information.
D. Software development may require more detailed specifications.
Answer: C. Privacy laws could prevent cross-border flow of information.
Explanation: Privacy laws prohibiting the cross-border flow of personally identifiable information would make it impossible to locate a data warehouse containing customer information in another country. Time zone differences and higher telecommunications costs are more manageable. Software development typically requires more detailed specifications when
Question: A top-down approach to the development of operational policies will help ensure:
A. that they are consistent across the organization.
B. that they are implemented as a part of risk assessment.
C. compliance with all policies.
D. that they are reviewed periodically.
Answer: A. that they are consistent across the organization.
Explanation: Deriving lower level policies from corporate policies (a top-down approach) aids in ensuring consistency across the organization and consistency with other policies. The bottom-up approach to the development of operational policies is derived as a result of risk assessment. A top-down approach of itself does not ensure compliance and
Question: To ensure an organization is complying with privacy requirements, an IS auditor should FIRST review:
A. the IT infrastructure.
B. organizational policies, standards and procedures.
C. legal and regulatory requirements.
D. the adherence to organizational policies, standards and procedures.
Answer: C. legal and regulatory requirements.
Explanation: To ensure that the organization is complying with privacy issues, an IS auditor should address legal and regulatory requirements first. To comply with legal and regulatory requirements, organizations need to adopt the appropriate infrastructure. After understanding the legal and regulatory requirements, an IS auditor should evaluate
Question: In an organization where an IT security baseline has been defined, an IS auditor should FIRST ensure:
A. implementation.
B. compliance.
C. documentation.
D. sufficiency.
Answer: D. sufficiency.
Explanation: An IS auditor should first evaluate the definition of the minimum baseline level by ensuring the sufficiency of controls. Documentation, implementation and compliance are further steps.
Question: A comprehensive and effective e-mail policy should address the issues of e-mail structure, policy enforcement, monitoring and:
A. recovery.
B. retention.
C. rebuilding.
D. reuse.
Answer: B. retention.
Explanation: Besides being a good practice, laws and regulations may require that an organization keep information that has an impact on the financial statements. The prevalence of lawsuits in which e-mail communication is held in the same regard as the official form of classic 'paper' makes the retention of corporate e-mail a necessity. All e-mail
Question: Which of the following is MOST critical for the successful implementation and maintenance of a security policy?
A. Assimilation of the framework and intent of a written security policy by all appropriate parties
B. Management support and approval for the implementation and maintenance of a security policy
C. Enforcement of security rules by providing punitive actions for any violation of security rules
D. Stringent implementation, monitoring and enforcing of rules by the security officer through access control software
Answer: A. Assimilation of the framework and intent of a written security policy by all appropriate parties
Explanation: Assimilation of the framework and intent of a written security policy by the users of the system is critical to the successful implementation and maintenance of the security policy. A good password system may exist, but if the users of the system keep passwords written on their desk, the password is of little value. Management
Question: The management of an organization has decided to establish a security awareness program. Which of the following would MOST likely be a part of the program?
A. Utilization of an intrusion detection system to report incidents
B. Mandating the use of passwords to access all software
C. Installing an efficient user log system to track the actions of each user
D. Training provided on a regular basis to all current and new employees
Answer: D. Training provided on a regular basis to all current and new employees
Explanation: Utilizing an intrusion detection system to report on incidents that occur is an implementation of a security program and is not effective in establishing a security awareness program. Choices B and C do not address awareness. Training is the only choice that is directed at security awareness.
Question: Which of the following is the initial step in creating a firewall policy?
A. A cost-benefit analysis of methods for securing the applications
B. Identification of network applications to be externally accessed
C. Identification of vulnerabilities associated with network applications to be externally accessed
D. Creation of an applications traffic matrix showing protection methods
Answer: B. Identification of network applications to be externally accessed
Explanation: Identification of the applications required across the network should be identified first. After identification, depending on the physical location of these applications in the network and the network model, the person in charge will be able to understand the need for, and possible methods of, controlling access to these applications. Identifying
Question: Which of the following should be included in an organization's IS security policy?
A. A list of key IT resources to be secured
B. The basis for access authorization
C. Identity of sensitive security features
D. Relevant software security features
Answer: B. The basis for access authorization
Explanation: The security policy provides the broad framework of security, as laid down and approved by senior management. It includes a definition of those authorized to grant access and the basis for granting the access. Choices A, B and C are more detailed than that which should be included in a policy.
Question: Which of the following programs would a sound information security policy MOST likely include to handle suspected intrusions?
A. Response
B. Correction
C. Detection
D. Monitoring
Answer: A. Response
Explanation: A sound IS security policy will most likely outline a response program to handle suspected intrusions. Correction, detection and monitoring programs are all aspects of information security, but will not likely be included in an IS security policy statement.
Question: The development of an IS security policy is ultimately the responsibility of the:
A. IS department.
B. security committee.
C. security administrator.
D. board of directors.
Answer: D. board of directors.
Explanation: Normally, the designing of an information systems security policy is the responsibility of top management or the board of directors. The IS department is responsible for the execution of the policy, having no authority in framing the policy. The security committee also functions within the broad security policy
Question: An IS auditor finds that not all employees are aware of the enterprise's information security policy. The IS auditor should conclude that:
A. this lack of knowledge may lead to unintentional disclosure of sensitive information.
B. information security is not critical to all functions.
C. IS audit should provide security training to the employees.
D. the audit finding will cause management to provide continuous training to staff.
Answer: A. this lack of knowledge may lead to unintentional disclosure of sensitive information.
Explanation: All employees should be aware of the enterprise's information security policy to prevent unintentional disclosure of sensitive information. Training is a preventive control. Security awareness programs for employees can prevent unintentional disclosure of sensitive information to outsiders.
Question: The rate of change in technology increases the importance of:
A. outsourcing the IS function.
B. implementing and enforcing good processes.
C. hiring personnel willing to make a career within the organization.
D. meeting user requirements.
Answer: B. implementing and enforcing good processes.
Explanation: Change requires that good change management processes be implemented and enforced. Outsourcing the IS function is not directly related to the rate of technological change. Personnel in a typical IS department are highly qualified and educated; usually they do not feel their jobs are at risk and are prepared to switch jobs frequently. Although
Question: The PRIMARY objective of an audit of IT security policies is to ensure that:
A. they are distributed and available to all staff.
B. security and control policies support business and IT objectives.
C. there is a published organizational chart with functional descriptions.
D. duties are appropriately segregated.
Answer: B. security and control policies support business and IT objectives.
Explanation: Business orientation should be the main theme in implementing security. Hence, an IS audit of IT security policies should primarily focus on whether the IT and related security and control policies support business and IT objectives. Reviewing whether policies are available to all is an objective, but distribution does not ensure
Question: Which of the following is the GREATEST risk of an inadequate policy definition for ownership of data and systems?
A. User management coordination does not exist.
B. Specific user accountability cannot be established.
C. Unauthorized users may have access to originate, modify or delete data.
D. Audit recommendations may not be implemented.
Answer: C. Unauthorized users may have access to originate, modify or delete data.
Explanation: Without a policy defining who has the responsibility for granting access to specific systems, there is an increased risk that one could gain (be given) system access when they should not have authorization. By assigning authority to grant access to specific users, there is a better chance that business objectives will be properly supported.
Question: The advantage of a bottom-up approach to the development of organizational policies is that the policies:
A. are developed for the organization as a whole.
B. are more likely to be derived as a result of a risk assessment.
C. will not conflict with overall corporate policy.
D. ensure consistency across the organization.
Answer: B. are more likely to be derived as a result of a risk assessment.
Explanation: A bottom-up approach begins by defining operational-level requirements and policies, which are derived and implemented as the result of risk assessments. Enterprise-level policies are subsequently developed based on a synthesis of existing operational policies. Choices A, C and D are advantages of a top-down approach for developing organization
Question: When reviewing an organization's strategic IT plan an IS auditor should expect to find:
A. an assessment of the fit of the organization's application portfolio with business objectives.
B. actions to reduce hardware procurement cost.
C. a listing of approved suppliers of IT contract resources.
D. a description of the technical architecture for the organization's network perimeter security.
Answer: A. an assessment of the fit of the organization's application portfolio with business objectives.
Explanation: An assessment of how well an organization's application portfolio supports the organization's business objectives is a key component of the overall IT strategic planning process. This drives the demand side of IT planning and should convert into a set of strategic IT intentions. Further assessment can then be made of how well the
Question: When developing a formal enterprise security program, the MOST critical success factor (CSF) would be the:
A. establishment of a review board.
B. creation of a security unit.
C. effective support of an executive sponsor.
D. selection of a security process owner.
Answer: C. effective support of an executive sponsor.
Explanation: The executive sponsor would be in charge of supporting the organization's strategic security program, and would aid in directing the organization's overall security management activities. Therefore, support by the executive level of management is the most critical success factor (CSF). None of the other choices are effective
Question: When reviewing the IT strategic planning process, an IS auditor should ensure that the plan:
A. incorporates state of the art technology.
B. addresses the required operational controls.
C. articulates the IT mission and vision.
D. specifies project management practices.
Answer: C. articulates the IT mission and vision.
Explanation: The IT strategic plan must include a clear articulation of the IT mission and vision. The plan need not address the technology, operational controls or project management practices.
Question: To aid management in achieving IT and business alignment, an IS auditor should recommend the use of:
A. control self-assessments.
B. a business impact analysis.
C. an IT balanced scorecard.
D. business process reengineering.
Answer: C. an IT balanced scorecard.
Explanation: An IT balanced scorecard (BSC) provides the bridge between IT objectives and business objectives by supplementing the traditional financial evaluation with measures to evaluate customer satisfaction, internal processes and the ability to innovate. Control self-assessment (CSA), business impact analysis (BIA) and business
Question: In an organization, the responsibilities for IT security are clearly assigned and enforced and an IT security risk and impact analysis is consistently performed. This represents which level of ranking in the information security governance maturity model?
A. Optimized
B. Managed
C. Defined
D. Repeatable
Answer: B. Managed
Explanation: Boards of directors and executive management can use the information security governance maturity model to establish rankings for security in their organizations. The ranks are nonexistent, initial, repeatable, defined, managed and optimized. When the responsibilities for IT security in an organization are clearly assigned and
Question: When reviewing IS strategies, an IS auditor can BEST assess whether IS strategy supports the organization's business objectives by determining if IS:
A. has all the personnel and equipment it needs.
B. plans are consistent with management strategy.
C. uses its equipment and personnel efficiently and effectively.
D. has sufficient excess capacity to respond to changing directions.
Answer: B. plans are consistent with management strategy.
Explanation: Determining if the IS plan is consistent with management strategy relates IS/IT planning to business plans. Choices A, C and D are effective methods for determining the alignment of IS plans with business objectives and the organization's strategies.
Question: An IS auditor reviewing an organization's IT strategic plan should FIRST review:
A. the existing IT environment.
B. the business plan.
C. the present IT budget.
D. current technology trends.
Answer: B. the business plan.
Explanation: The IT strategic plan exists to support the organization's business plan. To evaluate the IT strategic plan, an IS auditor would first need to familiarize themselves with the business plan.
Question: Which of the following would an IS auditor consider to be the MOST important when evaluating an organization's IS strategy? That it:
A. has been approved by line management.
B. does not vary from the IS department's preliminary budget.
C. complies with procurement procedures.
D. supports the business objectives of the organization.
Answer: D. supports the business objectives of the organization.
Explanation: Strategic planning sets corporate or department objectives into motion. Both long-term and short-term strategic plans should be consistent with the organization's broader plans and business objectives for attaining these goals. Choice A is incorrect since line management prepared the plans.
Question: Which of the following goals would you expect to find in an organization's strategic plan?
A. Test a new accounting package.
B. Perform an evaluation of information technology needs.
C. Implement a new project planning system within the next 12 months.
D. Become the supplier of choice for the product offered.
Answer: D. Become the supplier of choice for the product offered.
Explanation: Strategic planning sets corporate or departmental objectives into motion. Comprehensive planning helps ensure an effective and efficient organization. Strategic planning is time- and project-oriented, but also must address and help determine priorities to meet business needs. Long- and short-range plans should be consistent with the
Question: Which of the following would an IS auditor consider the MOST relevant to short-term planning for an IS department?
A. Allocating resources
B. Keeping current with technology advances
C. Conducting control self-assessment
D. Evaluating hardware needs
Answer: A. Allocating resources
Explanation: The IS department should specifically consider the manner in which resources are allocated in the short term. Investments in IT need to be aligned with top management strategies, rather than focusing on technology for technology's sake. Conducting control self-assessments and evaluating hardware needs are not as critical as allocating
Question: In reviewing the IS short-range (tactical) plan, an IS auditor should determine whether:
A. there is an integration of IS and business staffs within projects.
B. there is a clear definition of the IS mission and vision.
C. a strategic information technology planning methodology is in place.
D. the plan correlates business objectives to IS goals and objectives.
Answer: A. there is an integration of IS and business staffs within projects.
Explanation: The integration of IS and business staff in projects is an operational issue and should be considered while reviewing the short-range plan. A strategic plan would provide a framework for the IS short-range plan. Choices B, C and D are areas covered by a strategic plan.
Question: To support an organization's goals, an IS department should have:
A. a low-cost philosophy.
B. long- and short-range plans.
C. leading-edge technology.
D. plans to acquire new hardware and software.
Answer: B. long- and short-range plans.
Explanation: To ensure its contribution to the realization of an organization's overall goals, the IS department should have long- and short-range plans that are consistent with the organization's broader plans for attaining its goals. Choices A and C are objectives, and plans would be needed to delineate how each of the objectives would be achieved.
Question: Which of the following is normally a responsibility of the chief security officer (CSO)?
A. Periodically reviewing and evaluating the security policy
B. Executing user application and software testing and evaluation
C. Granting and revoking user access to IT resources
D. Approving access to data and applications
Answer: A. Periodically reviewing and evaluating the security policy
Explanation: The role of a chief security officer (CSO) is to ensure that the corporate security policy and controls are adequate to prevent unauthorized access to the company assets, including data, programs and equipment. User application and other software testing and evaluation normally are the responsibility of the staff assigned to
Question: Which of the following is a risk of cross-training?
A. Increases the dependence on one employee
B. Does not assist in succession planning
C. One employee may know all parts of a system
D. Does not help in achieving a continuity of operations
Answer: C. One employee may know all parts of a system
Explanation: When cross-training, it would be prudent to first assess the risk of any person knowing all parts of a system and what exposures this may cause. Cross-training has the advantage of decreasing dependence on one employee and, hence, can be part of succession planning. It also provides backup for personnel in the event of absence for any
Question: Which of the following is the BEST performance criterion for evaluating the adequacy of an organization's security awareness training?
A. Senior management is aware of critical information assets and demonstrates an adequate concern for their protection.
B. Job descriptions contain clear statements of accountability for information security.
C. In accordance with the degree of risk and business impact, there is adequate funding for security efforts.
D. No actual incidents have occurred that have caused a loss or a public embarrassment.
Answer: B. Job descriptions contain clear statements of accountability for information security.
Explanation: Inclusion in job descriptions of security responsibilities is a form of security training and helps ensure that staff and management are aware of their roles with respect to information security. The other three choices are not criteria for evaluating security awareness training. Awareness is a criterion for evaluating the importance that
Question: To gain an understanding of the effectiveness of an organization's planning and management of investments in IT assets, an IS auditor should review the:
A. enterprise data model.
B. IT balanced scorecard (BSC).
C. IT organizational structure.
D. historical financial statements.
Answer: B. IT balanced scorecard (BSC).
Explanation: The IT balanced scorecard (BSC) is a tool that provides the bridge between IT objectives and business objectives by supplementing the traditional financial evaluation with measures to evaluate customer satisfaction, internal processes and the ability to innovate. An enterprise data model is a document defining the data structure of
Question: Which of the following activities performed by a database administrator (DBA) should be performed by a different person?
A. Deleting database activity logs
B. Implementing database optimization tools
C. Monitoring database usage
D. Defining backup and recovery procedures
Answer: A. Deleting database activity logs
Explanation: Since database activity logs record activities performed by the database administrator (DBA), deleting them should be performed by an individual other than the DBA. This is a compensating control to aid in ensuring an appropriate segregation of duties and is associated with the DBA's role. A DBA should perform the other activities as
Question: Which of the following reduces the potential impact of social engineering attacks?
A. Compliance with regulatory requirements
B. Promoting ethical understanding
C. Security awareness programs
D. Effective performance incentives
Answer: C. Security awareness programs
Explanation: Because social engineering is based on deception of the user, the best countermeasure or defense is a security awareness program. The other choices are not user-focused.
Question: An IS auditor reviewing an organization that uses cross-training practices should assess the risk of:
A. dependency on a single person.
B. inadequate succession planning.
C. one person knowing all parts of a system.
D. a disruption of operations.
Answer: D. a disruption of operations.

QUESTION 348
Question: Which of the following controls would an IS auditor look for in an environment where duties cannot be appropriately segregated?
A. Overlapping controls
B. Boundary controls
C. Access controls
D. Compensating controls
Answer: D. Compensating controls
Question: When segregation of duties concerns exist between IT support staff and end users, what would be a suitable compensating control?
A. Restricting physical access to computing equipment
B. Reviewing transaction and application logs
C. Performing background checks prior to hiring IT staff
D. Locking user sessions after a specified period of inactivity
Answer: B. Reviewing transaction and application logs
Explanation: Only reviewing transaction and application logs directly addresses the threat posed by poor segregation of duties. The review is a means of detecting inappropriate behavior and also discourages abuse, because people who may otherwise be tempted to exploit the situation are aware of the likelihood of being caught. Inadequate
Question: An IS auditor should be concerned when a telecommunication analyst:
A. monitors systems performance and tracks problems resulting from program changes.
B. reviews network load requirements in terms of current and future transaction volumes.
C. assesses the impact of the network load on terminal response times and network data transfer rates.
D. recommends network balancing procedures and improvements.
Answer: A. monitors systems performance and tracks problems resulting from program changes.
Explanation: The responsibilities of a telecommunications analyst include reviewing network load requirements in terms of current and future transaction volumes (choice B), assessing the impact of network load or terminal response times and network data transfer rates (choice C), and recommending network balancing procedures
Question: A long-term IS employee with a strong technical background and broad managerial experience has applied for a vacant position in the IS audit department. Determining whether to hire this individual for this position should be based on the individual's experience and:
A. length of service, since this will help ensure technical competence.
B. age, as training in audit techniques may be impractical.
C. IS knowledge, since this will bring enhanced credibility to the audit function.
D. ability, as an IS auditor, to be independent of existing IS relationships.
Answer: D. ability, as an IS auditor, to be independent of existing IS relationships.
Explanation: Independence should be continually assessed by the auditor and management. This assessment should consider such factors as changes in personal relationships, financial interests, and prior job assignments and responsibilities. The fact that the employee has worked in IS for many years may not in itself ensure credibility. The audit department's needs
Question: A local area network (LAN) administrator normally would be restricted from:
A. having end-user responsibilities.
B. reporting to the end-user manager.
C. having programming responsibilities.
D. being responsible for LAN security administration.
Answer: C. having programming responsibilities.
Explanation: A LAN administrator should not have programming responsibilities but may have end-user responsibilities. The LAN administrator may report to the director of the IPF or, in a decentralized operation, to the end-user manager. In small organizations, the LAN administrator may also be responsible for security administration
Question: Many organizations require an employee to take a mandatory vacation (holiday) of a week or more to:
A. ensure the employee maintains a good quality of life, which will lead to greater productivity.
B. reduce the opportunity for an employee to commit an improper or illegal act.
C. provide proper cross-training for another employee.
D. eliminate the potential disruption caused when an employee takes vacation one day at a time.
Answer: B. reduce the opportunity for an employee to commit an improper or illegal act.
Explanation: Required vacations/holidays of a week or more in duration in which someone other than the regular employee performs the job function is often mandatory for sensitive positions, as this reduces the opportunity to commit improper or illegal acts. During this time it may be possible to discover any fraudulent activity that was taking place.
Question: When an employee is terminated from service, the MOST important action is to:
A. hand over all of the employee's files to another designated employee.
B. complete a backup of the employee's work.
C. notify other employees of the termination.
D. disable the employee's logical access.
Answer: D. disable the employee's logical access.
Explanation: There is a probability that a terminated employee may misuse access rights; therefore, disabling the terminated employee's logical access is the most important action to take. All the work of the terminated employee needs to be handed over to a designated employee; however, this should be performed after implementing
Question: Which of the following would BEST provide assurance of the integrity of new staff?
A. Background screening
B. References
C. Bonding
D. Qualifications listed on a resume
Answer: A. Background screening
Explanation: A background screening is the primary method for assuring the integrity of a prospective staff member. References are important and would need to be verified, but they are not as reliable as background screening. Bonding is directed at due-diligence compliance, not at integrity, and qualifications listed on a resume may not be accurate.
Question: From a control perspective, the key element in job descriptions is that they:
A. provide instructions on how to do the job and define authority.
B. are current, documented and readily available to the employee.
C. communicate management's specific job performance expectations.
D. establish responsibility and accountability for the employee's actions.
Answer: D. establish responsibility and accountability for the employee's actions.
Explanation: From a control perspective, a job description should establish responsibility and accountability. This will aid in ensuring that users are given system access in accordance with their defined job responsibilities. The other choices are not directly related to controls. Providing instructions on how to do the job and defining authority
Question: An IS auditor identifies that reports on product profitability produced by an organization's finance and marketing departments give different results. Further investigation reveals that the product definition being used by the two departments is different. What should the IS auditor recommend?
A. User acceptance testing (UAT) occur for all reports before release into production
B. Organizational data governance practices be put in place
C. Standard software tools be used for report development
D. Management sign-off on requirements for new reports
Answer: B. Organizational data governance practices be put in place
Explanation: This choice directly addresses the problem. An organization-wide approach is needed to achieve effective management of data assets. This includes enforcing standard definitions of data elements, which is part of a data governance initiative. The other choices, while sound development practices, do not address the root
Question: Responsibility for the governance of IT should rest with the:
A. IT strategy committee.
B. chief information officer (CIO).
C. audit committee.
D. board of directors.
Answer: D. board of directors.
Explanation: Governance is the set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately and verifying that the enterprise's resources are used responsibly. The audit committee,
Question: What is the lowest level of the IT governance maturity model where an IT balanced scorecard exists?
A. Repeatable but Intuitive
B. Defined
C. Managed and Measurable
D. Optimized
Answer: B. Defined
Explanation: Defined (level 3) is the lowest level at which an IT balanced scorecard is defined.
Question: The ultimate purpose of IT governance is to:
A. encourage optimal use of IT.
B. reduce IT costs.
C. decentralize IT resources across the organization.
D. centralize control of IT.
Answer: A. encourage optimal use of IT.
Explanation: IT governance is intended to specify the combination of decision rights and accountability that is best for the enterprise. It is different for every enterprise. Reducing IT costs may not be the best IT governance outcome for an enterprise. Decentralizing IT resources across the organization is not always desired, although it may be desired in a
Question: When implementing an IT governance framework in an organization the MOST important objective is:
A. IT alignment with the business.
B. accountability.
C. value realization with IT.
D. enhancing the return on IT investments.
Answer: A. IT alignment with the business.
Explanation: The goals of IT governance are to improve IT performance, to deliver optimum business value and to ensure regulatory compliance. The key practice in support of these goals is the strategic alignment of IT with the business (choice A). To achieve alignment, all other choices need to be tied to business practices and strategies.
Question: The MAJOR consideration for an IS auditor reviewing an organization's IT project portfolio is the:
A. IT budget.
B. existing IT environment.
C. business plan.
D. investment plan.
Answer: C. business plan.
Explanation: One of the most important reasons for which projects get funded is how well a project meets an organization's strategic objectives. Portfolio management takes a holistic view of a company's overall IT strategy. IT strategy should be aligned with the business strategy and, hence, reviewing the business plan should be the major consideration
Question: Which of the following is the MOST important element for the successful implementation of IT governance?
A. Implementing an IT scorecard
B. Identifying organizational strategies
C. Performing a risk assessment
D. Creating a formal security policy
Answer: B. Identifying organizational strategies
Explanation: The key objective of an IT governance program is to support the business, thus the identification of organizational strategies is necessary to ensure alignment between IT and corporate governance. Without identification of organizational strategies, the remaining choices, even if implemented, would be ineffective.
Question: Effective IT governance requires organizational structures and processes to ensure that:
A. the organization's strategies and objectives extend the IT strategy.
B. the business strategy is derived from an IT strategy.
C. IT governance is separate and distinct from the overall governance.
D. the IT strategy extends the organization's strategies and objectives.
Right answer: D. the IT strategy extends the organization's strategies and objectives.
Explanation: Effective IT governance requires that board and executive management extend governance to IT and provide the leadership, organizational structures and processes that ensure that the organization's IT sustains and extends the organization's strategies and objectives, and that the strategy is aligned with business strategy. Choice A is incorrect
Question: Which of the following IT governance best practices improves strategic alignment?
A. Supplier and partner risks are managed.
B. A knowledge base on customers, products, markets and processes is in place.
C. A structure is provided that facilitates the creation and sharing of business information.
D. Top management mediate between the imperatives of business and technology.
Right answer: D. Top management mediate between the imperatives of business and technology.
Explanation: Top management mediating between the imperatives of business and technology is an IT strategic alignment best practice. Supplier and partner risks being managed is a risk management best practice. A knowledge base on customers, products, markets and processes being in place is an IT value delivery best practice. An
Question: As an outcome of information security governance, strategic alignment provides:
A. security requirements driven by enterprise requirements.
B. baseline security following best practices.
C. institutionalized and commoditized solutions.
D. an understanding of risk exposure.
Right answer: A. security requirements driven by enterprise requirements.
Explanation: Information security governance, when properly implemented, should provide four basic outcomes: strategic alignment, value delivery, risk management and performance measurement. Strategic alignment provides input for security requirements driven by enterprise requirements. Value delivery provides a standard set of security practices,
Question: IT governance is PRIMARILY the responsibility of the:
A. chief executive officer.
B. board of directors.
C. IT steering committee.
D. audit committee.
Right answer: B. board of directors.
Explanation: IT governance is primarily the responsibility of the executives and shareholders (as represented by the board of directors). The chief executive officer is instrumental in implementing IT governance per the directions of the board of directors. The IT steering committee monitors and facilitates
Question: Establishing the level of acceptable risk is the responsibility of:
A. quality assurance management.
B. senior business management.
C. the chief information officer.
D. the chief security officer.
Right answer: B. senior business management.
Explanation: Senior management should establish the acceptable risk level, since they have the ultimate or final responsibility for the effective and efficient operation of the organization. Choices A, C and D should act as advisors to senior management in determining an acceptable risk level.
Question: Effective IT governance will ensure that the IT plan is consistent with the organization's:
A. business plan.
B. audit plan.
C. security plan.
D. investment plan.
Right answer: A. business plan.
Explanation: To govern IT effectively, IT and business should be moving in the same direction, requiring that the IT plans are aligned with an organization's business plans. The audit and investment plans are not part of the IT plan, while the security plan should be at a corporate level.
Question: Involvement of senior management is MOST important in the development of:
A. strategic plans.
B. IS policies.
C. IS procedures.
D. standards and guidelines.
Right answer: A. strategic plans.
Explanation: Strategic plans provide the basis for ensuring that the enterprise meets its goals and objectives. Involvement of senior management is critical to ensuring that the plan adequately addresses the established goals and objectives. IS policies, procedures, standards and guidelines are all structured to support the overall strategic
Question: An IS steering committee should:
A. include a mix of members from different departments and staff levels.
B. ensure that IS security policies and procedures have been executed properly.
C. have formal terms of reference and maintain minutes of its meetings.
D. be briefed about new trends and products at each meeting by a vendor.
Right answer: C. have formal terms of reference and maintain minutes of its meetings.
Explanation: It is important to keep detailed steering committee minutes to document the decisions and activities of the IS steering committee, and the board of directors should be informed about those decisions on a timely basis. Choice A is incorrect because only senior management or high-level staff members should be on
Question: Which of the following is a function of an IS steering committee?
A. Monitoring vendor-controlled change control and testing
B. Ensuring a separation of duties within the information's processing environment
C. Approving and monitoring major projects, the status of IS plans and budgets
D. Liaising between the IS department and the end users
Right answer: C. Approving and monitoring major projects, the status of IS plans and budgets
Explanation: The IS steering committee typically serves as a general review board for major IS projects and should not become involved in routine operations; therefore, one of its functions is to approve and monitor major projects, the status of IS plans and budgets. Vendor change control is an outsourcing issue and should be monitored by
Question: The MOST likely effect of the lack of senior management commitment to IT strategic planning is:
A. a lack of investment in technology.
B. a lack of a methodology for systems development.
C. technology not aligning with the organization's objectives.
D. an absence of control over technology contracts.
Right answer: C. technology not aligning with the organization's objectives.
Explanation: A steering committee should exist to ensure that the IT strategies support the organization's goals. The absence of an information technology committee or a committee not composed of senior managers would be an indication of a lack of top-level management commitment. This condition would increase the risk that IT would not
Question: An IT steering committee should review information systems PRIMARILY to assess:
A. whether IT processes support business requirements.
B. if proposed system functionality is adequate.
C. the stability of existing software.
D. the complexity of installed technology.
Right answer: A. whether IT processes support business requirements.
Explanation: The role of an IT steering committee is to ensure that the IS department is in harmony with the organization's mission and objectives. To ensure this, the committee must determine whether IS processes support the business requirements. Assessing proposed additional functionality and evaluating software stability and the
Question: Which of the following is the key benefit of control self-assessment (CSA)?
A. Management ownership of the internal controls supporting business objectives is reinforced.
B. Audit expenses are reduced when the assessment results are an input to external audit work.
C. Improved fraud detection since internal business staff are engaged in testing controls
D. Internal auditors can shift to a consultative approach by using the results of the assessment.
Right answer: A. Management ownership of the internal controls supporting business objectives is reinforced.
Explanation: The objective of control self-assessment is to have business management become more aware of the importance of internal control and their responsibility in terms of corporate governance. Reducing audit expenses is not a key benefit of control self-assessment (CSA). Improved fraud detection is important, but not as important as
Question: Which of the following is an attribute of the control self-assessment (CSA) approach?
A. Broad stakeholder involvement
B. Auditors are the primary control analysts
C. Limited employee participation
D. Policy driven
Right answer: A. Broad stakeholder involvement
Explanation: The control self-assessment (CSA) approach emphasizes management of and accountability for developing and monitoring the controls of an organization's business processes. The attributes of CSA include empowered employees, continuous improvement, extensive employee participation and training, all of which are representations of broad
Question: The success of control self-assessment (CSA) depends on:
A. having line managers assume a portion of the responsibility for control monitoring.
B. assigning staff managers the responsibility for building, but not monitoring, controls.
C. the implementation of a stringent control policy and rule-driven controls.
D. the implementation of supervision and the monitoring of controls of assigned duties.
Right answer: A. having line managers assume a portion of the responsibility for control monitoring.
Explanation: The primary objective of a CSA program is to leverage the internal audit function by shifting some of the control monitoring responsibilities to the functional area line managers. The success of a control self-assessment (CSA) program depends on the degree to which line managers assume responsibility for controls. Choices B, C and D are
Question: A PRIMARY benefit derived from an organization employing control self-assessment (CSA) techniques is that it:
A. can identify high-risk areas that might need a detailed review later.
B. allows IS auditors to independently assess risk.
C. can be used as a replacement for traditional audits.
D. allows management to relinquish responsibility for control.
Right answer: A. can identify high-risk areas that might need a detailed review later.
Explanation: CSA is predicated on the review of high-risk areas that either need immediate attention or a more thorough review at a later date. Choice B is incorrect, because CSA requires the involvement of auditors and line management. What occurs is that the internal audit function shifts some of the control monitoring responsibilities to the
Question: The final decision to include a material finding in an audit report should be made by the:
A. audit committee.
B. auditee's manager.
C. IS auditor.
D. CEO of the organization.
Right answer: C. IS auditor.
Explanation: The IS auditor should make the final decision about what to include or exclude from the audit report. The other choices would limit the independence of the auditor.
Question: When preparing an audit report the IS auditor should ensure that the results are supported by:
A. statements from IS management.
B. workpapers of other auditors.
C. an organizational control self-assessment.
D. sufficient and appropriate audit evidence.
Right answer: D. sufficient and appropriate audit evidence.
Explanation: ISACA's standard on 'reporting' requires the IS auditor have sufficient and appropriate audit evidence to support the reported results. Statements from IS management provide a basis for obtaining concurrence on matters that cannot be verified with empirical evidence. The report should be based on evidence collected during the
Question: During an exit interview, in cases where there is disagreement regarding the impact of a finding, an IS auditor should:
A. ask the auditee to sign a release form accepting full legal responsibility.
B. elaborate on the significance of the finding and the risks of not correcting it.
C. report the disagreement to the audit committee for resolution.
D. accept the auditee's position since they are the process owners.
Right answer: B. elaborate on the significance of the finding and the risks of not correcting it.
Explanation: If the auditee disagrees with the impact of a finding, it is important for an IS auditor to elaborate and clarify the risks and exposures, as the auditee may not fully appreciate the magnitude of the exposure. The goal should be to enlighten the auditee or uncover new information of which an IS auditor may not
Question: During an implementation review of a multiuser distributed application, an IS auditor finds minor weaknesses in three areas: the initial setting of parameters is improperly installed, weak passwords are being used and some vital reports are not being checked properly. While preparing the audit report, the IS auditor should:
A. record the observations separately with the impact of each of them marked against each respective finding.
B. advise the manager of probable risks without recording the observations, as the control weaknesses are minor ones.
C. record the observations and the risk arising from the collective weaknesses.
D. apprise the departmental heads concerned with each observation and properly document it in the report.
Right answer: C. record the observations and the risk arising from the collective weaknesses.
Explanation: Individually the weaknesses are minor; however, together they have the potential to substantially weaken the overall control structure. Choices A and D reflect a failure on the part of an IS auditor to recognize the combined effect of the control weaknesses. Advising the local manager without reporting the facts and observations would
Question: Corrective action has been taken by an auditee immediately after the identification of a reportable finding. The auditor should:
A. include the finding in the final report, because the IS auditor is responsible for an accurate report of all findings.
B. not include the finding in the final report, because the audit report should include only unresolved findings.
C. not include the finding in the final report, because corrective action can be verified by the IS auditor during the audit.
D. include the finding in the closing meeting for discussion purposes only.
Right answer: A. include the finding in the final report, because the IS auditor is responsible for an accurate report of all findings.
Explanation: Including the finding in the final report is a generally accepted audit practice. If an action is taken after the audit started and before it ended, the audit report should identify the finding and describe the corrective action taken. An audit report should reflect the situation, as it existed at the start of the audit. All corrective actions taken by the auditee
Question: An IS auditor conducting a review of software usage and licensing discovers that numerous PCs contain unauthorized software. Which of the following actions should the IS auditor take?
A. Personally delete all copies of the unauthorized software.
B. Inform the auditee of the unauthorized software, and follow up to confirm deletion.
C. Report the use of the unauthorized software and the need to prevent recurrence to auditee management.
D. Take no action, as it is a commonly accepted practice and operations management is responsible for monitoring such use.
Right answer: C. Report the use of the unauthorized software and the need to prevent recurrence to auditee management.
Explanation: The use of unauthorized or illegal software should be prohibited by an organization. Software piracy results in inherent exposure and can result in severe fines. An IS auditor must convince the user and user management of the risk and the need to eliminate the risk. An IS auditor should not assume the role of the enforcing
Question: An IS auditor who was involved in designing an organization's business continuity plan (BCP) has been assigned to audit the plan. The IS auditor should:
A. decline the assignment.
B. inform management of the possible conflict of interest after completing the audit assignment.
C. inform the business continuity planning (BCP) team of the possible conflict of interest prior to beginning the assignment.
D. communicate the possibility of conflict of interest to management prior to starting the assignment.
Right answer: D. communicate the possibility of conflict of interest to management prior to starting the assignment.
Explanation: Communicating the possibility of a conflict of interest to management prior to starting the assignment is the correct answer. A possible conflict of interest, likely to affect the auditor's independence, should be brought to the attention of management prior to starting the assignment. Declining the assignment is not the correct answer
Question: During the collection of forensic evidence, which of the following actions would MOST likely result in the destruction or corruption of evidence on a compromised system?
A. Dumping the memory content to a file
B. Generating disk images of the compromised system
C. Rebooting the system
D. Removing the system from the network
Right answer: C. Rebooting the system
Explanation: Rebooting the system may result in a change in the system state and the loss of files and important evidence stored in memory. The other choices are appropriate actions for preserving evidence.
Question: During a change control audit of a production system, an IS auditor finds that the change management process is not formally documented and that some migration procedures failed. What should the IS auditor do next?
A. Recommend redesigning the change management process.
B. Gain more assurance on the findings through root cause analysis.
C. Recommend that the program migration be stopped until the change process is documented.
D. Document the finding and present it to management.
Right answer: B. Gain more assurance on the findings through root cause analysis.
Explanation: A change management process is critical to IT production systems. Before recommending that the organization take any other action (e.g., stopping migrations, redesigning the change management process), the IS auditor should gain assurance that the incidents reported are related to deficiencies in the change management process and
Question: Which of the following would an IS auditor use to determine if unauthorized modifications were made to production programs?
A. System log analysis
B. Compliance testing
C. Forensic analysis
D. Analytical review
Right answer: B. Compliance testing
Explanation: Determining that only authorized modifications are made to production programs would require the change management process be reviewed to evaluate the existence of a trail of documentary evidence. Compliance testing would help to verify that the change management process has been applied consistently. It is unlikely that the system log analysis would
Question: Which of the following would be the MOST effective audit technique for identifying segregation of duties violations in a new enterprise resource planning (ERP) implementation?
A. Reviewing a report of security rights in the system
B. Reviewing the complexities of authorization objects
C. Building a program to identify conflicts in authorization
D. Examining recent access rights violation cases
Right answer: C. Building a program to identify conflicts in authorization
Explanation: Since the objective is to identify violations in segregation of duties, it is necessary to define the logic that will identify conflicts in authorization. A program could be developed to identify these conflicts. A report of security rights in the enterprise resource planning (ERP) system would be voluminous and time consuming to review; therefore, this
Question: Which of the following should an IS auditor use to detect duplicate invoice records within an invoice master file?
A. Attribute sampling
B. Generalized audit software (GAS)
C. Test data
D. Integrated test facility (ITF)
Right answer: B. Generalized audit software (GAS)
Explanation: Generalized audit software (GAS) would enable the auditor to review the entire invoice file to look for those items that meet the selection criteria. Attribute sampling would aid in identifying records meeting specific conditions, but would not compare one record to another to identify duplicates. To detect duplicate invoice records the
Question: After initial investigation, an IS auditor has reasons to believe that fraud may be present. The IS auditor should:
A. expand activities to determine whether an investigation is warranted.
B. report the matter to the audit committee.
C. report the possibility of fraud to top management and ask how they would like to proceed.
D. consult with external legal counsel to determine the course of action to be taken.
Right answer: A. expand activities to determine whether an investigation is warranted.
Explanation: An IS auditor's responsibilities for detecting fraud include evaluating fraud indicators and deciding whether any additional action is necessary or whether an investigation should be recommended. The IS auditor should notify the appropriate authorities within the organization only if it has determined that the indicators of fraud are sufficient to
Question: The MOST important reason for an IS auditor to obtain sufficient and appropriate audit evidence is to:
A. comply with regulatory requirements.
B. provide a basis for drawing reasonable conclusions.
C. ensure complete audit coverage.
D. perform the audit according to the defined scope.
Right answer: B. provide a basis for drawing reasonable conclusions.
Explanation: The scope of an IS audit is defined by its objectives. This involves identifying control weaknesses relevant to the scope of the audit. Obtaining sufficient and appropriate evidence assists the auditor in not only identifying control weaknesses but also documenting and validating them. Complying with regulatory requirements,
Question: While reviewing sensitive electronic work papers, the IS auditor noticed that they were not encrypted. This could compromise the:
A. audit trail of the versioning of the work papers.
B. approval of the audit phases.
C. access rights to the work papers.
D. confidentiality of the work papers.
Right answer: D. confidentiality of the work papers.
Explanation: Encryption provides confidentiality for the electronic work papers. Audit trails, audit phase approvals and access to the work papers do not, of themselves, affect the confidentiality but are part of the reason for requiring encryption.
Question: Though management has stated otherwise, an IS auditor has reasons to believe that the organization is using software that is not licensed. In this situation, the IS auditor should:
A. include the statement of management in the audit report.
B. identify whether such software is, indeed, being used by the organization.
C. reconfirm with management the usage of the software.
D. discuss the issue with senior management since reporting this could have a negative impact on the organization.
Right answer: B. identify whether such software is, indeed, being used by the organization.
Explanation: When there is an indication that an organization might be using unlicensed software, the IS auditor should obtain sufficient evidence before including it in the report. With respect to this matter, representations obtained from management cannot be independently verified. If the organization is using software that is not
Question: Which of the following audit techniques would BEST aid an auditor in determining whether there have been unauthorized program changes since the last authorized program update?
A. Test data run
B. Code review
C. Automated code comparison
D. Review of code migration procedures
Right answer: C. Automated code comparison
Explanation: An automated code comparison is the process of comparing two versions of the same program to determine whether the two correspond. It is an efficient technique because it is an automated procedure. Test data runs permit the auditor to verify the processing of preselected transactions, but provide no evidence about
Question: The PRIMARY purpose for meeting with auditees prior to formally closing a review is to:
A. confirm that the auditors did not overlook any important issues.
B. gain agreement on the findings.
C. receive feedback on the adequacy of the audit procedures.
D. test the structure of the final presentation.
Right answer: B. gain agreement on the findings.
Explanation: The primary purpose for meeting with auditees prior to formally closing a review is to gain agreement on the findings. The other choices, though related to the formal closure of an audit, are of secondary importance.
Question: In the process of evaluating program change controls, an IS auditor would use source code comparison software to:
A. examine source program changes without information from IS personnel.
B. detect a source program change made between acquiring a copy of the source and the comparison run.
C. confirm that the control copy is the current version of the production program.
D. ensure that all changes made in the current source copy are detected.
Right answer: A. examine source program changes without information from IS personnel.
Explanation: An IS auditor has an objective, independent and relatively complete assurance of program changes because the source code comparison will identify changes. Choice B is incorrect, because the changes made since the acquisition of the copy are not included in the copy of the software. Choice C is incorrect, as an IS auditor will
Question: The PRIMARY reason an IS auditor performs a functional walkthrough during the preliminary phase of an audit assignment is to:
A. understand the business process.
B. comply with auditing standards.
C. identify control weakness.
D. plan substantive testing.
Right answer: A. understand the business process.
Explanation: Understanding the business process is the first step an IS auditor needs to perform. Standards do not require an IS auditor to perform a process walkthrough. Identifying control weaknesses is not the primary reason for the walkthrough and typically occurs at a later stage in the audit, while planning for substantive testing is performed at a later
Question: An IS auditor issues an audit report pointing out the lack of firewall protection features at the perimeter network gateway and recommends a vendor product to address this vulnerability. The IS auditor has failed to exercise:
A. professional independence
B. organizational independence.
C. technical competence.
D. professional competence.
Right answer: A. professional independence
Explanation: When an IS auditor recommends a specific vendor, they compromise professional independence. Organizational independence has no relevance to the content of an audit report and should be considered at the time of accepting the engagement. Technical and professional competence is not relevant to the requirement of independence
Question: An IS auditor interviewing a payroll clerk finds that the answers do not support job descriptions and documented procedures. Under these circumstances, the IS auditor should:
A. conclude that the controls are inadequate.
B. expand the scope to include substantive testing.
C. place greater reliance on previous audits.
D. suspend the audit.
Right answer: B. expand the scope to include substantive testing.
Explanation: If the answers provided to an IS auditor's questions are not confirmed by documented procedures or job descriptions, the IS auditor should expand the scope of testing the controls and include additional substantive tests. There is no evidence that whatever controls might exist are either inadequate or adequate.
Question: When performing a computer forensic investigation, in regard to the evidence gathered, an IS auditor should be MOST concerned with:
A. analysis.
B. evaluation.
C. preservation.
D. disclosure.
Right answer: C. preservation.
Explanation: Preservation and documentation of evidence for review by law enforcement and judicial authorities are of primary concern when conducting an investigation. Failure to properly preserve the evidence could jeopardize the acceptance of the evidence in legal proceedings. Analysis, evaluation and disclosure
Question: A substantive test to verify that tape library inventory records are accurate is:
A. determining whether bar code readers are installed.
B. determining whether the movement of tapes is authorized.
C. conducting a physical count of the tape inventory.
D. checking if receipts and issues of tapes are accurately recorded.
Right answer: C. conducting a physical count of the tape inventory.
Explanation: A substantive test includes gathering evidence to evaluate the integrity of individual transactions, data or other information. Conducting a physical count of the tape inventory is a substantive test. Choices A, B and D are compliance tests.
Question: While conducting an audit, an IS auditor detects the presence of a virus. What should be the IS auditor's next step?
A. Observe the response mechanism.
B. Clear the virus from the network.
C. Inform appropriate personnel immediately.
D. Ensure deletion of the virus.
Right answer: C. Inform appropriate personnel immediately.
Explanation: The first thing an IS auditor should do after detecting the virus is to alert the organization to its presence, then wait for their response. Choice A should be taken after choice C. This will enable an IS auditor to examine the actual workability and effectiveness of the response system. An IS auditor should not make
Question: When assessing the design of network monitoring controls, an IS auditor should FIRST review network:
A. topology diagrams.
B. bandwidth usage.
C. traffic analysis reports.
D. bottleneck locations.
Right answer: A. topology diagrams.
Explanation: The first step in assessing network monitoring controls should be the review of the adequacy of network documentation, specifically topology diagrams. If this information is not up to date, then monitoring processes and the ability to diagnose problems will not be effective.
Question: Which of the following online auditing techniques is most effective for the early detection of errors or irregularities?
A. Embedded audit module
B. Integrated test facility
C. Snapshots
D. Audit hooks
Right answer: D. Audit hooks
Explanation: The audit hook technique involves embedding code in application systems for the examination of selected transactions. This helps an IS auditor to act before an error or an irregularity gets out of hand. An embedded audit module involves embedding specially-written software in the organization's host application system so
Question: In an audit of an inventory application, which approach would provide the BEST evidence that purchase orders are valid?
A. Testing whether inappropriate personnel can change application parameters
B. Tracing purchase orders to a computer listing
C. Comparing receiving reports to purchase order details
D. Reviewing the application documentation
Right answer: A. Testing whether inappropriate personnel can change application parameters
Explanation: To determine purchase order validity, testing access controls will provide the best evidence. Choices B and C are based on after-the-fact approaches, while choice D does not serve the purpose because what is in the system documentation may not be the same as what is happening.
Question: An IS auditor performing a review of an application's controls would evaluate the:
A. efficiency of the application in meeting the business processes.
B. impact of any exposures discovered.
C. business processes served by the application.
D. application's optimization.
Right answer: B. impact of any exposures discovered.
Explanation: An application control review involves the evaluation of the application's automated controls and an assessment of any exposures resulting from the control weaknesses. The other choices may be objectives of an application audit but are not part of an audit restricted to a review of controls.
Question: The BEST method of proving the accuracy of a system tax calculation is by:
A. detailed visual review and analysis of the source code of the calculation programs.
B. recreating program logic using generalized audit software to calculate monthly totals.
C. preparing simulated transactions for processing and comparing the results to predetermined results.
D. automatic flowcharting and analysis of the source code of the calculation programs.
Right answer: C. preparing simulated transactions for processing and comparing the results to predetermined results.
Explanation: Preparing simulated transactions for processing and comparing the results to predetermined results is the best method for proving accuracy of a tax calculation. Detailed visual review, flowcharting and analysis of source code are not effective methods, and monthly totals would not address the accuracy of individual tax calculations.
Question: An IS auditor evaluates the test results of a modification to a system that deals with payment computation. The auditor finds that 50 percent of the calculations do not match predetermined totals. Which of the following would MOST likely be the next step in the audit?
A. Design further tests of the calculations that are in error.
B. Identify variables that may have caused the test results to be inaccurate.
C. Examine some of the test cases to confirm the results.
D. Document the results and prepare a report of findings, conclusions and recommendations.
Answer: C. Examine some of the test cases to confirm the results.
Explanation: An IS auditor should next examine cases where incorrect calculations occurred and confirm the results. After the calculations have been confirmed, further tests can be conducted and reviewed. Report preparation, findings and recommendations would not be made until all results are confirmed.

Question: Which of the following is an advantage of an integrated test facility (ITF)?
A. It uses actual master files or dummies and the IS auditor does not have to review the source of the transaction.
B. Periodic testing does not require separate test processes.
C. It validates application systems and tests the ongoing operation of the system.
D. The need to prepare test data is eliminated.
Answer: B. Periodic testing does not require separate test processes.
Explanation: An integrated test facility creates a fictitious entity in the database to process test transactions simultaneously with live input. Its advantage is that periodic testing does not require separate test processes. However, careful planning is necessary, and test data must be isolated from production data.

Question: An IS auditor attempting to determine whether access to program documentation is restricted to authorized persons would MOST likely:
A. evaluate the record retention plans for off-premises storage.
B. interview programmers about the procedures currently being followed.
C. compare utilization records to operations schedules.
D. review data file access records to test the librarian function.
Answer: B. interview programmers about the procedures currently being followed.
Explanation: Asking programmers about the procedures currently being followed is useful in determining whether access to program documentation is restricted to authorized persons. Evaluating the record retention plans for off-premises storage tests the recovery procedures, not the access control over program documentation. Testing utilization records or

Question: An IS auditor is performing an audit of a network operating system. Which of the following is a user feature the IS auditor should review?
A. Availability of online network documentation
B. Support of terminal access to remote hosts
C. Handling file transfer between hosts and interuser communications
D. Performance management, audit and control
Answer: A. Availability of online network documentation
Explanation: Network operating system user features include online availability of network documentation. Other features would be user access to various resources of network hosts, user authorization to access particular resources, and the network and host computers used without special user actions or commands. Choices B, C and D are examples of

Question: An IS auditor reviews an organizational chart PRIMARILY for:
A. an understanding of workflows.
B. investigating various communication channels.
C. understanding the responsibilities and authority of individuals.
D. investigating the network connected to different employees.
Answer: C. understanding the responsibilities and authority of individuals.
Explanation: An organizational chart provides information about the responsibilities and authority of individuals in the organization. This helps an IS auditor to know if there is a proper segregation of functions. A workflow chart would provide information about the roles of different employees. A network diagram will provide information about the

Question: Which of the following forms of evidence for the auditor would be considered the MOST reliable?
A. An oral statement from the auditee
B. The results of a test performed by an IS auditor
C. An internally generated computer accounting report
D. A confirmation letter received from an outside source
Answer: D. A confirmation letter received from an outside source
Explanation: Evidence obtained from outside sources is usually more reliable than that obtained from within the organization. Confirmation letters received from outside parties, such as those used to verify accounts receivable balances, are usually highly reliable. Testing performed by an auditor may not be reliable, if the auditor did not have

Question: Data flow diagrams are used by IS auditors to:
A. order data hierarchically.
B. highlight high-level data definitions.
C. graphically summarize data paths and storage.
D. portray step-by-step details of data generation.
Answer: C. graphically summarize data paths and storage.
Explanation: Data flow diagrams are used as aids to graph or chart data flow and storage. They trace the data from its origination to destination, highlighting the paths and storage of data. They do not order data in any hierarchy. The flow of the data will not necessarily match any hierarchy or data generation order.

Question: An integrated test facility is considered a useful audit tool because it:
A. is a cost-efficient approach to auditing application controls.
B. enables the financial and IS auditors to integrate their audit tests.
C. compares processing output with independently calculated data.
D. provides the IS auditor with a tool to analyze a large range of information.
Answer: C. compares processing output with independently calculated data.
Explanation: An integrated test facility is considered a useful audit tool because it uses the same programs to compare processing using independently calculated data. This involves setting up dummy entities on an application system and processing test or production data against the entity as a means of verifying processing accuracy.

Question: Which of the following would be the BEST population to take a sample from when testing program changes?
A. Test library listings
B. Source program listings
C. Program change requests
D. Production library listings
Answer: D. Production library listings
Explanation: The best source from which to draw any sample or test of system information is the automated system. The production libraries represent executables that are approved and authorized to process organizational data. Source program listings would be time-intensive. Program change requests are the documents used to

Question: During a review of a customer master file, an IS auditor discovered numerous customer name duplications arising from variations in customer first names. To determine the extent of the duplication, the IS auditor would use:
A. test data to validate data input.
B. test data to determine system sort capabilities.
C. generalized audit software to search for address field duplications.
D. generalized audit software to search for account field duplications.
Answer: C. generalized audit software to search for address field duplications.
Explanation: Since the name is not the same (due to name variations), one method to detect duplications would be to compare other common fields, such as addresses. A subsequent review to determine common customer names at these addresses could then be conducted. Searching for duplicate account numbers would not likely

Question: Which audit technique provides the BEST evidence of the segregation of duties in an IS department?
A. Discussion with management
B. Review of the organization chart
C. Observation and interviews
D. Testing of user access rights
Answer: C. Observation and interviews
Explanation: By observing the IS staff performing their tasks, an IS auditor can identify whether they are performing any incompatible operations, and by interviewing the IS staff, the auditor can get an overview of the tasks performed. Based on the observations and interviews the auditor can evaluate the segregation of duties. Management may not be aware of the

Question: When evaluating the collective effect of preventive, detective or corrective controls within a process, an IS auditor should be aware of which of the following?
A. The point at which controls are exercised as data flow through the system
B. Only preventive and detective controls are relevant
C. Corrective controls can only be regarded as compensating
D. Classification allows an IS auditor to determine which controls are missing
Answer: A. The point at which controls are exercised as data flow through the system
Explanation: An IS auditor should focus on when controls are exercised as data flow through a computer system. Choice B is incorrect since corrective controls may also be relevant. Choice C is incorrect, since corrective controls remove or reduce the effects of errors or irregularities and are exclusively regarded as compensating controls. Choice D is incorrect

Question: Which of the following would normally be the MOST reliable evidence for an auditor?
A. A confirmation letter received from a third party verifying an account balance
B. Assurance from line management that an application is working as designed
C. Trend data obtained from World Wide Web (Internet) sources
D. Ratio analysis developed by the IS auditor from reports supplied by line management
Answer: A. A confirmation letter received from a third party verifying an account balance
Explanation: Evidence obtained from independent third parties almost always is considered to be the most reliable. Choices B, C and D would not be considered as reliable.

Question: Which of the following should be of MOST concern to an IS auditor?
A. Lack of reporting of a successful attack on the network
B. Failure to notify police of an attempted intrusion
C. Lack of periodic examination of access rights
D. Lack of notification to the public of an intrusion
Answer: A. Lack of reporting of a successful attack on the network
Explanation: Not reporting an intrusion is equivalent to an IS auditor hiding a malicious intrusion, which would be a professional mistake. Although notification to the police may be required and the lack of a periodic examination of access rights might be a concern, they do not represent as big a concern as the failure to report the attack. Reporting to

Question: In the course of performing a risk analysis, an IS auditor has identified threats and potential impacts. Next, the IS auditor should:
A. identify and assess the risk assessment process used by management.
B. identify information assets and the underlying systems.
C. disclose the threats and impacts to management.
D. identify and evaluate the existing controls.
Answer: D. identify and evaluate the existing controls.
Explanation: It is important for an IS auditor to identify and evaluate the existing controls and security once the potential threats and possible impacts are identified. Upon completion of an audit an IS auditor should describe and discuss with management the threats and potential impacts on the assets.

Question: During a security audit of IT processes, an IS auditor found that there were no documented security procedures. The IS auditor should:
A. create the procedures document.
B. terminate the audit.
C. conduct compliance testing.
D. identify and evaluate existing practices.
Answer: D. identify and evaluate existing practices.
Explanation: One of the main objectives of an audit is to identify potential risks; therefore, the most proactive approach would be to identify and evaluate the existing security practices being followed by the organization. IS auditors should not prepare documentation, as doing so could jeopardize their independence. Terminating

Question: The vice president of human resources has requested an audit to identify payroll overpayments for the previous year. Which would be the BEST audit technique to use in this situation?
A. Test data
B. Generalized audit software
C. Integrated test facility
D. Embedded audit module
Answer: B. Generalized audit software
Explanation: Generalized audit software features include mathematical computations, stratification, statistical analysis, sequence checking, duplicate checking and recomputations. An IS auditor, using generalized audit software, could design appropriate tests to recompute the payroll, thereby determining if there were overpaymen

Question: An IS auditor has imported data from the client’s database. The next step, confirming whether the imported data are complete, is performed by:
A. matching control totals of the imported data to control totals of the original data.
B. sorting the data to confirm whether the data are in the same order as the original data.
C. reviewing the printout of the first 100 records of original data with the first 100 records of imported data.
D. filtering data for different categories and matching them to the original data.
Answer: A. matching control totals of the imported data to control totals of the original data.
Explanation: Matching control totals of the imported data with control totals of the original data is the next logical step, as this confirms the completeness of the imported data. It is not possible to confirm completeness by sorting the imported data, because the original data may not be in sorted order. Further, sorting does not provide control totals for

Question: Which of the following is the PRIMARY advantage of using computer forensic software for investigations?
A. The preservation of the chain of custody for electronic evidence
B. Time and cost savings
C. Efficiency and effectiveness
D. Ability to search for violations of intellectual property rights
Answer: A. The preservation of the chain of custody for electronic evidence
Explanation: The primary objective of forensic software is to preserve electronic evidence to meet the rules of evidence. Choice B, time and cost savings, and choice C, efficiency and effectiveness, are legitimate concerns that differentiate good from poor forensic software packages. Choice D, the ability to search for intellectual property rights

Question: An IS auditor is evaluating a corporate network for a possible penetration by employees. Which of the following findings should give the IS auditor the GREATEST concern?
A. There are a number of external modems connected to the network.
B. Users can install software on their desktops.
C. Network monitoring is very limited.
D. Many user IDs have identical passwords.
Answer: D. Many user IDs have identical passwords.
Explanation: Exploitation of a known user ID and password requires minimal technical knowledge and exposes the network resources to exploitation. The technical barrier is low and the impact can be very high; therefore, the fact that many user IDs have identical passwords represents the greatest threat. External modems represent a security risk, but exploitation

Question: In an IS audit of several critical servers, the IS auditor wants to analyze audit trails to discover potential anomalies in user or system behavior. Which of the following tools are MOST suitable for performing that task?
A. CASE tools
B. Embedded data collection tools
C. Heuristic scanning tools
D. Trend/variance detection tools
Answer: D. Trend/variance detection tools
Explanation: Trend/variance detection tools look for anomalies in user or system behavior, for example, determining whether the numbers for prenumbered documents are sequential or increasing. CASE tools are used to assist software development. Embedded (audit) data collection software is used for sampling and to provide production

Question: An IS auditor is performing an audit of a remotely managed server backup. The IS auditor reviews the logs for one day and finds one case where logging on a server has failed with the result that backup restarts cannot be confirmed. What should the auditor do?
A. Issue an audit finding
B. Seek an explanation from IS management
C. Review the classifications of data held on the server
D. Expand the sample of logs reviewed
Answer: D. Expand the sample of logs reviewed
Explanation: Audit standards require that an IS auditor gather sufficient and appropriate audit evidence. The auditor has found a potential problem and now needs to determine if this is an isolated incident or a systematic control failure. At this stage it is too preliminary to issue an audit finding and seeking an explanation from

Question: The PRIMARY purpose of an IT forensic audit is:
A. to participate in investigations related to corporate fraud.
B. the systematic collection of evidence after a system irregularity.
C. to assess the correctness of an organization’s financial statements.
D. to determine that there has been criminal activity.
Answer: B. the systematic collection of evidence after a system irregularity.
Explanation: Choice B describes a forensic audit. The evidence collected could then be used in judicial proceedings. Forensic audits are not limited to corporate fraud. Assessing the correctness of an organization’s financial statements is not the purpose of a forensic audit. Drawing a conclusion as to criminal activity would be part of a

Question: An IS auditor evaluating logical access controls should FIRST:
A. document the controls applied to the potential access paths to the system.
B. test controls over the access paths to determine if they are functional.
C. evaluate the security environment in relation to written policies and practices.
D. obtain an understanding of the security risks to information processing.
Answer: D. obtain an understanding of the security risks to information processing.
Explanation: When evaluating logical access controls, an IS auditor should first obtain an understanding of the security risks facing information processing by reviewing relevant documentation, by inquiries, and by conducting a risk assessment. Documentation and evaluation is the second step in assessing the adequacy, efficiency and

Question: When selecting audit procedures, an IS auditor should use professional judgment to ensure that:
A. sufficient evidence will be collected.
B. all significant deficiencies identified will be corrected within a reasonable period.
C. all material weaknesses will be identified.
D. audit costs will be kept at a minimum level.
Answer: A. sufficient evidence will be collected.
Explanation: Procedures are processes an IS auditor may follow in an audit engagement. In determining the appropriateness of any specific procedure, an IS auditor should use professional judgment appropriate to the specific circumstances. Professional judgment involves a subjective and often qualitative evaluation of conditions arising in the

Question: During the planning stage of an IS audit, the PRIMARY goal of an IS auditor is to:
A. address audit objectives.
B. collect sufficient evidence.
C. specify appropriate tests.
D. minimize audit resources.
Answer: A. address audit objectives.
Explanation: ISACA auditing standards require that an IS auditor plan the audit work to address the audit objectives. Choice B is incorrect because the auditor does not collect evidence in the planning stage of an audit. Choices C and D are incorrect because they are not the primary goals of audit planning. The activities described in choices B, C and D are all undertaken

Question: An IS auditor should use statistical sampling and not judgment (nonstatistical) sampling, when:
A. the probability of error must be objectively quantified.
B. the auditor wishes to avoid sampling risk.
C. generalized audit software is unavailable.
D. the tolerable error rate cannot be determined.
Answer: A. the probability of error must be objectively quantified.
Explanation: Given an expected error rate and confidence level, statistical sampling is an objective method of sampling, which helps an IS auditor determine the sample size and quantify the probability of error (confidence coefficient). Choice B is incorrect because sampling risk is the risk of a sample not being representative of the population. This risk exists for

Question: While planning an audit, an assessment of risk should be made to provide:
A. reasonable assurance that the audit will cover material items.
B. definite assurance that material items will be covered during the audit work.
C. reasonable assurance that all items will be covered by the audit.
D. sufficient assurance that all items will be covered during the audit work.
Answer: A. reasonable assurance that the audit will cover material items.
Explanation: The ISACA IS Auditing Guideline G15 on planning the IS audit states, ‘An assessment of risk should be made to provide reasonable assurance that material items will be adequately covered during the audit work. This assessment should identify areas with a relatively high risk of the existence of material problems.’ Definite assurance

Question: The extent to which data will be collected during an IS audit should be determined based on the:
A. availability of critical and required information.
B. auditor’s familiarity with the circumstances.
C. auditee’s ability to find relevant evidence.
D. purpose and scope of the audit being done.
Answer: D. purpose and scope of the audit being done.
Explanation: The extent to which data will be collected during an IS audit should be related directly to the scope and purpose of the audit. An audit with a narrow purpose and scope would result most likely in less data collection, than an audit with a wider purpose and scope. The scope of an IS audit should not be constrained by the ease of obtaining

Question: In planning an audit, the MOST critical step is the identification of the:
A. areas of high risk.
B. skill sets of the audit staff.
C. test steps in the audit.
D. time allotted for the audit.
Answer: A. areas of high risk.
Explanation: When designing an audit plan, it is important to identify the areas of highest risk to determine the areas to be audited. The skill sets of the audit staff should have been considered before deciding and selecting the audit. Test steps for the audit are not as critical as identifying the areas of risk, and the time allotted for an audit is determined by the areas to be

Question: An IS auditor is evaluating management’s risk assessment of information systems. The IS auditor should FIRST review:
A. the controls already in place.
B. the effectiveness of the controls in place.
C. the mechanism for monitoring the risks related to the assets.
D. the threats/vulnerabilities affecting the assets.
Answer: D. the threats/vulnerabilities affecting the assets.
Explanation: One of the key factors to be considered while assessing the risks related to the use of various information systems is the threats and vulnerabilities affecting the assets. The risks related to the use of information assets should be evaluated in isolation from the installed controls. Similarly, the effectiveness of the controls should be

Question: An organization’s IS audit charter should specify the:
A. short- and long-term plans for IS audit engagements.
B. objectives and scope of IS audit engagements.
C. detailed training plan for the IS audit staff.
D. role of the IS audit function.
Answer: D. role of the IS audit function.
Explanation: An IS audit charter establishes the role of the information systems audit function. The charter should describe the overall authority, scope, and responsibilities of the audit function. It should be approved by the highest level of management and, if available, by the audit committee. Short-term and long-term planning is

Question: To ensure that audit resources deliver the best value to the organization, the FIRST step would be to:
A. schedule the audits and monitor the time spent on each audit.
B. train the IS audit staff on current technology used in the company.
C. develop the audit plan on the basis of a detailed risk assessment.
D. monitor progress of audits and initiate cost control measures.
Answer: C. develop the audit plan on the basis of a detailed risk assessment.
Explanation: Monitoring the time (choice A) and audit programs (choice D), as well as adequate training (choice B), will improve the IS audit staff’s productivity (efficiency and performance), but that which delivers value to the organization are the resources and efforts being dedicated to, and focused on, the higher-risk areas.

Question: When developing a risk-based audit strategy, an IS auditor should conduct a risk assessment to ensure that:
A. controls needed to mitigate risks are in place.
B. vulnerabilities and threats are identified.
C. audit risks are considered.
D. a gap analysis is appropriate.
Answer: B. vulnerabilities and threats are identified.
Explanation: In developing a risk-based audit strategy, it is critical that the risks and vulnerabilities be understood. This will determine the areas to be audited and the extent of coverage. Understanding whether appropriate controls required to mitigate risks are in place is a resultant effect of an audit. Audit risks are inherent aspects of auditing, are directly

Question: The PRIMARY purpose of audit trails is to:
A. improve response time for users.
B. establish accountability and responsibility for processed transactions.
C. improve the operational efficiency of the system.
D. provide useful information to auditors who may wish to track transactions.
Answer: B. establish accountability and responsibility for processed transactions.
Explanation: Enabling audit trails helps in establishing the accountability and responsibility of processed transactions by tracing transactions through the system. The objective of enabling software to provide audit trails is not to improve system efficiency, since it often involves additional processing which may in fact reduce response

Question: The PRIMARY advantage of a continuous audit approach is that it:
A. does not require an IS auditor to collect evidence on system reliability while processing is taking place.
B. requires the IS auditor to review and follow up immediately on all information collected.
C. can improve system security when used in time-sharing environments that process a large number of transactions.
D. does not depend on the complexity of an organization’s computer systems.
Answer: C. can improve system security when used in time-sharing environments that process a large number of transactions.
Explanation: The use of continuous auditing techniques can improve system security when used in time-sharing environments that process a large number of transactions, but leave a scarce paper trail. Choice A is incorrect since the continuous audit approach often does require an IS auditor to collect evidence on system reliability while processing is

Question: An IS auditor is assigned to perform a postimplementation review of an application system. Which of the following situations may have impaired the independence of the IS auditor? The IS auditor:
A. implemented a specific control during the development of the application system.
B. designed an embedded audit module exclusively for auditing the application system.
C. participated as a member of the application system project team, but did not have operational responsibilities.
D. provided consulting advice concerning application system best practices.
Answer: A. implemented a specific control during the development of the application system.
Explanation: Independence may be impaired if an IS auditor is, or has been, actively involved in the development, acquisition and implementation of the application system. Choices B and C are situations that do not impair an IS auditor’s independence. Choice D is incorrect because an IS auditor’s independence is not impaired by providing advice on known

Question: Which of the following is the MOST likely reason why e-mail systems have become a useful source of evidence for litigation?
A. Multiple cycles of backup files remain available.
B. Access controls establish accountability for e-mail activity.
C. Data classification regulates what information should be communicated via e-mail.
D. Within the enterprise, a clear policy for using e-mail ensures that evidence is available.
Answer: A. Multiple cycles of backup files remain available.
Explanation: Backup files containing documents that supposedly have been deleted could be recovered from these files. Access controls may help establish accountability for the issuance of a particular document, but this does not provide evidence of the e-mail. Data classification standards may be in place with regards to what should be

Question: Which of the following sampling methods is MOST useful when testing for compliance?
A. Attribute sampling
B. Variable sampling
C. Stratified mean per unit
D. Difference estimation
Answer: A. Attribute sampling
Explanation: Attribute sampling is the primary sampling method used for compliance testing. Attribute sampling is a sampling model that is used to estimate the rate of occurrence of a specific quality (attribute) in a population and is used in compliance testing to confirm whether the quality exists. The other choices are used in substantive testing,

Question: The MAJOR advantage of the risk assessment approach over the baseline approach to information security management is that it ensures:
A. information assets are overprotected.
B. a basic level of protection is applied regardless of asset value.
C. appropriate levels of protection are applied to information assets.
D. an equal proportion of resources are devoted to protecting all information assets.
Answer: C. appropriate levels of protection are applied to information assets.
Explanation: Full risk assessment determines the level of protection most appropriate to a given level of risk, while the baseline approach merely applies a standard set of protection regardless of risk. There is a cost advantage in not overprotecting information. However, an even bigger advantage is making sure that no information assets are over- or underprotec

Question: An audit charter should:
A. be dynamic and change often to coincide with the changing nature of technology and the audit profession.
B. clearly state audit objectives for, and the delegation of, authority to the maintenance and review of internal controls.
C. document the audit procedures designed to achieve the planned audit objectives.
D. outline the overall authority, scope and responsibilities of the audit function.
Answer: D. outline the overall authority, scope and responsibilities of the audit function.
Explanation: An audit charter should state management’s objectives for and delegation of authority to IS audit. This charter should not significantly change over time and should be approved at the highest level of management. An audit charter would not be at a detailed level and, therefore, would not include specific audit objectives or procedures.

Question: Which of the following is a benefit of a risk-based approach to audit planning? Audit:
A. scheduling may be performed months in advance.
B. budgets are more likely to be met by the IS audit staff.
C. staff will be exposed to a variety of technologies.
D. resources are allocated to the areas of highest concern.
Answer: D. resources are allocated to the areas of highest concern.
Explanation: The risk-based approach is designed to ensure audit time is spent on the areas of highest risk. The development of an audit schedule is not addressed by a risk-based approach. Audit schedules may be prepared months in advance using various scheduling methods. A risk approach does not have a direct correlation to the audit staff

Question: Which of the following is a substantive test?
A. Checking a list of exception reports
B. Ensuring approval for parameter changes
C. Using a statistical sample to inventory the tape library
D. Reviewing password history reports
Answer: C. Using a statistical sample to inventory the tape library
Explanation: A substantive test confirms the integrity of actual processing. A substantive test would determine if the tape library records are stated correctly. A compliance test determines if controls are being applied in a manner that is consistent with management policies and procedures. Checking the authorization of exception

Q: Overall business risk for a particular threat can be expressed as:
A. a product of the probability and magnitude of the impact if a threat successfully exploits a vulnerability.
B. the magnitude of the impact should a threat source successfully exploit the vulnerability.
C. the likelihood of a given threat source exploiting a given vulnerability.
D. the collective judgment of the risk assessment team.
Answer: A
Explanation: Choice A takes into consideration the likelihood and magnitude of the impact and provides the best measure of the risk to an asset. Choice B provides only the likelihood of a threat exploiting a vulnerability in the asset but does not provide the magnitude of the possible damage to the asset. Similarly, choice C considers only the
Q: The decisions and actions of an IS auditor are MOST likely to affect which of the following risks?
A. Inherent
B. Detection
C. Control
D. Business
Answer: B
Explanation: Detection risks are directly affected by the auditor's selection of audit procedures and techniques. Inherent risks are not usually affected by an IS auditor. Control risks are controlled by the actions of the company's management. Business risks are not affected by an IS auditor.
Q: An IS auditor is reviewing access to an application to determine whether the 10 most recent "new user" forms were correctly authorized. This is an example of:
A. variable sampling.
B. substantive testing.
C. compliance testing.
D. stop-or-go sampling.
Answer: C
Explanation: Compliance testing determines whether controls are being applied in compliance with policy. This includes tests to determine whether new accounts were appropriately authorized. Variable sampling is used to estimate numerical values, such as dollar values. Substantive testing substantiates the integrity of actual
Q: An IS auditor is using a statistical sample to inventory the tape library. What type of test would this be considered?
A. Substantive
B. Compliance
C. Integrated
D. Continuous audit
Answer: A
Explanation: Using a statistical sample to inventory the tape library is an example of a substantive test.
Q: Database snapshots can provide an excellent audit trail for an IS auditor. True or false?
A. True
B. False
Answer: A. True
Explanation: Database snapshots can provide an excellent audit trail for an IS auditor.
Q: What is a data validation edit control that matches input data to an occurrence rate? Choose the BEST answer.
A. Accuracy check
B. Completeness check
C. Reasonableness check
D. Redundancy check
Answer: C
Explanation: A reasonableness check is a data validation edit control that matches input data to an occurrence rate.
Q: Processing controls ensure that data is accurate and complete, and is processed only through which of the following? Choose the BEST answer.
A. Documented routines
B. Authorized routines
C. Accepted routines
D. Approved routines
Answer: B
Explanation: Processing controls ensure that data is accurate and complete, and is processed only through authorized routines.
Q: Data edits are implemented before processing and are considered which of the following? Choose the BEST answer.
A. Deterrent integrity controls
B. Detective integrity controls
C. Corrective integrity controls
D. Preventative integrity controls
Answer: D
Explanation: Data edits are implemented before processing and are considered preventive integrity controls.
Q: What is used as a control to detect loss, corruption, or duplication of data?
A. Redundancy check
B. Reasonableness check
C. Hash totals
D. Accuracy check
Answer: C
Explanation: Hash totals are used as a control to detect loss, corruption, or duplication of data.
Q: ________________ (fill in the blank) should be implemented as early as data preparation to support data integrity at the earliest point possible.
A. Control totals
B. Authentication controls
C. Parity bits
D. Authorization controls
Answer: A
Explanation: Control totals should be implemented as early as data preparation to support data integrity at the earliest point possible.
Q: When should an application-level edit check to verify the availability of funds be completed at the electronic funds transfer (EFT) interface?
A. Before transaction completion
B. Immediately after an EFT is initiated
C. During run-to-run total testing
D. Before an EFT is initiated
Answer: D
Explanation: An application-level edit check to verify availability of funds should be completed at the electronic funds transfer (EFT) interface before an EFT is initiated.
Q: Whenever business processes have been re-engineered, the IS auditor attempts to identify and quantify the impact of any controls that might have been removed, or controls that might not work as effectively after business process changes. True or false?
A. True
B. False
Answer: A. True
Explanation: Whenever business processes have been re-engineered, the IS auditor should attempt to identify and quantify the impact of any controls that might have been removed, or controls that might not work as effectively after business process changes.
Q: Business process re-engineering often results in ______________ automation, which results in _____________ number of people using technology. Fill in the blanks.
A. Increased; a greater
B. Increased; a fewer
C. Less; a fewer
D. Increased; the same
Answer: A
Explanation: Business process re-engineering often results in increased automation, which results in a greater number of people using technology.
Q: Which of the following exploit vulnerabilities to cause loss or damage to the organization and its assets?
A. Exposures
B. Threats
C. Hazards
D. Insufficient controls
Answer: B
Explanation: Threats exploit vulnerabilities to cause loss or damage to the organization and its assets.
Q: What is the primary security concern for EDI environments? Choose the BEST answer.
A. Transaction authentication
B. Transaction completeness
C. Transaction accuracy
D. Transaction authorization
Answer: D
Explanation: Transaction authorization is the primary security concern for EDI environments.
Q: After identifying potential security vulnerabilities, what should be the IS auditor's next step?
A. To evaluate potential countermeasures and compensatory controls
B. To implement effective countermeasures and compensatory controls
C. To perform a business impact analysis of the threats that would exploit the vulnerabilities
D. To immediately advise senior management of the findings
Answer: C
Explanation: After identifying potential security vulnerabilities, the IS auditor's next step is to perform a business impact analysis of the threats that would exploit the vulnerabilities.
Q: Authentication techniques for sending and receiving data between EDI systems are crucial to prevent which of the following? Choose the BEST answer.
A. Unsynchronized transactions
B. Unauthorized transactions
C. Inaccurate transactions
D. Incomplete transactions
Answer: B
Explanation: Authentication techniques for sending and receiving data between EDI systems are crucial to prevent unauthorized transactions.
Q: Input/output controls should be implemented for which applications in an integrated systems environment?
A. The receiving application
B. The sending application
C. Both the sending and receiving applications
D. Output on the sending application and input on the receiving application
Answer: C
Explanation: Input/output controls should be implemented for both the sending and receiving applications in an integrated systems environment.
Q: Above almost all other concerns, what often results in the greatest negative impact on the implementation of new application software?
A. Failing to perform user acceptance testing
B. Lack of user training for the new system
C. Lack of software documentation and run manuals
D. Insufficient unit, module, and systems testing
Answer: A
Explanation: Above almost all other concerns, failing to perform user acceptance testing often results in the greatest negative impact on the implementation of new application software.
Q: When should plans for testing for user acceptance be prepared? Choose the BEST answer.
A. In the requirements definition phase of the systems-development project
B. In the feasibility phase of the systems-development project
C. In the design phase of the systems-development project
D. In the development phase of the systems-development project
Answer: A
Explanation: Plans for testing for user acceptance are usually prepared in the requirements definition phase of the systems-development project.
Q: Who is responsible for the overall direction, costs, and timetables for systems-development projects?
A. The project sponsor
B. The project steering committee
C. Senior management
D. The project team leader
Answer: B
Explanation: The project steering committee is responsible for the overall direction, costs, and timetables for systems-development projects.
Q: What is the most common reason for information systems to fail to meet the needs of users? Choose the BEST answer.
A. Lack of funding
B. Inadequate user participation during system requirements definition
C. Inadequate senior management participation during system requirements definition
D. Poor IT strategic planning
Answer: B
Explanation: Inadequate user participation during system requirements definition is the most common reason for information systems to fail to meet the needs of users.
Q: Which of the following uses a prototype that can be updated continually to meet changing user or business requirements?
A. PERT
B. Rapid application development (RAD)
C. Function point analysis (FPA)
D. GANTT
Answer: B
Explanation: Rapid application development (RAD) uses a prototype that can be updated continually to meet changing user or business requirements.
Q: What kind of testing should programmers perform following any changes to an application or system?
A. Unit, module, and full regression testing
B. Module testing
C. Unit testing
D. Regression testing
Answer: A
Explanation: Programmers should perform unit, module, and full regression testing following any changes to an application or system.
Q: Test and development environments should be separated. True or false?
A. True
B. False
Answer: A. True
Explanation: Test and development environments should be separated, to control the stability of the test environment.
Q: What is used to develop strategically important systems faster, reduce development costs, and still maintain high quality? Choose the BEST answer.
A. Rapid application development (RAD)
B. GANTT
C. PERT
D. Decision trees
Answer: A
Explanation: Rapid application development (RAD) is used to develop strategically important systems faster, reduce development costs, and still maintain high quality.
Q: When should application controls be considered within the system-development process?
A. After application unit testing
B. After application module testing
C. After applications systems testing
D. As early as possible, even in the development of the project's functional specifications
Answer: D
Explanation: Application controls should be considered as early as possible in the system-development process, even in the development of the project's functional specifications.
Q: Which of the following processes are performed during the design phase of the systems-development life cycle (SDLC) model?
A. Develop test plans.
B. Baseline procedures to prevent scope creep.
C. Define the need that requires resolution, and map to the major requirements of the solution.
D. Program and test the new system. The tests verify and validate what has been developed.
Answer: B
Explanation: Procedures to prevent scope creep are baselined in the design phase of the systems-development life cycle (SDLC) model.
Q: An IS auditor should carefully review the functional requirements in a systems-development project to ensure that the project is designed to:
A. Meet business objectives
B. Enforce data security
C. Be culturally feasible
D. Be financially feasible
Answer: A
Explanation: An IS auditor should carefully review the functional requirements in a systems-development project to ensure that the project is designed to meet business objectives.
Q: What should regression testing use to obtain accurate conclusions regarding the effects of changes or corrections to a program, and to ensure that those changes and corrections have not introduced new errors?
A. Contrived data
B. Independently created data
C. Live data
D. Data from previous tests
Answer: D
Explanation: Regression testing should use data from previous tests to obtain accurate conclusions regarding the effects of changes or corrections to a program, and to ensure that those changes and corrections have not introduced new errors.
Q: Who is ultimately responsible for providing requirement specifications to the software-development team?
A. The project sponsor
B. The project members
C. The project leader
D. The project steering committee
Answer: A
Explanation: The project sponsor is ultimately responsible for providing requirement specifications to the software-development team.
Q: What protects an application purchaser's ability to fix or change an application in case the application vendor goes out of business?
A. Assigning copyright to the organization
B. Program back doors
C. Source code escrow
D. Internal programming expertise
Answer: C
Explanation: Source code escrow protects an application purchaser's ability to fix or change an application in case the application vendor goes out of business.
Q: What uses questionnaires to lead the user through a series of choices to reach a conclusion? Choose the BEST answer.
A. Logic trees
B. Decision trees
C. Decision algorithms
D. Logic algorithms
Answer: B
Explanation: Decision trees use questionnaires to lead the user through a series of choices to reach a conclusion.
Q: Why is a clause for requiring source code escrow in an application vendor agreement important?
A. To segregate systems development and live environments
B. To protect the organization from copyright disputes
C. To ensure that sufficient code is available when needed
D. To ensure that the source code remains available even if the application vendor goes out of business
Answer: D
Explanation: A clause for requiring source code escrow in an application vendor agreement is important to ensure that the source code remains available even if the application vendor goes out of business.
Q: Off-site data backup and storage should be geographically separated so as to ________________ (fill in the blank) the risk of a widespread physical disaster such as a hurricane or earthquake.
A. Accept
B. Eliminate
C. Transfer
D. Mitigate
Answer: D
Explanation: Off-site data backup and storage should be geographically separated, to mitigate the risk of a widespread physical disaster such as a hurricane or an earthquake.
Q: What is an acceptable recovery mechanism for extremely time-sensitive transaction processing?
A. Off-site remote journaling
B. Electronic vaulting
C. Shadow file processing
D. Storage area network
Answer: C
Explanation: Shadow file processing can be implemented as a recovery mechanism for extremely time-sensitive transaction processing.
Q: Off-site data storage should be kept synchronized when preparing for recovery of time-sensitive data such as that resulting from which of the following? Choose the BEST answer.
A. Financial reporting
B. Sales reporting
C. Inventory reporting
D. Transaction processing
Answer: D
Explanation: Off-site data storage should be kept synchronized when preparing for the recovery of time-sensitive data such as that resulting from transaction processing.
Q: Mitigating the risk and impact of a disaster or business interruption usually takes priority over transference of risk to a third party such as an insurer. True or false?
A. True
B. False
Answer: A. True
Explanation: Mitigating the risk and impact of a disaster or business interruption usually takes priority over transferring risk to a third party such as an insurer.
Q: How can minimizing single points of failure or vulnerabilities of a common disaster best be controlled?
A. By implementing redundant systems and applications onsite
B. By geographically dispersing resources
C. By retaining onsite data backup in fireproof vaults
D. By preparing BCP and DRP documents for commonly identified disasters
Answer: B
Explanation: Minimizing single points of failure or vulnerabilities of a common disaster is mitigated by geographically dispersing resources.
Q: Which of the following is the dominating objective of BCP and DRP?
A. To protect human life
B. To mitigate the risk and impact of a business interruption
C. To eliminate the risk and impact of a business interruption
D. To transfer the risk and impact of a business interruption
Answer: A
Explanation: Although the primary business objective of BCP and DRP is to mitigate the risk and impact of a business interruption, the dominating objective remains the protection of human life.
Q: An off-site processing facility should be easily identifiable externally because easy identification helps ensure smoother recovery. True or false?
A. True
B. False
Answer: B. False
Explanation: An off-site processing facility should not be easily identifiable externally because easy identification would create an additional vulnerability for sabotage.
Q: If a database is restored from information backed up before the last system image, which of the following is recommended?
A. The system should be restarted after the last transaction.
B. The system should be restarted before the last transaction.
C. The system should be restarted at the first transaction.
D. The system should be restarted on the last transaction.
Answer: B
Explanation: If a database is restored from information backed up before the last system image, the system should be restarted before the last transaction because the final transaction must be reprocessed.
Q: The purpose of business continuity planning and disaster-recovery planning is to:
A. Transfer the risk and impact of a business interruption or disaster
B. Mitigate, or reduce, the risk and impact of a business interruption or disaster
C. Accept the risk and impact of a business interruption or disaster
D. Eliminate the risk and impact of a business interruption or disaster
Answer: B
Explanation: The primary purpose of business continuity planning and disaster-recovery planning is to mitigate, or reduce, the risk and impact of a business interruption or disaster. Total elimination of risk is impossible.
Q: Organizations should use off-site storage facilities to maintain _________________ (fill in the blank) of current and critical information within backup files. Choose the BEST answer.
A. Confidentiality
B. Integrity
C. Redundancy
D. Concurrency
Answer: C
Explanation: Redundancy is the best answer because it provides both integrity and availability. Organizations should use offsite storage facilities to maintain redundancy of current and critical information within backup files.
Q: If a programmer has update access to a live system, IS auditors are more concerned with the programmer's ability to initiate or modify transactions and the ability to access production than with the programmer's ability to authorize transactions. True or false?
A. True
B. False
Answer: A. True
Explanation: If a programmer has update access to a live system, IS auditors are more concerned with the programmer's ability to initiate or modify transactions and the ability to access production than with the programmer's ability to authorize transactions.
Q: Rather than simply reviewing the adequacy of access control, appropriateness of access policies, and effectiveness of safeguards and procedures, the IS auditor is more concerned with effectiveness and utilization of assets. True or false?
A. True
B. False
Answer: B. False
Explanation: Instead of simply reviewing the effectiveness and utilization of assets, an IS auditor is more concerned with adequate access control, appropriate access policies, and effectiveness of safeguards and procedures.
Q: What are intrusion-detection systems (IDS) primarily used for?
A. To identify AND prevent intrusion attempts to a network
B. To prevent intrusion attempts to a network
C. Forensic incident response
D. To identify intrusion attempts to a network
Answer: D
Explanation: Intrusion-detection systems (IDS) are used to identify intrusion attempts on a network.
Q: Which of the following is of greatest concern when performing an IS audit?
A. Users' ability to directly modify the database
B. Users' ability to submit queries to the database
C. Users' ability to indirectly modify the database
D. Users' ability to directly view the database
Answer: A
Explanation: A major IS audit concern is users' ability to directly modify the database.
Q: Which of the following is the most fundamental step in preventing virus attacks?
A. Adopting and communicating a comprehensive antivirus policy
B. Implementing antivirus protection software on users' desktop computers
C. Implementing antivirus content checking at all network-to-Internet gateways
D. Inoculating systems with antivirus code
Answer: A
Explanation: Adopting and communicating a comprehensive antivirus policy is the most fundamental step in preventing virus attacks. All other antivirus prevention efforts rely upon decisions established and communicated via policy.
Q: When should systems administrators first assess the impact of applications or systems patches?
A. Within five business days following installation
B. Prior to installation
C. No sooner than five business days following installation
D. Immediately following installation
Answer: B
Explanation: Systems administrators should always assess the impact of patches before installation.
Q: Using the OSI reference model, what layer(s) is/are used to encrypt data?
A. Transport layer
B. Session layer
C. Session and transport layers
D. Data link layer
Answer: C
Explanation: User applications often encrypt and encapsulate data using protocols within the OSI session layer or farther down in the transport layer.
Q: What should IS auditors always check when auditing password files?
A. That deleting password files is protected
B. That password files are encrypted
C. That password files are not accessible over the network
D. That password files are archived
Answer: B
Explanation: IS auditors should always check to ensure that password files are encrypted.
Q: Which of the following should an IS auditor review to determine user permissions that have been granted for a particular resource? Choose the BEST answer.
A. Systems logs
B. Access control lists (ACL)
C. Application logs
D. Error logs
Answer: B
Explanation: IS auditors should review access-control lists (ACL) to determine user permissions that have been granted for a particular resource.
Q: What is often assured through table link verification and reference checks?
A. Database integrity
B. Database synchronization
C. Database normalcy
D. Database accuracy
Answer: A
Explanation: Database integrity is most often ensured through table link verification and reference checks.
Q: What process is used to validate a subject's identity?
A. Identification
B. Nonrepudiation
C. Authorization
D. Authentication
Answer: D
Explanation: Authentication is used to validate a subject's identity.
Q: What determines the strength of a secret key within a symmetric key cryptosystem?
A. A combination of key length, degree of permutation, and the complexity of the data-encryption algorithm that uses the key
B. A combination of key length, initial input vectors, and the complexity of the data-encryption algorithm that uses the key
C. A combination of key length and the complexity of the data-encryption algorithm that uses the key
D. Initial input vectors and the complexity of the data-encryption algorithm that uses the key
Answer: B
Explanation: The strength of a secret key within a symmetric key cryptosystem is determined by a combination of key length, initial input vectors, and the complexity of the data-encryption algorithm that uses the key.
Q: What is used to provide authentication of the website and can also be used to successfully authenticate keys used for data encryption?
A. An organizational certificate
B. A user certificate
C. A website certificate
D. Authenticode
Answer: C
Explanation: A website certificate is used to provide authentication of the website and can also be used to successfully authenticate keys used for data encryption.
Q: Which of the following provides the BEST single-factor authentication?
A. Biometrics
B. Password
C. Token
D. PIN
Answer: A
Explanation: Although biometrics provides only single-factor authentication, many consider it to be an excellent method for user authentication.
Q: Digital signatures require the sender to "sign" the data by encrypting the data with the sender's public key, to then be decrypted by the recipient using the recipient's private key. True or false?
A. False
B. True
Answer: B. True
Explanation: Digital signatures require the sender to "sign" the data by encrypting the data with the sender's private key, to then be decrypted by the recipient using the sender's public key.
Q: What type of fire-suppression system suppresses fire via water that is released from a main valve to be delivered via a system of dry pipes installed throughout the facilities?
A. A dry-pipe sprinkler system
B. A deluge sprinkler system
C. A wet-pipe system
D. A halon sprinkler system
Answer: A
Explanation: A dry-pipe sprinkler system suppresses fire via water that is released from a main valve to be delivered via a system of dry pipes installed throughout the facilities.
Q: What is a callback system?
A. It is a remote-access system whereby the remote-access server immediately calls the user back at a predetermined number if the dial-in connection fails.
B. It is a remote-access system whereby the user's application automatically redials the remote-access server if the initial connection attempt fails.
C. It is a remote-access control whereby the user initially connects to the network systems via dial-up access, only to have the initial connection terminated by the server, which then subsequently dials the user back at a predetermined number stored in the server's configuration database.
D. It is a remote-access control whereby the user initially connects to the network systems via dial-up access, only to have the initial connection terminated by the server, which then subsequently allows the user to call back at an approved number for a limited period of time.
Answer: C
Explanation: A callback system is a remote-access control whereby the user initially connects to the network systems via dial-up access, only to have the initial connection terminated by the server, which then subsequently dials the user back at a predetermined number stored in the server's configuration database.
Q: Which of the following fire-suppression methods is considered to be the most environmentally friendly?
A. Halon gas
B. Deluge sprinklers
C. Dry-pipe sprinklers
D. Wet-pipe sprinklers
Answer: C
Explanation: Although many methods of fire suppression exist, dry-pipe sprinklers are considered to be the most environmentally friendly.
Q: Which of the following is a passive attack method used by intruders to determine potential network vulnerabilities?
A. Traffic analysis
B. SYN flood
C. Denial of service (DoS)
D. Distributed denial of service (DoS)
Answer: A
Explanation: Traffic analysis is a passive attack method used by intruders to determine potential network vulnerabilities. All others are active attacks.
Q: What can be used to gather evidence of network attacks?
A. Access control lists (ACL)
B. Intrusion-detection systems (IDS)
C. Syslog reporting
D. Antivirus programs
Answer: B
Explanation: Intrusion-detection systems (IDS) are used to gather evidence of network attacks.
Q: What is/are used to measure and ensure proper network capacity management and availability of services? Choose the BEST answer.
A. Network performance-monitoring tools
B. Network component redundancy
C. Syslog reporting
D. IT strategic planning
Answer: A
Explanation: Network performance-monitoring tools are used to measure and ensure proper network capacity management and availability of services.
Q: What are trojan horse programs? Choose the BEST answer.
A. A common form of internal attack
B. Malicious programs that require the aid of a carrier program such as email
C. Malicious programs that can run independently and can propagate without the aid of a carrier program such as email
D. A common form of Internet attack
Answer: D
Explanation: Trojan horse programs are a common form of Internet attack.
Q: What is a common vulnerability, allowing denial-of-service attacks?
A. Assigning access to users according to the principle of least privilege
B. Lack of employee awareness of organizational security policies
C. Improperly configured routers and router access lists
D. Configuring firewall access rules
Answer: C
Explanation: Improperly configured routers and router access lists are a common vulnerability for denial-of-service attacks.
Question: Which of the following help(s) prevent an organization's systems from participating in a distributed denial-of-service (DDoS) attack? Choose the BEST answer.
A. Inbound traffic filtering
B. Using access control lists (ACLs) to restrict inbound connection attempts
C. Outbound traffic filtering
D. Recentralizing distributed systems
Answer: C
Explanation: Outbound traffic filtering can help prevent an organization's systems from participating in a distributed denial-of-service (DDoS) attack.
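
The following is an added example, not part of the original question bank, that models the decision an outbound (egress) filter makes at the network edge. It is a Python model of the policy, not a firewall: it applies source-address validation (a packet leaving the network with a source address the organization does not own is the spoofed traffic a DDoS bot emits, and is dropped) plus a small deny list of outbound destination ports that internal hosts never legitimately need. The prefixes, the denied ports and the sample packets are constructed for illustration.

```python
"""Outbound (egress) traffic filtering modelled in Python.

Added example; not from the original question bank and not a firewall.
It models the two egress decisions that stop a compromised internal host
from taking part in a DDoS: source-address validation and a deny list of
outbound destination ports. All prefixes, ports and packets are constructed.
"""
import ipaddress
from dataclasses import dataclass

# Assumed: the address space the organization owns (documentation prefixes).
OWN_PREFIXES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("2001:db8:100::/48"),
]

# Assumed policy: outbound destination ports no internal host should reach.
# 19 (chargen) is a classic reflection target; 6667 is traditional IRC C2.
DENIED_DST_PORTS = {19, 6667}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp", "udp" or "icmp"
    dport: int   # 0 for protocols without ports


def egress_verdict(pkt: Packet) -> str:
    """Return 'allow' or 'drop: <reason>' for a packet leaving the network."""
    src = ipaddress.ip_address(pkt.src)
    if not any(src in net for net in OWN_PREFIXES):
        # A packet from inside claiming an address we do not own is spoofed.
        return "drop: spoofed source"
    if pkt.proto in ("tcp", "udp") and pkt.dport in DENIED_DST_PORTS:
        return f"drop: outbound port {pkt.dport} denied"
    return "allow"


# Constructed sample of packets seen on the outbound interface.
SAMPLE_PACKETS = [
    Packet("203.0.113.25", "198.51.100.7", "tcp", 443),      # normal HTTPS
    Packet("198.51.100.200", "192.0.2.9", "udp", 53),        # spoofed source
    Packet("203.0.113.40", "192.0.2.9", "udp", 19),          # chargen reflection
    Packet("2001:db8:100::1a", "2001:db8:9::1", "tcp", 25),  # normal SMTP (IPv6)
    Packet("203.0.113.77", "192.0.2.50", "tcp", 6667),       # IRC C2 attempt
]


def apply_policy(packets) -> list[tuple[Packet, str]]:
    """Evaluate every packet and pair it with its verdict."""
    return [(p, egress_verdict(p)) for p in packets]


def drop_count(packets) -> int:
    """Number of packets the egress filter would stop."""
    return sum(1 for _, v in apply_policy(packets) if v != "allow")


if __name__ == "__main__":
    for pkt, verdict in apply_policy(SAMPLE_PACKETS):
        print(f"{pkt.src:>18} -> {pkt.dst:<15} {pkt.proto}/{pkt.dport:<5} {verdict}")
```

The source-address check is the part that matters for the question: inbound filtering protects the organization from others, but only a rule applied to traffic leaving the network prevents its own hosts from emitting spoofed or abusive traffic toward a victim.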

Question: What is an effective control for granting temporary access to vendors and external support personnel? Choose the BEST answer.
A. Creating user accounts that automatically expire by a predetermined date
B. Creating permanent guest accounts for temporary use
C. Creating user accounts that restrict logon access to certain hours of the day
D. Creating a single shared vendor administrator account on the basis of least-privileged access
Answer: A
Explanation: Creating user accounts that automatically expire by a predetermined date is an effective control for granting temporary access to vendors and external support personnel.

Question: Which of the following provide(s) near-immediate recoverability for time-sensitive systems and transaction processing?
A. Automated electronic journaling and parallel processing
B. Data mirroring and parallel processing
C. Data mirroring
D. Parallel processing
Answer: B
Explanation: Data mirroring and parallel processing are both used to provide near-immediate recoverability for time-sensitive systems and transaction processing.

Question: Which of the following can degrade network performance? Choose the BEST answer.
A. Superfluous use of redundant load-sharing gateways
B. Increasing traffic collisions due to host congestion by creating new collision domains
C. Inefficient and superfluous use of network devices such as switches
D. Inefficient and superfluous use of network devices such as hubs
Answer: D
Explanation: Inefficient and superfluous use of network devices such as hubs can degrade network performance.

Question: What type(s) of firewalls provide(s) the greatest degree of protection and control because both firewall technologies inspect all seven OSI layers of network traffic?
A. A first-generation packet-filtering firewall
B. A circuit-level gateway
C. An application-layer gateway, or proxy firewall, and stateful-inspection firewalls
D. An application-layer gateway, or proxy firewall, but not stateful-inspection firewalls
Answer: C
Explanation: An application-layer gateway, or proxy firewall, and stateful-inspection firewalls provide the greatest degree of protection and control because both firewall technologies inspect all seven OSI layers of network traffic.

Question: What supports data transmission through split cable facilities or duplicate cable facilities?
A. Diverse routing
B. Dual routing
C. Alternate routing
D. Redundant routing
Answer: A
Explanation: Diverse routing supports data transmission through split cable facilities, or duplicate cable facilities.

Question: Which of the following are effective in detecting fraud because they have the capability to consider a large number of variables when trying to resolve a problem? Choose the BEST answer.
A. Expert systems
B. Neural networks
C. Integrated synchronized systems
D. Multitasking applications
Answer: B
Explanation: Neural networks are effective in detecting fraud because they have the capability to consider a large number of variables when trying to resolve a problem.

Question: How do modems (modulation/demodulation) function to facilitate analog transmissions to enter a digital network?
A. Modems convert analog transmissions to digital, and digital transmissions to analog.
B. Modems encapsulate analog transmissions within digital, and digital transmissions within analog.
C. Modems convert digital transmissions to analog, and analog transmissions to digital.
D. Modems encapsulate digital transmissions within analog, and analog transmissions within digital.
Answer: A
Explanation: Modems (modulation/demodulation) convert analog transmissions to digital, and digital transmissions to analog, and are required for analog transmissions to enter a digital network.

Question: Proper segregation of duties prevents a computer operator (user) from performing security administration duties. True or false?
A. True
B. False
Answer: A. True
Explanation: Proper segregation of duties prevents a computer operator (user) from performing security administration duties.

Question: Why is the WAP gateway a component warranting critical concern and review for the IS auditor when auditing and testing controls enforcing message confidentiality?
A. WAP is often configured by default settings and is thus insecure.
B. WAP provides weak encryption for wireless traffic.
C. WAP functions as a protocol-conversion gateway for wireless TLS to Internet SSL.
D. WAP often interfaces critical IT systems.
Answer: C
Explanation: Functioning as a protocol-conversion gateway for wireless TLS (WTLS) to Internet SSL, the WAP gateway is a component warranting critical concern and review for the IS auditor when auditing and testing controls that enforce message confidentiality. Because the gateway must decrypt the WTLS session before re-encrypting the traffic as SSL, message content exists in plaintext on the gateway itself, so the gateway's hardening, logging, and access controls are part of the confidentiality review.

Question: When reviewing print systems spooling, an IS auditor is MOST concerned with which of the following vulnerabilities?
A. The potential for unauthorized deletion of report copies
B. The potential for unauthorized modification of report copies
C. The potential for unauthorized printing of report copies
D. The potential for unauthorized editing of report copies
Answer: C
Explanation: When reviewing print systems spooling, an IS auditor is most concerned with the potential for unauthorized printing of report copies.

Question: In order to properly protect against unauthorized disclosure of sensitive data, how should hard disks be sanitized?
A. The data should be deleted and overwritten with binary 0s.
B. The data should be demagnetized.
C. The data should be low-level formatted.
D. The data should be deleted.
Answer: B
Explanation: To properly protect against unauthorized disclosure of sensitive data, hard disks should be demagnetized before disposal or release. Note that demagnetizing (degaussing) works only on magnetic media; it does not sanitize solid-state drives, which need a different method.

Question: How is the risk of improper file access affected upon implementing a database system?
A. Risk varies.
B. Risk is reduced.
C. Risk is not affected.
D. Risk is increased.
Answer: D
Explanation: Improper file access becomes a greater risk when implementing a database system.

Question: The directory system of a database-management system describes:
A. The access method to the data
B. The location of data AND the access method
C. The location of data
D. Neither the location of data NOR the access method
Answer: B
Explanation: The directory system of a database-management system describes the location of data and the access method.

Question: What can be implemented to provide the highest level of protection from external attack?
A. Layering perimeter network protection by configuring the firewall as a screened host in a screened subnet behind the bastion host
B. Configuring the firewall as a screened host behind a router
C. Configuring the firewall as the protecting bastion host
D. Configuring two load-sharing firewalls facilitating VPN access from external hosts to internal hosts
Answer: A
Explanation: Layering perimeter network protection by configuring the firewall as a screened host in a screened subnet behind the bastion host provides a higher level of protection from external attack than all other answers.

Question: Proper segregation of duties does not prohibit a quality control administrator from also being responsible for change control and problem management. True or false?
A. True
B. False
Answer: A. True
Explanation: Proper segregation of duties does not prohibit a quality-control administrator from also being responsible for change control and problem management.

Question: Who should be responsible for network security operations?
A. Business unit managers
B. Security administrators
C. Network administrators
D. IS auditors
Answer: B
Explanation: Security administrators are usually responsible for network security operations.

Question: Allowing application programmers to directly patch or change code in production programs increases risk of fraud. True or false?
A. True
B. False
Answer: A. True
Explanation: Allowing application programmers to directly patch or change code in production programs increases risk of fraud.

Question: When should reviewing an audit client's business plan be performed relative to reviewing an organization's IT strategic plan?
A. Reviewing an audit client's business plan should be performed before reviewing an organization's IT strategic plan.
B. Reviewing an audit client's business plan should be performed after reviewing an organization's IT strategic plan.
C. Reviewing an audit client's business plan should be performed during the review of an organization's IT strategic plan.
D. Reviewing an audit client's business plan should be performed without regard to an organization's IT strategic plan.
Answer: A
Explanation: Reviewing an audit client's business plan should be performed before reviewing an organization's IT strategic plan.

Question: What process allows IS management to determine whether the activities of the organization differ from the planned or expected levels? Choose the BEST answer.
A. Business impact assessment
B. Risk assessment methods
C. IS assessment methods
D. Key performance indicators (KPIs)
Answer: C
Explanation: IS assessment methods allow IS management to determine whether the activities of the organization differ from the planned or expected levels.

Question: When performing an IS strategy audit, an IS auditor should review both short-term (one-year) and long-term (three-to-five-year) IS strategies, interview appropriate corporate management personnel, and ensure that the external environment has been considered. The auditor should especially focus on procedures in an audit of IS strategy. True or false?
A. True
B. False
Answer: B. False
Explanation: When performing an IS strategy audit, an IS auditor should review both short-term (one-year) and long-term (three-to-five-year) IS strategies, interview appropriate corporate management personnel, and ensure that the external environment has been considered.

Question: When auditing third-party service providers, an IS auditor should be concerned with which of the following? Choose the BEST answer.
A. Ownership of the programs and files
B. A statement of due care and confidentiality, and the capability for continued service of the service provider in the event of a disaster
C. A statement of due care
D. Ownership of programs and files, a statement of due care and confidentiality, and the capability for continued service of the service provider in the event of a disaster
Answer: D
Explanation: When auditing third-party service providers, an auditor should be concerned with ownership of programs and files, a statement of due care and confidentiality, and the capability for continued service of the service provider in the event of a disaster.

Question: Ensuring that security and control policies support business and IT objectives is a primary objective of:
A. An IT security policies audit
B. A processing audit
C. A software audit
D. A vulnerability assessment
Answer: A
Explanation: Ensuring that security and control policies support business and IT objectives is a primary objective of an IT security policies audit.

Question: Why does an IS auditor review an organization chart?
A. To optimize the responsibilities and authority of individuals
B. To control the responsibilities and authority of individuals
C. To better understand the responsibilities and authority of individuals
D. To identify project sponsors
Answer: C
Explanation: The primary reason an IS auditor reviews an organization chart is to better understand the responsibilities and authority of individuals.

Question: Who is responsible for implementing cost-effective controls in an automated system?
A. Security policy administrators
B. Business unit management
C. Senior management
D. Board of directors
Answer: B
Explanation: Business unit management is responsible for implementing cost-effective controls in an automated system.

Question: If an IS auditor finds evidence of risk involved in not implementing proper segregation of duties, such as having the security administrator perform an operations function, what is the auditor's primary responsibility?
A. To advise senior management.
B. To reassign job functions to eliminate potential fraud.
C. To implement compensatory controls.
D. Segregation of duties is an administrative control not considered by an IS auditor.
Answer: A
Explanation: An IS auditor's primary responsibility is to advise senior management of the risk involved in not implementing proper segregation of duties, such as having the security administrator perform an operations function.

Question: An advantage of a continuous audit approach is that it can improve system security when used in time-sharing environments that process a large number of transactions. True or false?
A. True
B. False
Answer: A. True
Explanation: It is true that an advantage of a continuous audit approach is that it can improve system security when used in time-sharing environments that process a large number of transactions.

Question: An integrated test facility is not considered a useful audit tool because it cannot compare processing output with independently calculated data. True or false?
A. True
B. False
Answer: B. False
Explanation: An integrated test facility is considered a useful audit tool because it compares processing output with independently calculated data.

Question: Which of the following is of greatest concern to the IS auditor?
A. Failure to report a successful attack on the network
B. Failure to prevent a successful attack on the network
C. Failure to recover from a successful attack on the network
D. Failure to detect a successful attack on the network
Answer: A
Explanation: Lack of reporting of a successful attack on the network is a great concern to an IS auditor.

Question: Which of the following is best suited for searching for address field duplications?
A. Text search forensic utility software
B. Generalized audit software
C. Productivity audit software
D. Manual review
Answer: B
Explanation: Generalized audit software can be used to search for address field duplications.

Question: What type of risk is associated with authorized program exits (trap doors)? Choose the BEST answer.
A. Business risk
B. Audit risk
C. Detective risk
D. Inherent risk
Answer: D
Explanation: Inherent risk is associated with authorized program exits (trap doors).

Question: What is the recommended initial step for an IS auditor to implement continuous-monitoring systems?
A. Document existing internal controls
B. Perform compliance testing on internal controls
C. Establish a controls-monitoring steering committee
D. Identify high-risk areas within the organization
Answer: D
Explanation: When implementing continuous-monitoring systems, an IS auditor's first step is to identify high-risk areas within the organization.

Question: To properly evaluate the collective effect of preventative, detective, or corrective controls within a process, an IS auditor should be aware of which of the following? Choose the BEST answer.
A. The business objectives of the organization
B. The effect of segregation of duties on internal controls
C. The point at which controls are exercised as data flows through the system
D. Organizational control policies
Answer: C
Explanation: When evaluating the collective effect of preventive, detective, or corrective controls within a process, an IS auditor should be aware of the point at which controls are exercised as data flows through the system.

Question: Which of the following is the MOST critical step in planning an audit?
A. Implementing a prescribed auditing framework such as COBIT
B. Identifying current controls
C. Identifying high-risk audit targets
D. Testing controls
Answer: C
Explanation: In planning an audit, the most critical step is identifying the areas of high risk.

Question: Which of the following, if not performed during access control, would prevent accountability for an action performed, thus allowing repudiation?
A. Proper authentication
B. Proper identification AND authentication
C. Proper identification
D. Proper identification, authentication, AND authorization
Answer: B
Explanation: If proper identification and authentication are not performed during access control, no accountability can exist for any action performed.

Question: The traditional role of an IS auditor in a control self-assessment (CSA) should be that of a(n):
A. Implementor
B. Facilitator
C. Developer
D. Sponsor
Answer: B
Explanation: The traditional role of an IS auditor in a control self-assessment (CSA) should be that of a facilitator.

Question: Parity bits are a control used to validate:
A. Data authentication
B. Data completeness
C. Data source
D. Data accuracy
Answer: B
Explanation: Parity bits are a control used to validate data completeness.

Question: A check digit is an effective edit check to:
A. Detect data-transcription errors
B. Detect data-transposition and transcription errors
C. Detect data-transposition, transcription, and substitution errors
D. Detect data-transposition errors
Answer: B
Explanation: A check digit is an effective edit check to detect data-transposition and transcription errors.
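
The following is an added example, not part of the original question bank, showing why a check digit catches exactly the two error classes the answer names. It implements the weighted modulus-11 scheme used by ISBN-10 (weights 10 down to 2, check symbol "X" for a remainder of 10) over a constructed nine-digit account number, then exhaustively tries every single-digit transcription error and every adjacent-digit transposition of that number and confirms each one is rejected. The account number and the keyed-in values are constructed for illustration.

```python
"""Weighted modulus-11 check digit as an edit check.

Added example; not from the original question bank. The scheme is the
ISBN-10 one (weights 10..2, modulus 11, 'X' for remainder 10) applied to
a constructed nine-digit account number.
"""

DATA_DIGITS = 9
WEIGHTS = range(DATA_DIGITS + 1, 1, -1)   # 10, 9, ..., 2: every position differs


def check_digit(number: str) -> str:
    """Compute the check symbol for exactly DATA_DIGITS decimal digits."""
    if len(number) != DATA_DIGITS or not number.isdigit():
        raise ValueError("expected exactly 9 decimal digits")
    total = sum(int(d) * w for d, w in zip(number, WEIGHTS))
    remainder = (11 - total % 11) % 11
    return "X" if remainder == 10 else str(remainder)


def is_valid(value: str) -> bool:
    """Edit check on a keyed-in value: data digits followed by the check symbol."""
    if len(value) != DATA_DIGITS + 1:
        return False
    body, check = value[:-1], value[-1].upper()
    if not body.isdigit() or (check != "X" and not check.isdigit()):
        return False
    return check_digit(body) == check


def detects_all_transcription_errors(number: str) -> bool:
    """True if replacing any single digit by any other digit is rejected."""
    check = check_digit(number)
    for i, d in enumerate(number):
        for wrong in "0123456789":
            if wrong != d and is_valid(number[:i] + wrong + number[i + 1:] + check):
                return False
    return True


def detects_all_adjacent_transpositions(number: str) -> bool:
    """True if swapping any two adjacent, different digits is rejected."""
    check = check_digit(number)
    for i in range(len(number) - 1):
        if number[i] == number[i + 1]:
            continue  # swapping equal digits produces no error to detect
        swapped = number[:i] + number[i + 1] + number[i] + number[i + 2:]
        if is_valid(swapped + check):
            return False
    return True


ACCOUNT = "457890123"   # constructed sample account number; check digit is 8

if __name__ == "__main__":
    print("check digit:", check_digit(ACCOUNT))
    print("as keyed correctly:", is_valid(ACCOUNT + "8"))
    print("transcription 7->1:", is_valid("4518901238"))
    print("transposition 78->87:", is_valid("4587901238"))
    print("all single-digit errors caught:", detects_all_transcription_errors(ACCOUNT))
    print("all adjacent swaps caught:", detects_all_adjacent_transpositions(ACCOUNT))
```

The two exhaustive checks pass because 11 is prime and the weights of adjacent positions differ by one: a substitution changes the weighted sum by a non-zero multiple of a weight between 2 and 10, and a swap changes it by the difference of the two digits, neither of which 11 can divide. A simpler modulus-10 scheme such as the Luhn algorithm used on payment-card numbers catches every single-digit error but misses the 09/90 adjacent transposition.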

Question: When are benchmarking partners identified within the benchmarking process?
A. In the design stage
B. In the testing stage
C. In the research stage
D. In the development stage
Answer: C
Explanation: Benchmarking partners are identified in the research stage of the benchmarking process.

Question: An intentional or unintentional disclosure of a password is likely to be evident within control logs. True or false?
A. True
B. False
Answer: B. False
Explanation: An intentional or unintentional disclosure of a password is not likely to be evident within control logs.

Question: A transaction journal provides the information necessary for detecting unauthorized _____________ (fill in the blank) from a terminal.
A. Deletion
B. Input
C. Access
D. Duplication
Answer: B
Explanation: A transaction journal provides the information necessary for detecting unauthorized input from a terminal.

Question: What is an edit check to determine whether a field contains valid data?
A. Completeness check
B. Accuracy check
C. Redundancy check
D. Reasonableness check
Answer: A
Explanation: A completeness check is an edit check to determine whether a field contains valid data.

Question: Which of the following can help detect transmission errors by appending specially calculated bits onto the end of each segment of data?
A. Redundancy check
B. Completeness check
C. Accuracy check
D. Parity check
Answer: A
Explanation: A redundancy check can help detect transmission errors by appending specially calculated bits onto the end of each segment of data.
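
The following is an added example, not part of the original question bank, covering both this question and the parity-bit question above. It implements a per-byte even parity bit and a redundancy check (CRC-8 with polynomial 0x07, the calculated bits appended to the end of the segment), then injects a one-bit and a two-bit transmission error into a constructed segment. The single-bit error is caught by both controls; the two-bit error in one byte leaves the parity even and slips past the parity check, while the CRC still rejects it, which is the practical reason a redundancy check over the whole segment is used in addition to parity. The segment and the bit positions flipped are constructed for illustration.

```python
"""Parity bits and a cyclic redundancy check (CRC) over a data segment.

Added example; not from the original question bank. Shows a per-byte even
parity bit and a CRC-8 (poly x^8+x^2+x+1, 0x07, init 0, no reflection)
appended to the end of a segment, and what each detects. The segment and
the injected bit errors are constructed.
"""


def even_parity_bit(byte: int) -> int:
    """Parity bit that makes the total number of 1 bits in the byte even."""
    return bin(byte).count("1") & 1


def add_parity(data: bytes) -> list[tuple[int, int]]:
    """Sender side: attach a parity bit to every byte as (byte, parity)."""
    return [(b, even_parity_bit(b)) for b in data]


def parity_ok(frame: list[tuple[int, int]]) -> bool:
    """Receiver side: every received byte must still match its parity bit."""
    return all(even_parity_bit(b) == p for b, p in frame)


def crc8(data: bytes, poly: int = 0x07) -> int:
    """CRC-8 over the data; the standard check value of b'123456789' is 0xF4."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = ((crc << 1) ^ poly) & 0xFF if crc & 0x80 else (crc << 1) & 0xFF
    return crc


def append_crc(data: bytes) -> bytes:
    """Sender side: append the calculated check byte to the end of the segment."""
    return data + bytes([crc8(data)])


def crc_ok(segment: bytes) -> bool:
    """Receiver side: recompute over the payload and compare with the trailer."""
    return len(segment) >= 1 and crc8(segment[:-1]) == segment[-1]


def flip_bits(data: bytes, byte_index: int, bit_positions) -> bytes:
    """Simulate a transmission error by flipping bits in one byte."""
    out = bytearray(data)
    for bit in bit_positions:
        out[byte_index] ^= 1 << bit
    return bytes(out)


def corrupt_frame(frame, byte_index: int, bit_positions):
    """Flip bits in one data byte of a parity frame; its parity bit stays as sent."""
    out = list(frame)
    byte, parity = out[byte_index]
    for bit in bit_positions:
        byte ^= 1 << bit
    out[byte_index] = (byte, parity)
    return out


SEGMENT = b"ACCT 0042 AMT 150.00"   # constructed sample segment


def run_checks(segment: bytes = SEGMENT) -> dict:
    """Return whether each control still passes after a 1-bit and a 2-bit error."""
    frame = add_parity(segment)
    sent = append_crc(segment)
    return {
        "clean_parity": parity_ok(frame),
        "clean_crc": crc_ok(sent),
        "one_bit_parity": parity_ok(corrupt_frame(frame, 0, [0])),
        "one_bit_crc": crc_ok(flip_bits(sent, 0, [0])),
        "two_bit_parity": parity_ok(corrupt_frame(frame, 0, [0, 3])),  # slips past
        "two_bit_crc": crc_ok(flip_bits(sent, 0, [0, 3])),
    }


if __name__ == "__main__":
    for name, passed in run_checks().items():
        print(f"{name:16s} {'passes' if passed else 'error detected'}")
```

Both controls are detective only: neither tells the receiver which bits were wrong, so the usual response to a failed check is to discard the segment and request retransmission.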

Question: When storing data archives off-site, what must be done with the data to ensure data completeness?
A. The data must be normalized.
B. The data must be validated.
C. The data must be parallel-tested.
D. The data must be synchronized.
Answer: D
Explanation: When storing data archives off-site, data must be synchronized to ensure data completeness.

Question: What is the first step in a business process re-engineering project?
A. Identifying current business processes
B. Forming a BPR steering committee
C. Defining the scope of areas to be reviewed
D. Reviewing organizational strategic plan
Answer: C
Explanation: Defining the scope of areas to be reviewed is the first step in a business process re-engineering project.

Question: What must an IS auditor understand before performing an application audit? Choose the BEST answer.
A. The potential business impact of application risks.
B. Application risks must first be identified.
C. Relative business processes.
D. Relevant application risks.
Answer: C
Explanation: An IS auditor must first understand relative business processes before performing an application audit.

Question: ______________ risk analysis is not always possible because the IS auditor is attempting to calculate risk using nonquantifiable threats and potential losses. In this event, a ______________ risk assessment is more appropriate. Fill in the blanks.
A. Quantitative; qualitative
B. Qualitative; quantitative
C. Residual; subjective
D. Quantitative; subjective
Answer: A
Explanation: Quantitative risk analysis is not always possible because the IS auditor is attempting to calculate risk using nonquantifiable threats and potential losses. In this event, a qualitative risk assessment is more appropriate.

Question: Network environments often add to the complexity of program-to-program communication, making the implementation and maintenance of application systems more difficult. True or false?
A. True
B. False
Answer: A. True
Explanation: Network environments often add to the complexity of program-to-program communication, making application systems implementation and maintenance more difficult.

Question: What can be used to help identify and investigate unauthorized transactions? Choose the BEST answer.
A. Postmortem review
B. Reasonableness checks
C. Data-mining techniques
D. Expert systems
Answer: C
Explanation: Data-mining techniques can be used to help identify and investigate unauthorized transactions.

Question: ________________ (fill in the blank) is/are ultimately accountable for the functionality, reliability, and security within IT governance. Choose the BEST answer.
A. Data custodians
B. The board of directors and executive officers
C. IT security administration
D. Business unit managers
Answer: B
Explanation: The board of directors and executive officers are ultimately accountable for the functionality, reliability, and security within IT governance.

Question: Run-to-run totals can verify data through which stage(s) of application processing?
A. Initial
B. Various
C. Final
D. Output
Answer: B
Explanation: Run-to-run totals can verify data through various stages of application processing.

Question: Fourth-generation languages (4GLs) are most appropriate for designing the application's graphical user interface (GUI). They are inappropriate for designing any intensive data-calculation procedures. True or false?
A. True
B. False
Answer: A. True
Explanation: Fourth-generation languages (4GLs) are most appropriate for designing the application's graphical user interface (GUI). They are inappropriate for designing any intensive data-calculation procedures.

Question: What often results in project scope creep when functional requirements are not defined as well as they could be?
A. Inadequate software baselining
B. Insufficient strategic planning
C. Inaccurate resource allocation
D. Project delays
Answer: A
Explanation: Inadequate software baselining often results in project scope creep because functional requirements are not defined as well as they could be.

Question: If an IS auditor observes that an IS department fails to use formal documented methodologies, policies, and standards, what should the auditor do? Choose the BEST answer.
A. Lack of IT documentation is not usually material to the controls tested in an IT audit.
B. The auditor should at least document the informal standards and policies. Furthermore, the IS auditor should create formal documented policies to be implemented.
C. The auditor should at least document the informal standards and policies, and test for compliance. Furthermore, the IS auditor should recommend to management that formal documented policies be developed and implemented.
D. The auditor should at least document the informal standards and policies, and test for compliance. Furthermore, the IS auditor should create formal documented policies to be implemented.
Answer: C
Explanation: If an IS auditor observes that an IS department fails to use formal documented methodologies, policies, and standards, the auditor should at least document the informal standards and policies, and test for compliance. Furthermore, the IS auditor should recommend to management that formal documented policies be developed and implemented.

Question: Which of the following is a program evaluation review technique that considers different scenarios for planning and control projects?
A. Function Point Analysis (FPA)
B. GANTT
C. Rapid Application Development (RAD)
D. PERT
Answer: D
Explanation: PERT is a program-evaluation review technique that considers different scenarios for planning and control projects.

Question: What is a reliable technique for estimating the scope and cost of a software-development project?
A. Function point analysis (FPA)
B. Feature point analysis (FPA)
C. GANTT
D. PERT
Answer: A
Explanation: A function point analysis (FPA) is a reliable technique for estimating the scope and cost of a software-development project.

Question: When participating in a systems-development project, an IS auditor should focus on system controls rather than ensuring that adequate and complete documentation exists for all projects. True or false?
A. True
B. False
Answer: B. False
Explanation: When participating in a systems-development project, an IS auditor should also strive to ensure that adequate and complete documentation exists for all projects.

Question: If an IS auditor observes that individual modules of a system perform correctly in development project tests, the auditor should inform management of the positive results and recommend further:
A. Documentation development
B. Comprehensive integration testing
C. Full unit testing
D. Full regression testing
Answer: B
Explanation: If an IS auditor observes that individual modules of a system perform correctly in development project tests, the auditor should inform management of the positive results and recommend further comprehensive integration testing.

Question: Who assumes ownership of a systems-development project and the resulting system?
A. User management
B. Project steering committee
C. IT management
D. Systems developers
Answer: A
Explanation: User management assumes ownership of a systems-development project and the resulting system.

Question: Function Point Analysis (FPA) provides an estimate of the size of an information system based only on the number and complexity of a system's inputs and outputs. True or false?
A. True
B. False
Answer: B. False
Explanation: Function point analysis (FPA) provides an estimate of the size of an information system based on the number and complexity of a system's inputs, outputs, and files.

Question: The quality of the metadata produced from a data warehouse is _______________ in the warehouse's design. Choose the BEST answer.
A. Often hard to determine because the data is derived from a heterogeneous data environment
B. The most important consideration
C. Independent of the quality of the warehoused databases
D. Of secondary importance to data warehouse content
Answer: B
Explanation: The quality of the metadata produced from a data warehouse is the most important consideration in the warehouse's design.

Question: Whenever an application is modified, what should be tested to determine the full impact of the change? Choose the BEST answer.
A. Interface systems with other applications or systems
B. The entire program, including any interface systems with other applications or systems
C. All programs, including interface systems with other applications or systems
D. Mission-critical functions and any interface systems with other applications or systems
Answer: B
Explanation: Whenever an application is modified, the entire program, including any interface systems with other applications or systems, should be tested to determine the full impact of the change.

Question: What is a primary high-level goal for an auditor who is reviewing a system development project?
A. To ensure that programming and processing environments are segregated
B. To ensure that proper approval for the project has been obtained
C. To ensure that business objectives are achieved
D. To ensure that projects are monitored and administrated effectively
Answer: C
Explanation: A primary high-level goal for an auditor who is reviewing a systems-development project is to ensure that business objectives are achieved. This objective guides all other systems development objectives.

Question: What is often the most difficult part of initial efforts in application development? Choose the BEST answer.
A. Configuring software
B. Planning security
C. Determining time and resource requirements
D. Configuring hardware
Answer: C
Explanation: Determining time and resource requirements for an application-development project is often the most difficult part of initial efforts in application development.

Question: When is regression testing used to determine whether new application changes have introduced any errors in the remaining unchanged code?
A. In program development and change management
B. In program feasibility studies
C. In program development
D. In change management
Answer: A
Explanation: Regression testing is used in program development and change management to determine whether new changes have introduced any errors in the remaining unchanged code.

Question: Library control software restricts source code to:
A. Read-only access
B. Write-only access
C. Full access
D. Read-write access
Answer: A
Explanation: Library control software restricts source code to read-only access.

Question: Obtaining user approval of program changes is very effective for controlling application changes and maintenance. True or false?
A. True
B. False
Answer: A. True
Explanation: Obtaining user approval of program changes is very effective for controlling application changes and maintenance.

Question: Although BCP and DRP are often implemented and tested by middle management and end users, the ultimate responsibility and accountability for the plans remain with executive management, such as the _______________. (fill-in-the-blank)
A. Security administrator
B. Systems auditor
C. Board of directors
D. Financial auditor
Answer: C
Explanation: Although BCP and DRP are often implemented and tested by middle management and end users, the ultimate responsibility and accountability for the plans remain with executive management, such as the board of directors.

Question: Any changes in systems assets, such as replacement of hardware, should be immediately recorded within the assets inventory of which of the following? Choose the BEST answer.
A. IT strategic plan
B. Business continuity plan
C. Business impact analysis
D. Incident response plan
Answer: B
Explanation: Any changes in systems assets, such as replacement of hardware, should be immediately recorded within the assets inventory of a business continuity plan.

Question: Of the three major types of off-site processing facilities, what type is often an acceptable solution for preparing for recovery of noncritical systems and data?
A. Cold site
B. Hot site
C. Alternate site
D. Warm site
Right answer: A. Cold site
Explanation: A cold site is often an acceptable solution for preparing for recovery of noncritical systems and data.

Question: With the objective of mitigating the risk and impact of a major business interruption, a disaster-recovery plan should endeavor to reduce the length of recovery time necessary, as well as costs associated with recovery. Although DRP results in an increase of pre- and post-incident operational costs, the extra costs are more [truncated in source]
A. True
B. False
Right answer: A. True
Explanation: With the objective of mitigating the risk and impact of a major business interruption, a disaster-recovery plan should endeavor to reduce the length of recovery time necessary and the costs associated with recovery. Although DRP results in an increase of pre- and post-incident operational costs, the extra costs are more than offset [truncated in source]

Question: Of the three major types of off-site processing facilities, what type is characterized by at least providing for electricity and HVAC?
A. Cold site
B. Alternate site
C. Hot site
D. Warm site
Right answer: A. Cold site
Explanation: Of the three major types of off-site processing facilities (hot, warm, and cold), a cold site is characterized by at least providing for electricity and HVAC. A warm site improves upon this by providing for redundant equipment and software that can be made operational within a short time.

Question: What influences decisions regarding criticality of assets?
A. The business criticality of the data to be protected
B. Internal corporate politics
C. The business criticality of the data to be protected, and the scope of the impact upon the organization as a whole
D. The business impact analysis
Right answer: C. The business criticality of the data to be protected, and the scope of the impact upon the organization as a whole
Explanation: Criticality of assets is often influenced by the business criticality of the data to be protected and by the scope of the impact upon the organization as a whole. For example, the loss of a network backbone creates a much greater impact on the organization as a whole than the loss of data on a typical user’s workstation.

Question: Which type of major BCP test only requires representatives from each operational area to meet to review the plan?
A. Parallel
B. Preparedness
C. Walk-through
D. Paper
Right answer: C. Walk-through
Explanation: Of the three major types of BCP tests (paper, walk-through, and preparedness), a walk-through test requires only that representatives from each operational area meet to review the plan.

Question: Which of the following typically focuses on making alternative processes and resources available for transaction processing?
A. Cold-site facilities
B. Disaster recovery for networks
C. Diverse processing
D. Disaster recovery for systems
Right answer: D. Disaster recovery for systems
Explanation: Disaster recovery for systems typically focuses on making alternative processes and resources available for transaction processing.

Question: What type of BCP test uses actual resources to simulate a system crash and validate the plan’s effectiveness?
A. Paper
B. Preparedness
C. Walk-through
D. Parallel
Right answer: B. Preparedness
Explanation: Of the three major types of BCP tests (paper, walk-through, and preparedness), only the preparedness test uses actual resources to simulate a system crash and validate the plan’s effectiveness.

Question: Which of the following is MOST critical during the business impact assessment phase of business continuity planning?
A. End-user involvement
B. Senior management involvement
C. Security administration involvement
D. IS auditing involvement
Right answer: A. End-user involvement
Explanation: End-user involvement is critical during the business impact assessment phase of business continuity planning.

Question: Establishing data ownership is an important first step for which of the following processes? Choose the BEST answer.
A. Assigning user access privileges
B. Developing organizational security policies
C. Creating roles and responsibilities
D. Classifying data
Right answer: D. Classifying data
Explanation: To properly implement data classification, establishing data ownership is an important first step.

Question: Who is ultimately responsible and accountable for reviewing user access to systems?
A. Systems security administrators
B. Data custodians
C. Data owners
D. Information systems auditors
Right answer: C. Data owners
Explanation: Data owners are ultimately responsible and accountable for reviewing user access to systems.

Question: Which of the following is used to evaluate biometric access controls?
A. FAR
B. EER
C. ERR
D. FRR
Right answer: B. EER
Explanation: When evaluating biometric access controls, a low equal error rate (EER) is preferred. EER is also called the crossover error rate (CER).

Question: Which of the following is BEST characterized by unauthorized modification of data before or during systems data entry?
A. Data diddling
B. Skimming
C. Data corruption
D. Salami attack
Right answer: A. Data diddling
Explanation: Data diddling involves modifying data before or during systems data entry.

Question: What is the key distinction between encryption and hashing algorithms?
A. Hashing algorithms ensure data confidentiality.
B. Hashing algorithms are irreversible.
C. Encryption algorithms ensure data integrity.
D. Encryption algorithms are not irreversible.
Right answer: B. Hashing algorithms are irreversible.
Explanation: A key distinction between encryption and hashing algorithms is that hashing algorithms are irreversible.

Question: What can ISPs use to implement inbound traffic filtering as a control to identify IP packets transmitted from unauthorized sources? Choose the BEST answer.
A. OSI Layer 2 switches with packet filtering enabled
B. Virtual Private Networks
C. Access Control Lists (ACL)
D. Point-to-Point Tunneling Protocol
Right answer: C. Access Control Lists (ACL)
Explanation: ISPs can use access control lists to implement inbound traffic filtering as a control to identify IP packets transmitted from unauthorized sources.

Question: What is an effective countermeasure for the vulnerability of data entry operators potentially leaving their computers without logging off? Choose the BEST answer.
A. Employee security awareness training
B. Administrator alerts
C. Screensaver passwords
D. Close supervision
Right answer: C. Screensaver passwords
Explanation: Screensaver passwords are an effective control to implement as a countermeasure for the vulnerability of data entry operators potentially leaving their computers without logging off.

Question: Which of the following provides the strongest authentication for physical access control?
A. Sign-in logs
B. Dynamic passwords
C. Key verification
D. Biometrics
Right answer: D. Biometrics
Explanation: Biometrics can be used to provide excellent physical access control.

Question: Which of the following is an effective method for controlling downloading of files via FTP? Choose the BEST answer.
A. An application-layer gateway, or proxy firewall, but not stateful inspection firewalls
B. An application-layer gateway, or proxy firewall
C. A circuit-level gateway
D. A first-generation packet-filtering firewall
Right answer: B. An application-layer gateway, or proxy firewall
Explanation: Application-layer gateways, or proxy firewalls, are an effective method for controlling downloading of files via FTP. Because FTP is an OSI application-layer protocol, the most effective firewall needs to be capable of inspecting through the application layer.

Question: Which of the following BEST characterizes a mantrap or deadman door, which is used as a deterrent control for the vulnerability of piggybacking?
A. A monitored double-doorway entry system
B. A monitored turnstile entry system
C. A monitored doorway entry system
D. A one-way door that does not allow exit after entry
Right answer: A. A monitored double-doorway entry system
Explanation: A monitored double-doorway entry system, also referred to as a mantrap or deadman door, is used as a deterrent control for the vulnerability of piggybacking.

Question: Which of the following is often used as a detection and deterrent control against Internet attacks?
A. Honeypots
B. CCTV
C. VPN
D. VLAN
Right answer: A. Honeypots
Explanation: Honeypots are often used as a detection and deterrent control against Internet attacks.

Question: What are often the primary safeguards for systems software and data?
A. Administrative access controls
B. Logical access controls
C. Physical access controls
D. Detective access controls
Right answer: B. Logical access controls
Explanation: Logical access controls are often the primary safeguards for systems software and data.

Question: Which of the following would provide the highest degree of server access control?
A. A mantrap-monitored entryway to the server room
B. Host-based intrusion detection combined with CCTV
C. Network-based intrusion detection
D. A fingerprint scanner facilitating biometric access control
Right answer: D. A fingerprint scanner facilitating biometric access control
Explanation: A fingerprint scanner facilitating biometric access control can provide a very high degree of server access control.

Question: Regarding digital signature implementation, which of the following answers is correct?
A. A digital signature is created by the sender to prove message integrity by encrypting the message with the sender’s private key. Upon receiving the data, the recipient can decrypt the data using the sender’s public key.
B. A digital signature is created by the sender to prove message integrity by encrypting the message with the recipient’s public key. Upon receiving the data, the recipient can decrypt the data using the recipient’s public key.
C. A digital signature is created by the sender to prove message integrity by initially using a hashing algorithm to produce a hash value or message digest from the entire message contents. Upon receiving the data, the recipient can independently create it.
D. A digital signature is created by the sender to prove message integrity by encrypting the message with the sender’s public key. Upon receiving the data, the recipient can decrypt the data using the recipient’s private key.
Right answer: C. A digital signature is created by the sender to prove message integrity by initially using a hashing algorithm to produce a hash value or message digest from the entire message contents. Upon receiving the data, the recipient can independently create it.
Explanation: A digital signature is created by the sender to prove message integrity by initially using a hashing algorithm to produce a hash value, or message digest, from the entire message contents. Upon receiving the data, the recipient can independently create its own message digest from the data for comparison and data integrity validation. Public and private are [truncated in source]

Question: Which of the following do digital signatures provide?
A. Authentication and integrity of data
B. Authentication and confidentiality of data
C. Confidentiality and integrity of data
D. Authentication and availability of data
Right answer: A. Authentication and integrity of data
Explanation: The primary purpose of digital signatures is to provide authentication and integrity of data.

Question: What does PKI use to provide some of the strongest overall control over data confidentiality, reliability, and integrity for Internet transactions?
A. A combination of public-key cryptography and digital certificates and two-factor authentication
B. A combination of public-key cryptography and two-factor authentication
C. A combination of public-key cryptography and digital certificates
D. A combination of digital certificates and two-factor authentication
Right answer: C. A combination of public-key cryptography and digital certificates
Explanation: PKI uses a combination of public-key cryptography and digital certificates to provide some of the strongest overall control over data confidentiality, reliability, and integrity for Internet transactions.

Question: Which of the following is a guiding best practice for implementing logical access controls?
A. Implementing the Biba Integrity Model
B. Access is granted on a least-privilege basis, per the organization’s data owners
C. Implementing the Take-Grant access control model
D. Classifying data according to the subject’s requirements
Right answer: B. Access is granted on a least-privilege basis, per the organization’s data owners
Explanation: Logical access controls should be reviewed to ensure that access is granted on a least-privilege basis, per the organization’s data owners.

Question: Which of the following is a good control for protecting confidential data residing on a PC?
A. Personal firewall
B. File encapsulation
C. File encryption
D. Host-based intrusion detection
Right answer: C. File encryption
Explanation: File encryption is a good control for protecting confidential data residing on a PC.

Question: Which of the following are effective controls for detecting duplicate transactions such as payments made or received?
A. Concurrency controls
B. Reasonableness checks
C. Time stamps
D. Referential integrity controls
Right answer: C. Time stamps
Explanation: Time stamps are an effective control for detecting duplicate transactions such as payments made or received.

Question: What are used as the framework for developing logical access controls?
A. Information systems security policies
B. Organizational security policies
C. Access Control Lists (ACL)
D. Organizational charts for identifying roles and responsibilities
Right answer: A. Information systems security policies
Explanation: Information systems security policies are used as the framework for developing logical access controls.

Question: How does the SSL network protocol provide confidentiality?
A. Through symmetric encryption such as RSA
B. Through asymmetric encryption such as Data Encryption Standard, or DES
C. Through asymmetric encryption such as Advanced Encryption Standard, or AES
D. Through symmetric encryption such as Data Encryption Standard, or DES
Right answer: D. Through symmetric encryption such as Data Encryption Standard, or DES
Explanation: The SSL protocol provides confidentiality through symmetric encryption such as Data Encryption Standard, or DES.

Question: What type of cryptosystem is characterized by data being encrypted by the sender using the recipient’s public key, and the data then being decrypted using the recipient’s private key?
A. With public-key encryption, or symmetric encryption
B. With public-key encryption, or asymmetric encryption
C. With shared-key encryption, or symmetric encryption
D. With shared-key encryption, or asymmetric encryption
Right answer: B. With public-key encryption, or asymmetric encryption
Explanation: With public-key encryption, or asymmetric encryption, data is encrypted by the sender using the recipient’s public key; the data is then decrypted using the recipient’s private key.

Question: What is an initial step in creating a proper firewall policy?
A. Assigning access to users according to the principle of least privilege
B. Determining appropriate firewall hardware and software
C. Identifying network applications such as mail, web, or FTP servers
D. Configuring firewall access rules
Right answer: C. Identifying network applications such as mail, web, or FTP servers
Explanation: Identifying network applications such as mail, web, or FTP servers to be externally accessed is an initial step in creating a proper firewall policy.

Question: Which of the following best characterizes “worms”?
A. Malicious programs that can run independently and can propagate without the aid of a carrier program such as email
B. Programming code errors that cause a program to repeatedly dump data
C. Malicious programs that require the aid of a carrier program such as email
D. Malicious programs that masquerade as common applications such as screensavers or macro-enabled Word documents
Right answer: A. Malicious programs that can run independently and can propagate without the aid of a carrier program such as email
Explanation: Worms are malicious programs that can run independently and can propagate without the aid of a carrier program such as email.

Question: What increases encryption overhead and cost the most?
A. A long symmetric encryption key
B. A long asymmetric encryption key
C. A long Advance Encryption Standard (AES) key
D. A long Data Encryption Standard (DES) key
Right answer: B. A long asymmetric encryption key
Explanation: A long asymmetric encryption key (public key encryption) increases encryption overhead and cost. All other answers are single shared symmetric keys.

Question: What are used as a countermeasure for potential database corruption when two processes attempt to simultaneously edit or update the same information? Choose the BEST answer.
A. Referential integrity controls
B. Normalization controls
C. Concurrency controls
D. Run-to-run totals
Right answer: A. Referential integrity controls
Explanation: Concurrency controls are used as a countermeasure for potential database corruption when two processes attempt to simultaneously edit or update the same information.

Question: What can be very helpful to an IS auditor when determining the efficacy of a systems maintenance program? Choose the BEST answer.
A. Network-monitoring software
B. A system downtime log
C. Administration activity reports
D. Help-desk utilization trend reports
Right answer: B. A system downtime log
Explanation: A system downtime log can be very helpful to an IS auditor when determining the efficacy of a systems maintenance program.

Question: What benefit does using capacity-monitoring software to monitor usage patterns and trends provide to management? Choose the BEST answer.
A. The software can dynamically readjust network traffic capabilities based upon current usage.
B. The software produces nice reports that really impress management.
C. It allows users to properly allocate resources and ensure continuous efficiency of operations.
D. It allows management to properly allocate resources and ensure continuous efficiency of operations.
Right answer: D. It allows management to properly allocate resources and ensure continuous efficiency of operations.
Explanation: Using capacity-monitoring software to monitor usage patterns and trends enables management to properly allocate resources and ensure continuous efficiency of operations.

Question: What is the most common purpose of a virtual private network implementation?
A. A virtual private network (VPN) helps to secure access between an enterprise and its partners when communicating over an otherwise unsecured channel such as the Internet.
B. A virtual private network (VPN) helps to secure access between an enterprise and its partners when communicating over a dedicated T1 connection.
C. A virtual private network (VPN) helps to secure access within an enterprise when communicating over a dedicated T1 connection between network segments within the same facility.
D. A virtual private network (VPN) helps to secure access between an enterprise and its partners when communicating over a wireless connection.
Right answer: A. A virtual private network (VPN) helps to secure access between an enterprise and its partners when communicating over an otherwise unsecured channel such as the Internet.
Explanation: A virtual private network (VPN) helps to secure access between an enterprise and its partners when communicating over an otherwise unsecured channel such as the Internet.

Question: How is risk affected if users have direct access to a database at the system level?
A. Risk of unauthorized access increases, but risk of untraceable changes to the database decreases.
B. Risk of unauthorized and untraceable changes to the database increases.
C. Risk of unauthorized access decreases, but risk of untraceable changes to the database increases.
D. Risk of unauthorized and untraceable changes to the database decreases.
Right answer: B. Risk of unauthorized and untraceable changes to the database increases.
Explanation: If users have direct access to a database at the system level, risk of unauthorized and untraceable changes to the database increases.

Question: What is essential for the IS auditor to obtain a clear understanding of network management?
A. Security administrator access to systems
B. Systems logs of all hosts providing application services
C. A graphical map of the network topology
D. Administrator access to systems
Right answer: C. A graphical map of the network topology
Explanation: A graphical interface to the map of the network topology is essential for the IS auditor to obtain a clear understanding of network management.

Question: Why does the IS auditor often review the system logs?
A. To get evidence of password spoofing
B. To get evidence of data copy activities
C. To determine the existence of unauthorized access to data by a user or program
D. To get evidence of password sharing
Right answer: C. To determine the existence of unauthorized access to data by a user or program
Explanation: When trying to determine the existence of unauthorized access to data by a user or program, the IS auditor will often review the system logs.

Question: Atomicity enforces data integrity by ensuring that a transaction is either completed in its entirety or not at all. Atomicity is part of the ACID test reference for transaction processing. True or false?
A. True
B. False
Right answer: A. True
Explanation: Atomicity enforces data integrity by ensuring that a transaction is either completed in its entirety or not at all. Atomicity is part of the ACID test reference for transaction processing.

Question: What would an IS auditor expect to find in the console log? Choose the BEST answer.
A. Evidence of password spoofing
B. System errors
C. Evidence of data copy activities
D. Evidence of password sharing
Right answer: B. System errors
Explanation: An IS auditor can expect to find system errors to be detailed in the console log.

Question: How is the time required for transaction processing review usually affected by properly implemented Electronic Data Interface (EDI)?
A. EDI usually decreases the time necessary for review.
B. EDI usually increases the time necessary for review.
C. Cannot be determined.
D. EDI does not affect the time necessary for review.
Right answer: A. EDI usually decreases the time necessary for review.
Explanation: Electronic data interface (EDI) supports intervendor communication while decreasing the time necessary for review because it is usually configured to readily identify errors requiring follow-up.

Question: What kind of protocols does the OSI Transport Layer of the TCP/IP protocol suite provide to ensure reliable communication?
A. Nonconnection-oriented protocols
B. Connection-oriented protocols
C. Session-oriented protocols
D. Nonsession-oriented protocols
Right answer: B. Connection-oriented protocols
Explanation: The transport layer of the TCP/IP protocol suite provides for connection-oriented protocols to ensure reliable communication.

Question: An IS auditor usually places more reliance on evidence directly collected. What is an example of such evidence?
A. Evidence collected through personal observation
B. Evidence collected through systems logs provided by the organization’s security administration
C. Evidence collected through surveys collected from internal staff
D. Evidence collected through transaction reports provided by the organization’s IT administration
Right answer: A. Evidence collected through personal observation
Explanation: An IS auditor usually places more reliance on evidence directly collected, such as through personal observation.

Question: What topology provides the greatest redundancy of routes and the greatest network fault tolerance?
A. A star network topology
B. A mesh network topology with packet forwarding enabled at each host
C. A bus network topology
D. A ring network topology
Right answer: B. A mesh network topology with packet forwarding enabled at each host
Explanation: A mesh network topology provides a point-to-point link between every network host. If each host is configured to route and forward communication, this topology provides the greatest redundancy of routes and the greatest network fault tolerance.

Question: Which of the following could lead to an unintentional loss of confidentiality? Choose the BEST answer.
A. Lack of employee awareness of a company’s information security policy
B. Failure to comply with a company’s information security policy
C. A momentary lapse of reason
D. Lack of security policy enforcement procedures
Right answer: A. Lack of employee awareness of a company’s information security policy
Explanation: Lack of employee awareness of a company’s information security policy could lead to an unintentional loss of confidentiality.

Question: If senior management is not committed to strategic planning, how likely is it that a company’s implementation of IT will be successful?
A. IT cannot be implemented if senior management is not committed to strategic planning.
B. More likely.
C. Less likely.
D. Strategic planning does not affect the success of a company’s implementation of IT.
Right answer: C. Less likely.
Explanation: A company’s implementation of IT will be less likely to succeed if senior management is not committed to strategic planning.

Question: Key verification is one of the best controls for ensuring that:
A. Data is entered correctly
B. Only authorized cryptographic keys are used
C. Input is authorized
D. Database indexing is performed properly
Right answer: A. Data is entered correctly
Explanation: Key verification is one of the best controls for ensuring that data is entered correctly.

Question: Batch control reconciliation is a _____________________ (fill in the blank) control for mitigating risk of inadequate segregation of duties.
A. Detective
B. Corrective
C. Preventative
D. Compensatory
Right answer: D. Compensatory
Explanation: Batch control reconciliation is a compensatory control for mitigating risk of inadequate segregation of duties.

Question: A core tenet of an IS strategy is that it must:
A. Be inexpensive
B. Be protected as sensitive confidential information
C. Protect information confidentiality, integrity, and availability
D. Support the business objectives of the organization
Right answer: D. Support the business objectives of the organization
Explanation: Above all else, an IS strategy must support the business objectives of the organization.

Question: Proper segregation of duties normally does not prohibit a LAN administrator from also having programming responsibilities. True or false?
A. True
B. False
Right answer: B. False
Explanation: Proper segregation of duties normally prohibits a LAN administrator from also having programming responsibilities.

Question: Who is ultimately accountable for the development of an IS security policy?
A. The board of directors
B. Middle management
C. Security administrators
D. Network administrators
Right answer: A. The board of directors
Explanation: The board of directors is ultimately accountable for the development of an IS security policy.

Question: What should an IS auditor do if he or she observes that project-approval procedures do not exist?
A. Advise senior management to invest in project-management training for the staff
B. Create project-approval procedures for future project implementations
C. Assign project leaders
D. Recommend to management that formal approval procedures be adopted and documented
Right answer: D. Recommend to management that formal approval procedures be adopted and documented
Explanation: If an IS auditor observes that project-approval procedures do not exist, the IS auditor should recommend to management that formal approval procedures be adopted and documented.

Question: Proper segregation of duties prohibits a system analyst from performing quality-assurance functions. True or false?
A. True
B. False
Right answer: A. True
Explanation: Proper segregation of duties prohibits a system analyst from performing quality-assurance functions.

Question: Who is accountable for maintaining appropriate security measures over information assets?
A. Data and systems owners
B. Data and systems users
C. Data and systems custodians
D. Data and systems auditors
Right answer: A. Data and systems owners
Explanation: Data and systems owners are accountable for maintaining appropriate security measures over information assets.

Question: What type of approach to the development of organizational policies is often driven by risk assessment?
A. Bottom-up
B. Top-down
C. Comprehensive
D. Integrated
Right answer: B. Top-down
Explanation: A bottom-up approach to the development of organizational policies is often driven by risk assessment.

Question: A primary benefit derived from an organization employing control self-assessment (CSA) techniques is that it can:
A. Identify high-risk areas that might need a detailed review later
B. Reduce audit costs
C. Reduce audit time
D. Increase audit accuracy
Right answer: C. Reduce audit time
Explanation: A primary benefit derived from an organization employing control self-assessment (CSA) techniques is that it can identify high-risk areas that might need a detailed review later.

Question: What type of risk results when an IS auditor uses an inadequate test procedure and concludes that material errors do not exist when errors actually exist?
A. Business risk
B. Detection risk
C. Residual risk
D. Inherent risk
Right answer: B. Detection risk
Explanation: Detection risk results when an IS auditor uses an inadequate test procedure and concludes that material errors do not exist when errors actually exist.

Question: The use of statistical sampling procedures helps minimize:
A. Detection risk
B. Business risk
C. Controls risk
D. Compliance risk
Right answer: A. Detection risk
Explanation: The use of statistical sampling procedures helps minimize detection risk.

Question: After an IS auditor has identified threats and potential impacts, the auditor should:
A. Identify and evaluate the existing controls
B. Conduct a business impact analysis (BIA)
C. Report on existing controls
D. Propose new controls
Right answer: A. Identify and evaluate the existing controls
Explanation: After an IS auditor has identified threats and potential impacts, the auditor should then identify and evaluate the existing controls.

Question: How does the process of systems auditing benefit from using a risk-based approach to audit planning?
A. Controls testing starts earlier.
B. Auditing resources are allocated to the areas of highest concern.
C. Auditing risk is reduced.
D. Controls testing is more thorough.
Right answer: B. Auditing resources are allocated to the areas of highest concern.
Explanation: Allocation of auditing resources to the areas of highest concern is a benefit of a risk-based approach to audit planning.

Question: What is the PRIMARY purpose of audit trails?
A. To document auditing efforts
B. To correct data integrity errors
C. To establish accountability and responsibility for processed transactions
D. To prevent unauthorized access to data
Right answer: C. To establish accountability and responsibility for processed transactions
Explanation: The primary purpose of audit trails is to establish accountability and responsibility for processed transactions.

Question: As compared to understanding an organization’s IT process from evidence directly collected, how valuable are prior audit reports as evidence?
A. The same value.
B. Greater value.
C. Lesser value.
D. Prior audit reports are not relevant.
Right answer: C. Lesser value.
Explanation: Prior audit reports are considered of lesser value to an IS auditor attempting to gain an understanding of an organization’s IT process than evidence directly collected.

Question (beginning truncated in source): ...controls, they conclude that control risks are within the acceptable limits. True or false?
A. True
B. False
Right answer: A. True
Explanation: IS auditors are most likely to perform compliance tests of internal controls if, after their initial evaluation of the controls, they conclude that control risks are within the acceptable limits. Think of it this way: If any reliance is placed on internal controls, that reliance must be validated through compliance testing. High control risk results in [truncated in source]

Question: What is the primary objective of a control self-assessment (CSA) program?
A. Enhancement of the audit responsibility
B. Elimination of the audit responsibility
C. Replacement of the audit responsibility
D. Integrity of the audit responsibility
Right answer: A. Enhancement of the audit responsibility
Explanation: Audit responsibility enhancement is an objective of a control self-assessment (CSA) program.

Question: A control that detects transmission errors by appending calculated bits onto the end of each segment of data is known as a:
A. reasonableness check.
B. parity check.
C. redundancy check.
D. check digits.
Answer: C. redundancy check.
Explanation: A redundancy check detects transmission errors by appending calculated bits onto the end of each segment of data.
Incorrect answers:
A: A reasonableness check compares data to predefined reasonability limits or occurrence rates established for the data.
B: A parity check is a hardware control that

Question: Which of the following is a data validation edit and control?
A. Hash totals
B. Reasonableness checks
C. Online access controls
D. Before and after image reporting
Answer: B. Reasonableness checks
Explanation: A reasonableness check is a data validation edit and control, used to ensure that data conforms to predetermined criteria.
Incorrect answers:
A: A hash total is a total of any numeric data field or series of data elements in a data file. This total is checked against a control total of the same field or fields to ensure completeness of

Question: In a public key infrastructure (PKI), the authority responsible for the identification and authentication of an applicant for a digital certificate (i.e., certificate subjects) is the:
A. registration authority (RA).
B. issuing certification authority (CA).
C. subject CA.
D. policy management authority.
Answer: A. registration authority (RA).
Explanation: An RA is an entity that is responsible for identification and authentication of certificate subjects, but the RA does not sign or issue certificates. The certificate subject usually interacts with the RA to complete the process of subscribing to the services of the certification authority in terms of getting identity

Question: Company.com has contracted with an external consulting firm to implement a commercial financial system to replace its existing in-house developed system. In reviewing the proposed development approach, which of the following would be of GREATEST concern?
A. Acceptance testing is to be managed by users.
B. A quality plan is not part of the contracted deliverables.
C. Not all business functions will be available on initial implementation.
D. Prototyping is being used to confirm that the system meets business requirements.
Answer: B. A quality plan is not part of the contracted deliverables.
Explanation: A quality plan is an essential element of all projects. It is critical that the contracted supplier be required to produce such a plan. The quality plan for the proposed development contract should be comprehensive and encompass all phases of the development and include which business functions will be included and when. Acceptance is normally

Question: The IS auditor learns that when equipment was brought into the data center by a vendor, the emergency power shutoff switch was accidentally pressed and the UPS was engaged. Which of the following audit recommendations should the IS auditor suggest?
A. Relocate the shut off switch.
B. Install protective covers.
C. Escort visitors.
D. Log environmental failures.
Answer: B. Install protective covers.
Explanation: A protective cover over the switch would allow it to be accessible and visible, but would prevent accidental activation.
Incorrect answers:
A: Relocating the shut off switch would defeat the purpose of having it readily accessible.
C: Escorting the personnel moving the equipment may not have prevented this incident.
D:

Question: Which of the following is a continuity plan test that uses actual resources to simulate a system crash to cost-effectively obtain evidence about the plan's effectiveness?
A. Paper test
B. Post test
C. Preparedness test
D. Walk-through
Answer: C. Preparedness test
Explanation: A preparedness test is a localized version of a full test, wherein resources are expended in the simulation of a system crash. This test is performed regularly on different aspects of the plan and can be a cost-effective way to gradually obtain evidence about the plan's effectiveness. It also provides a

Question: An organization having a number of offices across a wide geographical area has developed a disaster recovery plan (DRP). Using actual resources, which of the following is the MOST cost-effective test of the DRP?
A. Full operational test
B. Preparedness test
C. Paper test
D. Regression test
Answer: B. Preparedness test
Explanation: A preparedness test is performed by each local office/area to test the adequacy of the preparedness of local operations for the disaster recovery.
Incorrect answers:
A: A full operational test is conducted after the paper and preparedness test.
C: A paper test is a structured walkthrough of the DRP and should

Question: A malicious code that changes itself with each file it infects is called a:
A. logic bomb.
B. stealth virus.
C. trojan horse.
D. polymorphic virus.
Answer: D. polymorphic virus.
Explanation: A polymorphic virus has the capability of changing its own code, enabling it to have many different variants. Since they have no consistent binary pattern, such viruses are hard to identify.
Incorrect answers:
A: A logic bomb is code that is hidden in a program or system which will cause something to happen when the user

Question: The initial step in establishing an information security program is the:
A. development and implementation of an information security standards manual.
B. performance of a comprehensive security control review by the IS auditor.
C. adoption of a corporate information security policy statement.
D. purchase of security access control software.
Answer: C. adoption of a corporate information security policy statement.
Explanation: A policy statement reflects the intent and support provided by executive management for proper security and establishes a starting point for developing the security program.

Question: For which of the following applications would rapid recovery be MOST crucial?
A. Point-of-sale system
B. Corporate planning
C. Regulatory reporting
D. Departmental chargeback
Answer: A. Point-of-sale system
Explanation: A point-of-sale system is a critical online system that, when inoperable, will jeopardize the ability of Company.com to generate revenue and track inventory properly.

Question: A hardware control that helps to detect errors when data are communicated from one computer to another is known as a:
A. duplicate check.
B. table lookup.
C. validity check.
D. parity check.
Answer: D. parity check.
Explanation: A parity check will help to detect data errors when data are read from memory or communicated from one computer to another. A one-bit digit (either 0 or 1) is added to a data item to indicate whether the sum of that data item's bits is odd or even. When the parity bit disagrees with the sum of the other bits, an error report is generated.
Incorrect answers:

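The parity check in this question and the redundancy check in the earlier question both work by appending calculated bits to data so that the receiver can detect transmission errors. The following Python is an added example, not code from the page: it attaches an even-parity bit to every byte of a constructed sample segment, appends a CRC-32 (zlib.crc32, standing in for whatever polynomial a real link uses) as the redundancy check, and then injects line errors to show which errors each control catches.

```python
"""Added example: parity bit vs. redundancy (CRC) check on a data segment."""
import zlib

# Constructed sample segment (not from the page): one transaction record.
SAMPLE = b"TXN 0001 ACCT 4417 AMT 125.00"


def parity_bit(byte: int) -> int:
    """Even parity: the bit that makes byte + parity contain an even number of ones."""
    return bin(byte).count("1") & 1


def add_parity(data: bytes) -> list:
    """Sender side: attach a parity bit to every byte, as the parity hardware control does."""
    return [(b, parity_bit(b)) for b in data]


def check_parity(frames: list) -> list:
    """Receiver side: indexes of bytes whose parity bit disagrees with the data bits."""
    return [i for i, (b, p) in enumerate(frames) if parity_bit(b) != p]


def corrupt_byte(frames: list, index: int, mask: int) -> list:
    """Simulate a line error: flip the bits in `mask` of one data byte, parity bit untouched."""
    out = list(frames)
    b, p = out[index]
    out[index] = (b ^ mask, p)
    return out


def append_crc(segment: bytes) -> bytes:
    """Redundancy check: calculated bits (a 32-bit CRC) appended to the end of the segment."""
    return segment + zlib.crc32(segment).to_bytes(4, "big")


def verify_crc(frame: bytes) -> bool:
    """Receiver recomputes the CRC over the body and compares it with the appended bits."""
    body, trailer = frame[:-4], frame[-4:]
    return zlib.crc32(body).to_bytes(4, "big") == trailer


def flip_bits(data: bytes, index: int, mask: int) -> bytes:
    """Simulate a line error on a raw frame (may hit the CRC trailer as well as the body)."""
    out = bytearray(data)
    out[index] ^= mask
    return bytes(out)


def demo() -> dict:
    """Run both controls against injected errors and report what each one noticed."""
    frames = add_parity(SAMPLE)
    crc_frame = append_crc(SAMPLE)
    return {
        # one flipped bit in byte 3: parity reports byte 3
        "parity_single": check_parity(corrupt_byte(frames, 3, 0x01)),
        # two flipped bits in the same byte: parity is even again, the error goes unnoticed
        "parity_double": check_parity(corrupt_byte(frames, 3, 0x03)),
        "crc_clean": verify_crc(crc_frame),
        "crc_single": verify_crc(flip_bits(crc_frame, 3, 0x01)),
        "crc_double": verify_crc(flip_bits(crc_frame, 3, 0x03)),
        # an error that lands on the appended bits themselves is still detected
        "crc_trailer": verify_crc(flip_bits(crc_frame, len(crc_frame) - 1, 0x80)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Parity flags an odd number of flipped bits per byte but is blind to two flips in the same byte; the CRC detects every single- and double-bit error at this frame length, including damage to the check bits themselves, which is why links use a redundancy check rather than per-byte parity alone.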
Question: Which of the following systems-based approaches would a financial processing company employ to monitor spending patterns to identify abnormal patterns and report them?
A. A neural network
B. Database management software
C. Management information systems
D. Computer assisted audit techniques
Answer: A. A neural network
Explanation: A neural network will monitor and learn patterns, reporting exceptions for investigation.
Incorrect answers:
B: Database management software is a method of storing and retrieving data.
C: Management information systems provide management statistics but do not normally have a monitoring and

Question: Which of the following is a telecommunication device that translates data from digital form to analog form and back to digital?
A. Multiplexer
B. Modem
C. Protocol converter
D. Concentrator
Answer: B. Modem
Explanation: A modem is a device that translates data from digital to analog and back to digital.

Question: A LAN administrator normally would be restricted from:
A. having end-user responsibilities.
B. reporting to the end-user manager.
C. having programming responsibilities.
D. being responsible for LAN security administration.
Answer: C. having programming responsibilities.
Explanation: A LAN administrator should not have programming responsibilities but may have end-user responsibilities. The LAN administrator may report to the director of the IPF or, in a decentralized operation, to the end-user manager. In small organizations, the LAN administrator also may be responsible for security administration

Question: A hub is a device that connects:
A. two LANs using different protocols.
B. a LAN with a WAN.
C. a LAN with a metropolitan area network (MAN).
D. two segments of a single LAN.
Answer: D. two segments of a single LAN.
Explanation: A hub is a device that connects two segments of a single LAN. A hub is a repeater. It provides transparent connectivity to users on all segments of the same LAN. It is a level 1 (physical layer) device.
Incorrect answers:
A: A bridge operates at level 2 of the OSI model and is used to connect two LANs using different protocols (e.g., joining an ethernet and

Question: Which of the following BEST describes the necessary documentation for an enterprise product reengineering (EPR) software installation?
A. Specific developments only
B. Business requirements only
C. All phases of the installation must be documented
D. No need to develop a customer specific documentation
Answer: C. All phases of the installation must be documented
Explanation: A global enterprise product reengineering (EPR) software package can be applied to a business to replace, simplify and improve the quality of IS processing. Documentation is intended to help understand how, why and which solutions have been selected and implemented, and therefore must be specific to the project. Documentation

Question: Which of the following translates e-mail formats from one network to another so that the message can travel through all the networks?
A. Gateway
B. Protocol converter
C. Front-end communication processor
D. Concentrator/multiplexor
Answer: A. Gateway
Explanation: A gateway performs the job of translating e-mail formats from one network to another so messages can make their way through all the networks.
Incorrect answers:
B: A protocol converter is a hardware device that converts between two different types of transmissions, such as asynchronous and synchronous

Question: The use of a GANTT chart can:
A. aid in scheduling project tasks.
B. determine project checkpoints.
C. ensure documentation standards.
D. direct the post-implementation review.
Answer: A. aid in scheduling project tasks.
Explanation: A GANTT chart is used in project control. It may aid in the identification of needed checkpoints, but its primary use is in scheduling. It will not ensure the completion of documentation, nor will it provide direction for the post-implementation review.

Question: Which of the following hardware devices relieves the central computer from performing network control, format conversion and message handling tasks?
A. Spool
B. Cluster controller
C. Protocol converter
D. Front end processor
Answer: D. Front end processor
Explanation: A front-end processor is a hardware device that connects all communication lines to a central computer to relieve the central computer.

Question: A critical function of a firewall is to act as a:
A. special router that connects the Internet to a LAN.
B. device for preventing unauthorized users from accessing the LAN.
C. server used to connect authorized users to private trusted network resources.
D. proxy server to increase the speed of access to authorized users.
Answer: B. device for preventing unauthorized users from accessing the LAN.
Explanation: A firewall is a set of related programs, located at a network gateway server, that protects the resources of a private network from users of other networks. An enterprise with an intranet that allows its workers access to the wider Internet installs a firewall to prevent outsiders from accessing its own private data

Question: A sequence of bits appended to a digital document that is used to secure an e-mail sent through the Internet is called a:
A. digest signature.
B. electronic signature.
C. digital signature.
D. hash signature.
Answer: C. digital signature.
Explanation: A digital signature authenticates a transmission from a sender by means of the sender's private cryptographic key. It is a string of bits that uniquely represents another string of bits, the digital document. An electronic signature refers to the string of bits that digitally represents a handwritten signature captured by a

Question: To affix a digital signature to a message, the sender must first create a message digest by applying a cryptographic hashing algorithm against:
A. the entire message and thereafter enciphering the message digest using the sender's private key.
B. any arbitrary part of the message and thereafter enciphering the message digest using the sender's private key.
C. the entire message and thereafter enciphering the message using the sender's private key.
D. the entire message and thereafter enciphering the message along with the message digest using the sender's private key.
Answer: A. the entire message and thereafter enciphering the message digest using the sender's private key.
Explanation: A digital signature is a cryptographic method that ensures data integrity, authentication of the message, and non-repudiation. To ensure these, the sender first creates a message digest by applying a cryptographic hashing algorithm against the entire message and thereafter enciphers the message digest using the sender's

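The two digital-signature questions above describe the same sequence: hash the entire message, then encipher the digest with the sender's private key. The following Python is an added example, not code from the page, that walks through that sequence with a textbook RSA key pair generated in place (Miller-Rabin primes, a seeded RNG so the run is reproducible, and no signature padding). Those are demonstration-only choices: a real implementation uses a padded scheme such as RSA-PSS or an ECDSA/EdDSA signature from a vetted library, never a raw modular exponentiation of a hash. The sign_prefix/verify_prefix helpers are also assumptions added here to show why option B (hashing only an arbitrary part of the message) fails to protect the rest of it.

```python
"""Added example: hash the whole message, then encipher the digest with the private key."""
import hashlib
import random


def _probable_prime(n: int, rng: random.Random, rounds: int = 16) -> bool:
    """Miller-Rabin primality test; adequate for a demonstration key, not for production."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _gen_prime(bits: int, rng: random.Random) -> int:
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1  # force bit length and oddness
        if _probable_prime(cand, rng):
            return cand


def make_keypair(bits: int = 512, seed: int = 20240601):
    """Textbook RSA key pair. The seeded RNG makes the demo reproducible; never do this for a real key."""
    rng = random.Random(seed)
    e = 65537
    while True:
        p, q = _gen_prime(bits // 2, rng), _gen_prime(bits // 2, rng)
        if p != q and (p - 1) % e and (q - 1) % e:  # e must be coprime to (p-1)(q-1)
            break
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return (n, e), (n, d)  # (public key, private key)


def digest_int(message: bytes) -> int:
    """Message digest over the ENTIRE message; a 256-bit value, always smaller than the 512-bit modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message: bytes, private_key) -> int:
    """Sender: encipher the digest with the private key; the result is the digital signature."""
    n, d = private_key
    return pow(digest_int(message), d, n)


def verify(message: bytes, signature: int, public_key) -> bool:
    """Receiver: decipher with the public key and compare with a freshly computed digest."""
    n, e = public_key
    return pow(signature, e, n) == digest_int(message)


def sign_prefix(message: bytes, private_key, k: int) -> int:
    """Option B, deliberately wrong: hash only the first k bytes of the message."""
    return sign(message[:k], private_key)


def verify_prefix(message: bytes, signature: int, public_key, k: int) -> bool:
    return verify(message[:k], signature, public_key)


def demo() -> dict:
    """Sign a constructed message and check what a tampered copy does to each scheme."""
    pub, priv = make_keypair()
    original = b"Transfer 100.00 to account 4417"  # constructed sample message
    altered = b"Transfer 900.00 to account 4417"
    sig = sign(original, priv)
    partial = sign_prefix(original, priv, 8)  # covers only b"Transfer"
    return {
        "genuine": verify(original, sig, pub),
        "tampered": verify(altered, sig, pub),
        "partial_tampered": verify_prefix(altered, partial, pub, 8),
    }


if __name__ == "__main__":
    print(demo())
```

Changing one character of the message changes the SHA-256 digest, so the deciphered signature no longer matches and verification fails; a signature computed over only a prefix still verifies after the amount is altered, which is exactly why the digest has to cover the whole message.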
Question: An IS auditor reviewing the key roles and responsibilities of the database administrator (DBA) is LEAST likely to expect the job description of the DBA to include:
A. defining the conceptual schema.
B. defining security and integrity checks.
C. liaising with users in developing data model.
D. mapping data model with the internal schema.
Answer: D. mapping data model with the internal schema.
Explanation: A DBA only in rare instances should be mapping data elements from the data model to the internal schema (physical data storage definitions). To do so would eliminate data independence for application systems. Mapping of the data model occurs with the conceptual schema since the conceptual schema

Question: A database administrator is responsible for:
A. defining data ownership.
B. establishing operational standards for the data dictionary.
C. creating the logical and physical database.
D. establishing ground rules for ensuring data integrity and security.
Answer: C. creating the logical and physical database.
Explanation: A database administrator is responsible for creating and controlling the logical and physical database. Defining data ownership resides with the head of the user department or top management if the data is common to the organization. IS management and the data administrator are responsible for establishing operational

Question: A data administrator is responsible for:
A. maintaining database system software.
B. defining data elements, data names and their relationship.
C. developing physical database structures.
D. developing data dictionary system software.
Answer: B. defining data elements, data names and their relationship.
Explanation: A data administrator is responsible for defining data elements, data names and their relationship. Choices A, C and D are functions of a database administrator (DBA).

Question: Which of the following tests is an IS auditor performing when a sample of programs is selected to determine if the source and object versions are the same?
A. A substantive test of program library controls
B. A compliance test of program library controls
C. A compliance test of the program compiler controls
D. A substantive test of the program compiler controls
Answer: B. A compliance test of program library controls
Explanation: A compliance test determines if controls are operating as designed and are being applied in a manner that complies with management policies and procedures. For example, if the IS auditor is concerned whether program library controls are working properly, the IS auditor might select a sample of programs to determine if

Question: Which of the following types of data validation editing checks is used to determine if a field contains data, and not zeros or blanks?
A. Check digit
B. Existence check
C. Completeness check
D. Reasonableness check
Answer: C. Completeness check
Explanation: A completeness check is used to determine if a field contains data and not zeros or blanks.
Incorrect answers:
A: A check digit is a digit calculated mathematically to ensure original data was not altered.
B: An existence check also checks entered data for agreement to predetermined criteria.
D:

Question: Which of the following network configuration options contains a direct link between any two host machines?
A. Bus
B. Ring
C. Star
D. Completely connected (mesh)
Answer: D. Completely connected (mesh)
Explanation: A completely connected mesh configuration creates a direct link between any two host machines.
Incorrect answers:
A: A bus configuration links all stations along one transmission line.
B: A ring configuration forms a circle, and all stations are attached to a point on the transmission circle.
C: In a star configuration

Question: The MOST significant level of effort for business continuity planning (BCP) generally is required during the:
A. testing stage.
B. evaluation stage.
C. maintenance stage.
D. early stages of planning.
Answer: D. early stages of planning.
Explanation: Company.com in the early stages of a BCP will incur the most significant level of program development effort, which will level out as the BCP moves into maintenance, testing and evaluation stages. It is during the planning stage that an IS auditor will play an important role in obtaining senior management's commitment to resources and

Question: In an EDI process, the device which transmits and receives electronic documents is the:
A. communications handler.
B. EDI translator.
C. application interface.
D. EDI interface.
Answer: A. communications handler.
Explanation: A communications handler transmits and receives electronic documents between trading partners and/or wide area networks (WANs).
Incorrect answers:
B: An EDI translator translates data between the standard format and a trading partner's proprietary format.
C: An application interface moves

Question: A number of system failures are occurring when corrections to previously detected errors are resubmitted for acceptance testing. This would indicate that the maintenance team is probably not adequately performing which of the following types of testing?
A. Unit testing
B. Integration testing
C. Design walk-throughs
D. Configuration management
Answer: B. Integration testing
Explanation: A common system maintenance problem is that errors are often corrected quickly (especially when deadlines are tight), units are tested by the programmer, and then transferred to the acceptance test area. This often results in system problems that should have been detected during integration or system testing. Integration

Question: An offsite information processing facility having electrical wiring, air conditioning and flooring, but no computer or communications equipment is a:
A. cold site.
B. warm site.
C. dial-up site.
D. duplicate processing facility.
Answer: A. cold site.
Explanation: A cold site is ready to receive equipment but does not offer any components at the site in advance of the need.
Incorrect answers:
B: A warm site is an offsite backup facility that is configured partially with network connections and selected peripheral equipment, such as disk and tape units, controllers and CPUs, to operate an information processing

Question: Which of the following data validation edits is effective in detecting transposition and transcription errors?
A. Range check
B. Check digit
C. Validity check
D. Duplicate check
Answer: B. Check digit
Explanation: A check digit is a numeric value that is calculated mathematically and is appended to data to ensure that the original data have not been altered or an incorrect, but valid, value substituted. This control is effective in detecting transposition and transcription errors.
Incorrect answers:
A: A range check is checking data that

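The check-digit question here, together with the completeness-check and reasonableness-check questions earlier on the page, each describe one data validation edit. The following Python is an added example, not code from the page, that implements those edits and runs them over constructed input records. The page names no particular check-digit algorithm, so the Luhn mod-10 scheme is an assumption; the example shows that it catches both a transcription error (one digit mistyped) and an adjacent transposition, which is the property the question is testing. The field names, limits and tolerance are likewise made up for the demonstration.

```python
"""Added example: data validation edits (completeness, range, reasonableness, check digit)."""


def luhn_check_digit(body: str) -> str:
    """Compute the Luhn (mod 10) check digit to append to a string of digits."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:  # every second digit, starting from the right, is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(value: str) -> bool:
    """Verify a number whose last position carries a Luhn check digit."""
    return value.isdigit() and len(value) > 1 and luhn_check_digit(value[:-1]) == value[-1]


def completeness_check(value: str) -> bool:
    """Field must contain data: not blanks and not all zeros."""
    stripped = value.strip()
    return bool(stripped) and set(stripped) != {"0"}


def range_check(value, low, high) -> bool:
    """Value must fall inside a predefined lower/upper bound."""
    return low <= value <= high


def reasonableness_check(value, typical, tolerance) -> bool:
    """Value must stay within a predefined band around what is usual for this field."""
    return abs(value - typical) <= tolerance


def validate_record(rec: dict) -> list:
    """Run the edits over one input record and return the findings (empty list = accepted)."""
    findings = []
    account = rec.get("account", "")
    if not completeness_check(account):
        findings.append("account: completeness check failed (blank or zeros)")
    elif not luhn_valid(account):
        findings.append("account: check digit failed (transcription or transposition error)")
    if not range_check(rec.get("qty", 0), 1, 500):
        findings.append("qty: range check failed (expected 1..500)")
    if not reasonableness_check(rec.get("amount", 0.0), 120.0, 60.0):
        findings.append("amount: reasonableness check failed (outside usual 60..180)")
    return findings


# Constructed sample records (not from the page). The account body 7992739871 gets check digit 3.
GOOD_ACCOUNT = "7992739871" + luhn_check_digit("7992739871")
RECORDS = [
    {"account": GOOD_ACCOUNT, "qty": 3, "amount": 125.0},   # clean record
    {"account": "79927398173", "qty": 3, "amount": 125.0},  # '7' and '1' transposed
    {"account": "79927399713", "qty": 3, "amount": 125.0},  # '8' transcribed as '9'
    {"account": "00000000000", "qty": 0, "amount": 1250.0},  # zeros, out of range, unreasonable
]


def run_edits(records=RECORDS) -> list:
    """Findings per record, in input order."""
    return [validate_record(r) for r in records]


if __name__ == "__main__":
    for rec, findings in zip(RECORDS, run_edits()):
        print(rec["account"], findings or "accepted")
```

The Luhn digit detects every single-digit substitution and every adjacent transposition except 09 and 90, which is what makes a check digit useful against keying errors; it says nothing about whether the account exists, which is the job of an existence or validity check against a master file.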
Question: Structured programming is BEST described as a technique that:
A. provides knowledge of program functions to other programmers via peer reviews.
B. reduces the maintenance time of programs by the use of small-scale program modules.
C. makes the readable coding reflect as closely as possible the dynamic execution of the program.
D. controls the coding and testing of the high-level functions of the program in the development process.
Answer: B. reduces the maintenance time of programs by the use of small-scale program modules.
Explanation: A characteristic of structured programming is smaller, workable units. Structured programming has evolved because smaller, workable units are easier to maintain. Structured programming is a style of programming which restricts the kinds of control structures. This limitation is not crippling. Any program

Question: A call-back system requires that a user with an id and password call a remote server through a dial-up line, then the server disconnects and:
A. dials back to the user machine based on the user id and password using a telephone number from its database.
B. dials back to the user machine based on the user id and password using a telephone number provided by the user during this connection.
C. waits for a redial back from the user machine for reconfirmation and then verifies the user id and password using its database.
D. waits for a redial back from the user machine for reconfirmation and then verifies the user id and password using the sender's database.
Answer: A. dials back to the user machine based on the user id and password using a telephone number from its database.
Explanation: A call-back system in a net-centric environment would mean that a user with an id and password calls a remote server through a dial-up line first, and then the server disconnects and dials back to the user machine based on the user id and password using a telephone number from its database. Although the server can

Question: Which of the following is a benefit of using callback devices?
A. Provide an audit trail
B. Can be used in a switchboard environment
C. Permit unlimited user mobility
D. Allow call forwarding
Answer: A. Provide an audit trail
Explanation: A callback feature hooks into the access control software and logs all authorized and unauthorized access attempts, permitting the follow-up and further review of potential breaches. Call forwarding (choice D) is a means of potentially bypassing callback control. By dialing through an authorized phone number

Question: Which of the following devices extends the network and has the capacity to store frames and act as a storage and forward device?
A. Router
B. Bridge
C. Repeater
D. Gateway
Answer: B. Bridge
Explanation: A bridge connects two separate networks to form a logical network (e.g., joining an ethernet and token network) and has the storage capacity to store frames and act as a store-and-forward device. Bridges operate at the OSI data link layer by examining the media access control header of a data packet.
Incorrect answers:

Question: Which of the following is MOST likely to result from a business process reengineering (BPR) project?
A. An increased number of people using technology
B. Significant cost savings, through a reduction in the complexity of information technology
C. Weaker organizational structures and less accountability
D. Increased information protection (IP) risk
Answer: A. An increased number of people using technology
Explanation: A BPR project more often leads to an increased number of people using technology, and this would be a cause for concern.
Incorrect answers:
B: As BPR is often technology oriented, and this technology is usually more complex and volatile than in the past, cost savings do not often materialize in this area.
D: There is no

Question: Which of the following is a dynamic analysis tool for the purpose of testing software modules?
A. Blackbox test
B. Desk checking
C. Structured walk-through
D. Design and code
Answer: A. Blackbox test
Explanation: A blackbox test is a dynamic analysis tool for testing software modules. During the testing of software modules a blackbox test works first in a cohesive manner as one single unit/entity, consisting of numerous modules, and second, with the user data that flows across software modules. In some cases, this even drives the software behavior.
Incorrect

Question: IS management has decided to rewrite a legacy customer relations system using fourth generation languages (4GLs). Which of the following risks is MOST often associated with system development using 4GLs?
A. Inadequate screen/report design facilities
B. Complex programming language subsets
C. Lack of portability across operating systems
D. Inability to perform data intensive operations
Answer: D. Inability to perform data intensive operations
Explanation: Portability is also one of the main advantages of 4GLs.

Fragment of the next question, carried over in the same row:
Question: Which of the following would be the BEST method for ensuring that critical fields in a master record have been updated properly?
Options recoverable from the row: Field checks; Control totals; Reasonableness checks; A before-and-after maintenance report.
