5.14/5.14.1 Testing Technique For Security Controls Flashcards
What can an auditor do to test confidentiality?
He could attempt to guess the passwords of a sample of employees
Walk into staff offices to check that passwords are not written down on paper or elsewhere
What can an auditor do to test encryption?
View the password table and check whether the passwords are encrypted
What can an auditor do to test access authorisation?
Review a sample of access authorisations to determine whether proper authority has been provided and whether the authorisation was correctly granted
How can an auditor test for the disabling of inactive logon IDs?
Obtain an extract of active logon IDs and match it against the list of current employees, ensuring there are no discrepancies
How can an auditor test password syntax?
The auditor should attempt to create a password in an invalid format (too short, too long, a repeat of a previous password, etc.)
How can an auditor test the controls over the production environment?
Work with the software analyst and operations manager to determine whether access is on a need-to-know basis. Work with the security administrator to determine who can access the resource and what they can do with it
How can an auditor test the reporting of access violations?
The auditor should attempt to access unauthorised transactions or data on the computer. The attempt should be unsuccessful and identified on the security report. The auditor should also assess the effectiveness of the security administrator's response to access violations
What can an auditor do to review access controls and password administration?
Ensure procedures exist
Ensure passwords cannot be easily guessed
Ensure passwords are periodically changed
Regularly review access capabilities