Chapter 4: Identity and Access Management - Section A

Question 1

Introduction: Identification and authentication is important because it establishes what?

Answer 1

User Accountability

Question 2

Introduction: What is the first line of defense for most systems

Answer 2

Identification and authentication

Question 3

Introduction: Logical access can be implemented in a few ways (T or F)

Answer 3

False. It can be implemented in various ways

Question 4

Introduction: Logical security is often determined based on?

Answer 4

The job function of the users

Question 5

Introduction: The success of logical access controls is tied to the what?

Answer 5

Strength of the authentication method

Question 6

Introduction: What is usually the form of authorization?

Answer 6

Signatures either physical or electronic

Question 7

Introduction: The strength of the ________ is proportional to the quality of method used

Answer 7

Authentication

Question 8

System Access Permission: System access permission is the prerogative to act on a computer resources (T or F)

Answer 8

True

Question 9

System Access Permission: Usually refers to an administrative privilege (T or F)

Answer 9

False. Technical

Question 10

System Access Permission: It is established, managed, and controlled at the physical and not logical level (T or F)

Answer 10

False. Both levels

Question 11

System Access Permission: Logical system access controls built into what? Invoked by what? And Incorporated into what?

Answer 11

Operating system; Access control software, application programs

Question 12

System Access Permission: Physical or logical system access to any computerized information should be on what basis?

Answer 12

Need to know/ least privilege

Question 13

System Access Permission: What are the other considerations for granting access and must be used by IS auditors when determining the criteria for defining permissions.

Answer 13

Accountability and traceability

Question 14

System Access Permission: What are the four layers of logical security?

Answer 14

1. Networks
2. Platforms
3. Databases
4. Applications

Question 15

System Access Permission: The four layers of security for system access provides what to information resources?

Answer 15

Greater scope and granularity of control

Question 16

System Access Permission: Determine what layer of security is being described here

pervasive general
systems control over users authenticating into systems, system software

Answer 16

Network and platform layers

Question 17

System Access Permission: Determine what layer of security is being described here

generally provide a greater degree of
control over user activity within a particular business process by controlling
access to records, specific data fields and transactions

Answer 17

Database and application controls

Question 18

System Access Permission: The information owner who’s responsible for the information should provide what? And handed over to who?

Answer 18

Written authorization for users; security administrators

Question 19

System Access Permission: Which principles should the IS auditor take into account when determining access to systems

Answer 19

Need to know, least privilege, SoD

Question 20

System Access Permission: Who implements logical access capabilities

Answer 20

Security Administrator

Question 21

System Access Permission: Reviews of access authorization must be what? To ensure the validity

Answer 21

Evaluated regularly

Question 22

System Access Permission: Personnel and departmental changes, malicious efforts, and
just plain carelessness result in authentication creep (T or F)

Answer 22

False. Authorization

Question 23

System Access Permission: What is a good practice when it comes to avoiding authorization creep

Answer 23

Integrating review of access rights with human resource processes.

Question 24

System Access Permission: Non Employees with access to corporate IS resources should also be held responsible for security compliance and be accountable for security breaches despite not being part of the organization (T or F)

Answer 24

True

Question 25

Mandatory and Discretionary Access Controls: are logical access control filters used to validate access credentials that cannot be controlled or modified by normal users or data owners;

Answer 25

Mandatory Access Controls

Question 26

Mandatory and Discretionary Access Controls: MAC acts by default (T or F)

Answer 26

True

Question 27

Mandatory and Discretionary Access Controls: Controls that may be configured or modified by the users or data owners

Answer 27

Discretionary access controls

Question 28

Mandatory and Discretionary Access Controls: MACs only allow management to change the category of a resource (T or F)

Answer 28

False. Administrators ang dapat magpalit

Question 29

Mandatory and Discretionary Access Controls: MACs are extremely prohibitive in nature. Only those explicitly and implicitly stated in the access are allowed (T or F)

Answer 29

False. Only explicitly permitted are allowed

Question 30

Mandatory and Discretionary Access Controls: DACs cannot override MACs even if owners allow it (T or F)

Answer 30

True. DACs can never overried MACs

Question 31

Mandatory and Discretionary Access Controls: MACs are a good choice to enforce a middle level of critical security without possible exception, if this is required by corporate security policies or other security rules. (T or F)

Answer 31

False. good choice to enforce ground level dapat

Question 32

are the primary means used to manage and protect information assets

Answer 32

Logical Access controls

Question 33

Logical Access: Logical access controls substantiate what?

Answer 33

The management designed policies and procedures

Question 34

Logical Access Exposures: technical exposures exist due to?

Answer 34

Accidental or Intentional exploitation

Question 35

Logical Access: What should the IS auditor analyze?

Answer 35

The effectiveness of logical access controls in achieving information security objectives

Question 36

Logical Access Exposures: Intentional exploitation might lead to?

Answer 36

Computer crime

Question 37

Logical Access Exposures: All computer crimes exploit technical exposures (T or F)

Answer 37

False. Not all computer crimes exploit technical exposures

Question 38

Logical Access Exposures: are the unauthorized activities interfering with normal processing

Answer 38

Technical exposures

Question 39

Logical Access Exposures: Involves siphoning or leaking information out of the compute

Answer 39

Data Leakage

Question 40

Logical Access Exposures: data leakage may become undetected because it leaves the originical copy (T or F)

Answer 40

True

Question 41

Logical Access Exposures: Computer shutdown can be initiated online and via the internet (T or F)

Answer 41

True

Question 42

Logical Access Exposures: Which individuals can initiate a shutdown process

Answer 42

People who know a high-level log on ID

Question 43

Logical Access Exposures: What are the limitations of the High level log on ID security measures for computer shutdown

Answer 43

It is only effective if proper security access controls are in place

Question 44

Familiarization With the Enterprise’s IT Environment: For IS auditors to effectively assess logical access controls within their organization, they first need to

Answer 44

gain a technical and organizational understanding of the organization’s IT environment.

Question 45

Familiarization With the Enterprise’s IT Environment: Includes reviewing the?

Answer 45

Network, OS platform, database, and application security layers

Question 46

Paths of Logical Access: Points of entry to an organization can be through multiple avenues (T or F)

Answer 46

True

Question 47

Paths of Logical Access: When does a direct path of access (mainframe) happen?

Answer 47

1. IS environment is under the direct control of the main systems 2. Uses are locally known 3. Well defined access profiles

Question 48

Paths of Logical Access: Direct access related to a LAN is simpler (T or F)

Answer 48

False

Question 49

Paths of Logical Access: The resources in a LAN have similar access paths (T or F)

Answer 49

False. Different paths

Question 50

Paths of Logical Access: What is the most common configuration?

Answer 50

A combination of direct, local, and remote.

Question 51

Paths of Logical Access: How do you increase the complexity?

Answer 51

Intermediate devices

Question 52

Paths of Logical Access: Examples of access path through common nodes are?

Answer 52

Back end and front end interconnected network

Question 53

Paths of Logical Access: Which is used for untrusted networks front or back end?

Answer 53

Front end

Question 54

Paths of logical access: Can front end networks be internally based?

Answer 54

Yes

Question 55

General points of entry: General points of entry control the access from

Answer 55

The organizations infrastructure to its information resources

Question 56

General points of entry: Connectivity in this environment needs to be controlled through a smaller set of __ ___ ___ (servers), which enable a user to obtain access to specific __ ___ __(e.g., application servers and databases)

Answer 56

primary domain controllers secondary points of entry

Question 57

General points of entry: The approach is based on

Answer 57

Client - Server model

Question 58

General points of entry: network management devices examples

Answer 58

Firewalls and routers

Question 59

General points of entry: Linking PC to an organization’s network infrastructure

Answer 59

Network Connectivity

Question 60

General points of entry: At a minimum, access to a segment of an organization's network infrastructure needs?

Answer 60

Identification and authentication to a domain controlling server

Question 61

General points of entry: In remote access, complete access to view all network resources usually requires

Answer 61

Virtual Private Network

Question 62

General points of entry: Remote access points of entry can be extensive and should be ?

Answer 62

Centrally controlled

Question 63

General points of entry: Organization should know all the points of entry into the information resource infrastructure (T or F)

Answer 63

True

Question 64

General points of entry: IS auditors should do what?

Answer 64

1. IF all points of entry are identified 2. Support management to identify all access paths