Chapter 8

Question 1

the Trust Services Framework reliability principle that states that users must be able to enter, update and retrieve data during agreed upon times is known as

Answer 1

availability

Question 2

According to the Trust Services Framework, the reliability principle of integrity is achieved when the system produces data that

Answer 2

is complete, accurate, and valid

Question 3

The three fundamental information security concepts

Answer 3

1. security is a technology issue based on prevention
2. the idea of defense in depth employs multiple layers of controls
3. the time based model of security focuses on the relationship between preventive, detective and corrective controls

Question 4

some of the essential criteria for successfully implementing each of the principle that contribute to systems reliability, as discussed in the Trust Services Framework

Answer 4

1. developing and documenting policies
2. designing and employing appropriate control procedures to implement policies
3. monitoring the system and taking corrective action to maintain compliance with policies

Question 5

Who was a part below who was involved with developing the Trust Services Framework

Answer 5

AICPA (American Institute of CPAs)

Question 6

information security procedures protect information integrity by

Answer 6

preventing fictitious transactions

Question 7

identify one aspect of systems reliability that is not a source of concern with regards to a public cloud

Answer 7

efficiency

Question 8

identify the primary means of protecting data stored in a cloud from unauthorized access

Answer 8

authentication

Question 9

Virtualization refers to the ability of

Answer 9

running multiple systems simultaneously on one physical computer

Question 10

True or False: Cloud computing can potentially generate significant cost savings for an organization

Answer 10

True

Question 11

True or False: Cloud computing is traditionally more secure than traditional computing

Answer 11

False

Question 12

The Trust Services Framework reliability principle that states sensitive information be protected from unauthorized disclosure is known as

Answer 12

confidentiality

Question 13

The Trust Services Framework reliability principle that stats personal information should be protected from unauthorized disclosure is known as

Answer 13

privacy

Question 14

The Trust Services Framework reliability principle that states access to the system and its data should be controlled and restricted to legitimate users is known as

Answer 14

security

Question 15

What is not a useful way to control procedure regarding access to system outputs

Answer 15

allowing visitors to move through the building without supervision

Question 16

verifying the identity of the person or device attempting to access the system is an example of

Answer 16

authentication

Question 17

restricting access of users to specific portions of the system as well as specific tasks, is an example of

Answer 17

authorization

Question 18

this is an example of a preventative control

Answer 18

encryption

Question 19

this is an example of a detective control

Answer 19

log analysis

Question 20

what is an example of a corrective control

Answer 20

incident response teams

Question 21

multi factor authentication

Answer 21

involves the use of two or more basic authentication methods

Question 22

identify the best description of an access control matrix below

Answer 22

is a table specifying which portions of the system users are permitted to access

Question 23

perimeter defense is an example of which preventative controls that are necessary to provide adequate security

Answer 23

controlling remote access

Question 24

which preventative controls are necessary to provide adequate security for social engineering threats

Answer 24

awareness training

Question 25

a special purpose hardware device or software running on a general purpose computer, which filters information that is allowed to enter and leave the organization’s information system, is known as a

Answer 25

firewall

Question 26

this protocol specifies the procedures for dividing files and documents into packets to be sent over the Internet.

Answer 26

transmission control protocol

Question 27

This protocol specifies the structure of packets sent over the internet and the route to get the to the proper destination

Answer 27

internet protocol

Question 28

This network access control determines which IP packets are allowed entry to a network and which are dropped

Answer 28

access control list

Question 29

a list of authorized users, programs, and data files the users are authorized to access or manipulate, compatibility tests utilize this

Answer 29

access control matrix

Question 30

the process that screens individual IP packets based solely on the contents of the source and/or destination fields in the packet header is known as

Answer 30

static packet filtering

Question 31

the process of maintaining a table listing all established connections between the organization’s computers and the internet to determine whether an incoming packet is part of an ongoing communication initiated by an internal computer is known as

Answer 31

stateful packet filtering

Question 32

the process that allows a firewall to be more effective by examining the data in the body of an IP packet, instead of just the header, is known as

Answer 32

deep packet inspection

Question 33

the security technology that evaluates P packet traffic patterns in order to identify attacks against a system is known as

Answer 33

an intrusion prevention system

Question 34

this is used to identify rogue modems (or by hackers to identify targets)

Answer 34

war dialing

Question 35

the process of turning off unnecessary features in the system is known as

Answer 35

hardening

Question 36

the most common input related vulnerability is

Answer 36

buffer overflow attack

Question 37

this keeps a record of the network traffic permitted to pass through the firewall

Answer 37

intrusion detection system

Question 38

the process that uses automate tools to identify whether a system possesses any well known security problems is known as

Answer 38

vulnerability scan

Question 39

an authorized attempt by an internal audit team or an external security consultant to attempt to break into the organization’s information system

Answer 39

penetration test

Question 40

this person disseminates information about fraud, errors, breaches and other improper system uses and their consequences

Answer 40

chief security officer

Question 41

hiring a security firm to attempt to compromise a computer network and being successful at entering the system without being detected and then presented an analysis of the vulnerabilities that had been found is an example of a

Answer 41

detective control

Question 42

this commonly true of the default settings for most commercially available wireless access points

Answer 42

security is set to the lowest level that the device is capable of

Question 43

in recent years, many of the attacks carrie out by hackers have relied on this type of vulnerability in computer software

Answer 43

buffer overflow

Question 44

Each employee is provided with a name badge with a photo and embedded computer chip that is used to gain entry to the facility. this is an example of an

Answer 44

authentication control

Question 45

When new employees are hired by Pacific technologies, they are assigned user names and appropriate permissions are entered into the information system’s access control matrix. This is an example of a

Answer 45

authorization control

Question 46

the most effective way to protect network resources that are exposed to the internet, yet reside outside of a network is

Answer 46

a demilitarized zone

Question 47

All employees of E.C. Hoxy are required to pass through a gate and present their photo identification cards to the guard before they are admitted. Entry to secure areas, such as the Information Technology Department offices, requires further procedures. This is an example of a

Answer 47

physical access control

Question 48

Identify three ways users can be authenticated and give an example of each

Answer 48

1. something they know (password)
2. something hey have (smart card or ID)
3. something they are (biometric identification of fingerprint

Question 49

describe four requirements of effective passwords

Answer 49

1. Strong passwords should be at least 8 characters
2. Passwords should use a mixture of upper and lowercase letters, numbers and characters
3. Passwords should be random and not words found in dictionaries
4. Passwords should be changed frequently

Question 50

connects an organization’s information system to the internet

Answer 50

border router

Question 51

permits controlled access from the internet to selected resources

Answer 51

a demilitarized zone

Question 52

the most important element of any preventive control is

Answer 52

the people