CISA Revision

Question 1

Audit Charter

Answer 1

The audit charter should state management’s objectives for and delegation of authority to IS audit. Should be approved at the highest levels of management, and should outline the overall authority scope, and responsibilities of the audit function. Should not significantly change over time.

Question 2

IT Balanced Scorecard

Answer 2

An IT business governance tool aimed at monitoring IT performance evaluation indicators OTHER THAN financial results. It considers other key success factors such as customer satisfaction, innovation capacity, and processing.

Question 3

Stop or Freezing Point during New System Design

Answer 3

Requires that changes made after that point be evaluated for cost-effectiveness. Used to allow for a review of the cost-benefits and the payback period.

Question 4

Clustered Server Setup

Answer 4

Makes the entire network vulnerable to natural disasters or other disruptive events. Not recommended for high-availability network configurations.

Question 5

Logical Access Controls

Answer 5

The PRIMARY safeguard for securing software and data within an information processing facility.

Question 6

The most important criterion when selecting a location for an offsite storage facility for IS backup files.

Answer 6

The offsite facility must be PHYSICALLY SEPARATED from the data center and not subject to the same risks as the primary data center.

Question 7

Attribute Sampling

Answer 7

The primary sampling method used for compliance testing. AS is used to estimate the rate of occurance of a specific quality (attribute) AND is used in compliance testing to confirm whether the quality exists.

Question 8

Monitoring an outsourced provider’s performance.

Answer 8

The MOST important function to be performed by IS management when a service has been outsourced. This is critical to ensure that services are delivered to the company as required.

Question 9

Parallel Run

Answer 9

The system and data conversion strategy that provides the GREATEST redundancy. The safest and the most expensive approach.

Question 10

Adequate and most appropriate compensating control to track after-hours database changes.

Answer 10

Use the DBA user account to make changes. Log the changes and review the change log the following day.

Question 11

Intrusion Detection System (IDS)

Answer 11

Gathers evidence on intrusive attack or penetration attempt activity.

Question 12

Business Continuity Plan (BCP) covers only critical processes. The IT auditor should:

Answer 12

Revisit and/or update the Business Impact Analysis (BIA) to assess the risk of not covering all processes in the plan.

Question 13

Audit Planning : Assessment of Risk

Answer 13

Should be made to provide REASONABLE ASSURANCE that the audit will cover MATERIAL items.

Question 14

Training provided on a regular basis to all current and new employees.

Answer 14

The MOST LIKELY element of a security awareness program.

Question 15

Function Point Analysis

Answer 15

An indirect method of measuring the size of an application by considering the number and complexity of its inputs, outputs, and files. Is useful for evaluating complex applications.

Question 16

PERT (Program evaluation review technique)

Answer 16

A project management technique that helps with both planning and control.

Question 17

SLOC (Counting source lines of code)

Answer 17

A direct measure of program size. Does NOT allow for the complexity that may be caused by having multiple, linked modules and a variety of inputs and outputs.

Question 18

White Box Testing

Answer 18

Involves a detailed review of the behavior of program code, and is a quality assurance technique suited to simpler applications during the design and build stage of development.

Question 19

Security patch installations

Answer 19

Should always be part of a good change management process.

Question 20

Degaussing obsolete magnetic tapes

Answer 20

The best way to remove data from magnetic tapes. Leaves a very low residue of magnetic induction. Overwriting or erasing tapes may cause magnetic errors but may not remove the data completely. Tape label initialization does not remove the data that follows the label.

Question 21

The MOST important concern when auditing backup, recovery, and the offsite storage vault

Answer 21

That the data files stored in the vault are synchronized.

Question 22

When evaluating the collective effort of preventive, detective, or corrective controls within a process, an IS auditor should be aware of:

Answer 22

The point at which controls are EXERCISED as data flow through the system.

Question 23

The BEST audit technique to use to determine whether there have been unauthorized program changes since the last authorized program update

Answer 23

Automated code comparision: automated, efficient technique to determine whether the two versions correspond. Test data runs only allow for processing verification. Code review will only detect potential errors or inefficient statements.

Question 24

IT Control Objectives

Answer 24

The statement of the desired result or purpose to be achieved by implementing control procedures in a particular IT activity.

Question 25

The PRIMARY purpose for conducting parallel testing is:

Answer 25

To ensure that the implementation of a new system will meet user requirements.

Question 26

An analysis of peaking/saturated WAN links should result in:

Answer 26

Analysis to establish whether this is a regular pattern and what causes this behavior before expenditure on a larger line capacity is recomended.

Question 27

Immunizers

Answer 27

Defends against viruses by appending sections of themselves to files. They continuously check the file for changes and report changes as possible viral behavior.

Question 28

Behavior blockers

Answer 28

Focus on detecting potentially abnormal behavior, such as writing to the boot sector or MBR, or making changes to EXEs.

Question 29

CRCs (Cyclical Redundancy Checkers)

Answer 29

Compute a binary number on a known virus-free program that is then stored in a database file. When that program is subsequently called to be executed, the checkers look for changes to the files, compare them to the database, and report possible infection if changes have occurred.

Question 30

Active Monitors

Answer 30

Interpret DOS and ROM BIOS calls, looking for virus-like actions.

Question 31

The DR/Continuity Plan component that provides the GREATEST assurance of post-disaster recovery:

Answer 31

That an alternate facility will be available until the original information processing facility is restored.

Question 32

Email systems have become a useful source of litigation evidence BECAUSE:

Answer 32

Multiple cycles of backup files remain available, and documents that have been deleted could potentially be recovered from these files.

Question 33

By evaluating application development projects against the Capability Maturity Model (CMM), an IS auditor should be able to verify that:

Answer 33

Stable, predictable software processes are being followed. However, CMM does NOT guarantee a reliable product, nor does it evaluate technical processes, security requirements, or other application controls.

Question 34

The MOST IMPORTANT element for the successful implementation of IT governance is:

Answer 34

The identification of organizational strategies. This is necessary to ensure the alignment between IT and corporate governance. The KEY objective of IT governance is to support the business.

Question 35

Stress testing

Answer 35

Is carried out to ensure that a system can cope with production workloads. A test environment should always be used to avoid damaging the production environment - testing should never take place in a production enviroment. Live workloads should always be used, however, to ensure that the system was stress tested adequately.

Question 36

Periodic checking of hard drives.

Answer 36

The MOST effective way to detect and identify the loading of illegal software packages onto a network.

Question 37

Which control best mitigates the risk of undetected and unauthorized program changes being made in the production environment by developers?

Answer 37

Hash key generation. The matching of hash keys over time would allow detection of changes to files.

Question 38

Naming conventions for system resources are important for access control because they:

Answer 38

Reduce the number of rules required to adequately protect resources. This facilitates security administration and maintenance efforts, and allows for the grouping of resources and files by application.

Question 39

When faced with multiple minor control weaknesses, the IS auditor’s audit report should:

Answer 39

Record the observations and the risk arising from the COLLECTIVE effect of the weaknesses.

Question 40

It IS appropriate for an IT auditor to request and review a copy of a BCP from each vendor that provides outsourced services.

Answer 40

TRUE: An IS auditor will evaluate the adequacy of the service bureau’s BCP and assist their company in implementing a complementary plan. The primary responsibility of an IS auditor is to assure that the company assets are being safeguarded, even if the assets do not reside on the immediate premises.

Question 41

The PRIMARY concern with using RFID (radio frequency identification) is:

Answer 41

Issues of privacy. The purchaser (P) may not be aware of the tags, and credit card purchases may be able to be tied back to the identity of P. Because RFID can carry unique identifers, it could be possible for a firm to track Ps who purchase items containing RFIDs.

Question 42

A proprietary software application purchase contract SHOULD provide for:

Answer 42

A source code agreement that provides for the placement of the source code into escrow, ensuring that the purchaser will have the opportunity to modify the software should the vendor cease to be in business.

Question 43

When faced with control weaknesses, the IS auditor should stress that:

Answer 43

A comprehensive system control framework is necessary. Ex. effective access controls may not sufficiently compensate for other detective control weaknesses. The IS auditor has a FUNDAMENTAL obligation to point out control weaknesses that give rise to unacceptable risks to the organization, and work with management to have these corrected.

Question 44

Simultaneous duplication of logs onto a write-once disk, helps to:

Answer 44

Detect changes made by unauthorized intruders to systems/platforms.

Question 45

Application-level Gateway

Answer 45

Provides the BEST protection against hacking attempts. It can define with detail rules that describe the type of user or connection that is or is not permitted. Analyzes ALL layers of the OSI. Remote Access servers require a user name/password, but can still be mapped or scanned. Proxy servers provide protection based on an IP adresses and ports, and can be complex or difficult to configure for multiple applications. Port scanning doesn’t help with controlling Internet content, or when all ports need to be controlled.

Question 46

Which is the MOST effective and environmentally friendly method of supressing a fire in a data center?

Answer 46

Dry-pipe water sprinkers, with an automatic power shut-off system. The pipes must be dry-pipe so as to avoid leakage. Halon is efficient and doesn’t threaten human life, but it is environmentally damaging and very expensive. Carbon Dioxide threatens human life (but is safe for the environment), and therefore cannot be set to automatic release.

Question 47

Which finding would be MOST critical during an audit of a BCP?

Answer 47

Absence of a backup for the network backbone. This failure will impact the ability of all users to access information on the network.

Question 48

The SUCCESS of control self-assessment (CSA) depends highly on:

Answer 48

Having line managers assume a portion of the responsibility for control monitoring. The primary objective of a CSA program is to leverage the internal audit function by shifting some of the control monitoring responsibilities to the functional area line managers.

Question 49

1. Non-existent 2. Initial 3. Repeatable 4. Defined 5. Managed 6.Optimized

Answer 49

These are rankings used by the Information Security Governance Maturity Model. When responsibilites for IT security are clearly assigned and enforced, and an IT Security Risk and Impact Analysis is consistently performed, it is said to be managed and measurable.

Question 50

Which type of testing would confirm that a new or modified system can operate in its target environment without adversely impacting EXISTING systems?

Answer 50

SOCIABILITY testing. PARALLEL testing is the process of feeding data into 2 systems and comparing the results. PILOT testing takes place first at one location and then is extended to other locations. INTERFACE/INTEGRATION testing is a HW or SW test that evaluates the connection of 2 or more components that pass info from one area to another.

Question 51

Documentation of a business case used in an IT development project should be retained until:

Answer 51

The end of the system’s life cycle.

Question 52

Which type of firewall provides the GREATEST degree and granularity of control?

Answer 52

The APPLICATION GATEWAY firewall - it has specific proxies for each TCP/IP service, and filters traffic across OSI L3-L7. A Screening Router and a Packet Filter works at the protocol, service and/or port level (L3-L4). A Circuit Gateway is based on a proxy or program that acts as an intermediary between external and internal accesses (L3/L4).

Question 53

To ensure message integrity, confidentiality, and nonrepudiation between 2 parties, the MOST effective method would be to create a message digest by applying a cryptographic hashing algorithm against:

Answer 53

The ENTIRE message, enciphering the MESSAGE DIGEST using the SENDER’S PRIVATE KEY (nonrepudiation), enciphering the MESSAGE with a SYMMETRIC KEY, and enciphering the KEY by using the RECEIVER’S PUBLIC KEY (confidentiality and receiver nonrepudiation).

Question 54

What is the initial step in creating a firewall policy?

Answer 54

Identification of network applications to be externally accessed.

Question 55

In a BCP, the MAJOR risk with not defining the point at which a situation could be declared a crisis is:

Answer 55

That execution of the DRP/BCP could be impacted.

Question 56

A top-down approach to the development of operational policies will help ensure:

Answer 56

That they are consistent across the organization. A bottom-up approach would be derived as a result of risk assessment.

Question 57

Which approach will BEST ensure the successful offshore development of business applications?

Answer 57

Detailed and correctly applied specifications.

Question 58

The FIRST step in managing the risk of a cyberattack is to:

Answer 58

Identify critical information assets. After this, the next steps include identifying the threats and vulnerabilities, and calculating potential damages.

Question 59

Which component of network architecture acts as a decoy to detect active Internet attacks?

Answer 59

HONEYPOTS - these are computer systems that are expressly set up to attract and trap individuals who attempt to penetrate others individuals’ computer systems. They can provide data on methods used to attack systems. FIREWALLS are basically preventative measures. TRAPDOORS create a vulnerability that provides an opportunity for the insertion of unauthorized code into a system. TRAFFIC ANALYSIS is a type of passive attack.

Question 60

NEURAL networks are effective in detecting FRAUD because they can:

Answer 60

Attack problems that require consideration of a large number of input variables. They can capture relationships and patterns, BUT NOT new trends. Neural networks will not work well at solving problems for which sufficiently large and general sets of training data are not obtainable.

Question 61

Which computers would be of the MOST concern to an IS auditor reviewing a VPN implementation?

Answer 61

The at-home computers of employees who connect via VPN. These are least subject to corporate security policies, and are, therefore, high-risk.

Question 62

When developing a risk-based audit strategy, an IS auditor should conduct a risk assessment to ENSURE that:

Answer 62

Vulnerabilities and threats are indentified. This will determine the areas to be audited and the extent of coverage.

Question 63

AFTER a review applications (assets) and making a vulnerability assessment, the next task(s) would be to:

Answer 63

(1) Identify threats, and (2) estimate the liklihood of a threat’s occurrence.

Question 64

Which of the following backup techniques is the MOST appropriate where an organization requires extremely granular data restore points, as defined by the recovery point objective (RPO)?

Answer 64

Continuous data backup - this process happens online, and in real-time.

Question 65

An organization is using an enterprise resource management (ERP) application. Which type of controls would be the MOST effective?

Answer 65

Role-based access controls (RBAC). RBAC controls the system access by defining roles for a group of users. Users are assigned to the various roles and the access is granted based on the user’s role. User-level permissions would create larger administrative overhead. Fine-grained access control is difficult to implement and maintain in large enterprises. Discretionary access control may create inconsistencies in the access control management.

Question 66

When reviewing an implementation of a VoIP system over a corporate WAN, an IS auditor should expect to find:

Answer 66

Traffic engineering. This is a statistical technique that helps to ensure that quality of service requirements are achieved by minimizing packet loss, latency, and/or jitter.

Question 67

An IS auditor doing penetration testing during an audit of Internet connections would:

Answer 67

Use tools and techniques available to a hacker.

Question 68

The GREATEST advantage of using web services for the exchange of information between two systems is:

Answer 68

Efficient interfacing. Web services facilitate the exchange of information between two systems regardless of the OS or progamming language used. Communication, however, will not necessarily securer or faster, and there is no documentation benefit in using web services.

Question 69

What reduces the potential impact of social engineering attacks?

Answer 69

Security awareness programs.

Question 70

Which of the following should an IS auditor review to gain an understanding of the effectiveness of controls over the management of multiple projects?

Answer 70

A project portfolio database. This is the basis for project portfolio management, and includes detailed project data. Project portfolio management requires specific project portfolio reports.

Question 71

Which of the following online auditing techniques is MOST effective for the early detection of errors or irregularities?

Answer 71

AUDIT HOOKS. The audit hook technique involves embedding code in application systems for the examination of selected transactions. This helps the IS auditor to act before an error or an irregularity gets out of hand. An EMBEDDED AUDIT MODULE involves embedding specially-written software in the organization’s host application system so that application systems are monitored on a selective basis. An INTEGRATED TEST FACILITY is used when it is not practical to use test data. SNAPSHOTS are used when an audit trail is required.

Question 72

If coding standards are not enforced and code reviews are rarely carried out, this will MOST increase the likelihood of a successful:

Answer 72

BUFFER OVERFLOW ATTACK (especially in web-based applications). BRUTE FORCE attacks are used to crack passwords. DDOS attacks are used to flood and overwhelm its targets, preventing them from responding to legitimate requests. WAR DIALING uses modem-scanning tools to hack PBXs.

Question 73

A BENEFIT of open system architecture is that it:

Answer 73

Facilitates operability between systems made by different vendors. Closed system components are, in contrast, built to proprietary standards and cannot (or will not) interface with existing systems.

Question 74

Web and email filtering tools are PRIMARILY valuable to an organization because they:

Answer 74

Protect the organization from viruses, spam, mail chains, recreational surfing and email, and other nonbusiness materials.

Question 75

The PRIMARY objective of service-level management (SLM) is to:

Answer 75

Define, negotiate, agree, document and record, and manage the required levels of service in the manner in which the customer requires those services. This doesn’t necessarily ensure high availability, or that costs will be minimized.

Question 76

An IS auditor performing a telecommunications access control review should be concerned PRIMARILY with the:

Answer 76

Preventative control of authorization and authentication of a user prior to granting access to system resources. Weak controls at this level can affect all other aspects of the system.

Question 77

Which IT governance best practice IMPROVES strategic alignment?

Answer 77

Top management mediating between the imperatives of business and technology. Managing supplier and partner risks is a RISK MANAGEMENT best practice. A knowledge base on customers, products, markets and processes is an IT VALUE DELIVERY best practice. An infrastructure being provided to facilitate the creation and sharing of business information is an IT VALUE DELIVERY and a RISK MANAGEMENT best practice.

Question 78

At the completion of a system development project, a postproject review SHOULD include:

Answer 78

Identifying LESSONS LEARNED that may be applicable to future projects.

Question 79

If no project risks have been identified during the early stages of a development project, the IS auditor SHOULD:

Answer 79

Stress the importance of spending time at THIS point in the project to consider and document risks, and to develop contingency plans. The IS auditor has an obligation to the project sponsor and the organization to advise on appropriate project management practices.

Question 80

An IS auditor reviewing an organization’s data file control procedures finds that transactions are applied to the most current data files, while restart procedures use earlier versions. The IS auditor should recommend the implementation of:

Answer 80

VERSION USAGE CONTROL when it is essential that the proper version of a file is used.

Question 81

If an IS auditor finds that the risk of data being intercepted to and from remote sites is very high, the MOST effective and secure control that he can recommend to reduce this exposure is:

Answer 81

ENCRYPTION

Question 82

If an IS auditor finds that conference rooms have active network ports, it is MOST important to ensure that:

Answer 82

That part of the network is ISOLATED from the corporate network.

Question 83

Which represents the GREATEST risk created by a reciprocal agreement for disaster recovery between two companies?

Answer 83

That future developments may result in hardware and software incompatibility.

Question 84

An Internet-based attack using password sniffing CAN:

Answer 84

Be used to gain access to systems containing proprietary information. SPOOFING attacks can be used to enable one party to act as if they are by another party. DATA MODIFICATION attacks can be used to modify the contents of certain transactions. REPUDIATION OF TRANSACTIONS can cause major problems with billing systems and transaction processing agreements.

Question 85

What type of controls would an IS auditor look for in an environment where duties cannot be appropriately segregated?

Answer 85

COMPENSATING controls are internal controls that are intended to reduce the risk of an existing or potential control weakness that may arise when duties cannot be appropriately segregated. OVERLAPPING controls are two controls addressing the same control objective or exposure. BOUNDARY controls establish the interface between the would-be user of a computer system and the computer system itself, and are individual-based

Question 86

Which of the following is a concern when data are transmitted through Secure Socket Layer (SSL) encryption, implemented on a trading partner’s server?

Answer 86

That the organization doesn’t have control over encryption. The SSL security protocol provides data encryption, server authentication, message integrity, and optional client authentication. Simply installing a digital certificate turns on SSL capabilities, and SSL encrypts the datum whicle it is being transmitted over the Internet - there is no PW to remember b/c the encryption is done in the background.

Question 87

Where a business system accesses a corporate database using a single ID and PW embedded in a program, what would provide efficient access control over the organization’s data?

Answer 87

The best compensating control would be role-based permissions within the application system to ensure that access to data is granted based on a user’s role. The issue is with permissions, not authentication.

Question 88

What would have the HIGHEST priority in a business continuity plan (BCP)?

Answer 88

The resumption of critical processes has the highest priority since it enables business processes to begin immediately after the interruption and not later than the declared mean time between failure (MTBF).

Question 89

A company has decided to implement an electronic signature scheme based on PKI. The user’s private key will be stored on the computer’s HDD and protected by a PW. The MOST significant risk of this approach is:

Answer 89

That a compromise of the PW would enable access to the signature, which could result in the impersonation of the user by substitution of the user’s public key with another person’s public key.

Question 90

If an IS auditor notes that an organization has adequate BCPs for each individual process, but not a comprehensive BCP for the entire organization, the IS auditor should:

Answer 90

Determine whether the BCPs are consistent with one another in order to provide a viable BCP strategy.

Question 91

To protect a VoIP infrastructure against a DoS attack, it is MOST important to secure the:

Answer 91

SESSION BORDER CONTROLLERS. SBCs enhance the security in the access network (AN) and in the core. In the AN, they hide a user’s real addressand provide a managed public address. SBCs permit access to clients behind FWs while maintaining the FW’s effectiveness. In the core, SBCs protect the users and the network.They hide network topology and user’s real addresses. They can also monitor bandwidth and QoS.

Question 92

A web server is attacked and compromised. What should be performed FIRST to handle the incident?

Answer 92

Disconnect the web server from the network to contain the damage and prevent more actions by the attacker.

Question 93

When developing a BCP, which tools shoud be used to gain an understanding of the organization’s business processes?

Answer 93

RISK ASSESSMENT (RA) and BUSINESS IMPACT ASSESSMENT (BIA) are tools for understanding business-for-business continuity planning. BUSINESS CONTINUITY SELF-AUDIT is a tool for evaluating the adequacy of a BCP. RESOURCE RECOVERY ANALYSIS is a tool for identifying a business resumption strategy. GAP ANALYSIS can be used to identify deficiencies in a BCP plan.

Question 94

What would be a considered a weakness, with regard to an organzation that uses PKI with digital certificates?

Answer 94

If the organization is also the owner of the certificate authority (CA), this could potentially create a perceived conflict of interest if customers wanted to allege fraud during a transaction repudiation.

Question 95

The PRIMARY role of the certificate authority (CA) as a third party is to:

Answer 95

Confirm the identity of an entity owning a certificate issued by that CA. The primary activity of a CA is to issue certificates. The CA can contribute to authenticating communicating partners, but is not involved in the communication stream itself.

Question 96

An IS auditor reviewing wireless network security determines that DHCP is disabled at all WAPs. This practice:

Answer 96

Reduces the risk of unauthorized access to the network.

Question 97

The PRIMARY objective of testing a BCP is to:

Answer 97

Identify and provide evidence of any limitations of the current BCP.

Question 98

What method might an IS auditor use to test wireless security at branch office locations?

Answer 98

WAR DRIVING - this is a technique for locating and gaining access to wireless networks by driving or walking with a wireless equipped computer around a building. WAR DIALING is a technique for gaining access to a computer or network through the dialing of defined blocks of telephone numbers, with the hope of getting an answer from a modem. SOCIAL ENGINEERING is a techniqueused to gather info that can assist an attacker in gaining logical or physical access to data or resources. PASSWORD CRACKERS are tools used to guess users’ PWs by trying combinations and dictionary words.

Question 99

Confidentiality of data transmitted in a WLAN is BEST protected if the session is:

Answer 99

Encrypted using DYNAMIC KEYS. With dynamic keys, the encryption key is changed frequently, thus reducing the risk of key compromise and unauthorized message decryption.

Question 100

DDoS attacks on Internet sites are typically evoked by hackers by using:

Answer 100

TROJAN HORSES - these are malicious or damaging code hidden within an authorized computer program. Hackers use Trojans to mastermind DDoS attacks from multiple ccomputers simultaneously. LOGIC BOMBS are programs designed to destroy or modify data at a specific time in the future. PHISHING is an attack, normally via email, pretending to be an authorized person or organization requesting information. SPYWARE is a program that picks up information from PC drives by making copies of their contents.

Question 101

Which anti-spam filtering technique would BEST prevent a valid, variable-length email message containing a heavily-weighted spam keyword from being labeled as spam?

Answer 101

BAYESIAN (STATISTICAL) FILTERING - BF applies statistical modeling to messages by performing a frequency analysis on each word within the message and then evaluating the message as a whole. It can ignore a suspicious keyword if the entire message is within normal bounds. HEURISTIC FILTERING is less effective since new exception rules may need to be defined when a valid message is labeled as spam. SIGNATURE-BASED FILTERING is useless against variable-length messages because the calculated MD5 hash changes all the time. PATTERN MATCHING is actually a degraded rule-based technique where the rules operate at the word level using wildcards, and not at higher levels.

Question 102

When determining the ACCEPTABLE time period for the RESUMPTION of critical business processes:

Answer 102

BOTH downtime AND recovery costs need to be evaluated. The outcome of a BIA should be a recovery strategy that represents the optimal balance,

Question 103

Where a mix of access points cannot be upgraded to stronger or more advanced wireless security, a recommendation to replace the access points is BEST justified by the argument that:

Answer 103

The organization’s security would only be as strong as its weakest points. Affordability, performance, and product manageability is NOT the IS auditor’s concern in this situation.

Question 104

From a control perspective, the PRIMARY objective of classifying information assets is to:

Answer 104

Establish guidelines for the level of access controls that should be assigned. Information has varying degrees of sensitivity and criticality in meeting business objectives. By assigning classes or levels of sensitivity and criticality to information resources, management can establish guidelines for the level of access controls that should be assigned. End user management and the security administrator will use these classifications in their risk assessment (RA) process to assign a given class to each asset.

Question 105

Which biometric has the HIGHEST RELIABILITY and the LOWEST FALSE-ACCEPTANCE RATE (FAR)?

Answer 105

RETINA SCAN. Retina scan uses optical technology to map the capillary pattern of an eye’s retina. This is highly reliable and has the lowest FAR among the current biometric methods. PALM SCANNING entails placing a hand on a scanner where the palm’s physical characteristics are captured. HAND GEOMETRY measures the physical characteristics of the user’s hands and fingers from a 3-D perspective. Both the palm and hand biometric techniques lack uniqueness in the geometry data. With FACE RECOGNITION, a reader analyzes the images captured for general facial characteristics. Though natural and friendly, face biometrics lack uniqueness which means that people who look alike can fool the device.