Domain 5 Notes

Question 1

Process ownership assignment does not have a feature to

Answer 1

track the completion percentage of deliverables.

Question 2

Whether the design cost of test cases will be optimized is not determined from

Answer 2

the assignment of process ownership. It may help to some extent; however, there are many other factors involved in the design of test cases.

Question 3

For gap minimization, a specific requirements analysis framework should be in place and then applied; however, a gap may be found between the design and the as-built system that could lead to

Answer 3

system functionality not meeting requirements. This will be identified during user acceptance testing (UAT). Process ownership alone does not have the capability to minimize requirement gaps.

Question 4

The involvement of process owners will ensure

Answer 4

that the system will be designed according to the needs of the business processes that depend on system functionality.

Question 5

A sign-off on the design by the process owners is crucial before

Answer 5

development begins.

Question 6

To ensure proper segregation of duties, developers should

Answer 6

be restricted to the development environment only

Question 7

If code needs to be modified after user acceptance testing (UAT),

Answer 7

the process must be restarted in development.

Question 8

While security controls should be a requirement for any application, the primary focus of the enterprise architecture (EA) is

Answer 8

to ensure that new applications are consistent with enterprise standards.

Question 9

When selecting an application, the business requirements as well as the suitability of the application for the IT environment

Answer 9

must be considered.

Question 10

If the business units selected their application without IT involvement, they would be more likely to choose a solution that

Answer 10

fit their business process the best with less emphasis on how compatible and supportable the solution would be in the enterprise, and this would not be a concern.

Question 11

The primary focus of the EA is to ensure that technology investments are

Answer 11

consistent with the platform, data and development standards of the IT organization.

Question 12

The EA defines both a current and future state in areas such as

Answer 12

the use of standard platforms, databases or programming languages.

Question 13

If a business unit selected an application using a database or operating system (OS) that is not part of the EA for the business, this would

Answer 13

increase the cost and complexity of the solution and ultimately deliver less value to the business.

Question 14

While any new software implementation may create support issues, the primary benefit of the EA is

Answer 14

ensuring that the IT solutions deliver value to the business.

Question 15

Decreased support costs may be a benefit of the EA, but the lack of IT involvement

Answer 15

would not affect the support requirements.

Question 16

Directive controls, such as IT policies and procedures, would not apply in a case

Answer 16

of automated control.

Question 17

Corrective controls are designed to

Answer 17

correct errors, omissions and unauthorized uses and intrusions, when they are detected

Question 18

Corrective controls provide

Answer 18

a mechanism to detect when malicious events have happened and correct the situation.

Question 19

A compensating control is used

Answer 19

where other controls are not sufficient to protect the system.

Question 20

A corrective control in place, like ab antivirus system which automatically determines if the latest signatures files are up to date, will

Answer 20

will effectively protect the system from access via an unpatched device.

Question 21

Detective controls exist to

Answer 21

detect and report when errors, omissions and unauthorized uses or entries occur

Question 22

Although missing a component of a release is indicative of a process deficiency, it is of more concern that the missed change

Answer 22

was promoted into the production environment without management approval.

Question 23

Management approval of changes mitigates

Answer 23

the risk of unauthorized changes being introduced to the production environment.

Question 24

Unauthorized changes might result in

Answer 24

disruption of systems or fraud.

Question 25

It is imperative to ensure that

Answer 25

each change has appropriate management approval.

Question 26

Most release/change control errors are discovered

Answer 26

during postimplementation review.

Question 27

It is of greater concern that the change was promoted

Answer 27

without management approval after it was discovered.

Question 28

Using the same change order number is not a relevant

Answer 28

concern.

Question 29

A host-based intrusion prevention system (IPS) prevents unauthorized changes to the host. If a malware attack attempted to install a rootkit,

Answer 29

the IPS would refuse to permit the installation without the consent of an administrator.

Question 30

A network-based intrusion detection system (IDS) relies on attack signatures based on known exploits and attack patterns. If the IDS is not kept up to date with the latest signatures, or the attacker is able to create or gain access to an exploit unknown to the IDS,

Answer 30

it will go undetected.

Question 31

A web server exploit performed through the web application itself, such as a structured query language (SQL) injection attack, would

Answer 31

not appear to be an attack to the network-based IDS.

Question 32

A firewall by itself does not protect a web server because the ports required for users to access the web server must be open in the firewall. Web server attacks are typically performed over the same ports that are open for normal web traffic. Therefore,

Answer 32

a firewall does not protect the web server.

Question 33

Operating system (OS) patching will make exploitation of the server more difficult for the attacker and less likely. However, attacks on the web application and server OS may succeed based on issues unrelated to any unpatched server vulnerabilities, and the host-based IPS should

Answer 33

detect any attempts to change files on the server, regardless of how access was obtained.

Question 34

While an intrusion detection system (IDS) can be installed on the local network to ensure that systems are not subject to internal attacks, a company’s public web server would not normally be installed on the local network, but rather in

Answer 34

the demilitarized zone (DMZ).

Question 35

It is not unusual to place a network IDS outside of the firewall just to watch the traffic that is reaching the firewall, but this would

Answer 35

not be used to specifically protect the web application.

Question 36

Network-based IDSs detect attack attempts by monitoring network traffic. A public web server is typically placed on the protected network segment known as the demilitarized zone (DMZ). An IDS installed in the DMZ detects and reports on malicious activity originating from the Internet as well as the internal network, thus allowing

Answer 36

the administrator to take action.

Question 37

A host-based IDS would be installed on the web server, but a network-based IDS

Answer 37

would not.

Question 38

Although a hot site enables a business to meets its recovery point objective (RPO) and recovery time objective (RTO), the cost to maintain a hot site is more than the cost to maintain a warm site, which

Answer 38

could also meet the objectives.

Question 39

A cold site, although providing basic infrastructure, lacks the

Answer 39

required hardware to meet the business objectives.

Question 40

A mirrored site provides fully redundant facilities with real-time data replication. It can meet the business objectives, but it is not

Answer 40

as cost-effective a solution as a warm site.

Question 41

A warm site is the most appropriate solution because it provides basic infrastructure and most of the required IT equipment to affordably meet the business requirements. The remainder of the equipment needed can be provided through vendor agreements within a few days.

Answer 41

A warm site is the most appropriate solution because The RTO is the amount of time allowed for the recovery of a business function or resource after a disaster occurs. The RPO is determined based on the acceptable data loss in case of a disruption of operations. The RPO indicates the earliest point in time that is acceptable to recover the data, and it effectively quantifies the permissible amount of data loss in case of interruption.

Question 42

Secret key encryption would require sharing of the same key at the source and destination and

Answer 42

involve an additional step for encrypting and decrypting data at each end.

Question 43

Using a dynamic Internet protocol (IP) address and port is not an effective control

Answer 43

because an attacker could easily find the new address using the domain name system (DNS)

Question 44

While the use of a cryptographic hash function may be helpful to validate the integrity of data files,

Answer 44

it would not be useful for a production support team connecting remotely.

Question 45

As ABC and XYZ are communicating over the Internet, which is an untrusted network, establishing

Answer 45

an encrypted virtual private network (VPN) tunnel would best ensure that the transmission of information was secure.

Question 46

Single sign-on authentication provides a single access point to system resources. It would not be best

Answer 46

in all situations.

Question 47

While password complexity requirements would help prevent unauthorized access, two-factor authentication

Answer 47

is a more effective control.

Question 48

Two-factor authentication is the best method to provide a secure connection because it uses two factors, typically

Answer 48

“what you have” (for example, a device to generate one-time-passwords), “what you are” (for example, biometric characteristics) or “what you know” (for example, a personal identification number [PIN] or password).

Question 49

Internet protocol (IP) addresses can always change or be spoofed and

Answer 49

therefore, are not the best form of authentication.

Question 50

The most important aspect in a signature-based intrusion
detection system (IDS) is its ability to

Answer 50

protect against known (signature) intrusion patterns. Such signatures are provided
by the vendor and are critical to protecting an enterprise
from outside attacks.

Question 51

One of the key disadvantages of IDS is its inherent inability

Answer 51

to scan for vulnerabilities at the application level.

Question 52

An IDS cannot break

Answer 52

encrypted data packets to identify the

source of the incoming traffic.

Question 53

A demilitarized zone is an internal network segment in which systems (e.g., a web server) accessible to the public are housed.
In order to provide the greatest security and efficiency, an IDS
should

Answer 53

be placed behind the firewall so that it will detect only those attacks/intruders that enter the firewall.

Question 54

Logging access to personal information is a good control in that it will allow access to be analyzed

Answer 54

analyzed if there is concern of unauthorized access. However, it will not prevent access.

Question 55

Restricting access to sensitive transactions will restrict

Answer 55

access only to some of the data. It will not prevent access to other data.

Question 56

The server and system security should be defined to allow

Answer 56

only authorized staff members access to information about

the staff whose records they handle on a day-to-day basis.

Question 57

System access restricted to business hours only restricts when

Answer 57

unauthorized access can occur and would not prevent such access at other times. It is important to consider that the data owner is responsible for determining who is allowed access via the written software access rules.

Question 58

The security officer serving as the database administer, while a control weakness, does not carry the same disastrous impact as the absence of

Answer 58

password controls.

Question 59

The absence of password controls on the two database servers, where production data reside, is

Answer 59

the most critical weakness.

Question 60

Having no business continuity plan for the mainframe system’s noncritical applications, while a control weakness, does not

Answer 60

carry the same disastrous impact as the absence of password controls.

Question 61

Most local area networks not backing-up regularly, while a

control weakness, does not carry the

Answer 61

same disastrous impact as

the absence of password controls.

Question 62

If a password is disclosed when single sign-on is enabled, there is a risk

Answer 62

that unauthorized access to all systems will be possible.

Question 63

User access rights should remain unchanged by single sign-on, as additional security parameters

Answer 63

are not implemented necessarily.

Question 64

One of the intended benefits of single sign-on is

Answer 64

the simplification of security administration.

Question 65

One of the intended benefits of single sign-on is the

Answer 65

unlikelihood of an increased workload.

Question 66

The standard bandwidth of an integrated services digital network data link would not

Answer 66

provide the quality of services required for corporate Voice-over Internet Protocol (VoIP) services.

Question 67

To ensure that quality of service requirements are achieved, the VoIP service over the wide area network should be protected from

Answer 67

packet losses, latency or jitter. To reach this objective, the network performance can be managed to provide quality of service and class of service support using statistical techniques, such as traffic engineering.

Question 68

Wired equivalent privacy is an encryption scheme related

Answer 68

to wireless networking.

Question 69

The VoIP phones are usually connected to a

Answer 69

corporate local area network and are not analog.

Question 70

Benefits of cloud computing are redundancy and the ability

Answer 70

to access systems and data in the event of a technical failure.