Domain II – Information Security - Section A: Information Protection

Question 1

IT governance

Answer 1

consists of the leadership, organizational structures, and processes that ensure that the enterprise’s information technology supports the organization’s strategies and objectives.

Question 2

Computer‐Based Information Systems (CBIS)

Answer 2

is a system for collecting data, processing it into information, and storing the information for future reference and output. The system consists of six components:

a. Hardware
b. Software
c. Data/information
d. Procedures
e. People
f. Connectivity

Question 3

The four major phases of activity in a CBIS are:

Answer 3

a. Input phase during which data is captured electronically and converted to a form that can be processed by a computer.
b. Processing phase during which data is converted into an appropriate form of information.
c. Output phase during which the user makes use of information to perform and manage business activities and for decision‐making.
d. Storage phase during which data, information, and processing instructions are stored in a computer‐usable form.

Question 4

The IIA’s glossary defines IT controls

Answer 4

are controls that support business management
and governance as well as provide general and technical controls over information technology infrastructure such as applications, information, infrastructure, and people.

Question 5

Physical access and environmental controls (General IT Controls)

Answer 5

are controls to physically protect the information systems hardware and software. These controls are appropriate to consider during the physical design of a data center.

Question 6

Logical access controls (General IT Control)

Answer 6

are mainly implemented through the use of special security software and/or by utilizing features of other applications software.

Question 7

Security software

Answer 7

is software that controls the logical access to information systems.
=> It typically includes user authentication, granting access in accordance with predefined rules, and monitoring, logging and reporting usage.

Question 8

Data diddling

Answer 8

is the changing of the data prior to its input to the computer.

Question 9

Trojan horse

Answer 9

is a malicious fraudulent code hidden in an authorized program that is executed every time the authorized program is executed.

Question 10

Viruses

Answer 10

include a variety of malicious program codes that are inserted into other programs or data files.

Question 11

Worms

Answer 11

are malicious programs that destroy data or utilize significant computer and communication resources.

Question 12

Rounding down

Answer 12

involves drawing small amounts of money from a computerized transaction or account and depositing them in the perpetrator’s account.

Question 13

Salami techniques

Answer 13

involve the slicing down of small amounts of money from a computerized transaction.

Question 14

Logic bombs

Answer 14

are malicious codes similar to computer viruses, but they do not replicate themselves.

Question 15

Asynchronous attacks

Answer 15

are attacks that change data while available to be transmitted.

Question 16

Trap doors

Answer 16

are exits from an authorized program that permits the insertion of unauthorized logic.

Question 17

Data leakage

Answer 17

is acquiring information out of the computer system in an unauthorized manner or in an authorized manner but by an unauthorized individual.

Question 18

Piggybacking

Answer 18

is the act of following an authorized person physically through a door or electronically through a connection to gain unauthorized access.

Question 19

Wire‐tapping

Answer 19

is the eavesdropping on information being transmitted over a telecommunications line.

Question 20

Denial of Service

Answer 20

is a malicious attack that disrupts or completely denies service to legitimate users.

Question 21

Authentication

Answer 21

refers to the use of security measures to authenticate identity.
=> Authentication protects against fraudulent logon activities by identifying and verifying the identity of the users and the users’ access authorizations.

Question 22

Single‐factor (basic) Authentication

Answer 22

usually refers to password‐based authentication that is associated with a user’s unique identity.

Question 23

Multi‐factor Authentication

Answer 23

refers to the use of multiple factors to identify the users; typically a user id, with a password, and a token (e.g. smart cards, biometric info, pins generated by device) that is in the physical possession of the user.

Question 24

Cryptographic Authentication

Answer 24

uses additional methods for authentication primarily relying on encrypting and decrypting the sensitive information used for authentication such as public key authentication, password permutations, and digital signatures.

Question 25

Application controls

Answer 25

are controls over the input, processing, and output functions of a computer‐based information system.

Question 26

Input controls

Answer 26

are techniques and procedures used to validate, verify, and edit data to ensure that only authorized and correct data are input into the system for processing.

Question 27

Processing controls

Answer 27

are procedures to provide reasonable assurance that data input is processed as authorized and master files are updated in a complete and accurate manner.

Question 28

Output controls

Answer 28

are controls to ensure that output from the information system is accurate, complete, and distributed only to authorized individuals.

Question 29

Integrity controls

Answer 29

are controls to ensure the integrity of data during the various phases to ensure consistency and validity.

Question 30

Audit trail

Answer 30

are controls that enable management and/or the auditor to track individual transactions throughout the system from their source to their output and vice versa. The trail is intended to disclose who did what and when to the data to highlight the source and/or reason for any errors and/or irregularities.