Information Asset Security and Controls 1.0 Flashcards
What concern is being primarily addressed when upgrading an existing virtual private network to support Voice-over Internet Protocol communication via tunneling?
Reliability and quality of service (QoS)
i.e. voice communications require consistent levels of service, which QoS and class-of-service controls can provide
What would be considered an effective control for restricting access to unauthorized Internet sites in an organization?
Routing outbound Internet traffic through a content-filtering proxy server
i.e. this effectively monitors user access to Internet sites and blocks access to unauthorized websites
What is a secure and economical method for connecting a private network over the Internet in a small- to medium-sized organization?
A Virtual Private Network (VPN)
i.e. this method allows data to travel securely from a private network to the Internet
What risk is increased when an entity replaces its existing wired local area network with a wireless infrastructure (to accommodate the increased use of mobile devices)?
War Driving
i.e. this attack uses a wireless Ethernet card set in promiscuous mode and a powerful antenna to penetrate wireless systems from outside the premises
What is the “BEST” way to minimize unauthorized access to unattended end-user PC systems?
Enforcing the use of a password-protected screen saver
What is a major factor with regard to the privacy of the accounting data (when dealing with a new cloud-based accounting service provider)?
Return or destruction of information
i.e. the most important consideration with regard to the privacy of the data is the contract clause covering the return or secure destruction of information at the end of the engagement
How does Secure Sockets Layer (SSL) ensure confidentiality of a message?
By using symmetric encryption
What would be considered a significant threat for an IS auditor when reviewing the logical access to an application?
The file storing the application ID password is in cleartext in the production code
i.e. compromise of the application ID password can result in untraceable, unauthorized changes to production data
What type of control will most effectively detect the presence of bursts of errors in network transmissions?
Cyclic redundancy check (CRC)
i.e. CRC can detect all single-bit and double-bit errors
What type of IS attack is the “Replay” attack?
One that uses residual biometric information to gain unauthorized access
E.g. Residual biometric characteristics, such as fingerprints left on a biometric capture device, may be reused by an attacker to gain unauthorized access
What is an effective control to ensure accountability for users accessing sensitive data in a human resource management system (HRMS)?
Audit trails
i.e. these capture which user performed a transaction, at what time and date, along with other details
What is the difference between the Encapsulating Security Payload protocol and the authentication header protocol?
The Encapsulating Security Payload protocol provides confidentiality via encryption
What would allow for the automated assurance that proper data files are being used during processing?
File header record
What type of firewall provides the greatest degree of control (and level of granularity)?
Application Gateway
What is the purpose of having a voltage regulator at a data center from an IS audit perspective?
To ensure hardware is protected against power surges
i.e. this protects against short-term power fluctuations