Practice Exam Flashcards

1
Q

Corporate IT governance is the responsibility of:

(a) The board and management.
(b) The IS manager.
(c) The IS auditor.
(d) The audit committee.

A

(a) The board and management.

2
Q

Organizations develop change control procedures to ensure that:

(a) Changes are controlled by the Change Controller.
(b) All changes are requested, scheduled, and completed on time.
(c) All changes are authorized, tested, and recorded.
(d) Management is advised of changes made to system.

A

(c) All changes are authorized, tested, and recorded.

3
Q

Control problems during business process change would typically include:

(a) Poor control over file conversions.
(b) Changing effectiveness of existing control structures.
(c) Employee uncertainty and lack of cooperation.
(d) Changing control objectives.

A

(a) Poor control over file conversions.

4
Q

Risk is commonly expressed as a function of the:

(a) Systems vulnerabilities and the cost to mitigate.
(b) Likelihood that the harm will occur and its potential impact.
(c) Types of countermeasures needed and the system’s vulnerabilities.
(d) Computer system-related assets and their costs.

A

(b) Likelihood that the harm will occur and its potential impact.

5
Q

Overall business risk for a particular threat can be expressed as:
A. a product of the probability and magnitude of the impact if a threat successfully exploits a vulnerability.
B. the magnitude of the impact should a threat source successfully exploit the vulnerability.
C. the likelihood of a given threat source exploiting a given vulnerability.
D. the collective judgment of the risk assessment team.

A

A. a product of the probability and magnitude of the impact if a threat successfully exploits a vulnerability.

6
Q

To ensure that audit resources deliver the best value to the organization, the FIRST step would be to:
A. schedule the audits and monitor the time spent on each audit.
B. train the IS audit staff on current technology used in the company.
C. develop the audit plan on the basis of a detailed risk assessment.
D. monitor progress of audits and initiate cost control measures.

A

C. develop the audit plan on the basis of a detailed risk assessment.

7
Q

Passwords should be all of the following except:

(a) Hard to guess
(b) Easy to remember
(c) Written down
(d) Frequently changed

A

(c) Written down

8
Q

A digital signature uses similar technology to:

(a) Symmetric encryption
(b) MACing
(c) Asymmetric encryption
(d) None of the above

A

(c) Asymmetric encryption

9
Q

A firewall provides an organization with:

(a) A mechanism for implementing and enforcing network access security policies
(b) A transformation of directive or discretionary controls into preventive controls
(c) Control over access to and from a given network
(d) All of the above

A

(d) All of the above

10
Q

Where a disaster would result in a conspicuous interruption of IT services, potentially resulting in loss of business, disaster preparedness would typically be classified as:

(a) Poor
(b) Weak
(c) Adequate
(d) Good

A

(b) Weak

11
Q

Risks specific to portable computers include all of the following except:

(a) Accidental damage in transit
(b) Ease of theft
(c) Unauthorized access
(d) Lost in transit

A

(c) Unauthorized access

12
Q
Which of the following would BEST support 24/7 availability?
A. Daily backup
B. Offsite storage
C. Mirroring
D. Periodic testing
A

C. Mirroring

13
Q

Which of the following is the MOST important criterion when selecting a location for an offsite storage facility for IS backup files? The offsite facility must be:
A. physically separated from the data center and not subject to the same risks.
B. given the same level of protection as that of the computer data center.
C. outsourced to a reliable third party.
D. equipped with surveillance capabilities.

A

A. physically separated from the data center and not subject to the same risks.

14
Q

The PRIMARY purpose of compliance tests is to verify whether:

a. controls are implemented as prescribed.
b. documentation is accurate and current.
c. access to users is provided as specified.
d. data validation procedures are provided.

A

a. controls are implemented as prescribed.

15
Q

Which of the following concerns about the security of an electronic message would be addressed by digital signatures?

a. Unauthorized reading
b. Theft
c. Unauthorized copying
d. Alteration

A

d. Alteration

16
Q

The MOST effective method for limiting the damage of an attack by a software virus is:*

a. software controls.
b. policies, standards and procedures.
c. logical access controls.
d. data communication standards.

A

a. software controls.

17
Q

Which of the following would be MOST appropriate to ensure the confidentiality of transactions initiated via the Internet?

a. Digital signature
b. Data encryption standard (DES)
c. Virtual private network (VPN)
d. Public key encryption

A

d. Public key encryption

18
Q

The PRIMARY objective of a firewall is to protect:

a. internal systems from exploitation by external threats.
b. external systems from exploitation by internal threats.
c. internal systems from exploitation by internal threats.
d. itself and attached systems against being used to attack other systems.

A

a. internal systems from exploitation by external threats.

19
Q

An IS auditor has just completed a review of an organization that has a mainframe and a client-server environment where all production data reside. Which of the following weaknesses would be considered the MOST serious?

a. The security officer also serves as the database administrator (DBA).
b. Password controls are not administered over the client/server environment.
c. There is no business continuity plan for the mainframe system’s non-critical applications.
d. Most LANs do not back up file server fixed disks regularly.

A

b. Password controls are not administered over the client/server environment.

20
Q

A B-to-C e-commerce web site, as part of its information security program, wants to monitor, detect and prevent hacking activities and alert the system administrator when suspicious activities occur. Which of the following infrastructure components could be used for this purpose?

a. Intrusion prevention systems
b. Firewalls
c. Routers
d. Asymmetric encryption

A

a. Intrusion prevention systems

21
Q

An IS auditor discovers that an organization’s business continuity plan provides for an alternate processing site that will accommodate fifty percent of the primary processing capability. Based on this, which of the following actions should the IS auditor take?

a. Do nothing, because generally less than twenty-five percent of all processing is critical to an organization’s survival and the backup capacity, therefore, is adequate.
b. Identify applications that could be processed at the alternate site and develop manual procedures to backup other processing.
c. Ensure that critical applications have been identified and that the alternate site could process all such applications.
d. Recommend that the information processing facility arrange for an alternate processing site with the capacity to handle at least seventy-five percent of normal processing.

A

c. Ensure that critical applications have been identified and that the alternate site could process all such applications.

22
Q

Which of the following components of a business continuity plan is PRIMARILY the responsibility of an organization’s IS department?

a. Developing the business continuity plan
b. Selecting and approving the strategy for the business continuity plan
c. Declaring a disaster
d. Restoring the IS systems and data after a disaster

A

d. Restoring the IS systems and data after a disaster

23
Q

In an audit of a business continuity plan, which of the following findings is of MOST concern?

a. There is no insurance for the addition of assets during the year.
b. BCP manual is not updated on a regular basis.
c. Testing of the backup of data has not been done regularly.
d. Records for maintenance of the access system have not been maintained.

A

c. Testing of the backup of data has not been done regularly.

24
Q

Which of the following is the best reason to separate duties in a manual system?

a. to avoid collusion between the programmer and the computer operator
b. to ensure that supervision is not required
c. to prevent the record keeper from authorizing transactions
d. to enable the firm to function more efficiently

A

c. to prevent the record keeper from authorizing transactions

25
Q

Which statement is not true?

a. Auditors must maintain independence.
b. IT auditors attest to the integrity of the computer system.
c. IT auditing is independent of the general financial audit.
d. IT auditing can be performed by both external and internal auditors.

A

c. IT auditing is independent of the general financial audit.

26
Q

Which of the following is not an essential feature of a disaster recovery plan?

a. off-site storage of backups
b. computer services function
c. second site backup
d. critical applications identified

A

b. computer services function

27
Q

The least important item to store off-site in case of an emergency is

a. backups of systems software
b. backups of application software
c. documentation and blank forms
d. results of the latest test of the disaster recovery program

A

d. results of the latest test of the disaster recovery program

28
Q

Which of the following is considered an unintentional threat to the integrity of the operating system?

a. a hacker gaining access to the system because of a security flaw
b. a hardware flaw that causes the system to crash
c. a virus that formats the hard drive
d. the systems programmer accessing individual user files

A

b. a hardware flaw that causes the system to crash

29
Q

Which method will render useless data captured by unauthorized receivers? *

a. echo check
b. parity bit
c. public key encryption
d. message sequencing

A

c. public key encryption

30
Q

Firewalls are

a. special materials used to insulate computer facilities
b. a system that enforces access control between two networks
c. special software used to screen Internet access
d. none of the above

A

b. a system that enforces access control between two networks

31
Q

A distributed denial of service (DDoS) attack

a. is more intensive than a DoS attack because it emanates from a single source
b. may take the form of either a SYN flood or smurf attack
c. is so named because it affects many victims simultaneously, which are distributed across the Internet
d. turns the target victim’s computers into zombies that are unable to access the Internet
e. none of the above is correct

A

b. may take the form of either a SYN flood or smurf attack

32
Q

A digital signature is

a. the encrypted mathematical value of the message sender’s name
b. derived from the digest of a document that has been encrypted with the sender’s private key
c. the computed digest of the sender’s digital certificate
d. allows digital messages to be sent over analog telephone lines

A

b. derived from the digest of a document that has been encrypted with the sender’s private key

33
Q

When developing a risk-based audit strategy, an IS auditor should conduct a risk assessment to ensure that:

a. controls needed to mitigate risks are in place.
b. vulnerabilities and threats are identified.
c. audit risks are considered.
d. a gap analysis is appropriate.

A

b. vulnerabilities and threats are identified.

34
Q

An IS auditor issues an audit report pointing out the lack of firewall protection features at the perimeter network gateway and recommends a vendor product to address this vulnerability. The IS auditor has failed to exercise:

a. professional independence.
b. organizational independence.
c. technical competence.
d. professional competence.

A

a. professional independence.

35
Q
Which network device is capable of blocking network connections that are identified as potentially malicious?
A. Intrusion detection system (IDS)
B. Intrusion prevention system (IPS)
C. Demilitarized zone (DMZ)
D. Web server
A

B. Intrusion prevention system (IPS)

36
Q
Which tool can capture the packets transmitted between systems over a network?
A. Wardialer
B. OS fingerprinter
C. Port scanner
D. Protocol analyzer
A

D. Protocol analyzer

37
Q
Which term describes an action that can damage or compromise an asset?
A. Risk
B. Vulnerability
C. Countermeasure
D. Threat
A

D. Threat

38
Q
Which password attack is typically used specifically against password files that contain cryptographic hashes?
A. Brute-force attacks
B. Dictionary attacks
C. Birthday attacks
D. Social engineering attacks
A

C. Birthday attacks

39
Q
Barry discovers that an attacker is running an access point in a building adjacent to his company. The access point is broadcasting the service set identifier (SSID) of an open network owned by the coffee shop in his lobby. Which type of attack is likely taking place?
A. Evil twin
B. Wardriving
C. Bluesnarfing
D. Replay attack
A

A. Evil twin

40
Q
Alan is developing a business impact assessment for his organization. He is working with business units to determine the maximum allowable time to recover a particular function. What value is Alan determining?
A. Recovery time objective (RTO)
B. Recovery point objective (RPO)
C. Business recovery requirements
D. Technical recovery requirements
A

A. Recovery time objective (RTO)

41
Q
Dawn is selecting an alternative processing facility for her organization's primary data center. She would like to have a facility that balances cost and switchover time. What would be the best option in this situation?
A. Hot site
B. Warm site
C. Cold site
D. Primary site
A

B. Warm site

42
Q
Which one of the following is the best example of an authorization control?
A. Biometric device
B. Digital certificate
C. Access control lists
D. One-time password
A

C. Access control lists

43
Q
Alan is evaluating different biometric systems and is concerned that users might not want to subject themselves to retinal scans due to privacy concerns. Which characteristic of a biometric system is he considering?
A. Accuracy
B. Reaction time
C. Dynamism
D. Acceptability
A

D. Acceptability

44
Q
Which of the following is NOT a benefit of cloud computing to organizations?
A. On-demand provisioning
B. Improved disaster recovery
C. No need to maintain a data center
D. Lower dependence on outside vendors
A

D. Lower dependence on outside vendors

45
Q
In what type of attack does the attacker send unauthorized commands directly to a database?
A. Cross-site scripting
B. SQL injection
C. Cross-site request forgery
D. Database dumping
A

B. SQL injection

46
Q

What is the correct order of steps in the change control process?
A. Request, approval, impact assessment, build/test, monitor, implement
B. Request, impact assessment, approval, build/test, implement, monitor
C. Request, approval, impact assessment, build/test, implement, monitor
D. Request, impact assessment, approval, build/test, monitor, implement

A

B. Request, impact assessment, approval, build/test, implement, monitor

47
Q

Jacob is conducting an audit of the security controls at an organization as an independent reviewer. Which question would NOT be part of his audit?
A. Is the level of security control suitable for the risk it addresses?
B. Is the security control in the right place and working well?
C. Is the security control effective in addressing the risk it was designed to address?
D. Is the security control likely to become obsolete in the near future?

A

D. Is the security control likely to become obsolete in the near future?

48
Q
Which audit data collection method helps ensure that the information-gathering process covers all relevant areas?
A. Checklist
B. Interviews
C. Questionnaires
D. Observation
A

A. Checklist

49
Q
Which security testing activity uses tools that scan for services running on systems?
A. Reconnaissance
B. Penetration testing
C. Network mapping
D. Vulnerability testing
A

C. Network mapping

50
Q
Gary would like to choose an access control model in which the owner of a resource decides who may modify permissions on that resource. Which model fits that scenario?
A. Discretionary access control (DAC)
B. Mandatory access control (MAC)
C. Rule-based access control
D. Role-based access control (RBAC)
A

A. Discretionary access control (DAC)

51
Q

For disaster recovery purposes, what criteria are used to identify an application or data as critical? (5 marks)

A

Critical applications and files are those that impact the short-run survival of the firm. Critical items impact cash flows, legal obligations, and customer relations.

52
Q

Indicate at least 5 benefits of the IT Risk Framework (10 marks).

A

  • An accurate view of significant current and near-future IT-related risks throughout the extended enterprise
  • End-to-end guidance on how to manage IT-related risks
  • Understanding how to capitalize on IT investment made in IT internal control
  • Understanding how effective IT risk management enables business process efficiency
  • When assessing and managing IT risk, integration with the overall risk and compliance structures within the enterprise
  • A common framework language to help communication and understanding amongst business, IT, risk and audit management
  • Promotion of risk responsibility and its acceptance throughout the enterprise
  • A complete risk profile to better understand the enterprise’s full exposure, as a better way to utilize resources

53
Q

What are the key objectives of information security? (5 marks)

A

  • Confidentiality — Preserving authorized restrictions on access and disclosure, including means for protecting privacy and proprietary information
  • Integrity — Guarding against improper information modification or destruction, including ensuring information non-repudiation and authenticity
  • Availability — Ensuring timely and reliable access to and use of information

54
Q

Describe a disaster recovery plan and components. In preparing the plan, what criteria are used to identify an application or data as critical? Also, describe two tests that an auditor would perform to ensure that the disaster recovery plan is adequate. (10 marks)

A

A disaster recovery plan is a comprehensive statement of all actions to be taken before, during, and after a disaster, along with documented, tested procedures that will ensure the continuity of operations. The essential features are: providing second site backup, identifying critical applications, backup and off-site storage procedures, creating a disaster recovery team, and testing the disaster recovery plan.

The auditor can review the second site backup plan, the critical application list, and the off-site backups of critical libraries, applications and data files; ensure that backup supplies, source documents and documentation are located off-site; and review which employees are members of the disaster recovery team.

Critical applications and files are those that impact the short-run survival of the firm. Critical items impact cash flows, legal obligations, and customer relations.

55
Q

What are some typical problems with passwords? Explain the key features of the one-time password technique and give the main reason you would recommend this technique in an information system. (10 marks)

A

Typical problems with passwords include:
users failing to remember passwords; failure to change passwords frequently; displaying passwords where others can see them; using simple, easy-to-guess passwords.

Key features of the one-time password technique include:
The user’s password changes continuously.
This technology employs a credit card-sized smart card that contains a microprocessor programmed with an algorithm that generates, and electronically displays, a new and unique password every 60 seconds.
The card works in conjunction with special authentication software located on a mainframe or network server computer. Each user’s card is synchronized to the authentication software, so that at any point in time both the smart card and the network software are generating the same password for the same user.

This type of technology should be used in information systems that suffer from the problems associated with reusable passwords, such as people sharing passwords, people forgetting passwords, easy-to-guess passwords and the other problems discussed above.

56
Q

Contrast the Private Encryption Standard approach with the Public Key Encryption approach to controlling access to telecommunication messages. What problem is common to all private key encryption techniques? (10 marks)

A

In the Private Encryption Standard approach, both the sender and the receiver use the same key to encode and decode the message. In the Public Key Encryption approach, all senders receive a copy of the key used to encode messages, while the receiver is the only one with access to the key that decodes them.

The main problem with the private key is distributing it in an insecure environment like the Internet. The more individuals who need to know the private key, the greater the probability of it falling into the wrong hands. If a perpetrator discovers the key, he or she can intercept and decipher coded messages, unlike public keys, which are useless for deciphering coded messages if intercepted.