Practice Exam

Question 1

Corporate IT governance is the responsibility of:

(a) The board and management.
(b) The IS manager.
(c) The IS auditor.
(d) The audit committee.

Answer 1

(a) The board and management.

Question 2

Organizations develop change control procedures to ensure that:

(a) Changes are controlled by the Change Controller.
(b) All changes are requested, scheduled, and completed on time.
(c) All changes are authorized, tested, and recorded.
(d) Management is advised of changes made to system.

Answer 2

(c) All changes are authorized, tested, and recorded.

Question 3

Control problems during business process change would typically include:

(a) Poor control over file conversions.
(b) Changing effectiveness of existing control structures.
(c) Employee uncertainty and lack of cooperation.
(d) Changing control objectives.

Answer 3

(a) Poor control over file conversions.

Question 4

Risk is commonly expressed as a function of the:

(a) Systems vulnerabilities and the cost to mitigate.
(b) Likelihood that the harm will occur and its potential impact.
(c) Types of countermeasures needed and the system’s vulnerabilities.
(d) Computer system-related assets and their costs.

Answer 4

(b) Likelihood that the harm will occur and its potential impact.

Question 5

Overall business risk for a particular threat can be expressed as:
A. a product of the probability and magnitude of the impact if a threat successfully exploits a vulnerability.
B. the magnitude of the impact should a threat source successfully exploit the vulnerability.
C. the likelihood of a given threat source exploiting a given vulnerability.
D. the collective judgment of the risk assessment team.

Answer 5

A. a product of the probability and magnitude of the impact if a threat successfully exploits a vulnerability.

Question 6

To ensure that audit resources deliver the best value to the organization, the FIRST step would be to:
A. schedule the audits and monitor the time spent on each audit.
B. train the IS audit staff on current technology used in the company.
C. develop the audit plan on the basis of a detailed risk assessment.
D. monitor progress of audits and initiate cost control measures.

Answer 6

C. develop the audit plan on the basis of a detailed risk assessment.

Question 7

Passwords should be all of the following except:

(a) Hard to guess
(b) Easy to remember
(c) Written down
(d) Frequently changed

Answer 7

(c) Written down

Question 8

A digital signature uses similar technology to:

(a) Symmetric encryption
(b) MACing
(c) Asymmetric encryption
(d) None of the above

Answer 8

(c) Asymmetric encryption

Question 9

A firewall provides an organization with:

(a) A mechanism for implementing and enforcing network access security policies
(b) A transformation of directive of discretionary controls into preventative controls
(c) Control over access to and from a given network
(d) All of the above

Answer 9

(d) All of the above

Question 10

Where a disaster would result in conspicuous interruption of IT Services, potentially result in loss of business, disaster preparedness would typically be classified as:

(a) Poor
(b) Weak
(c) Adequate
(d) Good

Answer 10

(b) Weak

Question 11

Risks specific to portable computers include all of the following except:

(a) Accidental damage in transit
(b) Ease of theft
(c) Unauthorized access
(d) Lost in transit

Answer 11

(c) Unauthorized access

Question 12

Which of the following would BEST support 24/7 availability?
A. Daily backup
B. Offsite storage
C. Mirroring
D. Periodic testing

Answer 12

C. Mirroring

Question 13

Which of the following is the MOST important criterion when selecting a location for an offsite storage facility for IS backup files? The offsite facility must be:
A. physically separated from the data center and not subject to the same risks.
B. given the same level of protection as that of the computer data center.
C. outsourced to a reliable third party.
D. equipped with surveillance capabilities.

Answer 13

A. physically separated from the data center and not subject to the same risks.

Question 14

The PRIMARY purpose of compliance tests is to verify whether:

a. controls are implemented as prescribed.
b. documentation is accurate and current.
c. access to users is provided as specified.
d. data validation procedures are provided.

Answer 14

a. controls are implemented as prescribed.

Question 15

Which of the following concerns about the security of an electronic message would be addressed by digital signatures?

a. Unauthorized reading
b. Theft
c. Unauthorized copying
d. Alteration

Answer 15

d. Alteration

Question 16

The MOST effective method for limiting the damage of an attack by a software virus is:*

a. software controls.
b. policies, standards and procedures.
c. logical access controls.
d. data communication standards.

Answer 16

a. software controls.

Question 17

Which of the following would be MOST appropriate to ensure the confidentiality of transactions initiated via the Internet?

a. Digital signature
b. Data encryption standard (DES)
c. Virtual private network (VPN)
d. Public key encryption

Answer 17

d. Public key encryption

Question 18

The PRIMARY objective of a firewall is to protect:

a. internal systems from exploitation by external threats.
b. external systems from exploitation by internal threats.
c. internal systems from exploitation by internal threats.
d. itself and attached systems against being used to attack other systems.

Answer 18

a. internal systems from exploitation by external threats.

Question 19

An IS auditor has just completed a review of an organization that has a mainframe and a client-server environment where all production data reside. Which of the following weaknesses would be considered the MOST serious?

a. The security officer also serves as the database administrator (DBA.)
b. Password controls are not administered over the client/server environment.
c. There is no business continuity plan for the mainframe system’s non-critical applications.
d. Most LANs do not back up file server fixed disks regularly.

Answer 19

b. Password controls are not administered over the client/server environment.

Question 20

A B-to-C e-commerce web site as part of its information security program wants to monitor, detect and prevent hacking activities and alert the system administrator when suspicious activities occur. Which of the following infrastructure components could be used for this purpose?

a. Intrusion prevention systems
b. Firewalls
c. Routers
d. Asymmetric encryption

Answer 20

a. Intrusion prevention systems

Question 21

An IS auditor discovers that an organization’s business continuity plan provides for an alternate processing site that will accommodate fifty percent of the primary processing capability. Based on this, which of the following actions should the IS auditor take?

a. Do nothing, because generally, less than twenty-five percent of all processing is critical to an organization’s survival and the backup capacity, therefore is adequate.
b. Identify applications that could be processed at the alternate site and develop manual procedures to backup other processing.
c. Ensure that critical applications have been identified and that the alternate site could process all such applications.
d. Recommend that the information processing facility arrange for an alternate processing site with the capacity to handle at least seventy-five percent of normal processing.

Answer 21

c. Ensure that critical applications have been identified and that the alternate site could process all such applications.

Question 22

Which of the following components of a business continuity plan is PRIMARILY the responsibility of an organization’s IS department?

a. Developing the business continuity plan
b. Selecting and approving the strategy for business continuity plan
c. Declaring a disaster
d. Restoring the IS systems and data after a disaster

Answer 22

d. Restoring the IS systems and data after a disaster

Question 23

In an audit of a business continuity plan, which of the following findings is of MOST concern?

a. There is no insurance for the addition of assets during the year.
b. BCP manual is not updated on a regular basis.
c. Testing of the backup of data has not been done regularly.
d. Records for maintenance of access system have not been maintained.

Answer 23

c. Testing of the backup of data has not been done regularly.

Question 24

Which of the following is the best reason to separate duties in a manual system?

a. to avoid collusion between the programmer and the computer operator
b. to ensure that supervision is not required
c. to prevent the record keeper from authorizing transactions
d. to enable the firm to function more efficiently

Answer 24

c. to prevent the record keeper from authorizing transactions

Question 25

Which statement is not true?

a. Auditors must maintain independence.
b. IT auditors attest to the integrity of the computer system.
c. IT auditing is independent of the general financial audit.
d. IT auditing can be performed by both external and internal auditors.

Answer 25

c. IT auditing is independent of the general financial audit.

Question 26

Which of the following is not an essential feature of a disaster recovery plan?

a. off-site storage of backups
b. computer services function
c. second site backup
d. critical applications identified

Answer 26

b. computer services function

Question 27

The least important item to store off-site in case of an emergency is

a. backups of systems software
b. backups of application software
c. documentation and blank forms
d. results of the latest test of the disaster recovery program

Answer 27

d. results of the latest test of the disaster recovery program

Question 28

Which of the following is considered an unintentional threat to the integrity of the operating system?

a. a hacker gaining access to the system because of a security flaw
b. a hardware flaw that causes the system to crash
c. a virus that formats the hard drive
d. the systems programmer accessing individual user files

Answer 28

b. a hardware flaw that causes the system to crash

Question 29

Which method will render useless data captured by unauthorized receivers? *

a. echo check
b. parity bit
c. public key encryption
d. message sequencing

Answer 29

c. public key encryption

Question 30

Firewalls are

a. special materials used to insulate computer facilities
b. a system that enforces access control between two networks
c. special software used to screen Internet access
d. none of the above

Answer 30

b. a system that enforces access control between two networks

Question 31

A distributed denial of service (DDoS) attack

a. is more intensive that a Dos attack because it emanates from single source
b. may take the form of either a SYN flood or smurf attack
c. is so named because it effects many victims simultaneously, which are distributed across the internet
d. turns the target victim’s computers into zombies that are unable to access the Internet
e. none of the above is correct

Answer 31

b. may take the form of either a SYN flood or smurf attack

Question 32

A digital signature is

a. the encrypted mathematical value of the message sender’s name
b. derived from the digest of a document that has been encrypted with the sender’s private key
c. the computed digest of the sender’s digital certificate
d. allows digital messages to be sent over analog telephone lines

Answer 32

b. derived from the digest of a document that has been encrypted with the sender’s private key

Question 33

When developing a risk-based audit strategy, an IS auditor should conduct a risk assessment to ensure that:

a. controls needed to mitigate risks are in place.
b. vulnerabilities and threats are identified.
c. audit risks are considered.
d. a gap analysis is appropriate.

Answer 33

b. vulnerabilities and threats are identified.

Question 34

An IS auditor issues an audit report pointing out the lack of firewall protection features at the perimeter network gateway and recommends a vendor product to address this vulnerability. The IS auditor has failed to exercise:

a. professional independence.
b. organizational independence.
c. technical competence.
d. professional competence.

Answer 34

a. professional independence.

Question 35

Which network device is capable of blocking network connections that are identified as potentially malicious?
A. Intrusion detection system (IDS)
B. Intrusion prevention system (IPS)
C. Demilitarized zone (DMZ)
D. Web server

Answer 35

B. Intrusion prevention system (IPS)

Question 36

Which tool can capture the packets transmitted between systems over a network?
A. Wardialer
B. OS fingerprinter
C. Port scanner
D. Protocol analyzer

Answer 36

D. Protocol analyzer

Question 37

Which term describes an action that can damage or compromise an asset?
A. Risk
B. Vulnerability
C. Countermeasure
D. Threat

Answer 37

D. Threat

Question 38

Which password attack is typically used specifically against password files that contain cryptographic hashes?
A. Brute-force attacks
B. Dictionary attacks
C. Birthday attacks
D. Social engineering attacks

Answer 38

C. Birthday attacks

Question 39

Barry discovers that an attacker is running an access point in a building adjacent to his company. The access point is broadcasting the security set identifier (SSID) of an open network owned by the coffee shop in his lobby. Which type of attack is likely taking place?
A. Evil twin
B. Wardriving
C. Bluesnarfing
D. Replay attack

Answer 39

A. Evil twin

Question 40

Alan is developing a business impact assessment for his organization. He is working with business units to determine the maximum allowable time to recover a particular function. What value is Alan determining?
A. Recovery time objective (RTO)
B. Recovery point objective (RPO)
C. Business recovery requirements
D. Technical recovery requirements

Answer 40

A. Recovery time objective (RTO)

Question 41

Dawn is selecting an alternative processing facility for her organization's primary data center. She would like to have a facility that balances cost and switchover time. What would be the best option in this situation?
A. Hot site
B. Warm site
C. Cold site
D. Primary site

Answer 41

B. Warm site

Question 42

Which one of the following is the best example of an authorization control?
A. Biometric device
B. Digital certificate
C. Access control lists
D. One-time password

Answer 42

C. Access control lists

Question 43

Alan is evaluating different biometric systems and is concerned that users might not want to subject themselves to retinal scans due to privacy concerns. Which characteristic of a biometric system is he considering?
A. Accuracy
B. Reaction time
C. Dynamism
D. Acceptability

Answer 43

D. Acceptability

Question 44

Which of the following is NOT a benefit of cloud computing to organizations?
A. On-demand provisioning
B. Improved disaster recovery
C. No need to maintain a data center
D. Lower dependence on outside vendors

Answer 44

D. Lower dependence on outside vendors

Question 45

In what type of attack does the attacker send unauthorized commands directly to a database?
A. Cross-site scripting
B. SQL injection
C. Cross-site request forgery
D. Database dumping

Answer 45

B. SQL injection

Question 46

What is the correct order of steps in the change control process?
A. Request, approval, impact assessment, build/test, monitor, implement
B. Request, impact assessment, approval, build/test, implement, monitor
C. Request, approval, impact assessment, build/test, implement, monitor
D. Request, impact assessment, approval, build/test, monitor, implement

Answer 46

B. Request, impact assessment, approval, build/test, implement, monitor

Question 47

Jacob is conducting an audit of the security controls at an organization as an independent reviewer. Which question would NOT be part of his audit?
A. Is the level of security control suitable for the risk it addresses?
B. Is the security control in the right place and working well?
C. Is the security control effective in addressing the risk it was designed to address?
D. Is the security control likely to become obsolete in the near future?

Answer 47

D. Is the security control likely to become obsolete in the near future?

Question 48

Which audit data collection method helps ensure that the information-gathering process covers all relevant areas?
A. Checklist
B. Interviews
C. Questionnaires
D. Observation

Answer 48

A. Checklist

Question 49

Which security testing activity uses tools that scan for services running on systems?
A. Reconnaissance
B. Penetration testing
C. Network mapping
D. Vulnerability testing

Answer 49

C. Network mapping

Question 50

Gary would like to choose an access control model in which the owner of a resource decides who may modify permissions on that resource. Which model fits that scenario?
A. Discretionary access control (DAC)
B. Mandatory access control (MAC)
C. Rule-based access control
D. Role-based access control (RBAC)

Answer 50

A. Discretionary access control (DAC)

Question 51

For disaster recovery purposes, what criteria are used to identify an application or data as critical? (5 marks)

Answer 51

Critical application and files are those that impact the short-run survival of the firm. Critical items impact cash flows, legal obligations, and customer relations.

Question 52

Indicate at least 5 benefits of the IT Risk Framework (10 marks).

Answer 52

• An accurate view of significant current and near future IT related risks throughout the extended enterprise
• End to end guidance on how to manage IT related risks
• Understanding how to capitalize in IT investment made in IT internal control
• Understanding how effective IT risk management enables business process efficiency
• When assessing and managing IT risk, integration with the overall risk and compliance structures within the enterprise
• A common framework language to help communication and understanding amongst business, IT, risk and audit management
• Promotion of risk responsibility and its acceptance throughout the enterprise
• A complete risk profile to better understand the enterprise’s full exposure as a better way to utilize resources

Question 53

What are the key objectives of information security? (5 marks)

Answer 53

• Confidentiality — Preserving authorized restrictions on access and disclosure, including means for protecting privacy and proprietary information
• Integrity — Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity
• Availability — Ensuring timely and reliable access to and use of information

Question 54

Describe a disaster recovery plan and components. In preparing the plan, what criteria are used to identify an application or data as critical? Also, describe two tests that an auditor would perform to ensure that the disaster recovery plan is adequate. (10 marks)

Answer 54

A disaster recovery plan is a comprehensive statement of all actions to be taken before, during, and after a disaster, along with documented, tested procedures that will ensure the continuity of operations. The essential features are: providing second site backup, identifying critical applications, backup and off-site storage procedures, creating a disaster recovery team, and testing the disaster recovery plan.

The auditor can perform a review of a second site backup plan, critical application list, and offsite backups of critical libraries, applications and data files; ensure that backup supplies, source documents and documentation are located off-site; review which employees are members of disaster recovery team.

Critical application and files are those that impact the short-run survival of the firm. Critical items impact cash flows, legal obligations, and customer relations.

Question 55

What are some typical problems with passwords? Explain what are the key features of the one-time password technique and mention the main reason for you to recommend this technique in an information system. (10 marks)

Answer 55

Typical problems with passwords include:
users failing to remember passwords; failure to change passwords frequently; displaying passwords where others can see them; using simple, easy-to-guess passwords.

Key features of the one-time password technique include:
The user’s password changes continuously.
This technology employs a credit card-sized smart card that contains a microprocessor programmed with an algorithm that generates, and electronically displays, a new and unique password every 60 seconds.
The card works in conjunction with special authentication software located on a mainframe or network server computer. Each user’s card is synchronized to the authentication software, so that at any point in time both the smart card and the network software are generating the same password for the same user.

This type of technology should be used in information systems with the problems associated with reusable passwords such as people sharing passwords, people forgetting passwords, passwords easy to guess and other problems discussed before.

Question 56

Contrast the Private Encryption Standard approach with the Public Key Encryption approach to controlling access to telecommunication messages. What problem is common to all private key encryption techniques? (10 marks)

Answer 56

In the Private Encryption Standard approach, both the sender and the receiver use the same key to encode and decode the message. In the Public Key Encryption approach all senders receive a copy of the key used to send messages; the receiver is the only one with access to the key to decode the message.

The main problem with the private key is being able to distribute the key in an unsecure environment like the internet. The more individuals who need to know the private key, the greater the probability of it falling into the wrong hands. If a perpetrator discovers the key, he or she can intercept and decipher coded messages unlike the public keys that are useless if intercepted for decipher coded messages purposes.