Review Flashcards
The success of control self-assessment depends highly on:
line managers assuming a portion of the responsibility for control monitoring.
The primary objective of a control self-assessment (CSA) program is to leverage the internal audit function by
shifting some of the control monitoring responsibilities to the functional area line managers. The success of a CSA program depends on the degree to which line managers assume responsibility for controls. This enables line managers to detect and respond to control errors promptly.
Which of the following is MOST important for the auditor to ensure continued alignment with the enterprise’s security requirements?
The vendor agrees in the contract to provide annual external audit reports. The only way to ensure that any potential risk is mitigated now and in the future is to include a clause in the contract requiring the vendor to provide future external audit reports. Without the audit clause, the vendor can choose to forgo future audits.
Without a(n) ____________ clause in the contract, an agreement to implement controls does not provide assurance that controls will continue to be implemented in alignment with the enterprise
audit
The purpose of using data flow diagrams is to
graphically summarize data paths and storage.
Data flow diagrams are used as aids to graph or chart data flow and storage.
They trace data from their origination to destination, highlighting the paths and storage of data.
The MOST serious challenge in the operation of an intrusion detection system is
filtering false positive alerts.
Because of the configuration and the way intrusion detection system (IDS) technology operates, the main problem in operating an IDS is the recognition (detection) of events
that are not really security incidents: false positives, the equivalent of a false alarm. An IS auditor needs to be aware of this and should check for the implementation of related controls (such as IDS tuning) and incident handling procedures (such as a screening process) used to decide whether an event is a security incident or a false positive.
Blocking suspicious connections is a characteristic of intrusion prevention systems (IPS), which are a different type of network security system from an
IDS (intrusion detection system), which only detects and alerts.
A company’s development team does not follow generally accepted system development life cycle practices. Which of the following is MOST likely to cause problems for software development projects?
Project responsibilities are not formally defined at the beginning of a project.
Errors or lack of attention in the initial phases of a project may cause
costly errors and inefficiencies in later phases. Proper planning is required at the beginning of a project.
Prototypes are verified
by users.
User acceptance testing is seldom completely successful. If errors are not critical,
they may be corrected after implementation without seriously affecting usage.
Lack of adequate program documentation, while a concern, is
not as big a risk as the lack of assigned responsibilities during the initial stages of the project.
Which is the MOST important skill that an IS auditor should develop to understand the constraints of conducting an audit?
Project management
Audits often involve resource management, deliverables, scheduling and deadlines that are similar to
project management good practices.
Which of the following BEST helps prioritize the recovery of IT assets when planning for a disaster?
Business impact analysis
Incorporating the business impact analysis (BIA) into the IT disaster recovery planning process is critical to ensure
that IT assets are prioritized to align with the business.
An incident response plan is an organized approach to addressing and managing
a security breach or attack.
An incident response plan
defines what constitutes an incident and the process to follow when an incident occurs.
An incident response plan
does NOT prioritize recovery during a disaster.
Identifying threats and analyzing risk to the business is an important part of disaster planning, but it does NOT determine the priority of recovery.
The recovery time objective (RTO) is
the amount of time allowed for the recovery of a business function or resource after a disaster occurs.
The recovery time objective (RTO) is
included as part of the BIA and used to represent the prioritization of recovery.
An IS auditor reviewing an outsourcing contract of IT facilities expects it to define the:
ownership of intellectual property.
An outsourcing contract must specify
who owns the intellectual property (i.e., information being processed and application programs). Ownership of intellectual property is a significant cost and is a key aspect to be defined in an outsourcing contract.
Stakeholders PRIMARILY responsible for reviewing and signing-off on the accuracy and completeness of the data before going live?
Data owner
An IS auditor
should ensure that there is a review and sign-off by the data owner during the data conversion stage of the project.
A database administrator’s primary responsibility is to
maintain the integrity of the database and make the database available to users. A database administrator is not responsible for reviewing migrated data.
A project manager provides
day-to-day management and leadership of the project but is not responsible for the accuracy and integrity of the data.
Senior management should
establish the acceptable risk level because they have the ultimate or final responsibility for the effective and efficient operation of the organization as a senior manager of the business process. The person can be the quality assurance (QA), chief information officer (CIO), or the chief security officer (CSO), but the responsibility rests with the business manager.
Quality assurance management is
concerned with the reliability and consistency of processes. The QA team is not responsible for determining an acceptable risk level.
Establishing the level of acceptable risk is the responsibility of:
senior business management.
The CIO is the
most senior official of the enterprise who is accountable for IT advocacy; aligning IT and business strategies; and planning, resourcing and managing the delivery of IT services, information and the deployment of associated human resources. The CIO is rarely the person that determines acceptable risk levels because this could be a conflict of interest unless the CIO is the senior business process owner.
The chief security officer is
responsible for enforcing the decisions of the senior management team unless the CIO is the business process manager.
An IS auditor reviewing the process of log monitoring wants to evaluate the organization’s manual review process. Which of the following audit techniques would the auditor MOST likely employ to fulfill this purpose?
Walk-through
Walk-through procedures include
a combination of inquiry, observation, inspection of relevant documentation and reperformance of controls. A walk-through of the manual log review process follows the manual log review process from start to finish to gain a thorough understanding of the overall process and identify potential control weaknesses.
Inspection
is just one component of a walk-through and by itself does not supply enough information to provide a full understanding of the overall process and identify potential control weaknesses.
Inquiry
provides only general information on how the control is executed. It does not necessarily enable the IS auditor to determine whether the control performer has an in-depth understanding of the control.
Reperformance of the control is carried out by
the IS auditor and does not provide assurance of the competency of the auditee.
An IS auditor reviewing a cloud computing environment that is managed by a third party should be MOST concerned when
the service level agreement does not address the responsibility of the vendor in the case of a security breach.
The ultimate purpose of IT governance is to:
encourage optimal use of IT.
IT governance is intended to
specify the combination of decision rights and accountability that is best for the enterprise. It is different for every enterprise.
Parallel operation is designed to
provide assurance that a new system meets its functional requirements. This is the safest form of system conversion testing because, if the new system fails, the old system is still available for production use. In addition, this form of testing allows the application developers and administrators to simultaneously run operational tasks (e.g., batch jobs and backups) on both systems, to ensure that the new system is reliable before unplugging the old system.
Parallel operation provides a high level of assurance that the new system functions properly compared to the old system. Parallel operation is generally expensive and does not provide a cost savings over most other testing approaches. In many cases, parallel operation is the most
expensive form of system testing due to the need for dual data entry, dual sets of hardware, dual maintenance and dual backups—it is twice the amount of work as running a production system and, therefore, costs more time and money.
The IS auditor is reviewing a recently completed conversion to a new enterprise resource planning system. In the final stage of the conversion process, the organization ran the old and new systems in parallel for 30 days before allowing the new system to run on its own. What is the MOST significant advantage to the organization by using this strategy?
Assurance that the new system meets functional requirements
Parallel operation is designed to test the application’s effectiveness and integrity of application data, not
hardware compatibility.
Which of the following is a responsibility of the chief information security officer?
Periodically reviewing and evaluating the security policy
The role of the chief information security officer is to ensure that the corporate
security policy and controls are adequate to prevent unauthorized access to the enterprise assets, including data, programs and equipment.
User application and other software testing and evaluation normally are the responsibility of the
staff assigned to development and maintenance.
Granting and revoking user access to IT resources
is usually a function of system, network or database administrators.
Approval of access to data and applications is
the duty of the data or application owner.
Which type of penetration test simulates a real attack and is used to test incident handling and response capability of the target?
Double-blind testing
Double-blind testing is also known as
zero-knowledge testing. This refers to a test where the penetration tester is not given any information and the target organization is not given any warning—both parties are “blind” to the test. This is the best scenario for testing response capability because the target will react as if the attack were real.
Blind testing is
also known as black-box testing.
Black-box testing
refers to a test where the penetration tester is not given any information and is forced to rely on publicly available information. This test simulates a real attack, except that the target organization is aware of the test being conducted.
Targeted testing is
also known as white-box testing
White-box testing
refers to a test where the penetration tester is provided with information and the target organization is also aware of the testing activities. In some cases, the tester is also provided with a limited-privilege account to be used as a starting point.
External testing
refers to a test where an external penetration tester launches attacks on the target’s network perimeter from outside the target network (typically from the Internet).
A company has decided to implement an electronic signature scheme based on a public key infrastructure. The user’s private key will be stored on the computer’s hard drive and protected by a password. The MOST significant risk of this approach is:
use of the user’s electronic signature by another person if the password is compromised.
Creating a digital signature with another user’s private key would indicate that the message
came from a different person; therefore, the true user’s credentials would not be forged.
Impersonation of a user by substitution of the user’s public key with another person’s public key
would require the modification of the certificate issued by the certificate authority. This is very difficult and least likely.
Forgery by substitution of another person’s private key on the computer
would not work because the digital signature would be validated with the original user’s public key and fail.
Regarding a PIN, what is the MOST important rule to be included in a security policy?
Users should never write down their PIN
If a user writes their PIN on a slip of paper, an individual with the token, the slip of paper and the computer could access the corporate network. A token combined with a PIN is a two-factor authentication method (something you have plus something you know); a written-down PIN collapses it to a single factor.
The purpose of code signing is to provide assurance that:
the software has not been subsequently modified.
Code signing ensures that the executable code came from the holder of the signing key and
has not been modified after being signed.
Code signing provides assurance of the source, but it does not ensure that the source is
trustworthy: a valid signature from an unknown or malicious publisher is still a valid signature. Code signing will, however, ensure that the code has not been modified since it was signed.
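The signature and code-signing cards above (stored private key protected by a password; forgery by substituting another private key; detection of modification; source versus trust) as one added worked example, not code from the original flashcards. It uses textbook RSA over fixed Mersenne primes with a truncated SHA-256 digest and no padding, and a password-derived XOR keystream for the key file; these are toy constructions chosen so the script runs with only the standard library, and none of them is a secure scheme. The party names, message, password and salt are constructed for the demonstration.

```python
import hashlib

E = 65537  # public exponent; fine with the primes below (65537 divides 2^k-1 only when 32 | k)


def make_keypair(p: int, q: int, e: int = E):
    """Textbook RSA: returns ((n, e), (n, d)). Toy sizes, no padding; demonstration only."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))  # modular inverse, Python 3.8+
    return (n, e), (n, d)


def _digest_int(message: bytes) -> int:
    """SHA-256 truncated to 224 bits so the value is always below n (toy encoding, not PKCS#1)."""
    return int.from_bytes(hashlib.sha256(message).digest()[:28], "big")


def sign(message: bytes, private_key) -> int:
    n, d = private_key
    return pow(_digest_int(message), d, n)


def verify(message: bytes, signature: int, public_key) -> bool:
    n, e = public_key
    return pow(signature, e, n) == _digest_int(message)


def _keystream(password: bytes, salt: bytes, length: int) -> bytes:
    """Password-derived keystream: PBKDF2, then SHA-256 in counter mode (toy construction)."""
    key = hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)
    blocks = (length + 31) // 32
    return b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest() for i in range(blocks))[:length]


def protect_private_key(private_key, password: bytes, salt: bytes) -> bytes:
    """Models 'private key on the hard drive, protected by a password': d XOR keystream(password)."""
    n, d = private_key
    d_bytes = d.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes(a ^ b for a, b in zip(d_bytes, _keystream(password, salt, len(d_bytes))))


def unlock_private_key(blob: bytes, n: int, password: bytes, salt: bytes):
    """Recover (n, d). A wrong password silently yields a garbage d rather than an error."""
    d_bytes = bytes(a ^ b for a, b in zip(blob, _keystream(password, salt, len(blob))))
    return (n, int.from_bytes(d_bytes, "big"))


# Constructed parties and data (assumptions for the demo).
ALICE_PUB, ALICE_PRIV = make_keypair((1 << 107) - 1, (1 << 127) - 1)
MALLORY_PUB, MALLORY_PRIV = make_keypair((1 << 89) - 1, (1 << 521) - 1)
SALT, PASSWORD = b"constructed-salt", b"correct horse"
MESSAGE = b"Approve wire transfer #4711"
ARTIFACT = b"#!/bin/sh\necho installing\n"


def stolen_key_file_and_password() -> bool:
    """The card's MOST significant risk: file + password lets anyone sign as Alice."""
    blob = protect_private_key(ALICE_PRIV, PASSWORD, SALT)
    attacker_key = unlock_private_key(blob, ALICE_PUB[0], PASSWORD, SALT)
    return verify(MESSAGE, sign(MESSAGE, attacker_key), ALICE_PUB)


def stolen_key_file_wrong_password() -> bool:
    """Without the password the unlocked d is garbage and the signature does not verify."""
    blob = protect_private_key(ALICE_PRIV, PASSWORD, SALT)
    attacker_key = unlock_private_key(blob, ALICE_PUB[0], b"guess", SALT)
    return verify(MESSAGE, sign(MESSAGE, attacker_key), ALICE_PUB)


def substituted_private_key() -> bool:
    """Mallory signs with her own private key; validation against Alice's public key fails."""
    return verify(MESSAGE, sign(MESSAGE, MALLORY_PRIV), ALICE_PUB)


def tampered_signed_artifact() -> bool:
    """Code signing: one changed byte after signing and the signature no longer verifies."""
    sig = sign(ARTIFACT, ALICE_PRIV)
    return verify(ARTIFACT.replace(b"installing", b"backdooring"), sig, ALICE_PUB)


def valid_signature_from_untrusted_publisher() -> bool:
    """A valid signature only tells you who signed; it says nothing about whether to trust them."""
    return verify(ARTIFACT, sign(ARTIFACT, MALLORY_PRIV), MALLORY_PUB)


if __name__ == "__main__":
    print("stolen file + password signs as Alice:", stolen_key_file_and_password())
    print("stolen file, wrong password:", stolen_key_file_wrong_password())
    print("Mallory's key checked against Alice's public key:", substituted_private_key())
    print("tampered artifact verifies:", tampered_signed_artifact())
    print("Mallory-signed artifact verifies under Mallory's key:", valid_signature_from_untrusted_publisher())
```

The first function is the whole point of the flashcard: the password guards the file, but anyone holding both the file and the password produces signatures that are indistinguishable from Alice's. The last function is the code-signing caveat: the signature on the artifact is valid, and the artifact is unmodified, yet nothing in the check says the publisher should be trusted; that decision comes from the certificate chain and policy, which this toy deliberately omits.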