Chapter 11. Answer Key 2


1. A
2. B
3. C
4. C
5. D
6. D
7. B
8. A
9. B
10. A
11. A
12. B
13. C
14. A
15. D
16. B
17. C
18. A
19. A
20. B
21. A
22. A
23. B
24. D
25. B
26. C
27. C
28. A
29. A
30. B
31. A
32. C
33. D
34. B
35. A
36. C
37. C
38. D
39. A
40. B
41. A
42. C
43. C
44. A
45. B
46. A
47. C
48. B
49. C
50. A
51. B
52. B
53. C
54. B
55. A
56. A
57. D
58. B
59. A
60. C
61. B
62. B
63. B
64. A
65. B
66. A
67. D
68. C
69. D
70. D
71. B
72. C
73. A
74. D
75. A
76. B
77. D
78. A
79. A
80. A
81. B
82. B
83. B
84. A
85. A
86. C
87. B
88. C
89. D
90. B
91. A
92. A
93. D
94. A
95. C
96. D
97. A
98. B
99. C
100. A

Question 1

Answer A is correct. Using a statistical sample to inventory the tape library is an example of a substantive test.

Question 2

Answer B is correct. If proper identification and authentication are not performed during access control, no accountability can exist for any action performed.

Question 3

Answer C is correct. In planning an audit, the most critical step is identifying the areas of high risk.

Question 4

Answer C is correct. When evaluating the collective effect of preventive, detective, or corrective controls within a process, an IS auditor should be aware of the point at which controls are exercised as data flows through the system.

Question 5

Answer D is correct. When implementing continuous-monitoring systems, an IS auditor's first step is to identify high-risk areas within the organization.

Question 6

Answer D is correct. Inherent risk is associated with authorized program exits (trap doors).

Question 7

Answer B is correct. Generalized audit software can be used to search for address field duplications.

Question 8

Answer A is correct. Lack of reporting of a successful attack on the network is a great concern to an IS auditor.

Question 9

Answer B is correct. An integrated test facility is considered a useful audit tool because it compares processing output with independently calculated data.

Question 10

Answer A is correct. It is true that an advantage of a continuous audit approach is that it can improve system security when used in time-sharing environments that process a large number of transactions.

Question 11

Answer A is correct. An IS auditor's primary responsibility is to advise senior management of the risk involved in not implementing proper segregation of duties, such as having the security administrator perform an operations function.

Question 12

Answer B is correct. Business unit management is responsible for implementing cost-effective controls in an automated system.

Question 13

Answer C is correct. The primary reason an IS auditor reviews an organization chart is to better understand the responsibilities and authority of individuals.

Question 14

Answer A is correct. Ensuring that security and control policies support business and IT objectives is a primary objective of an IT security policies audit.

Question 15

Answer D is correct. When auditing third-party service providers, an auditor should be concerned with ownership of programs and files, a statement of due care and confidentiality, and the capability for continued service of the service provider in the event of a disaster.

Question 16

Answer B is correct. When performing an IS strategy audit, an IS auditor should review both short-term (one-year) and long-term (three- to five-year) IS strategies, interview appropriate corporate management personnel, and ensure that the external environment has been considered.

Question 17

Answer C is correct. IS assessment methods allow IS management to determine whether the activities of the organization differ from the planned or expected levels.

Question 18

Answer A is correct. Reviewing an audit client's business plan should be performed before reviewing an organization's IT strategic plan.

Question 19

Answer A is correct. Allowing application programmers to directly patch or change code in production programs increases risk of fraud.

Question 20

Answer B is correct. Security administrators are usually responsible for network security operations.

Question 21

Answer A is correct. Proper segregation of duties does not prohibit a quality-control administrator from also being responsible for change control and problem management.

Question 22

Answer A is correct. Layering perimeter network protection by configuring the firewall as a screened host in a screened subnet behind the bastion host provides a higher level of protection from external attack than all other answers.

Question 23

Answer B is correct. The directory system of a database-management system describes the location of data and the access method.

Question 24

Answer D is correct. Improper file access becomes a greater risk when implementing a database system.

Question 25

Answer B is correct. To protect against unauthorized disclosure of sensitive data, hard disks should be demagnetized (degaussed) before disposal or release. Degaussing destroys data on magnetic media only; solid-state storage needs a different sanitization method.

Question 26

Answer C is correct. When reviewing print systems spooling, an IS auditor is most concerned with the potential for unauthorized printing of report copies.

Question 27

Answer C is correct. The WAP gateway converts between Wireless Transport Layer Security (WTLS) on the wireless side and SSL/TLS on the Internet side. Because it must decrypt the WTLS session and re-encrypt it for SSL/TLS, message contents exist in cleartext inside the gateway, so it is the component warranting the most critical concern and review when auditing and testing controls that enforce message confidentiality.

Question 28

Answer A is correct. Proper segregation of duties prevents a computer operator (user) from performing security administration duties.

Question 29

Answer A is correct. Modems (modulator/demodulators) convert digital signals to analog and analog signals back to digital, and are required wherever an analog transmission path, such as a telephone line, connects to a digital network.

Question 30

Answer B is correct. Neural networks are effective in detecting fraud because they have the capability to consider a large number of variables when trying to resolve a problem.

Question 31

Answer A is correct. Diverse routing supports data transmission through split cable facilities, or duplicate cable facilities.

Question 32

Answer C is correct. An application-layer gateway (proxy firewall) and a stateful-inspection firewall provide the greatest degree of protection and control of the options listed. A proxy firewall terminates each connection and inspects the traffic up to the application layer; a stateful-inspection firewall tracks the state of every connection at the network and transport layers and admits only packets that belong to an established session. A simple packet filter, by contrast, examines each packet's headers in isolation.

Question 33

Answer D is correct. Inefficient and superfluous use of network devices such as hubs can degrade network performance.

Question 34

Answer B is correct. Data mirroring and parallel processing are both used to provide near-immediate recoverability for time-sensitive systems and transaction processing.

Question 35

Answer A is correct. Creating user accounts that automatically expire by a predetermined date is an effective control for granting temporary access to vendors and external support personnel.

Question 36

Answer C is correct. Outbound (egress) traffic filtering, such as dropping packets whose source address does not belong to the organization, can help prevent an organization's systems from participating in a distributed denial-of-service (DDoS) attack.

Question 37

Answer C is correct. Improperly configured routers and router access lists are a common vulnerability for denial-of-service attacks.

Question 38

Answer D is correct. Trojan horse programs are a common form of Internet attack.

Question 39

Answer A is correct. Network performance-monitoring tools are used to measure and ensure proper network capacity management and availability of services.

Question 40

Answer B is correct. Intrusion-detection systems (IDS) are used to gather evidence of network attacks.

Question 41

Answer A is correct. Traffic analysis is a passive attack method used by intruders to determine potential network vulnerabilities. All others are active attacks.

Question 42

Answer C is correct. Although many methods of fire suppression exist, dry-pipe sprinklers are considered to be the most environmentally friendly.

Question 43

Answer C is correct. A callback system is a remote-access control whereby the user initially connects to the network systems via dial-up access, only to have the initial connection terminated by the server, which then subsequently dials the user back at a predetermined number stored in the server's configuration database.

Question 44

Answer A is correct. A dry-pipe sprinkler system keeps its pipes filled with pressurized air rather than water. When a sprinkler head opens, the pressure drop releases water from the main valve into the system of dry pipes installed throughout the facility, so no water stands in the pipes above the equipment until it is needed.

Question 45

Answer B is correct. To create a digital signature, the sender computes a hash (message digest) of the data and "signs" it by encrypting that hash with the sender's private key. The recipient decrypts the signature with the sender's public key and compares the result with a hash computed over the received data; a match shows that the data came from the holder of the private key and was not altered in transit.
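The sign/verify exchange described above, as an added worked example that is not part of the Exam Cram text: textbook RSA with two fixed, toy-sized Mersenne primes so that it runs with the Python standard library alone. Real signatures use 2048-bit or larger keys with a padding scheme such as RSA-PSS, or ECDSA/Ed25519, from a vetted library; the key material, message and function names here are this example's own assumptions and only illustrate that the recipient recovers the signed digest with the sender's public key and compares it with a digest of the received data.

```python
import hashlib

# Toy key material, constructed for this example only: two Mersenne primes.
# Far too small for real use, but enough to show the mechanics.
P = (1 << 31) - 1          # 2**31 - 1
Q = (1 << 61) - 1          # 2**61 - 1
E = 65537                  # conventional public exponent


def make_keypair(p=P, q=Q, e=E):
    """Textbook RSA: public key (e, n), private key (d, n)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)    # modular inverse of e (Python 3.8+)
    return (e, n), (d, n)


def digest(message: bytes, n: int) -> int:
    """SHA-256 of the message, reduced so the integer fits below the modulus.
    (A real scheme pads the hash up to the modulus size instead of reducing it.)"""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message: bytes, private_key) -> int:
    """Sender: hash the data, then 'encrypt' the hash with the private key."""
    d, n = private_key
    return pow(digest(message, n), d, n)


def verify(message: bytes, signature: int, public_key) -> bool:
    """Recipient: 'decrypt' the signature with the sender's public key and
    compare it with a freshly computed hash of the received data."""
    e, n = public_key
    return pow(signature, e, n) == digest(message, n)


if __name__ == "__main__":
    alice_pub, alice_priv = make_keypair()
    msg = b"PAY 125.00 TO ACCT 4000123"             # constructed sample message
    sig = sign(msg, alice_priv)

    print("genuine      :", verify(msg, sig, alice_pub))                           # True
    print("altered data :", verify(msg.replace(b"125", b"925"), sig, alice_pub))   # False

    # Another party's key pair cannot validate Alice's signature (origin check).
    mallory_pub, _ = make_keypair(q=(1 << 127) - 1)   # 2**127 - 1, also prime
    print("wrong signer :", verify(msg, sig, mallory_pub))                         # False
```

Note that only the hash is signed, not the data itself: the data travels in the clear (a signature gives origin and integrity, not confidentiality), and the recipient must recompute the hash over exactly the bytes received.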

Question 46

Answer A is correct. Although biometrics provides only single-factor authentication, many consider it to be an excellent method for user authentication.

Question 47

Answer C is correct. A website certificate is used to provide authentication of the website and can also be used to successfully authenticate keys used for data encryption.

Question 48

Answer B is correct. The strength of a secret key within a symmetric key cryptosystem is determined by a combination of key length, initialization vectors (IVs), and the strength of the data-encryption algorithm that uses the key.

Question 49

Answer D is correct. Authentication is used to validate a subject's identity.

Question 50

Answer A is correct. Database integrity is most often ensured through table link verification and reference checks, that is, referential-integrity checks confirming that every foreign key points at an existing row in the related table.

Question 51

Answer B is correct. IS auditors should review access-control lists (ACL) to determine user permissions that have been granted for a particular resource.

Question 52

Answer B is correct. IS auditors should always check that password files are protected from disclosure: passwords must be stored encrypted or, better, as salted one-way hashes, never in cleartext, and the file itself must not be readable by ordinary users.
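What a properly protected password store looks like, as an added example that is not part of the Exam Cram text: each password is stored as a salted, iterated one-way hash (PBKDF2 from the Python standard library), so that reading the file yields nothing directly usable, and a small audit helper flags entries that are not in that form. The record format, function names and the sample password file are this example's own constructed assumptions.

```python
import base64
import hashlib
import hmac
import os

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000        # work factor; raise it as hardware gets faster


def hash_password(password: str, salt: bytes = None) -> str:
    """Store a salted one-way hash, never the password or a reversible encryption of it."""
    salt = salt or os.urandom(16)                      # fresh random salt per user
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return "$".join([ALGORITHM, str(ITERATIONS),
                     base64.b64encode(salt).decode(), base64.b64encode(dk).decode()])


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    algorithm, iterations, salt_b64, hash_b64 = record.split("$")
    if algorithm != ALGORITHM:
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             base64.b64decode(salt_b64), int(iterations))
    return hmac.compare_digest(dk, base64.b64decode(hash_b64))


def weak_entries(password_file_lines):
    """Audit helper: users whose stored credential is not a salted PBKDF2 record
    (cleartext, a bare unsalted digest, or an unknown format)."""
    weak = []
    for line in password_file_lines:
        user, stored = line.rstrip("\n").split(":", 1)
        if not stored.startswith(ALGORITHM + "$"):
            weak.append(user)
    return weak


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print(verify_password("correct horse battery staple", rec))   # True
    print(verify_password("wrong password", rec))                  # False
    # Same password for another user: the random salt yields a different record,
    # so identical passwords cannot be spotted by comparing stored values.
    print(hash_password("correct horse battery staple") != rec)    # True

    # Constructed sample password file: one good entry, one cleartext, one unsalted MD5.
    sample = [
        "alice:" + rec,
        "bob:Summer2005!",
        "carol:" + hashlib.md5(b"Summer2005!").hexdigest(),
    ]
    print(weak_entries(sample))                                     # ['bob', 'carol']
```

The constant-time comparison (`hmac.compare_digest`) matters as much as the hash: a plain `==` on the digest can leak how many leading bytes matched through timing.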

Question 53

Answer C is correct. User applications often encrypt and encapsulate data using protocols within the OSI session layer or farther down in the transport layer.

Question 54

Answer B is correct. Systems administrators should always assess the impact of patches before installation.

Question 55

Answer A is correct. Adopting and communicating a comprehensive antivirus policy is the most fundamental step in preventing virus attacks. All other antivirus prevention efforts rely upon decisions established and communicated via policy.

Question 56

Answer A is correct. A major IS audit concern is users' ability to directly modify the database.

Question 57

Answer D is correct. Intrusion-detection systems (IDS) are used to identify intrusion attempts on a network.

Question 58

Answer B is correct. Instead of simply reviewing the effectiveness and utilization of assets, an IS auditor is more concerned with adequate access control, appropriate access policies, and effectiveness of safeguards and procedures.

Question 59

Answer A is correct. If a programmer has update access to a live system, IS auditors are more concerned with the programmer's ability to initiate or modify transactions and the ability to access production than with the programmer's ability to authorize transactions.

Question 60

Answer C is correct. Redundancy is the best answer because it provides both integrity and availability. Organizations should use off-site storage facilities to maintain redundancy of current and critical information within backup files.

Question 61

Answer B is correct. The primary purpose of business continuity planning and disaster-recovery planning is to mitigate, or reduce, the risk and impact of a business interruption or disaster. Total elimination of risk is impossible.

Question 62

Answer B is correct. If a database is restored from a backup taken before the last system image, processing must be restarted from the point before the last transaction, because that transaction is not in the restored data and must be reprocessed.

Question 63

Answer B is correct. An off-site processing facility should not be easily identifiable externally because easy identification would create an additional vulnerability for sabotage.

Question 64

Answer A is correct. Although the primary business objective of BCP and DRP is to mitigate the risk and impact of a business interruption, the dominating objective remains the protection of human life.

Question 65

Answer B is correct. Single points of failure, and the exposure of all resources to one common disaster, are minimized by geographically dispersing resources.

Question 66

Answer A is correct. Mitigating the risk and impact of a disaster or business interruption usually takes priority over transferring risk to a third party such as an insurer.

Question 67

Answer D is correct. Off-site data storage should be kept synchronized when preparing for the recovery of time-sensitive data such as that resulting from transaction processing.

Question 68

Answer C is correct. Shadow file processing can be implemented as a recovery mechanism for extremely time-sensitive transaction processing.

Question 69

Answer D is correct. Off-site data backup and storage should be geographically separated, to mitigate the risk of a widespread physical disaster such as a hurricane or an earthquake.

Question 70

Answer D is correct. A clause for requiring source code escrow in an application vendor agreement is important to ensure that the source code remains available even if the application vendor goes out of business.

Question 71

Answer B is correct. Decision trees use questionnaires to lead the user through a series of choices to reach a conclusion.

Question 72

Answer C is correct. Source code escrow protects an application purchaser's ability to fix or change an application in case the application vendor goes out of business.

Question 73

Answer A is correct. The project sponsor is ultimately responsible for providing requirement specifications to the software-development team.

Question 74

Answer D is correct. Regression testing should use data from previous tests to obtain accurate conclusions regarding the effects of changes or corrections to a program, and ensuring that those changes and corrections have not introduced new errors.

Question 75

Answer A is correct. An IS auditor should carefully review the functional requirements in a systems-development project to ensure that the project is designed to meet business objectives.

Question 76

Answer B is correct. Procedures to prevent scope creep are baselined in the design phase of the systems-development life cycle (SDLC) model.

Question 77

Answer D is correct. Application controls should be considered as early as possible in the system-development process, even in the development of the project's functional specifications.

Question 78

Answer A is correct. Rapid application development (RAD) is used to develop strategically important systems faster, reduce development costs, and still maintain high quality.

Question 79

Answer A is correct. Test and development environments should be separated, to control the stability of the test environment.

Question 80

Answer A is correct. Programmers should perform unit, module, and full regression testing following any changes to an application or system.

Question 81

Answer B is correct. Rapid application development (RAD) uses a prototype that can be updated continually to meet changing user or business requirements.

Question 82

Answer B is correct. Inadequate user participation during system requirements definition is the most common reason for information systems to fail to meet the needs of users.

Question 83

Answer B is correct. The project steering committee is responsible for the overall direction, costs, and timetables for systems-development projects.

Question 84

Answer A is correct. Plans for testing for user acceptance are usually prepared in the requirements definition phase of the systems-development project.

Question 85

Answer A is correct. Above almost all other concerns, failing to perform user acceptance testing often results in the greatest negative impact on the implementation of new application software.

Question 86

Answer C is correct. Input/output controls should be implemented for both the sending and receiving applications in an integrated systems environment.

Question 87

Answer B is correct. Authentication techniques for sending and receiving data between EDI systems are crucial to prevent unauthorized transactions.

Question 88

Answer C is correct. After identifying potential security vulnerabilities, the IS auditor's next step is to perform a business impact analysis of the threats that would exploit the vulnerabilities.

Question 89

Answer D is correct. Transaction authorization is the primary security concern for EDI environments.

Question 90

Answer B is correct. Threats exploit vulnerabilities to cause loss or damage to the organization and its assets.

Question 91

Answer A is correct. Business process re-engineering often results in increased automation, which results in a greater number of people using technology.

Question 92

Answer A is correct. Whenever business processes have been re-engineered, the IS auditor should attempt to identify and quantify the impact of any controls that might have been removed, or controls that might not work as effectively after business process changes.

Question 93

Answer D is correct. An application-level edit check to verify availability of funds should be completed at the electronic funds transfer (EFT) interface before an EFT is initiated.

Question 94

Answer A is correct. Control totals should be implemented as early as data preparation to support data integrity at the earliest point possible.

Question 95

Answer C is correct. Hash totals are used as a control to detect loss, corruption, or duplication of data.
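Control totals and hash totals in practice, as an added example that is not part of the Exam Cram text and that serves both Question 94 and Question 95: the totals are computed when the batch is prepared, carried with it, and recomputed after transmission or processing. The batch is constructed sample data, and the record layout, totals and function names are this example's own; the order-sensitive digest at the end goes slightly beyond the text to show the one case batch totals cannot catch.

```python
import hashlib
from decimal import Decimal

# Constructed batch of payment records: (account number, amount).
BATCH = [
    ("4000123", Decimal("125.00")),
    ("4000456", Decimal("80.50")),
    ("4000789", Decimal("1200.00")),
    ("4000321", Decimal("19.99")),
]


def control_totals(records):
    """Computed at data preparation and carried with the batch.
    record_count and financial_total are ordinary control totals; the hash total
    is a sum over a field (account numbers) that has no business meaning."""
    return {
        "record_count": len(records),
        "financial_total": sum((amt for _, amt in records), Decimal("0")),
        "hash_total": sum(int(acct) for acct, _ in records),
    }


def batch_digest(records) -> str:
    """Order-sensitive digest of the whole batch; catches what the totals cannot."""
    payload = "\n".join(f"{acct},{amt}" for acct, amt in records).encode()
    return hashlib.sha256(payload).hexdigest()


def reconcile(records, expected):
    """Recompute after transfer/processing; return {total: (expected, actual)} for mismatches."""
    actual = control_totals(records)
    return {k: (expected[k], actual[k]) for k in expected if expected[k] != actual[k]}


if __name__ == "__main__":
    expected = control_totals(BATCH)
    print("intact     :", reconcile(BATCH, expected))                       # {}
    print("lost record:", list(reconcile(BATCH[:-1], expected)))            # all three totals
    print("duplicate  :", list(reconcile(BATCH + [BATCH[0]], expected)))    # all three totals

    # Account number changed, amount unchanged: only the hash total notices.
    altered = [("4000124", Decimal("125.00"))] + BATCH[1:]
    print("altered key:", list(reconcile(altered, expected)))               # ['hash_total']

    # Amounts swapped between two records: every total still balances, which is
    # the limitation of totals; the order-sensitive digest still detects it.
    swapped = [(BATCH[0][0], BATCH[1][1]), (BATCH[1][0], BATCH[0][1])] + BATCH[2:]
    print("swapped    :", reconcile(swapped, expected),
          batch_digest(swapped) != batch_digest(BATCH))                     # {} True
```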

Question 96

Answer D is correct. Data edits are implemented before processing and are considered preventive integrity controls.

Question 97

Answer A is correct. In small office environments, it is not always possible to maintain proper segregation of duties for programmers. If a programmer has access to production data or applications, compensating controls, such as comparing transaction results against the approved input, might be necessary.

Question 98

Answer B is correct. Processing controls ensure that data is accurate and complete, and is processed only through authorized routines.

Question 99

Answer C is correct. A reasonableness check is a data validation edit control that compares input data against predetermined reasonable limits or an expected occurrence rate; a value can be within the valid range and still be rejected as unreasonable (for example, weekly hours far above a normal working week).
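The edit checks of Questions 96, 98 and 99 applied before processing, as an added example that is not part of the Exam Cram text: completeness, existence, range, validity and reasonableness checks run on every input record, and only records that pass reach the processing routine, which is what makes them preventive rather than detective. The timesheet layout, employee master file, tolerance and error codes are this example's own constructed assumptions.

```python
from datetime import date

# Constructed employee master file: valid employee IDs and hourly pay rates.
EMPLOYEES = {"E100": 25.0, "E200": 40.0, "E300": 18.5}

# Expected occurrence rate for the hours field: a normal week is 40 hours.
# Anything more than 50% away from that is flagged as unreasonable even when
# the value is technically inside the valid range.
EXPECTED_HOURS = 40.0
TOLERANCE = 0.5


def edit_checks(rec, master=EMPLOYEES):
    """Return a list of error codes for one input record; empty means it passes."""
    errors = []
    emp, hours, week_ending = rec.get("emp"), rec.get("hours"), rec.get("week_ending")
    if emp is None or hours is None or week_ending is None:
        return ["COMPLETENESS"]              # missing field; nothing else is meaningful
    if emp not in master:
        errors.append("EXISTENCE")           # no such employee in the master file
    if not isinstance(hours, (int, float)) or not (0 < hours <= 168):
        errors.append("RANGE")               # a week cannot hold this many hours
    elif abs(hours - EXPECTED_HOURS) > TOLERANCE * EXPECTED_HOURS:
        errors.append("REASONABLENESS")      # legal value, but far from the expected rate
    if not isinstance(week_ending, date) or week_ending.weekday() != 4:
        errors.append("VALIDITY")            # pay weeks must end on a Friday
    return errors


def process_batch(records, master=EMPLOYEES):
    """Apply the edits first (preventive control); only clean records are processed."""
    accepted, rejected = [], []
    for rec in records:
        errs = edit_checks(rec, master)
        if errs:
            rejected.append((rec, errs))     # goes back to the originator, never processed
        else:
            accepted.append({"emp": rec["emp"],
                             "gross": round(rec["hours"] * master[rec["emp"]], 2)})
    return accepted, rejected


# Constructed sample input batch (2024-01-05 is a Friday, 2024-01-04 a Thursday).
SAMPLE = [
    {"emp": "E100", "hours": 40, "week_ending": date(2024, 1, 5)},    # clean
    {"emp": "E200", "hours": 95, "week_ending": date(2024, 1, 5)},    # unreasonable
    {"emp": "E300", "hours": 200, "week_ending": date(2024, 1, 5)},   # out of range
    {"emp": "E999", "hours": 38, "week_ending": date(2024, 1, 4)},    # unknown employee, not a Friday
    {"emp": "E100", "hours": None, "week_ending": date(2024, 1, 5)},  # incomplete
]

if __name__ == "__main__":
    accepted, rejected = process_batch(SAMPLE)
    print("processed:", accepted)            # [{'emp': 'E100', 'gross': 1000.0}]
    for rec, errs in rejected:
        print("rejected :", rec["emp"], errs)
```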

Question 100

Answer A is correct. Database snapshots can provide an excellent audit trail for an IS auditor.



Exam Cram 2. CISA
ISBN: B001EEFNHG
Year: 2005
Pages: 146