Exam Prep Questions


1.

Which of the following controls is MOST effective for protecting software and access to sensitive data?

A.

Security policies

B.

Biometric physical access control for the server room

C.

Fault tolerance with complete systems and data redundancy

D.

Logical access controls for the operating systems, applications, and data


A1:

Answer: D. Logical access controls are often the primary safeguards for authorized access to systems software and data. All the other controls complement logical access control to applications and data.

2.

Which of the following would an IS auditor review to BEST determine user access to systems or data?

A.

Access-control lists (ACLs)

B.

User account management

C.

Systems logs

D.

Applications logs


A2:

Answer: A. IS auditors should review access-control lists (ACLs) to determine user permissions that have been granted for a particular resource.

3.

Which of the following is ultimately accountable for protecting and securing sensitive data?

A.

Data users

B.

Security administrators

C.

Data owners

D.

Data custodians


A3:

Answer: C. Data owners, such as corporate officers, are ultimately responsible and accountable for access control of data. Although security administrators are indeed responsible for securing data, they do so at the direction of the data owners. A security administrator is an example of a data custodian. Data users access and utilize the data for authorized tasks.

4.

A review of logical access controls is performed primarily to:

A.

Ensure that organizational security policies conform to the logical access design and architecture

B.

Ensure that the technical implementation of access controls is performed as intended by security administration

C.

Ensure that the technical implementation of access controls is performed as intended by the data owners

D.

Understand how access control has been implemented


A4:

Answer: C. Logical access controls should be reviewed to ensure that access is granted on a least-privilege basis, per the organization's data owners. Logical access design and architecture should conform to policies, not vice versa. Understanding how access control has been implemented is an essential element of a logical access controls review, but the ultimate purpose of the review is to make sure that access controls adequately support and protect the organizational needs of the data owners.

5.

Authorization is BEST characterized as:

A.

Providing access to a resource according to the principle of least privilege

B.

A user providing an identity and a password

C.

Authenticating a user's identity with a password

D.

Certifying a user's authority


A5:

Answer: A. Authorization is the process of providing a user with access to a resource based upon the specific needs of the user to perform an authorized task. This process relies upon a verified understanding of the user's identity. Therefore, a user must provide a claim of identity, which is then verified through an authentication process. Following the authentication process, access can be authorized according to the principle of least privilege.

6.

Data classification must begin with:

A.

Determining specific data sensitivity according to organizational and legal requirements for data confidentiality and integrity

B.

Determining data ownership

C.

A review of organizational security policies

D.

A review of logical access controls


A6:

Answer: B. Data classification is a process that allows an organization to implement appropriate controls according to data sensitivity. Before data sensitivity can be determined by the data owners, data ownership must be established. Logical access controls and organizational security policies are controlled and driven by the data owners.

7.

Which of the following firewalls can be configured to MOST reliably control FTP traffic between the organization's network and the Internet?

A.

Packet-filtering firewall

B.

Application-layer gateway or a stateful inspection firewall

C.

A router configured as a firewall with access-control lists

D.

Circuit-level firewall


A7:

Answer: B. FTP is an application-layer protocol and, unusually, it negotiates a second TCP connection (the data channel) inside the first one: the client's PORT command or the server's 227 reply to PASV announces an address and port chosen at run time. A packet-filtering firewall or a router with access-control lists matches only on Layer 3 and Layer 4 header fields (addresses, protocol, fixed ports), and a circuit-level firewall relays TCP sessions without reading their payload, so none of them can learn which data port to permit; the administrator is left opening wide port ranges. An application-layer gateway (proxy) terminates the FTP session and understands its commands, and a stateful inspection firewall with an FTP helper reads the control channel and opens a pinhole for exactly the negotiated data connection, so only answer B controls FTP reliably.
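The reason a stateful inspection firewall is needed is visible in the FTP control channel itself. The Go program below is added here as an illustration and is not part of the original exam text or of any firewall product: it does what a firewall's FTP helper does, parsing the client's PORT command and the server's 227 reply to learn the dynamically chosen data-channel endpoint, refusing endpoints that do not belong to the peer that announced them or that name a privileged port (the FTP bounce pattern), and returning the pinhole the firewall should open. The type and function names, the addresses, and the control-channel lines are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Pinhole is the temporary allow rule a stateful firewall adds so that the
// data connection negotiated on the FTP control channel can pass.
// (Example type, not taken from any firewall product.)
type Pinhole struct {
	Host   string // address that will accept the data connection
	Port   int
	Active bool // true: client PORT (server connects in); false: server 227 (client connects out)
}

// Both the PORT command and the 227 reply encode the endpoint as h1,h2,h3,h4,p1,p2.
var tupleRe = regexp.MustCompile(`(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})`)

// parseTuple converts the h1,h2,h3,h4,p1,p2 tuple into a host and a port (p1*256 + p2).
func parseTuple(s string) (string, int, error) {
	m := tupleRe.FindStringSubmatch(s)
	if m == nil {
		return "", 0, errors.New("no h1,h2,h3,h4,p1,p2 tuple present")
	}
	var n [6]int
	for i := range n {
		v, err := strconv.Atoi(m[i+1])
		if err != nil || v > 255 {
			return "", 0, fmt.Errorf("field %d out of range: %q", i+1, m[i+1])
		}
		n[i] = v
	}
	port := n[4]*256 + n[5]
	if port < 1024 {
		// Asking the firewall to open a privileged port (25, 80, ...) is the
		// classic FTP bounce pattern, so a careful helper refuses it.
		return "", 0, fmt.Errorf("refusing privileged data port %d", port)
	}
	return fmt.Sprintf("%d.%d.%d.%d", n[0], n[1], n[2], n[3]), port, nil
}

// InspectControlLine is what a stateful firewall's FTP helper does with each
// control-channel line. clientIP and serverIP are the peers of the control
// connection that policy already permits. It returns the pinhole announced by
// a PORT command or a 227 reply, nil for any other line, and an error when the
// announced endpoint does not belong to the peer that announced it.
func InspectControlLine(line, clientIP, serverIP string) (*Pinhole, error) {
	line = strings.TrimRight(line, "\r\n")
	switch {
	case strings.HasPrefix(strings.ToUpper(line), "PORT "):
		host, port, err := parseTuple(line[5:])
		if err != nil {
			return nil, err
		}
		if host != clientIP {
			return nil, fmt.Errorf("PORT names %s but the client is %s", host, clientIP)
		}
		return &Pinhole{Host: host, Port: port, Active: true}, nil
	case strings.HasPrefix(line, "227 "):
		host, port, err := parseTuple(line[4:])
		if err != nil {
			return nil, err
		}
		if host != serverIP {
			return nil, fmt.Errorf("227 names %s but the server is %s", host, serverIP)
		}
		return &Pinhole{Host: host, Port: port, Active: false}, nil
	}
	return nil, nil // USER, PASS, RETR, 150, 226 ... announce no endpoint
}

func main() {
	// Constructed control-channel excerpt, not a captured session.
	client, server := "192.0.2.10", "198.51.100.5"
	lines := []string{
		"USER alice\r\n",
		"PORT 192,0,2,10,195,80\r\n",                           // client offers 192.0.2.10:50000
		"227 Entering Passive Mode (198,51,100,5,234,12).\r\n", // server offers 198.51.100.5:59916
		"PORT 10,0,0,7,195,80\r\n",                             // third party's address: rejected
		"227 Entering Passive Mode (198,51,100,5,0,25).\r\n",   // privileged port: rejected
	}
	for _, l := range lines {
		ph, err := InspectControlLine(l, client, server)
		switch {
		case err != nil:
			fmt.Printf("%-52q -> DROP: %v\n", strings.TrimSpace(l), err)
		case ph == nil:
			fmt.Printf("%-52q -> no data endpoint\n", strings.TrimSpace(l))
		default:
			fmt.Printf("%-52q -> open pinhole %s:%d (active=%v)\n", strings.TrimSpace(l), ph.Host, ph.Port, ph.Active)
		}
	}
}
```

A stateless packet filter or router ACL never sees the relationship between the control line and the data connection, which is why it has to permit whole port ranges instead of the single endpoint this helper derives. Real firewalls additionally rewrite the tuple when either peer is behind NAT; that is omitted here.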

8.

An IS auditor wants to ensure that the organization's network is adequately protected from network-based intrusion via the Internet and the World Wide Web. A firewall that is properly configured as a gateway to the Internet protects against such intrusion by:

A.

Preventing external users from accessing the network via internal rogue modems

B.

Preventing unauthorized access to the Internet by internal users

C.

Preventing unauthorized access to the network by external users via ad-hoc wireless networking

D.

Preventing unauthorized access by external users to the internal network via the firewalled gateway


A8:

Answer: D. A firewall at the Internet gateway prevents unauthorized access from the Internet to the internal network. It offers no protection on paths that bypass the gateway, such as internal rogue modems or peer-to-peer ad-hoc wireless connections, because that traffic never passes through it. Preventing unauthorized access to the Internet by internal users (egress control) is a legitimate firewall function, but it is the opposite of the intrusion scenario the question describes.

9.

Various cryptosystems offer differing levels of compromise between services provided versus computational speed and potential throughput. Which of the following cryptosystems would provide services including confidentiality, authentication, and nonrepudiation at the cost of throughput performance?

A.

Symmetric encryption

B.

Asymmetric encryption

C.

Shared-key cryptography

D.

Digital signatures


A9:

Answer: B. With a key pair, asymmetric encryption can provide confidentiality (encrypt with the recipient's public key; only the holder of the matching private key can decrypt) and authentication with nonrepudiation (sign with the sender's private key, which only the sender holds, so the sender cannot later deny the signature). The price is speed: asymmetric operations are orders of magnitude slower than symmetric ciphers, which is why real systems use them to exchange or wrap a symmetric key and encrypt the bulk data symmetrically. Symmetric encryption, also known as shared-key cryptography, uses a single key held by both parties; it can authenticate a message to the other key holder (for example with a MAC), but because either party could have produced the message, it cannot provide nonrepudiation to a third party. Digital signatures provide authentication, integrity, and nonrepudiation but not confidentiality, so they do not cover all the services the question names.

10.

The organization desires to ensure integrity, authenticity, and nonrepudiation of emails for sensitive communications between security administration and network administration personnel through the use of digitally signed emails. Which of the following is a valid step in signing an email with keys from a digital certificate?

A.

The sender encrypts the email using the sender's public key.

B.

The sender creates a message digest of the email and attachments using the sender's private key.

C.

The sender creates a message digest of the email and attachments using a common hashing algorithm, such as SHA-256.

D.

The sender encrypts the message digest using the sender's public key.


A10:

Answer: C. A digital signature lets the recipient validate both the integrity and the origin of the email and its attachments. The sender first computes a message digest of the message with a common hashing algorithm such as SHA-256 (DSA is a signature algorithm, not a hash, and MD5 should no longer be used for signatures because collisions can be produced for it). Hashing uses no key, so B is wrong. The digest is then "signed" with the sender's private key, which only the sender holds; signing with the sender's public key (A, D) would let anyone forge the signature, and encrypting the whole email with the sender's public key would make it unreadable to everyone but the sender. The recipient verifies the signature with the sender's public key, which checks the signed digest, and independently recomputes the digest over the received message with the same hash algorithm. If the two match, the message has not been altered since it was signed, and because only the sender's private key could have produced the signature, the sender cannot later deny having sent it.
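The signing procedure in question 10, and the contrast with shared-key cryptography from question 9, carried through in working code. This Go program is an added example, not code from the original exam text: it hashes the body and attachment with SHA-256, signs the digest with the sender's private key (RSA-PSS from Go's standard library, where the older "encrypt the digest with the private key" wording describes the raw RSA operation that PSS wraps with padding), verifies with the public key, and shows that a tampered attachment or a signature from another key pair fails. The HMAC function at the end shows why a shared key cannot give nonrepudiation: the recipient can compute the identical tag. The type names, the key pair generated in memory, and the message content are constructed for the example.

```go
package main

import (
	"crypto"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// messageDigest is answer C: hash the email body and its attachment with a
// common hash algorithm (SHA-256 here). Each part is length-prefixed so that
// bytes moved between body and attachment change the digest. No key is used.
func messageDigest(body, attachment []byte) []byte {
	h := sha256.New()
	fmt.Fprintf(h, "%d:", len(body))
	h.Write(body)
	fmt.Fprintf(h, "%d:", len(attachment))
	h.Write(attachment)
	return h.Sum(nil)
}

// Sender holds the key pair whose public half would be distributed in the
// sender's certificate. (Example type; the key is generated in memory.)
type Sender struct{ priv *rsa.PrivateKey }

func NewSender() (*Sender, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Sender{priv: priv}, nil
}

func (s *Sender) Public() *rsa.PublicKey { return &s.priv.PublicKey }

// Sign hashes the message and signs the digest with the sender's PRIVATE key.
func (s *Sender) Sign(body, attachment []byte) ([]byte, error) {
	return rsa.SignPSS(rand.Reader, s.priv, crypto.SHA256, messageDigest(body, attachment), nil)
}

// Verify is the recipient's side: recompute the digest over what arrived and
// check the signature with the sender's PUBLIC key. Any change to body or
// attachment, or a signature made with another key, fails here.
func Verify(pub *rsa.PublicKey, body, attachment, sig []byte) bool {
	return rsa.VerifyPSS(pub, crypto.SHA256, messageDigest(body, attachment), sig, nil) == nil
}

// SharedKeyTag is the symmetric counterpart (question 9): an HMAC gives
// integrity and authenticates the message to the other holder of the key, but
// both parties can compute it, so neither can prove to a third party who sent
// the message. That is why shared-key cryptography cannot give nonrepudiation.
func SharedKeyTag(key, body, attachment []byte) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write(messageDigest(body, attachment))
	return mac.Sum(nil)
}

func main() {
	// Constructed message, not a real email.
	body := []byte("Please rotate the firewall admin credential after tonight's change.")
	attachment := []byte("change-record.txt: CR-0001 approved")

	sender, err := NewSender()
	if err != nil {
		panic(err)
	}
	sig, err := sender.Sign(body, attachment)
	if err != nil {
		panic(err)
	}
	fmt.Println("digest   :", hex.EncodeToString(messageDigest(body, attachment)))
	fmt.Println("verified :", Verify(sender.Public(), body, attachment, sig))

	tampered := append([]byte(nil), attachment...)
	tampered[len(tampered)-1] ^= 0x01 // flip one bit in the attachment
	fmt.Println("tampered :", Verify(sender.Public(), body, tampered, sig))

	other, _ := NewSender() // an impostor with their own key pair
	fmt.Println("wrong key:", Verify(other.Public(), body, attachment, sig))

	// With a shared key the recipient produces the identical tag, so the tag
	// proves nothing about which of the two parties created it.
	key := []byte("constructed-shared-key-for-demo")
	fmt.Println("hmac equal on both sides:",
		hmac.Equal(SharedKeyTag(key, body, attachment), SharedKeyTag(key, body, attachment)))
}
```

In a real deployment the public key comes from the sender's certificate, validated up to a trusted CA, and the signature travels with the message (S/MIME or OpenPGP); the hash-then-sign and recompute-then-verify steps are the same as shown here.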



Exam Cram 2. CISA
ISBN: B001EEFNHG
Year: 2005
Pages: 146
