Self Test

A Quick Answer Key follows the Self Test questions. For complete questions, answers, and explanations to the Self Test questions in this chapter as well as the other chapters in this book, see the Self Test Appendix.

1. 

You are a senior security administrator in a national organization, and have been instructed by management to provide an audit report with sufficient evidence that the security of the organization conforms to the international security standard ISO 17799. Your first step in this process will be:

  A. Review ISO 17799 to see what it involves.

  B. Purchase or program a CAAT to facilitate the gathering of data.

  C. Call the internal audit department that you use and tell them you need an audit based on ISO 17799.

  D. Call the external audit company that you use and tell them you need an audit based on ISO 17799.


2. 

Which of the following is an advantage of a continuous auditing approach?

  A. It tests cumulative effects over the course of the time period where the audit is active.

  B. Findings are more relevant and significant.

  C. Audit results are used in decision making.

  D. It allows for better integration with IS/IT personnel.


3. 

You are asked to perform an audit of several site locations within an organization of several hundred employees. While conducting the audit, you have determined that there are many potential sources for security issues. Which of the following is not a source for potential problems?

  A. Unauthorized hardware/software purchases are evident

  B. High staff turnover is evident

  C. End-user work requests are significantly backlogged

  D. Employees have cluttered their desks with personal effects


4. 

You work for a large company and are asked to audit the Electronic Data Interchange (EDI) infrastructure. Which of the following is not a recommended audit criterion for this audit?

  A. Verify that only authorized users can access their respective database records.

  B. Verify that only authorized trading partners can access their respective database records.

  C. Verify that operations personnel and programmers can authorize individual transactions.

  D. Verify that EDI transactions comply with organizational policy, are authorized, and are validated.


5. 

You are asked to perform an audit of an organization's UNIX environment, and discover that the remote access policies have no specifications for security. After consulting with the IS/IT departments, you learn that the system administrators only need shell access. Choose the best answer for your recommendations:

  A. Telnet offers good authentication for secure remote shell.

  B. SSH offers good encryption for secure remote shell.

  C. A VPN offers good encryption for secure remote shell.

  D. SSH and Telnet through a VPN are both good options for secure remote shell, but Telnet alone should not be permitted.


6. 

Enabling the logging features of an information system and sending the logs to a central server for analysis is one method of establishing an audit trail. In the event of an incident, these logs would be used to reconstruct the sequence of activities, which could help determine exactly how the attacker progressed through systems and services to accomplish their goals. Sometimes an active analysis is performed on these logs by software that monitors system activities. What type of control is activated by enabling logging features and utilizing monitoring software?

  A. Detective

  B. Corrective

  C. Defective

  D. Selective


7. 

The main difference between compliance testing and substantive testing is:

  A. Compliance testing is gathering evidence to test against organizational control procedures, whereas substantive testing is evidence gathering to evaluate the integrity of data and transactions.

  B. Compliance testing is meant to test organizational compliance with federal statutes, and substantive testing is to substantiate a claim.

  C. Substantive testing affirms organizational control procedures, and compliance testing evaluates the integrity of transactions and data.

  D. Compliance testing is subjective and substantive testing is objective.


8. 

Which one of the following is not associated with the concept of separation of duties?

  A. No access to sensitive combinations of capabilities

  B. No nepotism allowed per organization policies

  C. Prohibit conversion and concealment

  D. Same person cannot originate and approve transaction


9. 

Which of the following is the most significant feature of a security audit log?

  A. Verification of successful operation procedures such as data restore

  B. Verification of security policy compliance

  C. Accountability for actions

  D. Archival information


10. 

You are asked to perform an audit of an organization and discover that network administrators connect remotely using Telnet sessions. What would you recommend?

  A. Telnet is sufficient for remote administration

  B. SSH should be used for remote administration

  C. Telnet is fine as long as you run it through a VPN tunnel

  D. B and C are both correct


11. 

When preparing an audit trail, which of the following is not recommended as the key query criteria for the resulting report?

  A. By a particular User ID

  B. By a particular server name

  C. By a particular Internet Protocol (IP) address

  D. By a particular exploit


12. 

You are auditing a real estate office and are asked to perform a substantive test. Which of the following is the best example of a substantive test for auditing purposes?

  A. Creation of baseline testing criteria to reduce the likelihood of false positives.

  B. Preventative controls such as a firewall to provide network segmentation.

  C. Interviews with former employees to discover previously known security exploits.

  D. Rerunning financial calculations; for example, choosing a sample of accounts and house-sale closing costs to see whether the formulas work as expected and the resulting data match.


13. 

You are asked to perform an audit of several site locations within an organization of several hundred employees. Which of the following are considered flags for potential problems during an audit? (Choose all that apply.)

  A. Unauthorized hardware/software purchases are evident

  B. High staff turnover is evident

  C. End user work requests are significantly backlogged

  D. Employees have cluttered their desks with personal effects


14. 

You are asked to audit a relatively small organization with an IS staff of fewer than five people. If complete separation of duties is not feasible in this organization, which two of the following at a minimum should not be combined?

  A. Transaction correction

  B. Transaction authorization

  C. Transaction origination

  D. Transaction recording


15. 

A relatively small organization of fewer than 50 employees is considering outsourcing data processing and Web services. You are asked to review the Service Level Agreements of the HSP for this organization. Which of the following should you consider first from an information security audit perspective?

  A. That the legal agreement includes a "Right to Audit" clause

  B. That specific security controls are outlined in the services agreement

  C. That cost of services aligns with industry standards

  D. That the services being offered align with business needs


Answers

1. 

✓ Answer A is correct. Before committing to any actions, you must know as much as possible about the audit that will need to be performed. ISO standards can be very long and complex, and without a good understanding of what needs to be done, you will probably waste a lot of time.

✗ Answer B is incorrect. Purchasing or programming a CAAT is a valid activity if the audit is to be performed by the IS/IT group, or if the internal audit department requests it of IS/IT, but before purchasing or creating a CAAT one must know what the audit will involve. Answer C is incorrect. It is a possible activity, but only once you are aware of what the audit involves. You were given responsibility for the security audit because you are the senior security administrator. Remember that internal auditors will not often (if ever) be security experts, and you will have to be involved with and direct many of their activities to ensure that they have interpreted the standard correctly and gathered the right information for each type of information system. Answer D is incorrect. This would only come into play if you were specifically directed to use an external auditor, if the internal audit department is not capable of performing the audit, or if a review of policy mandates that this type of security audit be performed by a neutral third party.

2. 

✓ Answer A is correct. A continuous audit tests cumulative effects over the course of the time period where the audit is active.

✗ Answer B is incorrect. A continuous audit will not come up with more significant and relevant findings, as the audit criteria are the same as for a single audit. An analysis of the results of a continuous audit can be put into a potentially more relevant context, but that is beyond the scope of the question. Answer C is incorrect. While a correct statement in principle, it is not an advantage of a continuous audit. Answer D is incorrect. A continuous audit has nothing specific to do with IS/IT personnel.

3. 

✓ Answer D is correct. Personal effects cluttering desks are not, by themselves, a security risk to company information. They are, however, a risk to productivity, as personnel could be easily distracted.

✗ Answer A is incorrect. Unauthorized purchases can lead to personnel appropriating company resources, and to a loss of visibility into where money is being spent. Answer B is incorrect. High staff turnover can cause problems in two areas. First, many people departing at once can make it difficult to cover some job functions. Second, there is a loss of money, in that constantly training new personnel takes additional resources. Answer C is incorrect. Backlogged user requests (typically in the support departments) are definitely an issue that needs to be resolved.

4. 

✓ Answer C is correct. Separation of duties requires that the person who originates a transaction cannot also authorize transactions. Therefore, to reduce the possibility of collusion or fraud, operations personnel and programmers who have access to data must not have authorization responsibilities as well.

✗ Answer A is incorrect. Unauthorized users should not be able to access files for which permission was not granted. Answer B is incorrect. Trading partners should not have access to each other's data. Answer D is incorrect. EDI transactions should comply with organizational policy, and testing should be done to ensure that only authorized parties can process transactions.

5. 

✓ Answer D is correct. SSH has inherent security for both authentication and encryption. A VPN will encrypt all traffic going through it, including an otherwise insecure Telnet session. Telnet alone has no security features.

✗ Answer A is incorrect. Telnet has no authentication features of its own; it lets you reach a system remotely and then authenticate on that system, with the login sent in the clear. Answer B is incorrect. SSH is a good option, and this answer does make sense, but the question asks for the best answer. Answer C is incorrect. Telnet through a VPN is also a workable option, and a VPN may offer stronger authentication options than a default SSH setup, but the Telnet session inside it is still unencrypted: the VPN protects it only between the tunnel endpoints, so anyone on the network beyond the VPN gateway (where the server is located) could still sniff the traffic, credentials included. Like the previous option, this is not the best answer.

6. 

✓ Answer A is correct. Logging to a central location and utilizing a monitoring software package (such as an IDS) is a detective control.

✗ Answer B is incorrect. A corrective control would address a situation. Logging and monitoring do not address an action, although they could be part of a follow-up series of activities after an incident, in order to detect whether the incident recurs. Answer C is incorrect. A defective control would be a control that is not working properly. Answer D is incorrect. A selective control is not a recognized type of control.

7. 

✓ Answer A is the correct answer.

✗ Answers B, C, and D are incorrect. None of them correctly distinguishes gathering evidence to test against organizational control procedures (compliance testing) from gathering evidence to evaluate the integrity of data and transactions (substantive testing).

8. 

✓ Answer B is correct. While it is possible that hiring a relative into an organization or showing a relative preferential treatment is not prudent, it is not related to separation of duties per se.

✗ Answer A is incorrect. No access to sensitive combinations of capabilities is required to prevent one person from having excessive rights. Answer C is incorrect. Prohibition of conversion and concealment is part of separation of duties. Answer D is incorrect. This is an integral component of the separation of duties principle.

9. 

✓ Answer C is correct. The audit log ensures accountability. Audit logs must be protected from accidental or malicious modification, and they provide accountability for actions.

✗ Answers A, B, and D are incorrect. Audit logs can provide important operational information such as data restore success or failure, but tying accountability to a specific terminal, user ID, or individual is more significant from a security perspective.

10. 

✓ Answer D is correct. SSH encrypts the entire session, and running Telnet through a VPN tunnel protects it on the path the tunnel covers; either is acceptable, but Telnet on its own is not.

✗ Answer A is incorrect. Telnet is inherently insecure because it passes credentials in the clear over the remote connection and is susceptible to interception. Answer C on its own is not the best answer. Although the VPN tunnel effectively encrypts the session, it does not do so end to end: the encryption terminates at the VPN tunnel endpoints, and the Telnet traffic beyond them is still susceptible to interception on the server's local network. This is a possible option but not as effective as Answer B.
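Questions 5 and 10 both turn on one fact: Telnet carries the login in the clear, while SSH encrypts it. The following Python is an added example, not code from the book. It reconstructs the typed login name and password from the client-to-server half of a Telnet session (the kind of capture a sniffer on the path, or on the server's network beyond a VPN gateway, would see) by stripping the IAC option negotiation that Telnet interleaves with user data. The capture bytes, the credentials and the command are constructed for the example; the assumption that the first two typed lines are the login name and password holds for a fresh session at a stock UNIX login prompt.

```python
"""Recover a Telnet login from the client-to-server half of a captured session.

Added example for a security audit finding, not from the book. The capture
bytes and credentials below are constructed.
"""
from typing import List

# Telnet command bytes (RFC 854/855).
IAC, DONT, DO, WONT, WILL, SB, SE = 0xFF, 0xFE, 0xFD, 0xFC, 0xFB, 0xFA, 0xF0


def strip_telnet_negotiation(stream: bytes) -> bytes:
    """Drop IAC command sequences so only the bytes the user typed remain."""
    out = bytearray()
    i, n = 0, len(stream)
    while i < n:
        b = stream[i]
        if b != IAC:
            out.append(b)
            i += 1
            continue
        if i + 1 >= n:          # capture ends on a lone IAC: nothing more to read
            break
        cmd = stream[i + 1]
        if cmd == IAC:          # IAC IAC is an escaped literal 0xFF data byte
            out.append(IAC)
            i += 2
        elif cmd in (WILL, WONT, DO, DONT):
            i += 3              # IAC <cmd> <option>
        elif cmd == SB:         # subnegotiation runs until IAC SE
            end = stream.find(bytes([IAC, SE]), i + 2)
            i = n if end < 0 else end + 2
        else:
            i += 2              # remaining commands (NOP, AYT, ...) are two bytes
    return bytes(out)


def typed_lines(stream: bytes) -> List[str]:
    """Split what was typed into lines; Telnet ends a line with CR LF or CR NUL."""
    data = strip_telnet_negotiation(stream)
    data = data.replace(b"\r\x00", b"\n").replace(b"\r\n", b"\n")
    return [line.decode("latin-1") for line in data.split(b"\n") if line]


def recover_login(client_to_server: bytes) -> dict:
    """On a fresh session at a stock UNIX login prompt, the first two typed
    lines are the login name and the password (assumption for this example)."""
    lines = typed_lines(client_to_server)
    if len(lines) < 2:
        return {"user": None, "password": None, "commands": lines}
    return {"user": lines[0], "password": lines[1], "commands": lines[2:]}


# Constructed capture: option negotiation first, then what the administrator typed.
CAPTURE = (
    bytes([IAC, DO, 0x03, IAC, WILL, 0x18])                       # DO SUPPRESS-GO-AHEAD, WILL TERMINAL-TYPE
    + bytes([IAC, SB, 0x18, 0x00]) + b"VT100" + bytes([IAC, SE])  # TERMINAL-TYPE IS "VT100"
    + b"alice\r\n"
    + b"S3cret-passw0rd\r\n"
    + b"sudo -l\r\n"
)

if __name__ == "__main__":
    print(recover_login(CAPTURE))   # login, password and first command, all in the clear
```

Run the same extraction against an SSH capture and nothing usable comes out: only the version banners and the key-exchange negotiation are visible, and the authentication exchange happens inside the encrypted channel. That is the auditor's argument for answer D in question 5 and answer B in question 10.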

11. 

✓ Answer D is correct. Because you cannot accurately predict or anticipate the likelihood of all exploits in advance, it is difficult to use an exploit as a query key.

✗ Answers A, B, and C are incorrect. All are examples of concrete criteria that can be reviewed easily in an audit trail because they can be distinctly identified. Therefore, they are recommended for use as key query criteria.
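Questions 6, 9 and 11 describe the audit trail as a detective control that is queried by user ID, server name or IP address to reconstruct what an attacker did. The following Python is an added example, not from the book: it parses a few constructed syslog-style lines as a central log host would receive them, answers the three recommended query types, reconstructs one user's timeline across hosts, and runs one detective rule (repeated failed logins followed by a success from the same address). Host names, user names, addresses and timestamps are constructed.

```python
"""Query a centralized audit trail and run one detective rule over it.

Added example, not from the book. The log lines, hosts, users, addresses and
timestamps are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed sample of syslog-style lines as forwarded to a central log host.
LOG = """\
2003-06-14T02:11:04 web01 sshd: Failed password for bob from 203.0.113.9 port 40122
2003-06-14T02:11:09 web01 sshd: Failed password for bob from 203.0.113.9 port 40123
2003-06-14T02:11:15 web01 sshd: Failed password for bob from 203.0.113.9 port 40124
2003-06-14T02:11:21 web01 sshd: Accepted password for bob from 203.0.113.9 port 40125
2003-06-14T02:12:02 web01 su: bob to root on pts/1
2003-06-14T02:13:40 db01 sshd: Accepted publickey for bob from 10.0.0.5 port 51000
2003-06-14T08:30:00 db01 sshd: Accepted password for alice from 10.0.0.7 port 51400
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<prog>\w+): (?P<msg>.*)$")
AUTH_RE = re.compile(r"^(?P<result>Accepted|Failed) \w+ for (?P<user>\S+) from (?P<ip>\S+)")
SU_RE = re.compile(r"^(?P<user>\S+) to (?P<target>\S+) on ")


def parse(log_text: str) -> List[dict]:
    """Turn raw lines into events keyed by the fields an auditor queries on."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # a malformed line must not abort the review
        ev = {"ts": datetime.fromisoformat(m["ts"]), "host": m["host"], "prog": m["prog"],
              "msg": m["msg"], "user": None, "ip": None, "kind": "other"}
        a, s = AUTH_RE.match(m["msg"]), SU_RE.match(m["msg"])
        if a:
            ev.update(user=a["user"], ip=a["ip"],
                      kind="auth_ok" if a["result"] == "Accepted" else "auth_fail")
        elif s:
            ev.update(user=s["user"], kind="su_" + s["target"])
        events.append(ev)
    return events


def query(events: List[dict], user: Optional[str] = None, host: Optional[str] = None,
          ip: Optional[str] = None) -> List[dict]:
    """Filter by the concrete keys of question 11: user ID, server name, IP address."""
    return [e for e in events
            if (user is None or e["user"] == user)
            and (host is None or e["host"] == host)
            and (ip is None or e["ip"] == ip)]


def timeline(events: List[dict], user: str) -> List[str]:
    """Reconstruct one user's activity across every host, in time order."""
    hits = sorted(query(events, user=user), key=lambda e: e["ts"])
    return [f'{e["ts"]:%H:%M:%S} {e["host"]} {e["prog"]}: {e["msg"]}' for e in hits]


def brute_force_then_success(events: List[dict], threshold: int = 3,
                             window: timedelta = timedelta(minutes=5)) -> List[dict]:
    """Detective rule: `threshold` failed logins followed by a success for the
    same host, user and source address inside `window`."""
    alerts = []
    failures: Dict[tuple, list] = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        key = (e["host"], e["user"], e["ip"])
        if e["kind"] == "auth_fail":
            failures[key].append(e["ts"])
        elif e["kind"] == "auth_ok":
            recent = [t for t in failures[key] if e["ts"] - t <= window]
            if len(recent) >= threshold:
                alerts.append({"host": e["host"], "user": e["user"], "ip": e["ip"],
                               "failures": len(recent), "at": e["ts"]})
            failures[key].clear()
    return alerts


if __name__ == "__main__":
    events = parse(LOG)
    print("\n".join(timeline(events, "bob")))
    print(brute_force_then_success(events))
```

The timeline for "bob" shows the sequence the question describes: three failures and a success from one address, an escalation to root, then a hop to a second host. The rule that flags it is only useful because every host forwards to the same place and the log cannot be edited by the account that just logged in, which is the accountability point of question 9.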

12. 

✓ Answer D is correct. Substantive tests may include a test of transactions or analytical procedures.

✗ Answer A is incorrect. This describes an aspect of IDS testing. Answer B is incorrect. A firewall is a preventive control, not a test; substantive testing evaluates the integrity of data and transactions rather than putting controls in place. Answer C is incorrect. Interviews are considered data gathering, not testing procedures.
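Questions 7 and 12 distinguish compliance testing (does the control procedure operate?) from substantive testing (are the data and transactions correct?). The following Python is an added example, not from the book, that runs both kinds of test over the same constructed sample of real-estate closing records: the compliance test checks that each closing carries an approval by someone other than its preparer, and the substantive test reruns the closing-cost calculation and compares it with the recorded total. The record layout, commission rates and fees are constructed for the example.

```python
"""Compliance test versus substantive test over one sample of closing records.

Added example, not from the book. The records, rates and fees are constructed.
"""
import random
from decimal import ROUND_HALF_UP, Decimal
from typing import List, Tuple

# Constructed sample of house-sale closing records from the office's system.
# "recorded_total" is what the system stored; the auditor recomputes it.
CLOSINGS = [
    {"id": "C-1001", "price": Decimal("250000"), "commission_rate": Decimal("0.03"),
     "fees": [Decimal("450.00"), Decimal("125.00")], "recorded_total": Decimal("8075.00"),
     "prepared_by": "agent7", "approved_by": "mgr1"},
    {"id": "C-1002", "price": Decimal("410000"), "commission_rate": Decimal("0.025"),
     "fees": [Decimal("600.00")], "recorded_total": Decimal("10850.00"),
     "prepared_by": "agent3", "approved_by": "mgr1"},
    {"id": "C-1003", "price": Decimal("180000"), "commission_rate": Decimal("0.03"),
     "fees": [Decimal("450.00")], "recorded_total": Decimal("5950.00"),   # 100.00 too high
     "prepared_by": "agent7", "approved_by": ""},                           # and never approved
    {"id": "C-1004", "price": Decimal("325000"), "commission_rate": Decimal("0.03"),
     "fees": [Decimal("450.00"), Decimal("75.00")], "recorded_total": Decimal("10275.00"),
     "prepared_by": "agent7", "approved_by": "agent7"},                     # self-approved
]


def expected_closing_cost(rec: dict) -> Decimal:
    """Rerun the office's formula: commission rounded to cents, plus fixed fees."""
    commission = (rec["price"] * rec["commission_rate"]).quantize(Decimal("0.01"), ROUND_HALF_UP)
    return commission + sum(rec["fees"], Decimal("0"))


def select_sample(records: List[dict], size: int, seed: int) -> List[dict]:
    """Draw the sample reproducibly so the workpapers show which items were tested."""
    return random.Random(seed).sample(records, size)


def compliance_test(records: List[dict]) -> List[str]:
    """Control procedure under test: every closing is approved, and not by its preparer.
    Returns the IDs where the control did not operate."""
    return [r["id"] for r in records
            if not r["approved_by"] or r["approved_by"] == r["prepared_by"]]


def substantive_test(records: List[dict]) -> List[Tuple[str, Decimal, Decimal]]:
    """Data integrity under test: recorded total versus recomputed total.
    Returns (id, recorded, expected) for every mismatch."""
    exceptions = []
    for r in records:
        expected = expected_closing_cost(r)
        if expected != r["recorded_total"]:
            exceptions.append((r["id"], r["recorded_total"], expected))
    return exceptions


if __name__ == "__main__":
    print("control failures:", compliance_test(CLOSINGS))
    print("calculation exceptions:", substantive_test(CLOSINGS))
```

The two tests answer different questions about the same records: C-1004 passes the substantive test (the arithmetic is right) yet fails the compliance test (the approval control did not operate), while C-1003 fails both.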

13. 

✓ Answers A, B, and C are correct. Many indicators point to an ineffective organization and invite circumvention of security policy. Unauthorized hardware/software purchases introduce significant liability and financial penalties for an organization if licensing agreements are violated. High staff turnover is often an indicator of low morale and may lead to a pervasive "lack of ownership" attitude, in which employees do not feel personally responsible for achieving organizational security goals. A backlog of work requests may indicate that the current operations workflow is not efficient. If the quality and effectiveness of operational procedures are in disarray, there is a good possibility that security practices will be negatively affected as well.

✗ Answer D is incorrect. Personal effects cluttering employees' desks are not an audit flag per se, unless that clutter includes user ID and password "cheat sheets" or other security violations. Also, if family or pet names are visible and strong passwords are not in use, the employee could become subject to password guessing based on the personal items on the desk combined with a weak password.

14. 

✓ Answer B is correct. Unauthorized use and allocation of records becomes possible when separation of duties is not in place. Authorization is the key recordkeeping function that must be separated from the other three.

✗ Answers A, C, and D are incorrect. Transaction correction, origination, and recording are standard recordkeeping procedures that must not be combined with authorization. The risk is that combining any one of these three functions with authorization increases the possibility of fraud.
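Questions 4, 8 and 14 all come back to separation of duties: the person who originates, records or corrects a transaction must not also authorize it, and operations staff or programmers with data access must not hold authorization. The following Python is an added example, not from the book: a static review of a constructed duty-assignment table for toxic combinations, plus a run-time check that refuses to let a transaction's originator approve it, even in a small shop where one person has been granted both duties. User names, job roles, duty names and the workflow are constructed.

```python
"""Separation-of-duties review and enforcement.

Added example, not from the book. The users, job roles, duty names and the
transaction workflow are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Transaction duties named in questions 4, 8 and 14. AUTHORIZE must never be
# held together with any of the other three.
ORIGINATE, AUTHORIZE, RECORD, CORRECT = "originate", "authorize", "record", "correct"
TOXIC_PAIRS = {frozenset({AUTHORIZE, d}) for d in (ORIGINATE, RECORD, CORRECT)}
# Job roles with direct data access (question 4): they must not authorize transactions.
DATA_ACCESS_ROLES = {"operations", "programmer"}

# Constructed assignments: user -> (job role, duties granted in the EDI application)
ASSIGNMENTS: Dict[str, Tuple[str, Set[str]]] = {
    "alice": ("clerk", {ORIGINATE, RECORD}),
    "bob":   ("manager", {AUTHORIZE}),
    "carol": ("programmer", {CORRECT, AUTHORIZE}),   # data access plus authorize
    "dave":  ("clerk", {ORIGINATE, AUTHORIZE}),      # small shop: one person, two duties
}


def sod_findings(assignments: Dict[str, Tuple[str, Set[str]]]) -> List[Tuple[str, str]]:
    """Static review of the assignment table for combinations that violate SoD."""
    findings = []
    for user, (role, duties) in assignments.items():
        for pair in TOXIC_PAIRS:
            if pair <= duties:
                findings.append((user, "toxic combination: " + " + ".join(sorted(pair))))
        if role in DATA_ACCESS_ROLES and AUTHORIZE in duties:
            findings.append((user, f"{role} with data access also holds authorize"))
    return sorted(findings)


@dataclass
class Transaction:
    tx_id: str
    originator: str
    amount: float
    approver: Optional[str] = None
    history: List[Tuple[str, str]] = field(default_factory=list)  # audit trail of who did what


def _require(user: str, duty: str, assignments) -> None:
    _, duties = assignments.get(user, (None, set()))
    if duty not in duties:
        raise PermissionError(f"{user} lacks the {duty} duty")


def originate(tx_id: str, user: str, amount: float, assignments) -> Transaction:
    _require(user, ORIGINATE, assignments)
    tx = Transaction(tx_id, user, amount)
    tx.history.append(("originate", user))
    return tx


def approve(tx: Transaction, user: str, assignments) -> Transaction:
    """Run-time rule: even where one person holds both duties, the originator of
    a given transaction cannot be its approver."""
    _require(user, AUTHORIZE, assignments)
    if user == tx.originator:
        raise PermissionError(f"{user} originated {tx.tx_id} and cannot also approve it")
    tx.approver = user
    tx.history.append(("approve", user))
    return tx


if __name__ == "__main__":
    for finding in sod_findings(ASSIGNMENTS):
        print("FINDING", *finding)
    tx = approve(originate("T1", "alice", 1200.0, ASSIGNMENTS), "bob", ASSIGNMENTS)
    print(tx.history)
```

The static review is what the auditor reports (carol and dave both hold authorize together with a conflicting duty); the run-time check is the compensating control for the question 14 situation, where the headcount does not allow a clean split but the same person can still be prevented from approving their own transaction.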

15. 

✓ Answer D is correct. The auditor needs to ensure that the personnel responsible for determining business needs and the services required are properly engaged and aligned. If business needs and the services required are not well understood and matched, the service provider may charge for services that are excessive or not required.

✗ Answer A is incorrect. A "Right to Audit" clause is an important aspect of service level agreements, but it is not the first thing to consider. To prevent misdirected allocation of resources and funds, the appropriate business personnel need to provide the business requirements. "Right to Audit" is significant but is considered a detective control. Answer B is incorrect. Identification of security objectives is important to emphasize which assets are to be protected and to what degree. The mechanisms used to protect those assets vary as technology changes, but the end result and the guaranteed level of protection are considered more significant. Answer C is incorrect. The cost of services is important when considering several vendors, but comes after verification that the services offered align with business needs and that the proper decision-making business personnel are engaged.



SSCP Systems Security Certified Practitioner Study Guide
SSCP Study Guide and DVD Training System
ISBN: 1931836809
Year: 2003
Pages: 135