Chapter 9. Answer Key 1


1. B
2. A
3. A
4. C
5. C
6. B
7. A
8. A
9. B
10. C
11. B
12. A
13. A
14. D
15. A
16. B
17. D
18. D
19. A
20. C
21. A
22. B
23. A
24. B
25. A
26. B
27. A
28. C
29. C
30. B
31. A
32. D
33. B
34. C
35. B
36. A
37. C
38. B
39. D
40. A
41. C
42. C
43. B
44. C
45. A
46. C
47. D
48. B
49. A
50. A
51. B
52. D
53. C
54. C
55. B
56. A
57. B
58. C
59. D
60. A
61. B
62. D
63. C
64. C
65. A
66. A
67. A
68. B
69. C
70. A
71. A
72. A
73. C
74. C
75. B
76. B
77. B
78. A
79. B
80. B
81. A
82. D
83. C
84. A
85. A
86. B
87. B
88. C
89. A
90. A
91. C
92. C
93. D
94. A
95. A
96. B
97. B
98. C
99. B
100. B

Question 1

Answer B is correct. The traditional role of an IS auditor in a control self-assessment (CSA) should be that of a facilitator.

Question 2

Answer A is correct. Audit responsibility enhancement is an objective of a control self-assessment (CSA) program.

Question 3

Answer A is correct. IS auditors are most likely to perform compliance tests of internal controls if, after their initial evaluation of the controls, they conclude that control risks are within the acceptable limits. Think of it this way: If any reliance is placed on internal controls, that reliance must be validated through compliance testing. High control risk results in little reliance on internal controls, which results in additional substantive testing.

Question 4

Answer C is correct. Prior audit reports are considered of lesser value to an IS auditor attempting to gain an understanding of an organization's IT process than evidence directly collected.

Question 5

Answer C is correct. The primary purpose of audit trails is to establish accountability and responsibility for processed transactions.

Question 6

Answer B is correct. Allocation of auditing resources to the areas of highest concern is a benefit of a risk-based approach to audit planning.

Question 7

Answer A is correct. After an IS auditor has identified threats and potential impacts, the auditor should then identify and evaluate the existing controls.

Question 8

Answer A is correct. The use of statistical sampling procedures helps minimize detection risk.

Question 9

Answer B is correct. Detection risk results when an IS auditor uses an inadequate test procedure and concludes that material errors do not exist when errors actually exist.

Question 10

Answer C is correct. A primary benefit derived from an organization employing control self-assessment (CSA) techniques is that it can identify high-risk areas that might need a detailed review later.

Question 11

Answer B is correct. A bottom-up approach to the development of organizational policies is often driven by risk assessment.

Question 12

Answer A is correct. Data and systems owners are accountable for maintaining appropriate security measures over information assets.

Question 13

Answer A is correct. Proper segregation of duties prohibits a system analyst from performing quality-assurance functions.

Question 14

Answer D is correct. If an IS auditor observes that project-approval procedures do not exist, the IS auditor should recommend to management that formal approval procedures be adopted and documented.

Question 15

Answer A is correct. The board of directors is ultimately accountable for the development of an IS security policy.

Question 16

Answer B is correct. Proper segregation of duties normally prohibits a LAN administrator from also having programming responsibilities.

Question 17

Answer D is correct. Above all else, an IS strategy must support the business objectives of the organization.

Question 18

Answer D is correct. Batch control reconciliations are a compensatory control for mitigating the risk of inadequate segregation of duties.

Question 19

Answer A is correct. Key verification is one of the best controls for ensuring that data is entered correctly.

Question 20

Answer C is correct. A company's implementation of IT will be less likely to succeed if senior management is not committed to strategic planning.

Question 21

Answer A is correct. Lack of employee awareness of a company's information security policy could lead to an unintentional loss of confidentiality.

Question 22

Answer B is correct. A mesh network topology provides a point-to-point link between every network host. If each host is configured to route and forward communication, this topology provides the greatest redundancy of routes and the greatest network fault tolerance.

Question 23

Answer A is correct. An IS auditor usually places more reliance on evidence directly collected, such as through personal observation.

Question 24

Answer B is correct. The transport layer of the TCP/IP protocol suite provides for connection-oriented protocols to ensure reliable communication.

Question 25

Answer A is correct. Electronic data interchange (EDI) supports intervendor communication while decreasing the time necessary for review because it is usually configured to readily identify errors requiring follow-up.

Question 26

Answer B is correct. An IS auditor can expect to find system errors to be detailed in the console log.

Question 27

Answer A is correct. Atomicity enforces data integrity by ensuring that a transaction is either completed in its entirety or not at all. Atomicity is part of the ACID test reference for transaction processing.

Question 28

Answer C is correct. When trying to determine the existence of unauthorized access to data by a user or program, the IS auditor will often review the system logs.

Question 29

Answer C is correct. A graphical interface to the map of the network topology is essential for the IS auditor to obtain a clear understanding of network management.

Question 30

Answer B is correct. If users have direct access to a database at the system level, risk of unauthorized and untraceable changes to the database increases.

Question 31

Answer A is correct. A virtual private network (VPN) helps to secure access between an enterprise and its partners when communicating over an otherwise unsecured channel such as the Internet.

Question 32

Answer D is correct. Using capacity-monitoring software to monitor usage patterns and trends enables management to properly allocate resources and ensure continuous efficiency of operations.

Question 33

Answer B is correct. A system downtime log can be very helpful to an IS auditor when determining the efficacy of a systems maintenance program.

Question 34

Answer C is correct. Concurrency controls are used as a countermeasure for potential database corruption when two processes attempt to simultaneously edit or update the same information.

Question 35

Answer B is correct. A long asymmetric encryption key (public key encryption) increases encryption overhead and cost. All other answers are single shared symmetric keys.

Question 36

Answer A is correct. Worms are malicious programs that can run independently and can propagate without the aid of a carrier program such as email.

Question 37

Answer C is correct. Identifying network applications such as mail, web, or FTP servers to be externally accessed is an initial step in creating a proper firewall policy.

Question 38

Answer B is correct. With public key encryption or asymmetric encryption, data is encrypted by the sender using the recipient's public key; the data is then decrypted using the recipient's private key.

Question 39

Answer D is correct. The SSL protocol provides confidentiality through symmetric encryption such as Data Encryption Standard, or DES.

Question 40

Answer A is correct. Information systems security policies are used as the framework for developing logical access controls.

Question 41

Answer C is correct. Time stamps are an effective control for detecting duplicate transactions such as payments made or received.

Question 42

Answer C is correct. File encryption is a good control for protecting confidential data residing on a PC.

Question 43

Answer B is correct. Logical access controls should be reviewed to ensure that access is granted on a least-privilege basis, per the organization's data owners.

Question 44

Answer C is correct. PKI uses a combination of public-key cryptography and digital certificates to provide some of the strongest overall control over data confidentiality, reliability, and integrity for Internet transactions.

Question 45

Answer A is correct. The primary purpose of digital signatures is to provide authentication and integrity of data.

Question 46

Answer C is correct. A digital signature is created by the sender to prove message integrity by initially using a hashing algorithm to produce a hash value, or message digest, from the entire message contents. Upon receiving the data, the recipient can independently create its own message digest from the data for comparison and data integrity validation. Public and private keys are used to enforce confidentiality. Hashing algorithms are used to enforce integrity.

Question 47

Answer D is correct. A fingerprint scanner facilitating biometric access control can provide a very high degree of server access control.

Question 48

Answer B is correct. Logical access controls are often the primary safeguards for systems software and data.

Question 49

Answer A is correct. Honeypots are often used as a detection and deterrent control against Internet attacks.

Question 50

Answer A is correct. A monitored double-doorway entry system, also referred to as a mantrap or deadman door, is used as a deterrent control for the vulnerability of piggybacking.

Question 51

Answer B is correct. Application-layer gateways, or proxy firewalls, are an effective method for controlling downloading of files via FTP. Because FTP is an OSI application-layer protocol, the most effective firewall needs to be capable of inspecting through the application layer.

Question 52

Answer D is correct. Biometrics can be used to provide excellent physical access control.

Question 53

Answer C is correct. Screensaver passwords are an effective control to implement as a countermeasure for the vulnerability of data entry operators potentially leaving their computers without logging off.

Question 54

Answer C is correct. ISPs can use access control lists to implement inbound traffic filtering as a control to identify IP packets transmitted from unauthorized sources.

Question 55

Answer B is correct. A key distinction between encryption and hashing algorithms is that hashing algorithms are irreversible.

Question 56

Answer A is correct. Data diddling involves modifying data before or during systems data entry.

Question 57

Answer B is correct. When evaluating biometric access controls, a low equal error rate (EER) is preferred. EER is also called the crossover error rate (CER).

Question 58

Answer C is correct. Data owners are ultimately responsible and accountable for reviewing user access to systems.

Question 59

Answer D is correct. To properly implement data classification, establishing data ownership is an important first step.

Question 60

Answer A is correct. End-user involvement is critical during the business impact assessment phase of business continuity planning.

Question 61

Answer B is correct. Of the three major types of BCP tests (paper, walk-through, and preparedness), only the preparedness test uses actual resources to simulate a system crash and validate the plan's effectiveness.

Question 62

Answer D is correct. Disaster recovery for systems typically focuses on making alternative processes and resources available for transaction processing.

Question 63

Answer C is correct. Of the three major types of BCP tests (paper, walk-through, and preparedness), a walk-through test requires only that representatives from each operational area meet to review the plan.

Question 64

Answer C is correct. Criticality of assets is often influenced by the business criticality of the data to be protected and by the scope of the impact upon the organization as a whole. For example, the loss of a network backbone creates a much greater impact on the organization as a whole than the loss of data on a typical user's workstation.

Question 65

Answer A is correct. Of the three major types of off-site processing facilities (hot, warm, and cold), a cold site is characterized by at least providing for electricity and HVAC. A warm site improves upon this by providing for redundant equipment and software that can be made operational within a short time.

Question 66

Answer A is correct. With the objective of mitigating the risk and impact of a major business interruption, a disaster-recovery plan should endeavor to reduce the length of recovery time necessary and the costs associated with recovery. Although DRP results in an increase of pre- and post-incident operational costs, the extra costs are more than offset by reduced recovery and business impact costs.

Question 67

Answer A is correct. A cold site is often an acceptable solution for preparing for recovery of noncritical systems and data.

Question 68

Answer B is correct. Any changes in systems assets, such as replacement of hardware, should be immediately recorded within the assets inventory of a business continuity plan.

Question 69

Answer C is correct. Although BCP and DRP are often implemented and tested by middle management and end users, the ultimate responsibility and accountability for the plans remain with executive management, such as the board of directors.

Question 70

Answer A is correct. Obtaining user approval of program changes is very effective for controlling application changes and maintenance.

Question 71

Answer A is correct. Library control software restricts source code to read-only access.

Question 72

Answer A is correct. Regression testing is used in program development and change management to determine whether new changes have introduced any errors in the remaining unchanged code.

Question 73

Answer C is correct. Determining time and resource requirements for an application-development project is often the most difficult part of initial efforts in application development.

Question 74

Answer C is correct. A primary high-level goal for an auditor who is reviewing a systems-development project is to ensure that business objectives are achieved. This objective guides all other systems development objectives.

Question 75

Answer B is correct. Whenever an application is modified, the entire program, including any interface systems with other applications or systems, should be tested to determine the full impact of the change.

Question 76

Answer B is correct. The quality of the metadata produced from a data warehouse is the most important consideration in the warehouse's design.

Question 77

Answer B is correct. Function point analysis (FPA) provides an estimate of the size of an information system based on the number and complexity of a system's inputs, outputs, and files.

Question 78

Answer A is correct. User management assumes ownership of a systems-development project and the resulting system.

Question 79

Answer B is correct. If an IS auditor observes that individual modules of a system perform correctly in development project tests, the auditor should inform management of the positive results and recommend further comprehensive integration testing.

Question 80

Answer B is correct. When participating in a systems-development project, an IS auditor should also strive to ensure that adequate and complete documentation exists for all projects.

Question 81

Answer A is correct. A function point analysis (FPA) is a reliable technique for estimating the scope and cost of a software-development project.

Question 82

Answer D is correct. PERT (Program Evaluation and Review Technique) is a technique that considers different scenarios for planning and controlling projects.

Question 83

Answer C is correct. If an IS auditor observes that an IS department fails to use formal documented methodologies, policies, and standards, the auditor should at least document the informal standards and policies, and test for compliance. Furthermore, the IS auditor should recommend to management that formal documented policies be developed and implemented.

Question 84

Answer A is correct. Inadequate software baselining often results in project scope creep because functional requirements are not defined as well as they could be.

Question 85

Answer A is correct. Fourth-generation languages (4GLs) are most appropriate for designing the application's graphical user interface (GUI). They are inappropriate for designing any intensive data-calculation procedures.

Question 86

Answer B is correct. Run-to-run totals can verify data through various stages of application processing.

Question 87

Answer B is correct. The board of directors and executive officers are ultimately accountable for the functionality, reliability, and security within IT governance.

Question 88

Answer C is correct. Data-mining techniques can be used to help identify and investigate unauthorized transactions.

Question 89

Answer A is correct. Network environments often add to the complexity of program-to-program communication, making application systems implementation and maintenance more difficult.

Question 90

Answer A is correct. Quantitative risk analysis is not always possible because the IS auditor is attempting to calculate risk using nonquantifiable threats and potential losses. In this event, a qualitative risk assessment is more appropriate.

Question 91

Answer C is correct. An IS auditor must first understand the relevant business processes before performing an application audit.

Question 92

Answer C is correct. Defining the scope of areas to be reviewed is the first step in a business process re-engineering project.

Question 93

Answer D is correct. When storing data archives off-site, data must be synchronized to ensure data completeness.

Question 94

Answer A is correct. A redundancy check can help detect transmission errors by appending specially calculated bits onto the end of each segment of data.

Question 95

Answer A is correct. A completeness check is an edit check to determine whether a field contains valid data.

Question 96

Answer B is correct. A transaction journal provides the information necessary for detecting unauthorized input from a terminal.

Question 97

Answer B is correct. An intentional or unintentional disclosure of a password is not likely to be evident within control logs.

Question 98

Answer C is correct. Benchmarking partners are identified in the research stage of the benchmarking process.

Question 99

Answer B is correct. A check digit is an effective edit check to detect data-transposition and transcription errors.

Question 100

Answer B is correct. Parity bits are a control used to validate data completeness.


Source: CISA Exam Cram 2
ISBN: B001EEFNHG
EAN: N/A
Year: 2005
Pages: 146