ISACA. CISA Practice Questions 2009 All

one risk position into several is not sufficient.

374

、

An audit charter should:

A

、

be dynamic and change often to coincide with the changing nature of

technology and the audit profession.

B

、

clearly state audit objectives for, and the delegation of, authority

to the maintenance and review of internal controls.

C

、

document the audit procedures designed to achieve the planned audit

objectives.

D

、

outline the overall authority, scope and responsibilities of the

audit function.

ANSWER:D

NOTE:An audit charter should state management's objectives for and

delegation of authority to IS audit. This charter should not significantly

change over time and should be approved at the highest level of

management. An audit charter would not be at a detailed level and,

therefore, would not include specific audit objectives or procedures.

375

、

During an audit of an enterprise that is dedicated to e-commerce,

the IS manager states that digital signatures are used when receiving

communications from customers. To substantiate this, an IS auditor must

prove that which of the following is used?

A

、

A biometric, digitalized and encrypted parameter with the customer's

public key

B

、

A hash of the data that is transmitted and encrypted with the

customer's private key

C

、

A hash of the data that is transmitted and encrypted with the

customer's public key

D

、

The customer's scanned signature encrypted with the customer's

public key

ANSWER:B

NOTE:The calculation of a hash, or digest, of the data that are

transmitted and its encryption require the public key of the client

(receiver) and is called a signature of the message, or digital signature.

The receiver performs the same process and then compares the received

hash, once it has been decrypted with their private key, to the hash that

is calculated with the received data. If they are the same, the conclusion

would be that there is integrity in the data that have arrived and the

origin is authenticated. The concept of encrypting the hash with the

private key of the originator provides nonrepudiation, as it can only be

decrypted with their public key and, as the CD suggests, the private key

would not be known to the recipient. Simply put, in a key-pair situation,

anything that can be decrypted by a sender's public key must have been

encrypted with their private key, so they must have been the sender, i.e.,

nonrepudiation. Choice C is incorrect because, if this were the case, the

hash could not be decrypted by the recipient, so the benefit of

nonrepudiation would be lost and there could be no verification that the

message had not been intercepted and amended. A digital signature is

created by encrypting with a private key. A person creating the signature

uses their own private key, otherwise everyone would be able to create a

signature with any public key. Therefore, the signature of the client is

created with the client's private key, and this can be verified—by the

enterprise—using the client's public key. Choice B is the correct answer

because, in this case, the customer uses their private key to sign the

hash data.

376

、

A top-down approach to the development of operational policies will

help ensure:

A

、

that they are consistent across the organization.

B

、

that they are implemented as a part of risk assessment.

C

、

compliance with all policies.

D

、

that they are reviewed periodically.

ANSWER:A

NOTE:Deriving lower level policies from corporate policies (a top-down

approach) aids in ensuring consistency across the organization and

consistency with other policies. The bottom-up approach to the development

of operational policies is derived as a result of risk assessment. A

top-down approach of itself does not ensure compliance and development

does not ensure that policies are reviewed.

377

、

Which of the following functions should be performed by the

application owners to ensure an adequate segregation of duties between IS

and end users?

A

、

System analysis

B

、

Authorization of access to data

C

、

Application programming

D

、

Data administration

ANSWER:B

NOTE:The application owner is responsible for authorizing access to data.

Application development and programming are functions of the IS

department. Similarly, system analysis should be performed by qualified

persons in IS who have knowledge of IS and user requirements. Data

administration is a specialized function related to database management

systems and should be performed by qualified database administrators.

378

、

Naming conventions for system resources are important for access

control because they:

A

、

ensure that resource names are not ambiguous.

B

、

reduce the number of rules required to adequately protect resources.

C

、

ensure that user access to resources is clearly and uniquely

identified.

D

、

ensure that internationally recognized names are used to protect

resources.

ANSWER:B

NOTE:Naming conventions for system resources are important for the

efficient administration of security controls. The conventions can be

structured, so resources beginning with the same high-level qualifier can

be governed by one or more generic rules. This reduces the number of rules

required to adequately protect resources, which in turn facilitates

security administration and maintenance efforts. Reducing the number of

rules required to protect resources allows for the grouping of resources

and files by application, which makes it easier to provide access.

Ensuring that resource names are not ambiguous cannot be achieved through

the use of naming conventions. Ensuring the clear and unique

identification of user access to resources is handled by access control

rules, not naming conventions. Internationally recognized names are not

required to control access to resources. Naming conventions tend to be

based on how each organization wants to identify its resources.

379

、

When reviewing procedures for emergency changes to programs, the IS

auditor should verify that the procedures:

A

、

allow changes, which will be completed using after-the-fact

follow-up.

B

、

allow undocumented changes directly to the production library.

C

、

do not allow any emergency changes.

D

、

allow programmers permanent access to production programs.

ANSWER:A

NOTE:There may be situations where emergency fixes are required to resolve

system problems. This involves the use of special logon IDs that grant

programmers temporary access to production programs during emergency

situations. Emergency changes should be completed using after-the-fact

follow-up procedures, which ensure that normal procedures are

retroactively applied; otherwise, production may be impacted. Changes made

in this fashion should be held in an emergency library from where they can

be moved to the production library, following the normal change management

process. Programmers should not directly alter the production library nor

should they be allowed permanent access to production programs.

380

、

Which of the following would an IS auditor consider the MOST

relevant to short-term planning for an IS department?

A

、

Allocating resources

B

、

Keeping current with technology advances

C

、

Conducting control self-assessment

D

、

Evaluating hardware needs

ANSWER:A

NOTE:The IS department should specifically consider the manner in which

resources are allocated in the short term. Investments in IT need to be

aligned with top management strategies, rather than focusing on technology

for technology's sake. Conducting control self-assessments and evaluating

hardware needs are not as critical as allocating resources during

short-term planning for the IS department.

381

、

To ensure message integrity, confidentiality and nonrepudiation

between two parties, the MOST effective method would be to create a

message digest by applying a cryptographic hashing algorithm against:

A

、

the entire message, enciphering the message digest using the

sender's private key, enciphering the message with a symmetric key and

enciphering the key by using the receiver's public key.

B

、

any part of the message, enciphering the message digest using the

sender's private key, enciphering the message with a symmetric key and

enciphering the key using the receiver's public key.

C

、

the entire message, enciphering the message digest using the

sender's private key, enciphering the message with a symmetric key and

enciphering both the encrypted message and digest using the receiver's

public key.

D

、

the entire message, enciphering the message digest using the

sender's private key and enciphering the message using the receiver's

public key.

ANSWER:A

NOTE:Applying a cryptographic hashing algorithm against the entire message

addresses the message integrity issue. Enciphering the message digest

using the sender's private key addresses nonrepudiation. Encrypting the

message with a symmetric key, thereafter allowing the key to be enciphered

using the receiver's public key, most efficiently addresses the

confidentiality of the message as well as the receiver's nonrepudiation.

The other choices would address only a portion of the requirements.

382

、

An IS auditor notes that patches for the operating system used by an

organization are deployed by the IT department as advised by the vendor.

The MOST significant concern an IS auditor should have with this practice

is the nonconsideration by IT of:

A

、

the training needs for users after applying the patch.

B

、

any beneficial impact of the patch on the operational systems.

C

、

delaying deployment until testing the impact of the patch.

D

、

the necessity of advising end users of new patches.

ANSWER:C

NOTE:Deploying patches without testing exposes an organization to the risk

of system disruption or failure. Normally, there is no need for training

or advising users when a new operating system patch has been installed.

Any beneficial impact is less important than the risk of unavailability

that could be avoided with proper testing.

383

、

Which of the following controls would be the MOST comprehensive in a

remote access network with multiple and diverse subsystems?

A

、

Proxy server

B

、

Firewall installation

C

、

Network administrator

D

、

Password implementation and administration

ANSWER:D

NOTE:The most comprehensive control in this situation is password

implementation and administration. While firewall installations are the

primary line of defense, they cannot protect all access and, therefore, an

element of risk remains. A proxy server is a type of firewall

installation; thus, the same rules apply. The network administrator may

serve as a control, but typically this would not be comprehensive enough

to serve on multiple and diverse systems.

384

、

Which of the following is the most important element in the design

of a data warehouse?

A

、

Quality of the metadata

B

、

Speed of the transactions

C

、

Volatility of the data

D

、

Vulnerability of the system

ANSWER:A

NOTE:Quality of the metadata is the most important element in the design

of a data warehouse. A data warehouse is a copy of transaction data

specifically structured for query and analysis. Metadata aim to provide a

table of contents to the information stored in the data warehouse.

Companies that have built warehouses believe that metadata are the most

important component of the warehouse.

385

、

Which of the following provides the best evidence of the adequacy of

a security awareness program?

A

、

The number of stakeholders including employees trained at various

levels

B

、

Coverage of training at all locations across the enterprise

C

、

The implementation of security devices from different vendors

D

、

Periodic reviews and comparison with best practices

ANSWER:D

NOTE:The adequacy of security awareness content can best be assessed by

determining whether it is periodically reviewed and compared to industry

best practices. Choices A, B and C provide metrics for measuring various

aspects of a security awareness program, but do not help assess the

content.

386

、

Which of the following Internet security threats could compromise

integrity?

A

、

Theft of data from the client

B

、

Exposure of network configuration information

C

、

A Trojan horse browser

D

、

Eavesdropping on the net

ANSWER:C

NOTE:Internet security threats/vulnerabilities to integrity include a

Trojan horse, which could modify user data, memory and messages found in

client-browser software. The other options compromise confidentiality.

387

、

Which of the following is the BEST method for preventing the leakage

of confidential information in a laptop computer?

A

、

Encrypt the hard disk with the owner's public key.

B

、

Enable the boot password (hardware-based password).

C

、

Use a biometric authentication device.

D

、

Use two-factor authentication to logon to the notebook.

ANSWER:A

NOTE:Only encryption of the data with a secure key will prevent the loss

of confidential information. In such a case, confidential information can

be accessed only with knowledge of the owner's private key, which should

never be shared. Choices B, C and D deal with authentication and not with

confidentiality of information. An individual can remove the hard drive

from the secured laptop and install it on an unsecured computer, gaining

access to the data.

388

、

Which of the following should an IS auditor recommend for the

protection of specific sensitive information stored in the data warehouse?

A

、

Implement column- and row-level permissions

B

、

Enhance user authentication via strong passwords

C

、

Organize the data warehouse into subject matter–specific databases

D

、

Log user access to the data warehouse

ANSWER:A

NOTE:Choice A specifically addresses the question of sensitive data by

controlling what information users can access. Column-level security

prevents users from seeing one or more attributes on a table. With

row-level security a certain grouping of information on a table is

restricted; e.g., if a table held details of employee salaries, then a

restriction could be put in place to ensure that, unless specifically

authorized, users could not view the salaries of executive staff. Column-

and row-level security can be achieved in a relational database by

allowing users to access logical representations of data rather than

physical tables. This “fine-grained” security model is likely to offer the

best balance between information protection while still supporting a wide

range of analytical and reporting uses. Enhancing user authentication via

strong passwords is a security control that should apply to all users of

the data warehouse and does not specifically address protection of

sensitive data. Organizing a data warehouse into subject-specific

databases is a potentially useful practice but, in itself, does not

adequately protect sensitive data. Database-level security is normally too

“coarse” a level to efficiently and effectively protect information. For

example, one database may hold information that needs to be restricted

such as employee salary and customer profitability details while other

information such as employee department may need to be legitimately

accessed by a large number of users. Organizing the data warehouse into

subject matter–specific databases is similar to choice B in that this

control should generally apply. Extra attention could be devoted to

reviewing access to tables with sensitive data, but this control is not

sufficient without strong preventative controls as specified in choice A.

389

、

During a security audit of IT processes, an IS auditor found that

there were no documented security procedures. The IS auditor should:

A

、

create the procedures document.

B

、

terminate the audit.

C

、

conduct compliance testing.

D

、

identify and evaluate existing practices.

ANSWER:D

NOTE:One of the main objectives of an audit is to identify potential

risks; therefore, the most proactive approach would be to identify and

evaluate the existing security practices being followed by the

organization. IS auditors should not prepare documentation, as doing so

could jeopardize their independence. Terminating the audit may prevent

achieving one of the basic audit objectives, i.e., identification of

potential risks. Since there are no documented procedures, there is no

basis against which to test compliance.

390

、

As updates to an online order entry system are processed, the

updates are recorded on a transaction tape and a hard copy transaction

log. At the end of the day, the order entry files are backed up on tape.

During the backup procedure, a drive malfunctions and the order entry

files are lost. Which of the following is necessary to restore these

files?

A

、

The previous day's backup file and the current transaction tape

B

、

The previous day's transaction file and the current transaction tape

C

、

The current transaction tape and the current hard copy transaction

log

D

、

The current hard copy transaction log and the previous day's

transaction file

ANSWER:A

NOTE:The previous day's backup file will be the most current historical

backup of activity in the system. The current day's transaction file will

contain all of the day's activity. Therefore, the combination of these two

files will enable full recovery up to the point of interruption.

391

、

While reviewing sensitive electronic work papers, the IS auditor

noticed that they were not encrypted. This could compromise the:

A

、

audit trail of the versioning of the work papers.

B

、

approval of the audit phases.

C

、

access rights to the work papers.

D

、

confidentiality of the work papers.

ANSWER:D

NOTE:Encryption provides confidentiality for the electronic work papers.

Audit trails, audit phase approvals and access to the work papers do not,

of themselves, affect the confidentiality but are part of the reason for

requiring encryption.

392

、

Data flow diagrams are used by IS auditors to:

A

、

order data hierarchically.

B

、

highlight high-level data definitions.

C

、

graphically summarize data paths and storage.

D

、

portray step-by-step details of data generation.

ANSWER:C

NOTE:Data flow diagrams are used as aids to graph or chart data flow and

storage. They trace the data from its origination to destination,

highlighting the paths and storage of data. They do not order data in any

hierarchy. The flow of the data will not necessarily match any hierarchy

or data generation order.

393

、

Which of the following should an IS auditor recommend to BEST

enforce alignment of an IT project portfolio with strategic organizational

priorities?

A

、

Define a balanced scorecard (BSC) for measuring performance

B

、

Consider user satisfaction in the key performance indicators (KPIs)

C

、

Select projects according to business benefits and risks

D

、

Modify the yearly process of defining the project portfolio

ANSWER:C

NOTE:Prioritization of projects on the basis of their expected benefit(s)

to business, and the related risks, is the best measure for achieving

alignment of the project portfolio to an organization's strategic

priorities. Modifying the yearly process of the projects portfolio

definition might improve the situation, but only if the portfolio

definition process is currently not tied to the definition of corporate

strategies; however, this is unlikely since the difficulties are in

maintaining the alignment, and not in setting it up initially. Measures

such as balanced scorecard (BSC) and key performance indicators (KPIs) are

helpful, but they do not guarantee that the projects are aligned with

business strategy.

394

、

During a business continuity audit an IS auditor found that the

business continuity plan (BCP) covered only critical processes. The IS

auditor should:

A

、

recommend that the BCP cover all business processes.

B

、

assess the impact of the processes not covered.

C

、

report the findings to the IT manager.

D

、

redefine critical processes.

ANSWER:B

NOTE:The business impact analysis needs to be either updated or revisited

to assess the risk of not covering all processes in the plan. It is

possible that the cost of including all processes might exceed the value

of those processes; therefore, they should not be covered. An IS auditor

should substantiate this by analyzing the risk.

395

、

Assuming this diagram represents an internal facility and the

organization is implementing a firewall protection program, where should

firewalls be installed?

A

、

No firewalls are needed

B

、

Op-3 location only

C

、

MIS (Global) and NAT2

D

、

SMTP Gateway and op-3

ANSWER:D

NOTE:The objective of a firewall is to protect a trusted network from an

untrusted network; therefore, locations needing firewall implementations

would be at the existence of the external connections. All other answers

are incomplete or represent internal connections.

ISACA. CISA Practice Questions 2009 All

Подождите немного. Документ загружается.