ISACA. CISA Practice Questions 2009 All
Подождите немного. Документ загружается.
C
、
value delivery.
D
、
resource management.
ANSWER:A
NOTE:Performance measurement includes setting and monitoring measurable
objectives of what the IT processes need to deliver (process outcome) and
how they deliver it (process capability and performance). Strategic
alignment primarily focuses on ensuring linkage of business and IT plans.
Value delivery is about executing the value proposition throughout the
delivery cycle. Resource management is about the optimal investment in and
proper management of critical IT resources. Transparency is primarily
achieved through performance measurement as it provides information to the
stakeholders on how well the enterprise is performing when compared to
objectives.
23
、
Which of the following is a dynamic analysis tool for the purpose of
testing software modules?
A
、
Black box test
B
、
Desk checking
C
、
Structured walkthrough
D
、
Design and code
ANSWER:A
NOTE:A black box test is a dynamic analysis tool for testing software
modules. During the testing of software modules a black box test works
first in a cohesive manner as a single unit/entity consisting of numerous
modules, and second with the user data that flows across software modules.
In some cases, this even drives the software behavior. In choices B, C and
D, the software (design or code) remains static and someone closely
examines it by applying their mind, without actually activating the
software. Therefore, these cannot be referred to as dynamic analysis
tools.
24
、
An IS auditor analyzing the audit log of a database management system
(DBMS) finds that some transactions were partially executed as a result of
an error, and are not rolled back. Which of the following transaction
processing features has been violated?
A
、
Consistency
B
、
Isolation
C
、
Durability
D
、
Atomicity
ANSWER:D
NOTE:Atomicity guarantees that either the entire transaction is processed
or none of it is. Consistency ensures that the database is in a legal
state when the transaction begins and ends. Isolation means that, while in
an intermediate state, the transaction data is invisible to external
operations. Durability guarantees that a successful transaction will
persist, and cannot be undone.
25
、
Which of the following reports should an IS auditor use to check
compliance with a service level agreement's (SLA) requirement for uptime?
A
、
Utilization reports
B
、
Hardware error reports
C
、
System logs
D
、
Availability reports
ANSWER:D
NOTE:IS inactivity, such as downtime, is addressed by availability
reports. These reports provide the time periods during which the computer
was available for utilization by users or other processes. Utilization
reports document the use of computer equipment, and can be used by
management to predict how/where/when resources are required. Hardware
error reports provide information to aid in detecting hardware failures
and initiating corrective action. System logs are a recording of the
system's activities.
26
、
In the event of a disruption or disaster, which of the following
technologies provides for continuous operations?
A
、
Load balancing
B
、
Fault-tolerant hardware
C
、
Distributed backups
D
、
High-availability computing
ANSWER:B
NOTE:Fault-tolerant hardware is the only technology that currently
supports continuous, uninterrupted service. Load balancing is used to
improve the performance of the server by splitting the work between
several servers based on workloads. High-availability (HA) computing
facilities provide a quick but not continuous recovery, while distributed
backups require longer recovery times.
27
、
Confidentiality of the data transmitted in a wireless LAN is BEST
protected if the session is:
A
、
restricted to predefined MAC addresses.
B
、
encrypted using static keys.
C
、
encrypted using dynamic keys.
D
、
initiated from devices that have encrypted storage.
ANSWER:C
NOTE:When using dynamic keys, the encryption key is changed frequently,
thus reducing the risk of the key being compromised and the message being
decrypted. Limiting the number of devices that can access the network does
not address the issue of encrypting the session. Encryption with static
keys—using the same key for a long period of time—risks that the key would
be compromised. Encryption of the data on the connected device (laptop,
PDA, etc.) addresses the confidentiality of the data on the device, not
the wireless session.
28
、
Which of the following must exist to ensure the viability of a
duplicate information processing facility?
A
、
The site is near the primary site to ensure quick and efficient
recovery.
B
、
The site contains the most advanced hardware available.
C
、
The workload of the primary site is monitored to ensure adequate
backup is available.
D
、
The hardware is tested when it is installed to ensure it is working
properly.
ANSWER:C
NOTE:Resource availability must be assured. The workload of the site must
be monitored to ensure that availability for emergency backup use is not
impaired. The site chosen should not be subject to the same natural
disaster as the primary site. In addition, a reasonable compatibility of
hardware/software must exist to serve as a basis for backup. The latest or
newest hardware may not adequately serve this need. Testing the hardware
when the site is established is essential, but regular testing of the
actual backup data is necessary to ensure the operation will continue to
perform as planned.
29
、
To reduce the possibility of losing data during processing, the FIRST
point at which control totals should be implemented is:
A
、
during data preparation.
B
、
in transit to the computer.
C
、
between related computer runs.
D
、
during the return of the data to the user department.
ANSWER:A
NOTE:During data preparation is the best answer, because it establishes
control at the earliest point.
30
、
The FIRST step in managing the risk of a cyberattack is to:
A
、
assess the vulnerability impact.
B
、
evaluate the likelihood of threats.
C
、
identify critical information assets.
D
、
estimate potential damage.
ANSWER:C
NOTE:The first step in managing risk is the identification and
classification of critical information resources (assets). Once the assets
have been identified, the process moves onto the identification of
threats, vulnerabilities and calculation of potential damages.
31
、
An IS auditor examining a biometric user authentication system
establishes the existence of a control weakness that would allow an
unauthorized individual to update the centralized database on the server
that is used to store biometric templates. Of the following, which is the
BEST control against this risk?
A
、
Kerberos
B
、
Vitality detection
C
、
Multimodal biometrics
D
、
Before-image/after-image logging
ANSWER:A
NOTE:Kerberos is a network authentication protocol for client-server
applications that can be used to restrict access to the database to
authorized users. Choices B and C are incorrect because vitality detection
and multimodal biometrics are controls against spoofing and mimicry
attacks. Before-image/after-image logging of database transactions is a
detective control, as opposed to Kerberos, which is a preventative
control.
32
、
The ultimate purpose of IT governance is to:
A
、
encourage optimal use of IT.
B
、
reduce IT costs.
C
、
decentralize IT resources across the organization.
D
、
centralize control of IT.
ANSWER:A
NOTE:IT governance is intended to specify the combination of decision
rights and accountability that is best for the enterprise. It is different
for every enterprise. Reducing IT costs may not be the best IT governance
outcome for an enterprise. Decentralizing IT resources across the
organization is not always desired, although it may be desired in a
decentralized environment. Centralizing control of IT is not always
desired. An example of where it might be desired is an enterprise desiring
a single point of customer contact.
33
、
A company has decided to implement an electronic signature scheme
based on public key infrastructure. The user's private key will be stored
on the computer's hard drive and protected by a password. The MOST
significant risk of this approach is:
A
、
use of the user's electronic signature by another person if the
password is compromised.
B
、
forgery by using another user's private key to sign a message with
an electronic signature.
C
、
impersonation of a user by substitution of the user's public key
with another person's public key.
D
、
forgery by substitution of another person's private key on the
computer.
ANSWER:A
NOTE:The user's digital signature is only protected by a password.
Compromise of the password would enable access to the signature. This is
the most significant risk. Choice B would require subversion of the public
key infrastructure mechanism, which is very difficult and least likely.
Choice C would require that the message appear to have come from a
different person and therefore the true user's credentials would not be
forged. Choice D has the same consequence as choice C.
34
、
An organization has a mix of access points that cannot be upgraded to
stronger security and newer access points having advanced wireless
security. An IS auditor recommends replacing the nonupgradeable access
points. Which of the following would BEST justify the IS auditor's
recommendation?
A
、
The new access points with stronger security are affordable.
B
、
The old access points are poorer in terms of performance.
C
、
The organization's security would be as strong as its weakest
points.
D
、
The new access points are easier to manage.
ANSWER:C
NOTE:The old access points should be discarded and replaced with products
having strong security; otherwise, they will leave security holes open for
attackers and thus make the entire network as weak as they are.
Affordability is not the auditor's major concern. Performance is not as
important as security in this situation. Product manageability is not the
IS auditor's concern.
35
、
What is the BEST action to prevent loss of data integrity or
confidentiality in the case of an e-commerce application running on a LAN,
processing electronic fund transfers (EFT) and orders?
A
、
Using virtual private network (VPN) tunnels for data transfer
B
、
Enabling data encryption within the application
C
、
Auditing the access control to the network
D
、
Logging all changes to access lists
ANSWER:A
NOTE:The best way to ensure confidentiality and integrity of data is to
encrypt it using virtual private network (VPN) tunnels. This is the most
common and convenient way to encrypt the data traveling over the network.
Data encryption within the application is less efficient than VPN. The
other options are good practices, but they do not directly prevent the
loss of data Integrity and confidentiality during communication through a
network.
36
、
When using a digital signature, the message digest is computed:
A
、
only by the sender.
B
、
only by the receiver.
C
、
by both the sender and the receiver.
D
、
by the certificate authority (CA).
ANSWER:C
NOTE:A digital signature is an electronic identification of a person or
entity. It is created by using asymmetric encryption. To verify integrity
of data, the sender uses a cryptographic hashing algorithm against the
entire message to create a message digest to be sent along with the
message. Upon receipt of the message, the receiver will recompute the hash
using the same algorithm and compare results with what was sent to ensure
the integrity of the message.
37
、
The GREATEST benefit in implementing an expert system is the:
A
、
capturing of the knowledge and experience of individuals in an
organization.
B
、
sharing of knowledge in a central repository.
C
、
enhancement of personnel productivity and performance.
D
、
reduction of employee turnover in key departments.
ANSWER:A
NOTE:The basis for an expert system is the capture and recording of the
knowledge and experience of individuals in an organization. Coding and
entering the knowledge in a central repository, shareable within the
enterprise, is a means of facilitating the expert system. Enhancing
personnel productivity and performance is a benefit; however, it is not as
important as capturing the knowledge and experience. Employee turnover is
not necessarily affected by an expert system.
38
、
Upon receipt of the initial signed digital certificate the user will
decrypt the certificate with the public key of the:
A
、
registration authority (RA).
B
、
certificate authority (CA).
C
、
certificate repository.
D
、
receiver.
ANSWER:B
NOTE:A certificate authority (CA) is a network authority that issues and
manages security credentials and public keys for message encryption. As a
part of the public key infrastructure, a CA checks with a registration
authority (RA) to verify information provided by the requestor of a
digital certificate. If the RA verifies the requestor's information, the
CA can issue a certificate. The CA signs the certificate with its private
key for distribution to the user. Upon receipt, the user will decrypt the
certificate with the CA's public key.
39
、
What should an organization do before providing an external agency
physical access to its information processing facilities (IPFs)?
A
、
The processes of the external agency should be subjected to an IS
audit by an independent agency.
B
、
Employees of the external agency should be trained on the security
procedures of the organization.
C
、
Any access by an external agency should be limited to the
demilitarized zone (DMZ).
D
、
The organization should conduct a risk assessment and design and
implement appropriate controls.
ANSWER:D
NOTE:Physical access of information processing facilities (IPFs) by an
external agency introduces additional threats into an organization.
Therefore, a risk assessment should be conducted and controls designed
accordingly. The processes of the external agency are not of concern here.
It is the agency's interaction with the organization that needs to be
protected. Auditing their processes would not be relevant in this
scenario. Training the employees of the external agency may be one control
procedure, but could be performed after access has been granted. Sometimes
an external agency may require access to the processing facilities beyond
the demilitarized zone (DMZ). For example, an agency which undertakes
maintenance of servers may require access to the main server room.
Restricting access within the DMZ will not serve the purpose.
40
、
Is it appropriate for an IS auditor from a company that is
considering outsourcing its IS processing to request and review a copy of
each vendor's business continuity plan?
A
、
Yes, because an IS auditor will evaluate the adequacy of the service
bureau's plan and assist their company in implementing a complementary
plan.
B
、
Yes, because based on the plan, an IS auditor will evaluate the
financial stability of the service bureau and its ability to fulfill the
contract.
C
、
No, because the backup to be provided should be specified adequately
in the contract.
D
、
No, because the service bureau's business continuity plan is
proprietary information.
ANSWER:A
NOTE:The primary responsibility of an IS auditor is to assure that the
company assets are being safeguarded. This is true even if the assets do
not reside on the immediate premises. Reputable service bureaus will have
a well-designed and tested business continuity plan.
41
、
Security administration procedures require read-only access to:
A
、
access control tables.
B
、
security log files.
C
、
logging options.
D
、
user profiles.
ANSWER:B
NOTE:Security administration procedures require read-only access to
security log files to ensure that, once generated, the logs are not
modified. Logs provide evidence and track suspicious transactions and
activities. Security administration procedures require write access to
access control tables to manage and update the privileges according to
authorized business requirements. Logging options require write access to
allow the administrator to update the way the transactions and user
activities are monitored, captured, stored, processed and reported.
42
、
Which of the following encrypt/decrypt steps provides the GREATEST
assurance of achieving confidentiality, message integrity and
nonrepudiation by either sender or recipient?
A
、
The recipient uses their private key to decrypt the secret key.
B
、
The encrypted prehash code and the message are encrypted using a
secret key.
C
、
The encrypted prehash code is derived mathematically from the
message to be sent.
D
、
The recipient uses the sender's public key, verified with a
certificate authority, to decrypt the prehash code.
ANSWER:D
NOTE:Most encrypted transactions use a combination of private keys, public
keys, secret keys, hash functions and digital certificates to achieve
confidentiality, message integrity and nonrepudiation by either sender or
recipient. The recipient uses the sender's public key to decrypt the
prehash code into a posthash code, which when equaling the prehash code,
verifies the identity of the sender and that the message has not been
changed in route; this would provide the greatest assurance. Each sender
and recipient has a private key known only to themselves and a public key,
which can be known by anyone. Each encryption/decryption process requires
at least one public key and one private key, and both must be from the
same party. A single, secret key is used to encrypt the message, because
secret key encryption requires less processing power than using public and
private keys. A digital certificate, signed by a certificate authority,
validates senders' and recipients' public keys.
43
、
Which of the following manages the digital certificate life cycle to
ensure adequate security and controls exist in digital signature
applications related to e-commerce?
A
、
Registration authority
B
、
Certificate authority (CA)
C
、
Certification relocation list
D
、
Certification practice statement
ANSWER:B
NOTE:The certificate authority maintains a directory of digital
certificates for the reference of those receiving them. It manages the
certificate life cycle, including certificate directory maintenance and
certificate revocation list maintenance and publication. Choice A is not
correct because a registration authority is an optional entity that is
responsible for the administrative tasks associated with registering the
end entity that is the subject of the certificate issued by the CA. Choice
C is incorrect since a CRL is an instrument for checking the continued
validity of the certificates for which the CA has responsibility. Choice D
is incorrect because a certification practice statement is a detailed set
of rules governing the certificate authority's operations.
44
、
Which of the following data validation edits is effective in
detecting transposition and transcription errors?
A
、
Range check
B
、
Check digit
C
、
Validity check
D
、
Duplicate check
ANSWER:B
NOTE:A check digit is a numeric value that is calculated mathematically
and is appended to data to ensure that the original data have not been
altered, e.g., an incorrect, but valid, value substituted for the
original. This control is effective in detecting transposition and
transcription errors. A range check is checking data that matches a
predetermined range of values. A validity check is programmed checking of