ISACA. CISA Practice Questions 2009 All

handling procedures, such as the screening process to know if an event is

a security incident or a false positive. Trap messages are generated by

the Simple Network Management Protocol (SNMP) agents when an important

event happens, but are not particularly related to security or IDSs.

Reject-error rate is related to biometric technology and is not related to

IDSs. Denial-of-service is a type of attack and is not a problem in the

operation of IDSs.

466

、

Minimum password length and password complexity verification are

examples of:

A

、

detection controls.

B

、

control objectives.

C

、

audit objectives.

D

、

control procedures.

ANSWER:D

NOTE:Control procedures are practices established by management to achieve

specific control objectives. Password controls are preventive controls,

not detective controls. Control objectives are declarations of expected

results from implementing controls and audit objectives are the specific

goals of an audit.

467

、

The Secure Sockets Layer (SSL) protocol addresses the

confidentiality of a message through:

A

、

symmetric encryption.

B

、

message authentication code.

C

、

hash function.

D

、

digital signature certificates.

ANSWER:A

NOTE:SSL uses a symmetric key for message encryption. A message

authentication code is used for ensuring data integrity. Hash function is

used for generating a message digest; it does not use public key

encryption for message encryption. Digital signature certificates are used

by SSL for server authentication.

468

、

An IS auditor reviewing wireless network security determines that

the Dynamic Host Configuration Protocol is disabled at all wireless access

points. This practice:

A

、

reduces the risk of unauthorized access to the network.

B

、

is not suitable for small networks.

C

、

automatically provides an IP address to anyone.

D

、

increases the risks associated with Wireless Encryption Protocol

(WEP).

ANSWER:A

NOTE:Dynamic Host Configuration Protocol (DHCP) automatically assigns IP

addresses to anyone connected to the network. With DHCP disabled, static

IP addresses must be used and represent less risk due to the potential for

address contention between an unauthorized device and existing devices on

the network. Choice B is incorrect because DHCP is suitable for small

networks. Choice C is incorrect because DHCP does not provide IP addresses

when disabled. Choice D is incorrect because disabling of the DHCP makes

it more difficult to exploit the well-known weaknesses in WEP.

469

、

In a contract with a hot, warm or cold site, contractual provisions

should cover which of the following considerations?

A

、

Physical security measures

B

、

Total number of subscribers

C

、

Number of subscribers permitted to use a site at one time

D

、

References by other users

ANSWER:C

NOTE:The contract should specify the number of subscribers permitted to

use the site at any one time. Physical security measures are not a part of

the contract, although they are an important consideration when choosing a

third-party site. The total number of subscribers is not a consideration;

what is important is whether the agreement limits the number of

subscribers in a building or in a specific area. The references that other

users can provide is a consideration taken before signing the contract; it

is by no means part of the contractual provisions.

470

、

Which of the following would be MOST important for an IS auditor to

verify when conducting a business continuity audit?

A

、

Data backups are performed on a timely basis

B

、

A recovery site is contracted for and available as needed

C

、

Human safety procedures are in place

D

、

Insurance coverage is adequate and premiums are current

ANSWER:C

NOTE:The most important element in any business continuity process is the

protection of human life. This takes precedence over all other aspects of

the plan.

471

、

The computer security incident response team (CSIRT) of an

organization disseminates detailed descriptions of recent threats. An IS

auditor's GREATEST concern should be that the users might:

A

、

use this information to launch attacks.

B

、

forward the security alert.

C

、

implement individual solutions.

D

、

fail to understand the threat.

ANSWER:A

NOTE:An organization's computer security incident response team (CSIRT)

should disseminate recent threats, security guidelines and security

updates to the users to assist them in understanding the security risk of

errors and omissions. However, this introduces the risk that the users may

use this information to launch attacks, directly or indirectly. An IS

auditor should ensure that the CSIRT is actively involved with users to

assist them in mitigation of risks arising from security failures and to

prevent additional security incidents resulting from the same threat.

Forwarding the security alert is not harmful to the organization.

Implementing individual solutions is unlikely and users failing to

understand the threat would not be a serious concern.

472

、

A team conducting a risk analysis is having difficulty projecting

the financial losses that could result from a risk. To evaluate the

potential losses, the team should:

A

、

compute the amortization of the related assets.

B

、

calculate a return on investment (ROI).

C

、

apply a qualitative approach.

D

、

spend the time needed to define exactly the loss amount.

ANSWER:C

NOTE:The common practice, when it is difficult to calculate the financial

losses, is to take a qualitative approach, in which the manager affected

by the risk defines the financial loss in terms of a weighted factor

(e.g., one is a very low impact to the business and five is a very high

impact). An ROI is computed when there is predictable savings or revenues

that can be compared to the investment needed to realize the revenues.

Amortization is used in a profit and loss statement, not in computing

potential losses. Spending the time needed to define exactly the total

amount is normally a wrong approach. If it has been difficult to estimate

potential losses (e.g., losses derived from erosion of public image due to

a hack attack), that situation is not likely to change, and at the end of

the day, the result will be a not well-supported evaluation.

473

、

Change control for business application systems being developed

using prototyping could be complicated by the:

A

、

iterative nature of prototyping.

B

、

rapid pace of modifications in requirements and design.

C

、

emphasis on reports and screens.

D

、

lack of integrated tools.

ANSWER:B

NOTE:Changes in requirements and design happen so quickly that they are

seldom documented or approved. Choices A, C and D are characteristics of

prototyping, but they do not have an adverse effect on change control.

474

、

Which of the following would prevent unauthorized changes to

information stored in a server's log?

A

、

Write-protecting the directory containing the system log

B

、

Writing a duplicate log to another server

C

、

Daily printing of the system log

D

、

Storing the system log in write-once media

ANSWER:D

NOTE:Storing the system log in write-once media ensures the log cannot be

modified. Write-protecting the system log does not prevent deletion or

modification, since the superuser or users that have special permission

can override the write protection. Writing a duplicate log to another

server or daily printing of the system log cannot prevent unauthorized

changes.

475

、

Which of the following should be of PRIMARY concern to an IS auditor

reviewing the management of external IT service providers?

A

、

Minimizing costs for the services provided

B

、

Prohibiting the provider from subcontracting services

C

、

Evaluating the process for transferring knowledge to the IT

department

D

、

Determining if the services were provided as contracted

ANSWER:D

NOTE:From an IS auditor's perspective, the primary objective of auditing

the management of service providers should be to determine if the services

that were requested were provided in a way that is acceptable, seamless

and in line with contractual agreements. Minimizing costs, if applicable

and achievable (depending on the customer's need) is traditionally not

part of an IS auditor's job. This would normally be done by a line

management function within the IT department. Furthermore, during an

audit, it is too late to minimize the costs for existing provider

arrangements. Subcontracting providers could be a concern, but it would

not be the primary concern. Transferring knowledge to the internal IT

department might be desirable under certain circumstances, but should not

be the primary concern of an IS auditor when auditing IT service providers

and the management thereof.

476

、

As part of the business continuity planning process, which of the

following should be identified FIRST in the business impact analysis?

A

、

Organizational risks, such as single point-of-failure and

infrastructure risk

B

、

Threats to critical business processes

C

、

Critical business processes for ascertaining the priority for

recovery

D

、

Resources required for resumption of business

ANSWER:C

NOTE:The identification of the priority for recovering critical business

processes should be addressed first. Organizational risks should be

identified next, followed by the identification of threats to critical

business processes. Identification of resources for business resumption

will occur after the tasks mentioned.

477

、

Which of the following is an attribute of the control

self-assessment (CSA) approach?

A

、

Broad stakeholder involvement

B

、

Auditors are the primary control analysts

C

、

Limited employee participation

D

、

Policy driven

ANSWER:A

NOTE:The control self-assessment (CSA) approach emphasizes management of

and accountability for developing and monitoring the controls of an

organization's business processes. The attributes of CSA include empowered

employees, continuous improvement, extensive employee participation and

training, all of which are representations of broad stakeholder

involvement. Choices B, C and D are attributes of a traditional audit

approach.

478

、

Which of the following would effectively verify the originator of a

transaction?

A

、

Using a secret password between the originator and the receiver

B

、

Encrypting the transaction with the receiver's public key

C

、

Using a portable document format (PDF) to encapsulate transaction

content

D

、

Digitally signing the transaction with the source's private key

ANSWER:D

NOTE:A digital signature is an electronic identification of a person,

created by using a public key algorithm, to verify to a recipient the

identity of the source of a transaction and the integrity of its content.

Since they are a “shared secret” between the user and the system itself,

passwords are considered a weaker means of authentication. Encrypting the

transaction with the recipient's public key will provide confidentiality

for the information, while using a portable document format (PDF) will

probe the integrity of the content but not necessarily authorship.

479

、

The MOST likely explanation for the use of applets in an Internet

application is that:

A

、

it is sent over the network from the server.

B

、

the server does not run the program and the output is not sent over

the network.

C

、

they improve the performance of the web server and network.

D

、

it is a JAVA program downloaded through the web browser and executed

by the web server of the client machine.

ANSWER:C

NOTE:An applet is a JAVA program that is sent over the network from the

web server, through a web browser and to the client machine; the code is

then run on the machine. Since the server does not run the program and the

output is not sent over the network, the performance on the web server and

network—over which the server and client are connected—drastically

improves through the use of applets. Performance improvement is more

important than the reasons offered in choices A and B. Since JAVA virtual

machine (JVM) is embedded in most web browsers, the applet download

through the web browser runs on the client machine from the web browser,

not from the web server, making choice D incorrect.

480

、

Which of the following reduces the potential impact of social

engineering attacks?

A

、

Compliance with regulatory requirements

B

、

Promoting ethical understanding

C

、

Security awareness programs

D

、

Effective performance incentives

ANSWER:C

NOTE:Because social engineering is based on deception of the user, the

best countermeasure or defense is a security awareness program. The other

choices are not user-focused.

481

、

A manufacturing firm wants to automate its invoice payment system.

Objectives state that the system should require considerably less time for

review and authorization and the system should be capable of identifying

errors that require follow up. Which of the following would BEST meet

these objectives?

A

、

Establishing an inter-networked system of client servers with

suppliers for increased efficiencies

B

、

Outsourcing the function to a firm specializing in automated

payments and accounts receivable/invoice processing

C

、

Establishing an EDI system of electronic business documents and

transactions with key suppliers, computer to computer, in a standard

format

D

、

Reengineering the existing processing and redesigning the existing

system

ANSWER:C

NOTE:EDI is the best answer. Properly implemented (e.g., agreements with

trading partners transaction standards, controls over network security

mechanisms in conjunction with application controls), EDI is best suited

to identify and follow up on errors more quickly, given reduced

opportunities for review and authorization.

482

、

Which of the following is the PRIMARY purpose for conducting

parallel testing?

A

、

To determine if the system is cost-effective

B

、

To enable comprehensive unit and system testing

C

、

To highlight errors in the program interfaces with files

D

、

To ensure the new system meets user requirements

ANSWER:D

NOTE:The purpose of parallel testing is to ensure that the implementation

of a new system will meet user requirements. Parallel testing may show

that the old system is, in fact, better than the new system, but this is

not the primary reason. Unit and system testing are completed before

parallel testing. Program interfaces with files are tested for errors

during system testing.

483

、

To protect a VoIP infrastructure against a denial-of-service (DoS)

attack, it is MOST important to secure the:

A

、

access control servers.

B

、

session border controllers.

C

、

backbone gateways.

D

、

intrusion detection system (IDS).

ANSWER:B

NOTE:Session border controllers enhance the security in the access network

and in the core. In the access network, they hide a user's real address

and provide a managed public address. This public address can be

monitored, minimizing the opportunities for scanning and denial-of-service

(DoS) attacks. Session border controllers permit access to clients behind

firewalls while maintaining the firewall's effectiveness. In the core,

session border controllers protect the users and the network. They hide

network topology and users' real addresses. They can also monitor

bandwidth and quality of service. Securing the access control server,

backbone gateways and intrusion detection systems (IDSs) does not

effectively protect against DoS attacks.

484

、

The MOST important reason for an IS auditor to obtain sufficient and

appropriate audit evidence is to:

A

、

comply with regulatory requirements.

B

、

provide a basis for drawing reasonable conclusions.

C

、

ensure complete audit coverage.

D

、

perform the audit according to the defined scope.

ANSWER:B

NOTE:The scope of an IS audit is defined by its objectives. This involves

identifying control weaknesses relevant to the scope of the audit.

Obtaining sufficient and appropriate evidence assists the auditor in not

only identifying control weaknesses but also documenting and validating

them. Complying with regulatory requirements, ensuring coverage and the

execution of audit are all relevant to an audit but are not the reason why

sufficient and relevant evidence is required.

485

、

The BEST method of proving the accuracy of a system tax calculation

is by:

A

、

detailed visual review and analysis of the source code of the

calculation programs.

B

、

recreating program logic using generalized audit software to

calculate monthly totals.

C

、

preparing simulated transactions for processing and comparing the

results to predetermined results.

D

、

automatic flowcharting and analysis of the source code of the

calculation programs.

ANSWER:C

NOTE:Preparing simulated transactions for processing and comparing the

results to predetermined results is the best method for proving accuracy

of a tax calculation. Detailed visual review, flowcharting and analysis of

source code are not effective methods, and monthly totals would not

address the accuracy of individual tax calculations.

486

、

Which of the following is a network diagnostic tool that monitors

and records network information?

A

、

Online monitor

B

、

Downtime report

C

、

Help desk report

D

、

Protocol analyzer

ANSWER:D

NOTE:Protocol analyzers are network diagnostic tools that monitor and

record network information from packets traveling in the link to which the

analyzer is attached. Online monitors (choice A) measure

telecommunications transmissions and determine whether transmissions were

accurate and complete. Downtime reports (choice B) track the availability

of telecommunication lines and circuits. Help desk reports (choice C) are

prepared by the help desk, which is staffed or supported by IS technical

support personnel trained to handle problems occurring during the course

of IS operations.

487

、

Which of the following BEST supports the prioritization of new IT

projects?

A

、

Internal control self-assessment (CSA)

B

、

Information systems audit

C

、

Investment portfolio analysis

D

、

Business risk assessment

ANSWER:C

NOTE:It is most desirable to conduct an investment portfolio analysis,

which will present not only a clear focus on investment strategy, but will

provide the rationale for terminating nonperforming IT projects. Internal

control self-assessment (CSA) may highlight noncompliance to the current

policy, but may not necessarily be the best source for driving the

prioritization of IT projects. Like internal CSA, IS audits may provide

only part of the picture for the prioritization of IT projects. Business

risk analysis is part of the investment portfolio analysis but, by itself,

is not the best method for prioritizing new IT projects.

488

、

The most likely error to occur when implementing a firewall is:

A

、

incorrectly configuring the access lists.

B

、

compromising the passwords due to social engineering.

C

、

connecting a modem to the computers in the network.

D

、

inadequately protecting the network and server from virus attacks.

ANSWER:A

NOTE:An updated and flawless access list is a significant challenge and,

therefore, has the greatest chance for errors at the time of the initial

installation. Passwords do not apply to firewalls, a modem bypasses a

firewall and a virus attack is not an element in implementing a firewall.

489

、

An IS auditor should review the configuration of which of the

following protocols to detect unauthorized mappings between the IP address

and the media access control (MAC) address?

A

、

Simple Object Access Protocol (SOAP)

ISACA. CISA Practice Questions 2009 All

Подождите немного. Документ загружается.