CISA Study Guide Exam 427 Questions with Verified Answers

Typology: Exams
Subject: Information and Communications Technology (ICT)
Academic year: 2023/2024
Available from 07/27/2024
Uploaded by: paul-kamau-2
Pages: 94

Partial preview of the text
The most important step in risk analysis is to identify:
a. competitors
b. controls
c. vulnerabilities
d. liabilities
Answer: c. vulnerabilities

In risk-based audit planning, an IS auditor's first step is to identify:
a. responsibilities of stakeholders
b. high-risk areas within the organization
c. cost centre
d. profit centre
Answer: b. high-risk areas within the organization

When developing a risk-based audit strategy, an IS auditor should conduct a risk assessment to ensure that:
a. segregation of duties to mitigate risks is in place
b. all the relevant vulnerabilities and threats are identified
c. regulatory compliance is adhered to
d. the business is profitable
Answer: b. all the relevant vulnerabilities and threats are identified

An IS auditor has identified certain threats and vulnerabilities in a business process. Next, the IS auditor should:
a. identify the stakeholders for that business process
b. identify the information assets and the underlying systems
c. disclose the threats and impacts to management
d. identify and evaluate the existing controls
Answer: d. identify and evaluate the existing controls

The major advantage of a risk-based approach to audit planning is:
a. audit planning can be communicated to the client in advance
b. audit activity can be completed within the allotted budget
c. use of the latest technology for audit activities
d. appropriate utilisation of resources for high-risk areas
Answer: d. appropriate utilisation of resources for high-risk areas

While determining the appropriate level of protection for an information asset, an IS auditor should primarily focus on the:
a. criticality of the information asset
b. cost of the information asset
c. owner of the information asset
d. result of the vulnerability assessment
Answer: a. criticality of the information asset

The decisions and actions of an IS auditor are MOST likely to affect which of the following risks?
a. inherent
b. detection
c. control
d. business
Answer: b. detection

The risk of an IS auditor certifying the existence of proper systems and procedures while using an inadequate test procedure is an example of:
a. inherent risk
b. control risk
c. detection risk
d. audit risk
Answer: c. detection risk

Overall business risk for a particular threat can be expressed as:
a. a product of the probability and impact
b. probability of occurrence
[...]

An IS auditor is reviewing a payroll application and has identified some vulnerabilities in the system. What would be the next task?
a. report the vulnerabilities to management immediately
b. examine the application development process
c. identify threats and the likelihood of occurrence
d. recommend a new application
Answer: c. identify threats and the likelihood of occurrence

Absence of proper security measures represents a(n):
a. threat
b. asset
c. impact
d. vulnerability
Answer: d. vulnerability

An IS auditor is developing a risk management program. The FIRST activity to be performed is a(n):
a. vulnerability assessment
b. evaluation of controls
c. identification of assets
d. gap analysis
Answer: c. identification of assets

A benefit of developing organizational policies by a bottom-up approach is that they:
a. cover the whole organization
b. are derived as a result of risk assessment
c. will be in line with the overall corporate policy
d. ensure consistency across the organization
Answer: b. are derived as a result of risk assessment

Risk can be mitigated by:
a. implementing controls
b. insurance
c. audit and certification
d. contracts and service level agreements (SLAs)
Answer: a. implementing controls (security and control practices)

The most important factor while evaluating controls is to ensure that the control:
a. addresses the risk
b. does not reduce productivity
c. is less costly than the risk
d. is automated
Answer: a. addresses the risk

The susceptibility of a business or process to make an error that is material in nature, assuming there were no internal controls, is:
a. inherent risk
b. control risk
c. detection risk
d. correction risk
Answer: a. inherent risk

The risk that the controls put in place will not prevent, correct, or detect errors on a timely basis is:
a. inherent risk
b. control risk
c. detection risk
d. correction risk
Answer: b. control risk

Which of the following factors should an IS auditor primarily consider when determining the acceptable level of risk?
a. risk acceptance is the responsibility of senior management
b. not all risks need to be eliminated for a business to be profitable
c. risks must be identified and documented in order to perform proper analysis on them
d. line management should be involved in the risk analysis because management sees risks daily that others would not recognize
Answer: c. risks must be identified and documented in order to perform proper analysis on them

An audit charter should state management's objectives for, and delegation of authority to, IS audit, and MUST be:
a. approved by top management
b. approved by the Chief Audit Officer
c. approved by the IS department
d. approved by the IT steering committee
Answer: a. approved by top management

The audit charter should be approved by the highest level of management and should:
a. be updated often to keep pace with the changing nature of technology and the audit profession
b. include the audit calendar along with resource allocation
c. include a plan of action in case of disruption of business services
d. outline the overall authority, scope, and responsibilities of the audit function
Answer: d. outline the overall authority, scope, and responsibilities of the audit function

The primary purpose of an audit charter is to:
a. describe audit procedures
b. define the resource requirements of the audit department
c. prescribe the code of ethics used by the auditor
d. prescribe the authority and responsibilities of the audit department
Answer: d. prescribe the authority and responsibilities of the audit department

The document used by the top management of an organization to delegate authority to the IS audit function is the:
a. audit calendar
b. audit charter
c. risk register
d. audit compendium
Answer: b. audit charter

Compliance testing tests:
a. details, while substantive testing tests controls
b. controls, while substantive testing tests details
c. financial statements, while substantive testing tests items in the trial balance
d. internal requirements, while substantive testing tests internal controls
Answer: b. controls, while substantive testing tests details

When an IS auditor performs a test to ensure that only active users have access to a critical system, the IS auditor is performing a:
a. compliance test
b. substantive test
c. statistical sample
d. judgment sampling
Answer: a. compliance test

IS auditors are MOST likely to reduce substantive test procedures if, after compliance testing, they conclude that:
a. substantive tests would be too costly
b. the control environment is poor
c. inherent risk is low
d. control risks are within acceptable limits
Answer: d. control risks are within acceptable limits

Which of the following is a substantive audit test?
a. verifying that a management check has been performed regularly
b. observing that user IDs and passwords are required to sign on to the computer
c. reviewing reports listing short shipments of goods received
d. reviewing an aged trial balance of accounts receivable
Answer: d. reviewing an aged trial balance of accounts receivable

The objective of compliance tests is to ensure that:
a. controls are implemented as prescribed
b. documentation is complete
c. access to users is provided as specified
d. data validation procedures are provided
Answer: a. controls are implemented as prescribed

An IS auditor is using a statistical sample to inventory the tape library. What type of test would this be considered?
a. substantive
b. compliance
c. integrated
d. continuous audit
Answer: a. substantive

Which of the following tests is an IS auditor performing when a sample of programs is selected to determine if the source and object versions are the same?
a. a substantive test of program library controls
b. a compliance test of program library controls
c. a compliance test of program compiler controls
d. a substantive test of program compiler controls
Answer: b. a compliance test of program library controls

Evidence gathering to evaluate the integrity of individual transactions, data, or other information is typical of which of the following?
a. substantive testing
b. compliance testing
c. detection testing
d. control testing
Answer: a. substantive testing

What is the difference between compliance testing and substantive testing?
Answer: Compliance testing involves verification of a process, whereas substantive testing involves verification of transactions or data.

What is the difference between attribute sampling and variable sampling?
Answer: Attribute sampling is used for compliance testing, whereas variable sampling is used for substantive testing.

The development of substantive tests is often dependent on what?
Answer: The outcome of compliance tests.

An IS auditor is evaluating a control self-assessment (CSA) program in an organization. What is the MAIN objective of implementing a CSA program?
a. to replace audit responsibilities
b. to enhance employees' capabilities
c. to comply with regulatory requirements
d. to concentrate on high-risk areas
Answer: d. to concentrate on high-risk areas

An IS auditor has been asked by management to support its CSA program. The role of an IS auditor in a control self-assessment (CSA) should be that of:
a. program in charge
b. program manager
c. program partner
d. program facilitator
Answer: d. program facilitator

For a successful control self-assessment (CSA) program, it is essential to:
a. design a stringent control policy
b. have auditors take responsibility for control monitoring
c. have line managers take responsibility for control monitoring
d. implement a stringent control policy
Answer: c. have line managers take responsibility for control monitoring

An IS auditor has been asked to participate in the implementation of a control self-assessment program. The auditor should participate primarily as:
a. team leader
b. the auditor should not participate, as it would create a potential conflict of interest
c. facilitator
d. project controller
Answer: c. facilitator

Use of statistical sampling is more relevant than judgement (non-statistical) sampling when:
a. it is required to mitigate sampling risk
b. the auditor is inexperienced
c. the probability of error must be objectively quantified
d. it is required to mitigate audit risk
Answer: c. the probability of error must be objectively quantified

Statistical sampling reduces which of the following risks?
a. audit risk
b. detection risk
c. inherent risk
d. sampling risk
Answer: b. detection risk

An IS auditor is reviewing the internal controls of application software. The sampling method that will be MOST useful when testing for compliance is:
a. attribute sampling
b. variable sampling
c. discovery sampling
d. stop-or-go sampling
Answer: a. attribute sampling

With regard to the confidence coefficient, it can be said that:
a. a small sample size will give a high confidence coefficient
b. if an auditor knows internal controls are strong, the confidence coefficient may be lowered
c. a small confidence coefficient will result in a high sample size
d. if an auditor knows internal controls are strong, the confidence coefficient may be increased
Answer: b. if an auditor knows internal controls are strong, the confidence coefficient may be lowered

A test to determine whether the last 50 new user requisitions were correctly processed is an example of:
a. discovery sampling
b. substantive testing
c. compliance testing
d. stop-or-go sampling
Answer: c. compliance testing

An IS auditor reviewing a critical financial application is concerned about fraud. Which of the following sampling methods would BEST assist the auditor?
a. attribute sampling
b. variable sampling
c. discovery sampling
d. stop-or-go sampling
Answer: c. discovery sampling

Which of the following sampling methods would be the most effective to determine whether access rights for staff have been authorized as per the authorization matrix?
a. stratified mean per unit
b. attribute sampling
c. discovery sampling
d. stop-or-go sampling
Answer: b. attribute sampling

An IS auditor is determining the appropriate sample size for testing the effectiveness of the change management process. No deviation was noted in the last two years' audit reviews, and management has assured that there was no deviation in the process for the period under review. The auditor can adopt a:
a. higher confidence coefficient, resulting in a smaller sample size
b. lower confidence coefficient, resulting in a higher sample size
c. higher confidence coefficient, resulting in a higher sample size
d. lower confidence coefficient, resulting in a lower sample size
Answer: d. lower confidence coefficient, resulting in a lower sample size

When is statistical sampling used?
Answer: When the probability of error must be objectively quantified.

Which sampling methods are best suited for compliance and substantive testing?
Answer: Compliance testing -> attribute sampling; substantive testing -> variable sampling.

What is the best sampling technique where fraud is suspected?
Answer: Discovery sampling.

A higher confidence coefficient will result in the use of a ________ sample size.
Answer: Larger (a larger sample size gives a higher confidence coefficient).

When internal controls are strong, the confidence coefficient / sample size may be _____________.
Answer: Lowered.

Statistical sampling minimizes what?
Answer: Detection risk.

Which of the following clauses in an outsourcing contract helps MOST to improve service levels and minimize costs?
a. use of the latest OS and hardware
b. gain-sharing performance bonuses
c. penalties for noncompliance
d. training for outsourced staff
Answer: b. gain-sharing performance bonuses

An organization has outsourced some of its IS processes. What is the MOST important function to be performed by IS management in such a scenario?
a. ensuring that outsourcing charges are paid as per the SLA
b. training the staff of outsourced vendors
c. levying penalties for non-compliance
d. monitoring the outsourcing provider's performance
Answer: d. monitoring the outsourcing provider's performance

An IS auditor observed that outsourcing vendors have been appointed without formal written agreements. The IS auditor should recommend that management:
[...]

An organization is in the process of entering into an agreement with an outsourced vendor. Which of the following should occur FIRST?
a. deciding the periodicity of the contract
b. approval from the compliance team
c. deciding the level of penalties
d. drafting the service level requirements
Answer: d. drafting the service level requirements

Which of the following documents will serve the purpose of a vendor performance review by an IS auditor?
a. market feedback on the vendor
b. service level agreement (SLA)
c. penalty levied reports
d. performance report submitted by the vendor
Answer: b. service level agreement (SLA)

An IS auditor has been asked to recommend an effective control for providing temporary access rights to outsourced vendors. Which of the following is the MOST effective control?
a. penalty clause in the service level agreement (SLA)
b. user accounts are created as per the defined role (least privilege) with expiration dates
c. full access is provided for a limited period
d. vendor management is given the right to delete IDs when the work is completed
Answer: b. user accounts are created as per the defined role (least privilege) with expiration dates

Which of the following is the greatest concern in reviewing a system development approach?
a. the user manages acceptance testing
b. a quality plan is not part of the contracted deliverables
c. the application will be rolled out in 3 phases
d. compliance with business requirements is checked through prototyping
Answer: b. a quality plan is not part of the contracted deliverables

An IS auditor is reviewing the process of acquisition of application software. Which of the following is the MOST important consideration?
a. documented operating procedures are available
b. a backup server is loaded with all the relevant software and data
c. training for staff
d. an escrow arrangement for the source code
Answer: d. an escrow arrangement for the source code

Which clauses are a must in any outsourcing contract from an IS auditor's point of view?
Answer:
- clause with respect to 'right to audit'
- clause with respect to ownership of intellectual property rights
- clause with respect to data confidentiality and privacy
- clause with respect to BCP and DRP

The two main advantages of outsourcing, in their preferential order, are:
Answer:
1. expert service can be obtained from outside (so the organization can concentrate on its core business)
2. cost saving

True or false? No organization can outsource or transfer its accountability; even if a process has been outsourced, final accountability lies with the organization.
Answer: True

What will be the main concern of an IS auditor if the service provider is in another country?
Answer: The main concern will be legal jurisdiction.

What will be the main concern of an IS auditor if there is an absence of proper clarification on legal jurisdiction?
Answer: It can have compliance and legal issues.

Which of the following is the role of the IT steering committee?
a. advise the board on IT strategy
b. approve and monitor funds for the IT strategy
c. scheduling meetings
d. monitoring of outsourcing agreements
Answer: b. approve and monitor funds for the IT strategy

Which of the following authorities is responsible for monitoring the overall project, achievement of milestones and alignment of the project with business requirements?
a. user management
b. IT steering committee
c. IT strategy committee
d. system development management
Answer: b. IT steering committee

Which of the following is the role of the IT steering committee?
a. issuance of purchase orders (PO) to empanelled vendors
b. providing hardware support
c. prioritization of IT projects as per business requirements
d. advising the board on IT strategy
Answer: c. prioritization of IT projects as per business requirements

The chairperson of a steering committee who can have significant impact on a business area would be a(n):
a. board member
b. executive-level officer
c. chief information officer (CIO)
d. business analyst
Answer: b. executive-level officer

An IS steering committee should consist of:
a. board members
b. user management
c. key executives and representatives from user management
d. members from the IT department
Answer: c. key executives and representatives from user management

[...]
d. the capacity of installed technology
Answer: a. alignment of IT processes as per business requirements

An IS auditor is reviewing an organization's IT strategic plan. What should be reviewed FIRST?
a. alignment of IT processes as per business requirements
b. the business plan
c. the capacity of installed technology
d. the latest technology trends
Answer: b. the business plan

Information security governance requires strategic alignment in terms of:
a. enterprise requirements are the basis for security requirements
b. security requirements are the basis for enterprise requirements
c. current technology trends
d. benchmarking with industry standards
Answer: a. enterprise requirements are the basis for security requirements

As a part of effective IT governance, the IT plan should be consistent with the organization's:
a. business plan
b. information security plan
c. business continuity plan
d. risk management plan
Answer: a. business plan

The best way to determine whether IS functions support the organization's business objectives is to ensure that:
a. IS has the latest available equipment
b. IS plans are designed as per business objectives
c. all resources are utilized effectively and efficiently
d. IS has proper control over outsourcing partners
Answer: b. IS plans are designed as per business objectives

To improve IS alignment with the business, which of the following is the best practice?
a. outsourcing risks are managed
b. use of the latest technology to operate the business
c. a structured way of sharing business information
d. involvement of top management to mediate between business and information systems
Answer: d. involvement of top management to mediate between business and information systems

An IS auditor is evaluating an organization's IS strategy. Which of the following would be the MOST important consideration?
a. the organization's IS strategy has been approved by the CIO
b. the organization's IS strategy is defined as per the IS department's budget
c. the organization's IS strategy is based on the latest technology available in the market
d. the organization's IS strategy supports the business objectives of the organization
Answer: d. the organization's IS strategy supports the business objectives of the organization

An IS auditor is evaluating an organization's IT security policy. The PRIMARY objective is to ensure that the:
a. IT security policy is available to all users
b. IT security policy supports business and IT objectives
c. IT security policy is based on the latest technology available in the market
d. IT security policy is approved by top management
Answer: b. IT security policy supports business and IT objectives

For IT governance to be effective, it is required that:
a. the business strategies and objectives support the IT strategy
b. the business strategy is derived from an IT strategy
c. IT governance is cost effective
d. the IT strategy supports the business strategies and objectives
Answer: d. the IT strategy supports the business strategies and objectives

An IS auditor is reviewing a software development process. Which of the following is the best way to ensure that business requirements are met during software development?
a. proper training for developers
b. programmers with good business knowledge
c. adequate documentation
d. user engagement in the development process
Answer: d. user engagement in the development process

An IS auditor is reviewing an organization's IS strategy. Which of the following is the most important criterion for such a review?
a. it includes a mission statement
b. it includes usage of the latest technology
c. it includes best security practices
d. it supports the business objectives
Answer: d. it supports the business objectives

The purpose of an IT balanced scorecard is to evaluate and monitor performance indicators other than:
a. financial results
b. customer satisfaction
c. internal processes
d. innovation capacity
Answer: a. financial results

Which of the following is a prerequisite before implementing an IT balanced scorecard?
a. existence of effective and efficient IT services
b. defined key performance indicators
c. IT projects should add value to the business
d. IT expenses within the allotted budget
Answer: b. defined key performance indicators

Who among the following is responsible for internal control in the organization?
a. accounting department
b. management
c. the external auditor
d. IS auditor
Answer: b. management

Requirement specifications are ultimately the responsibility of the:
a. top management
b. project sponsor
c. system analyst
d. steering committee
Answer: b. project sponsor

An organization has established a steering committee to oversee its application development program. Which of the following is a function of the steering committee?
a. documentation of requirements
b. escalation of project issues
c. design of interface controls
d. specification of reports
Answer: b. escalation of project issues

Accountability for maintenance of appropriate security measures over information assets resides with the:
a. security administrator
b. database administrator
c. resource owners
d. IT group
Answer: c. resource owners

Who is ultimately responsible for providing requirement specifications to the software development project team?
a. team leader
b. project sponsor
c. system analyst
d. steering committee
Answer: b. project sponsor

Who assumes ownership of a systems-development project and the resulting system?
a. user management
b. project steering committee
c. IT management
d. system developers
Answer: a. user management

Management of an organization is evaluating automated audit tools for its critical business processes. Which of the following audit tools is MOST useful when an audit trail is required?
a. integrated test facility (ITF)
b. continuous and intermittent simulation (CIS)
c. audit hooks
d. snapshots
Answer: d. snapshots

An integrated test facility (ITF) has an advantage over other automated audit tools because of which of the following characteristics?
a. creation of a dummy/fictitious entity is not required, as testing is done on actual master files
b. ITF does not require setting up separate test environments/test processes
c. ITF is a continuous audit tool and validates the ongoing operation of the system
d. ITF eliminates the need to prepare test data
Answer: b. ITF does not require setting up separate test environments/test processes

Which characteristic BEST describes an integrated test facility?
a. a technique to verify system processing
b. a technique to verify system integration
c. a technique to generate test data
d. a technique to validate the ongoing operation of the system
Answer: a. a technique to verify system processing

Management of an organization is evaluating automated audit tools for its critical business processes. Which of the following audit tools is MOST useful for the early detection of errors or irregularities?
a. embedded audit module
b. integrated test facility
c. snapshots
d. audit hooks
Answer: d. audit hooks

Which of the following online auditing tools best identifies transactions as per predefined criteria?
a. systems control audit review file and embedded audit modules (SCARF/EAM)
b. continuous and intermittent simulation (CIS)
c. integrated test facility (ITF)
d. audit hooks
Answer: b. continuous and intermittent simulation (CIS)

Which characteristic BEST describes an integrated test facility?
a. actual transactions are validated on an ongoing basis
b. it enables IS auditors to generate test data
c. predetermined results are compared with processing output to ascertain the correctness of system processing
d. it enables IS auditors to analyze a large range of information
Answer: c. predetermined results are compared with processing output to ascertain the correctness of system processing

To identify excess inventory for the previous year, which online auditing technique can be used?
a. test data
b. generalized audit software
c. integrated test facility
d. embedded audit modules
Answer: b. generalized audit software

[...]
d. data produced by a test data generator
Answer: a. the same data as used in the previous test

A new system has been added to a client-server environment. Which of the following tests would confirm that a modification to the Windows registry will not impact the performance of the existing environment?
a. regression testing
b. parallel testing
c. white box testing
d. sociability testing
Answer: d. sociability testing

An organization wants to evaluate whether a new or modified system can operate in its target environment without adversely impacting other existing systems. Which of the following tests would be relevant?
a. regression testing
b. sociability testing
c. interface/integration testing
d. pilot testing
Answer: b. sociability testing

Which of the following characteristics of white box testing differentiates it from black box testing?
a. white-box testing involves the IS auditor
b. white-box testing tests the program's logical structure
c. white-box testing involves a bottom-up approach
d. white-box testing does not involve testing of the program's logical structure
Answer: b. white-box testing tests the program's logical structure

An organization implementing a new system adopted parallel testing. Which of the following is the PRIMARY purpose of conducting parallel testing?
a. to ensure cost is within the budget
b. to document system functionality
c. to highlight errors in the program logic
d. to validate system functionality against user requirements
Answer: d. to validate system functionality against user requirements

An organization is implementing a bottom-up approach to software testing. An advantage of using a bottom-up approach over a top-down approach is that:
a. errors in critical modules can be found early
b. tests can be performed online once all programs are complete
c. errors in interfaces can be found early
d. confidence in the system is achieved earlier
Answer: a. errors in critical modules can be found early (the original key gave c; finding interface errors early is the advantage of the top-down approach, whereas bottom-up tests the low-level critical modules first)

An IS auditor is reviewing the process of acceptance testing. What should be the IS auditor's major concern?
a. test objectives are not documented
b. expected test results are not documented by the user
c. the test problem log is not updated
d. unresolved major issues
Answer: d. unresolved major issues

For a software development project, an organization has planned the following tests. Failure in which stage can have the GREATEST adverse impact on cost and time budgets?
a. unit testing
b. integration testing
c. system testing
d. acceptance testing
Answer: d. acceptance testing

An organization is conducting system testing for newly developed software. The primary purpose of a system test is to:
a. test the efficiency of the security controls built into the system
b. determine appropriate documentation of system functionality
c. evaluate the system functionality
d. identify and document the benefits of the new system
Answer: c. evaluate the system functionality

A major vulnerability was observed in an application by the IS team. To mitigate the risk, a patch was applied to a significant number of modules. Which of the following tests should an IS auditor recommend?
a. security testing
b. load testing
c. system testing
d. interface testing
Answer: c. system testing

An organization has implemented a prototyping approach for the development of a system. Which of the following methods is MOST effective during the initial phases of prototyping?
a. bottom-up
b. parallel
c. volume
d. top-down
Answer: d. top-down

The best approach for conducting stress testing is:
a. using test data in a test environment
b. using live data in the production environment
c. using live data in a test environment
d. using test data in the production environment
Answer: c. using live data in a test environment

In final acceptance testing, QAT and UAT were combined. The MAJOR concern will be:
a. increase in the cost of testing
b. inadequate documentation
c. insufficient functional testing
d. delays in test results
Answer: c. insufficient functional testing

When creating data for testing the logic in a new system, which of the following is MOST critical?
[...]

Which of the following controls BEST detects transmission errors by appending extra bits onto the end of each segment?
a. checksum
b. parity check
c. redundancy check
d. check digits
Answer: c. redundancy check

Detection of bursts of errors in network transmissions is BEST ensured by:
a. parity check
b. echo check
c. checksum
d. cyclic redundancy check
Answer: d. cyclic redundancy check

To ensure detection and correction of errors, redundant information is transmitted with each character or frame. This control is known as:
a. parity bits
b. block sum checks
c. forward error control
d. cyclic redundancy check
Answer: c. forward error control

An IS auditor is reviewing an ERP system. To evaluate data integrity, the auditor should review atomicity to ensure that:
a. a hardware or software failure will not impact the database
b. each transaction is isolated from other transactions
c. database consistency is maintained
d. a transaction is completed in its entirety
Answer: d. a transaction is completed in its entirety

An IS auditor reviewing an EDI application observed that the validation edit 'check digit' has been implemented for financial transactions. The purpose of a check digit is to:
a. detect only data-transcription errors
b. detect data-transposition and transcription errors
c. detect data-transmission errors
d. detect only data-transposition errors
Answer: b. detect data-transposition and transcription errors

Which control would you use to identify transcription and transposition errors (accuracy)?
Answer: Check digit.

Which control would you use to identify data transmission errors (completeness and integrity)?
Answer: CRC and checksum.

Which control would you use to correct data transmission errors?
Answer: Forward error control (FEC).

Which control would you use to ensure that a transaction must either fully happen or not happen at all?
Answer: Atomicity.

An IS auditor is evaluating how the project manager has monitored the progress of the project. Which of the following is MOST relevant in this context?
a. critical path methodology (CPM)
b. PERT
c. Gantt chart
d. function point analysis (FPA)
Answer: c. Gantt chart

Which of the following should an IS auditor review to understand project progress in terms of time, budget, and deliverables, and for projecting estimates at completion (EACs)?
a. earned value analysis (EVA)
b. PERT
c. Gantt chart
d. function point analysis (FPA)
Answer: a. earned value analysis (EVA)

The purpose of function point analysis (FPA) is:
a. to define the functionalities of a software product
b. to identify risk in a software development program
c. to estimate the effort required to develop software
d. to monitor the progress of software development
Answer: c. to estimate the effort required to develop software

Which of the following is an advantage of the program evaluation review technique (PERT) over other techniques? PERT:
a. considers a single scenario for planning and controlling projects
b. considers different scenarios for planning and controlling projects
c. defines the functionalities of the software under development
d. allows the user to define program and system parameters
Answer: b. considers different scenarios for planning and controlling projects

A system under development has multiple linked modules which will handle several million queries and transactions a year. Which of these techniques could the IS auditor use to estimate the size of the development effort?
a. critical path methodology (CPM)
b. counting source lines of code (SLOC)
c. function point analysis
d. program evaluation review technique (PERT)
Answer: c. function point analysis

Which of the following techniques would provide the GREATEST assistance in developing an estimate of project duration?
a. function point analysis
b. PERT
c. critical path methodology (CPM)
d. object-oriented system development
Answer: b. PERT

When identifying an earlier project completion time, the activities that should be selected for early completion and more concentration are those:
a. activities with the shortest completion time
[...]

[...]
b. decision trees
c. logic trees
d. logic algorithms
Answer: b. decision trees

A decision support system (DSS):
a. concentrates on highly structured problems
b. supports the requirements of only top management
c. emphasizes flexibility in the decision-making approach of users
d. fails to survive in changing environments
Answer: c. emphasizes flexibility in the decision-making approach of users

The business information system which provides answers to semi-structured problems and for validation of business decisions is a(n):
a. decision support system
b. structured information system
c. transaction processing system
d. executive support system
Answer: a. decision support system

An IS auditor reviewing a decision support system should be MOST concerned with the:
a. quality of input data
b. level of experience and skills contained in the knowledge base
c. logical access control of the system
d. processing controls implemented in the system
Answer: b. level of experience and skills contained in the knowledge base
level of experience and skills contained in the knowledge base An organization is developing one of its applications using agile approach. Which of the following would be a risk in agile development process? a. insufficient documentation b. insufficient testing c. poor requirements definition d. insufficient user involvement - CORRECT ANSWER a. insufficient documentation Which of the following is the characteristic of agile software development approach? a. systemic documentation b. more importance is placed on formal paper-based deliverables c. extensive use of software development tools to maximize steam productivity d. reviews a the end of each iteration to identify lessons learned for future use in the project - CORRECT ANSWER d. reviews a the end of each iteration to identify lessons learned for future use in the project Which of the following is considered as limitation of the agile software development methodology? a. quality of system may be impacted due to speed of development and limited budget b. absence of well-defined requirements may end up with more requirements than needed c. absence of review mechanism to identify lesions learned for future use in the project d. incomplete documentation due to time management - CORRECT ANSWER d. incomplete documentation due to time management An organization is developing one of its applications using prototyping approach. Which of the following would be an advantage of using prototyping for systems development? a. sufficient controls will rebuilt in the system b. sufficient audit trail will be built in the system c. reduction in deployment time d. sufficient change control will be built in the system - CORRECT ANSWER c. reduction in deployment time An organization is developing one of mitts applications using prototyping approach. Which of tthe following testing methods is MOS effective during the initial phases of prototyping? a. bottom-up b. Parallel c. Volume d. Top- down - CORRECT ANSWER d. 
Top- down Which of the following techniques uses a prototype that can be updated regularly to meet ever changing user or business requirements? a. reverse engineering b. object-oriented system development (OOD) c. Software reengineering (BPR) d. Rapid application development (RAD) - CORRECT ANSWER d. Rapid application development (RAD) Which of the following is an advantage of prototyping? a. prototyping ensures strong internal controls b. prototyping ensures significant time and costs savings c. prototyping ensures strong change controls d. prototyping ensures that extra functions are not added too the intended system - CORRECT ANSWER b. prototyping ensures significant time and costs savings An organization is developing one of its applications using prototyping approach. Change control can be impacted by the : a. involvement of user in prototyping b. rapid pace of modification in requirements and design c. trial and error approach in prototyping d. absence of integrated tools - CORRECT ANSWER b. rapid pace of modification in requirements and design An organisation considering development of system should use which of the below methodology two develop system faster, reduce development costs, and still maintain high quality? a. CPM b. Rapid application development (RAD) c. PERT b. A quality plan is not part of the contracted deliverables c. Module is released in phases instead of full implementation d. Prototyping is used to ensure that system is aligned with business objectives - CORRECT ANSWER b. A quality plan is not part of the contracted deliverables Which of the following is the MAJOR advantage of a component-based development a. ability to manage multiple data types b. ability to model complex relationships c. ability to meet the demands of a changing environment d. ability to support multiple development environments - CORRECT ANSWER d. 
ability to support multiple development environments Which of the following would be the IS auditor's main concern while reviewing the business process reengineering process? a. appropriate key controls are in place to protect assets and information resources b. requirements of the new system are appropriately documented c. Time and resource budget is adhered to d. Roles and responsibilities assigned for new process - CORRECT ANSWER a. appropriate key controls are in place to protect assets and information resources An organisation is implementing business process reengineering (BPR) project for its critical system. Which of the following is the impact of BPR? a. business processes will remain stable b. information technologies will not change c. the process will improve performance of product and services d. input from clients and customers will no longer be necessary - CORRECT ANSWER c. the process will improve performance of product and services An organization is implementing business process reengineering (BPR) project for its critical system. Which of the following is the FIRST step? a. defining the scope and areas to be reviewed b. designing a project plan c. analyzing the process under review d. reengineering the process under review - CORRECT ANSWER a. defining the scope and areas to be reviewed Which of the following represents a typical prototype of an interactive application? a. program logic and screens b. interactive edits and screens c. interactive edits programs logic and sample reports d. screens, interactive edits, program logic and sample reports - CORRECT ANSWER b. interactive edits and screens what is the MAJOR risk associated with agile development - CORRECT ANSWER Lack of documentation What are reviews done in agile approach - CORRECT ANSWER to identify lessons for future use in the project What is the waterfall approach most suitable? - CORRECT ANSWER When requirements are well defined and understood. 
The waterfall approach is not successful when requirements change frequently.

What is the difference between reengineering and reverse engineering? - CORRECT ANSWER Reengineering refers to the process of making major changes to a system; reverse engineering refers to studying and analyzing software to see how it functions and using that information to develop a similar system.

When is the top-down testing method MOST effective? - CORRECT ANSWER During the initial phases of prototyping

Describe RAD - CORRECT ANSWER Uses a prototype approach in which the prototype can be updated continually to meet changing user or business requirements

What is a MAJOR benefit of object-oriented development? - CORRECT ANSWER The ability to reuse objects

What is the MAJOR advantage of a component-based development approach? - CORRECT ANSWER Support for multiple development environments.

What is the recovery time objective (RTO)? a. the extent of acceptable system downtime b. the time period the crisis is expected to last c. the extent of acceptable data loss d. the time required for the crisis management team to respond - CORRECT ANSWER a. the extent of acceptable system downtime

What level of RTO will a critical monitoring system have? a. very high RTO b. very low RTO, close to zero c. close to a year d. medium level of RTO, close to 50% - CORRECT ANSWER b. very low RTO, close to zero

What is the recovery point objective (RPO)? a. the extent of acceptable system downtime b. the time period the crisis is expected to last c. the extent of acceptable data loss d. the date by which lost data can be recovered by the recovery team - CORRECT ANSWER c. the extent of acceptable data loss

An RPO will be deemed critical if it is: a. small b. large c. medium d. larger than industry standards - CORRECT ANSWER a. small

If the RPO is close to zero, how will the overall cost of maintaining the environment for recovery be? d. system compatibility is not a requirement in the case of hot sites. - CORRECT ANSWER c. hot sites can be made ready for operation within a short period of time

For recovering a non-critical system, which of the following is the appropriate option? a. cold site b. mirrored site c. hot site d. warm site - CORRECT ANSWER a. cold site

Which of the following situations is MOST suitable for implementation of a hot site as a recovery strategy? a. disaster tolerance is high b. RPO is high c. RTO is high d. disaster tolerance is low - CORRECT ANSWER d. disaster tolerance is low

An alternate recovery site with space and basic infrastructure such as electrical wiring, air conditioning and flooring, but no computer or communications equipment, is a: a. cold site b. warm site c. hot site d. mirrored site - CORRECT ANSWER a. cold site

What is the GREATEST concern when implementing a warm site as a recovery site? a. timely availability of hardware b. availability of heating, humidity and air-conditioning equipment c. adequacy of electrical power connections d. space arrangements - CORRECT ANSWER a. timely availability of hardware

Which among the following will have the lowest expenditure in terms of recovery arrangements? a. warm site facility b. cold site c. hot site d. reciprocal agreement - CORRECT ANSWER d. reciprocal agreement

In which of the following recovery processing sites are only arrangements for electricity and HVAC available? a. cold site b. mirrored site c. hot site d. warm site - CORRECT ANSWER a. cold site

Which of the following is the GREATEST concern when an organization's backup facility is a hot site? a. timely availability of hardware b. availability of heating, humidity and air-conditioning equipment c. adequacy of electrical power connections d. requirement of an updated database - CORRECT ANSWER d. requirement of an updated database

An organization is considering a type of transmission media which provides the best security against unauthorized access. Which of the following provides the best security? a. unshielded twisted pair b. shielded twisted pair c. fiber-optic cables d. coaxial cables - CORRECT ANSWER c. fiber-optic cables

Which of the following transmission errors can occur in wired as well as wireless communication? a. cross-talk b. attenuation c. sags, spikes and surges d. multipath interference - CORRECT ANSWER b. attenuation

Which of the following transmission errors can be caused by the length of the cable if UTP is more than 100 meters long? a. electromagnetic interference (EMI) b. cross-talk c. attenuation d. sags, spikes and surges - CORRECT ANSWER c. attenuation

To minimize the risk of data corruption, which of the following options can be effective? a. separate conduits for electrical and data cables b. encryption c. check digits d. hashing - CORRECT ANSWER a. separate conduits for electrical and data cables

Which transmission method would provide the best security? a. dedicated lines b. wireless network c. dial-up d. broadband network - CORRECT ANSWER a. dedicated lines

An organization is routing traffic through a split-cable or duplicate-cable facility. This arrangement is called: a. diverse routing b. alternate routing c. gateway d. bridge - CORRECT ANSWER a. diverse routing

Use of redundant combinations (local carrier lines, microwave and/or coaxial cables) to access the local communication loop is known as: a. incremental backup b. differential backup c. grandfather-father-son rotation d. full backup - CORRECT ANSWER a. incremental backup

A backup scheme wherein a backup is taken only of data changed after the last full backup (incremental backups are ignored) is known as: a. incremental backup b. differential backup c. grandfather-father-son rotation d. full backup - CORRECT ANSWER b. differential backup

Which of the following backup schemes requires the most time and media capacity for backup storage? a. incremental backup b. differential backup c. grandfather-father-son rotation d. full backup - CORRECT ANSWER d. full backup

Which of the following backup schemes is more effective and faster for data restoration? a. incremental backup b. differential backup c. grandfather-father-son rotation d. full backup - CORRECT ANSWER d. full backup

Which of the following should be disabled to increase the security of a wireless network against unauthorized access? a. MAC (media access control) address filtering b. encryption c. WPA2 (Wi-Fi protected access) d. SSID (service set identifier) broadcasting - CORRECT ANSWER d. SSID (service set identifier) broadcasting

Which of the following techniques is more relevant to testing the wireless (Wi-Fi) security of an organization? a. WPA2 b. war dialing c. war driving d. social engineering - CORRECT ANSWER c. war driving

Which of the following should be a concern to an IS auditor reviewing a wireless network? a. system hardening of all wireless clients b. SSID (service set identifier) broadcasting has been enabled c. WPA2 (Wi-Fi protected access) encryption is enabled d. DHCP (dynamic host configuration protocol) is disabled at all wireless access points - CORRECT ANSWER b. SSID (service set identifier) broadcasting has been enabled

Dynamic host configuration protocol (DHCP) is disabled at all wireless access points. Which of the following statements is true when DHCP is disabled for wireless networks? a. it increases the risk of unauthorized access to the network b. it decreases the risk of unauthorized access to the network c. it automatically provides an IP address to anyone d. it disables the SSID (service set identifier) - CORRECT ANSWER b. it decreases the risk of unauthorized access to the network

The best method to ensure confidentiality of the data transmitted in a wireless LAN is to: a. restrict access to predefined MAC addresses b. protect the session by encrypting with static keys c. protect the session by encrypting with dynamic keys d. initiate the session from an encrypted device - CORRECT ANSWER c. protect the session by encrypting with dynamic keys

Use of wireless infrastructure for mobile devices within the organization increases the risk of which of the following attacks? a. port scanning b. social engineering c. piggybacking d. war driving - CORRECT ANSWER d. war driving

Against a man-in-the-middle attack, which of the following encryption techniques will BEST protect a wireless network? a. wired equivalent privacy (WEP) b. MAC-based pre-shared key (PSK) c. randomly generated pre-shared key (PSK) d. service set identifier (SSID) - CORRECT ANSWER c. randomly generated pre-shared key (PSK)

Best practices for wireless (Wi-Fi) security? - CORRECT ANSWER Enable MAC address filtering; enable encryption to protect data in transit; disable SSID broadcasting; disable DHCP

What is the strongest encryption standard for a wireless connection? - CORRECT ANSWER WPA2

When is the confidentiality of the data transmitted in a wireless LAN BEST protected? - CORRECT ANSWER When the session is encrypted using dynamic keys

The most robust configuration of a firewall rule base is: a. allow all traffic and deny the specified traffic b. deny all traffic and allow the specified traffic d. inadequate anti-virus updating - CORRECT ANSWER a. wrong configuration of the access lists

The first step in installing a firewall in a large organization is: a. developing a security policy b. reviewing firewall settings c. preparing an access control list d. configuring the firewall - CORRECT ANSWER a. developing a security policy

Which of the following is the MOST critical function of a firewall? a. to act as a special router that connects different networks b. a device for preventing authorized users from accessing the LAN c. a device used to connect authorized users to trusted network resources d. a proxy server to increase the speed of access for authorized users - CORRECT ANSWER c. a device used to connect authorized users to trusted network resources

Which of the following should be the GREATEST concern to an IS auditor reviewing the firewall security architecture? a. secure sockets layer (SSL) has been implemented b. firewall policies are updated on the basis of changing requirements c. inbound traffic is blocked unless the traffic type and connections have been specifically permitted d. the firewall is placed on top of a commercial operating system with all installation options - CORRECT ANSWER d. the firewall is placed on top of a commercial operating system with all installation options

An IS auditor is reviewing the firewall security of the organization. Which of the following is the BEST audit procedure to determine if a firewall is configured as per the security policy? a. review incident logs b. review the access control list c. review the actual procedures d. review the parameter settings - CORRECT ANSWER d. review the parameter settings

Which of the following concerns would be addressed by a firewall? a. unauthorized access from an external network b. unauthorized access from the internal network c. a delay in internet connectivity d. a delay in system processing - CORRECT ANSWER a. unauthorized access from an external network

The IS auditor reviews logical access control with the primary objective to: a. ensure access control software is working properly b. ensure access is granted as per the approved structure c. protect computer software d. protect computer hardware - CORRECT ANSWER b. ensure access is granted as per the approved structure

During review of a critical application system, the IS auditor observes that user accounts are shared. The MAJOR risk resulting from this situation is that: a. passwords are changed frequently b. outsiders can gain access to the system c. passwords are easily guessed d. user accountability may not be established - CORRECT ANSWER d. user accountability may not be established
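The error-detection and atomicity questions earlier in this section (parity, check digit, checksum and CRC, forward error control, and the all-or-nothing transaction) can be exercised directly. The following Python is an added example written for this page, not code from the study guide: it implements a parity bit, an ISBN-10-style weighted mod-11 check digit, an additive checksum beside CRC-32, and an atomic ledger transfer on an in-memory SQLite table. All inputs (the message bytes, the account numbers and the ledger rows) are constructed for the illustration; forward error correction is not implemented, since the point of the page is only that it corrects rather than merely detects.

```python
"""Error-detection and integrity controls: parity bit, weighted check digit,
additive checksum vs. CRC-32, and an atomic (all-or-nothing) transaction.
Added example; every input below is constructed, not taken from a real system."""
import sqlite3
import zlib


def parity_bit(data: bytes) -> int:
    """Even parity: 1 if the count of 1-bits is odd, so data + bit is even."""
    return sum(bin(b).count("1") for b in data) % 2


def parity_ok(data: bytes, stored_bit: int) -> bool:
    """Catches any odd number of flipped bits; an even number slips through."""
    return parity_bit(data) == stored_bit


def check_digit_mod11(payload: str) -> str:
    """Weighted mod-11 check digit (ISBN-10 style). Weights run n+1..2 over
    the payload digits; the check digit makes the full weighted sum divisible
    by 11 ('X' stands for 10). Every weight is coprime with 11 and adjacent
    weights differ by exactly 1, so every single-digit transcription error and
    every adjacent transposition changes the sum modulo 11 and is detected."""
    n = len(payload)
    total = sum((n + 1 - i) * int(d) for i, d in enumerate(payload))
    check = (-total) % 11
    return "X" if check == 10 else str(check)


def check_digit_ok(value: str) -> bool:
    """Verify payload + check digit: weights n..1 over the whole string."""
    n = len(value)
    total = sum((n - i) * (10 if ch == "X" else int(ch)) for i, ch in enumerate(value))
    return total % 11 == 0


def additive_checksum(data: bytes) -> int:
    """Byte sum mod 256: cheap, but blind to bytes that are merely reordered."""
    return sum(data) & 0xFF


def crc32(data: bytes) -> int:
    """CRC-32 detects any single error burst of up to 32 bits, which covers
    a corrupted byte and a pair of swapped adjacent bytes."""
    return zlib.crc32(data) & 0xFFFFFFFF


def transmission_check(sent: bytes, received: bytes) -> dict:
    """Report which control notices that `received` differs from `sent`."""
    return {
        "parity": not parity_ok(received, parity_bit(sent)),
        "additive_checksum": additive_checksum(sent) != additive_checksum(received),
        "crc32": crc32(sent) != crc32(received),
    }


def atomic_transfer(conn: sqlite3.Connection, src: str, dst: str, amount: int) -> bool:
    """Debit and credit commit together or not at all: `with conn:` commits on
    success and rolls back the open transaction if an exception escapes."""
    try:
        with conn:
            conn.execute("UPDATE accounts SET balance = balance - ? WHERE name = ?", (amount, src))
            (balance,) = conn.execute("SELECT balance FROM accounts WHERE name = ?", (src,)).fetchone()
            if balance < 0:
                raise ValueError("insufficient funds")  # rolls the debit back
            conn.execute("UPDATE accounts SET balance = balance + ? WHERE name = ?", (amount, dst))
        return True
    except ValueError:
        return False


def atomicity_demo() -> dict:
    """Constructed ledger: a failing transfer must leave both balances untouched."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (name TEXT PRIMARY KEY, balance INTEGER)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)", [("alice", 100), ("bob", 0)])
    conn.commit()
    failed = atomic_transfer(conn, "alice", "bob", 150)      # would overdraw alice
    after_fail = dict(conn.execute("SELECT name, balance FROM accounts"))
    succeeded = atomic_transfer(conn, "alice", "bob", 30)
    after_ok = dict(conn.execute("SELECT name, balance FROM accounts"))
    return {"failed": failed, "after_fail": after_fail,
            "succeeded": succeeded, "after_ok": after_ok}


if __name__ == "__main__":
    acct = "12345678"
    full = acct + check_digit_mod11(acct)
    print("check digit:", full, check_digit_ok(full), check_digit_ok("123457689"))
    print("swap bytes:", transmission_check(b"PAY 100 TO ACCT 42", b"PAY 100 TO ACCT 24"))
    print("atomicity:", atomicity_demo())
```

The swapped-account-number case is the one to remember: the additive checksum and the parity bit both pass, because the multiset of bytes is unchanged, while the CRC and the check digit both fail. That is why the questions pair "check digit" with transcription and transposition errors and "CRC" with transmission errors, and why a checksum alone is a weak integrity control.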
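The backup questions above make three claims: full backups consume the most media, differential backups copy everything changed since the last full, and full backups restore fastest. The following Python is an added example, not material from the study guide, that simulates one week of each scheme over a constructed file catalogue and change history (the file names, sizes and daily changes are made up for the illustration) and reports media written and the number of sets a restore has to read back.

```python
"""Full, incremental and differential backup schemes compared on media
consumed and on the restore chain. Added example; the catalogue and the
change history are constructed, not taken from a real system."""

# Constructed catalogue: file name -> size in KB.
FILES = {"db.dat": 500, "app.log": 40, "config.ini": 2, "report.pdf": 120}

# Constructed change history: files modified on each day after the full backup.
CHANGES = [
    {"app.log"},
    {"app.log", "config.ini"},
    {"db.dat"},
    {"app.log"},
    {"app.log", "report.pdf"},
]


def backup_sets(scheme: str) -> list:
    """Sequence of backup sets a scheme writes: a full backup first, then
    one set per day. Incremental copies only what changed since the previous
    backup of any kind; differential copies everything changed since the last
    full backup; full copies every file every time."""
    sets = [("full", frozenset(FILES))]
    since_full = set()
    for day in CHANGES:
        since_full |= day
        if scheme == "full":
            sets.append(("full", frozenset(FILES)))
        elif scheme == "incremental":
            sets.append(("incremental", frozenset(day)))
        elif scheme == "differential":
            sets.append(("differential", frozenset(since_full)))
        else:
            raise ValueError(f"unknown scheme {scheme!r}")
    return sets


def media_kb(sets) -> int:
    """Total storage written across all sets of the cycle."""
    return sum(FILES[f] for _, files in sets for f in files)


def restore_chain(sets) -> list:
    """Indexes of the sets a restore to the latest state must read, in order."""
    kind = sets[-1][0]
    if kind == "full":
        return [len(sets) - 1]            # one set: fastest restore
    if kind == "differential":
        return [0, len(sets) - 1]         # last full + last differential
    return list(range(len(sets)))         # last full + every incremental, in order


def restore(sets) -> dict:
    """Replay the chain; a later copy of a file overwrites an earlier one.
    Returns file -> index of the set its restored copy came from."""
    origin = {}
    for idx in restore_chain(sets):
        for f in sets[idx][1]:
            origin[f] = idx
    return origin


def compare() -> dict:
    """scheme -> (media written in KB, number of sets read on restore)."""
    return {s: (media_kb(backup_sets(s)), len(restore_chain(backup_sets(s))))
            for s in ("full", "incremental", "differential")}


if __name__ == "__main__":
    for scheme, (kb, n_sets) in compare().items():
        print(f"{scheme:12s} media={kb:5d} KB  sets to restore={n_sets}")
    print("incremental restore origins:", restore(backup_sets("incremental")))
```

Incremental wins on media and differential sits in between, but the restore chain reverses that order: an incremental restore must replay every set since the full backup, in sequence, and losing any one of them leaves files at a stale version. That trade-off is the reason the questions rate the full backup as both the costliest in media and the fastest to restore.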
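The firewall questions above contrast a rule base that denies all traffic and permits only what is specified with one that allows everything and denies a list of known bad services, and they point the auditor at the parameter settings rather than the stated procedures. The following Python is an added example, not code from the study guide: a first-match packet filter with an explicit default policy, run over a constructed DMZ web server, internal network, rule lists and probe packets (all addresses and rules are made up for the illustration) to show what each posture lets through.

```python
"""A minimal first-match packet filter used to compare default-deny with
default-allow rule bases. Added example; addresses, rules and packets are
constructed for the illustration."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "deny"
    proto: str                       # "tcp", "udp" or "any"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None      # None matches any destination port


@dataclass(frozen=True)
class Packet:
    proto: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int


def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.proto in ("any", pkt.proto)
            and pkt.src in rule.src
            and pkt.dst in rule.dst
            and rule.dport in (None, pkt.dport))


def decide(rules: list, pkt: Packet, default: str) -> str:
    """First matching rule wins; the default policy applies when none match."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return default


# Constructed environment: one DMZ web server and an internal network.
DMZ_WEB = ipaddress.ip_network("203.0.113.10/32")
INTERNAL = ipaddress.ip_network("10.0.0.0/8")

# Posture 1: permit only what the policy names; everything else hits "deny".
PERMIT_LIST = [
    Rule("allow", "tcp", ANY, DMZ_WEB, 443),
    Rule("allow", "tcp", ANY, DMZ_WEB, 80),
]

# Posture 2: deny what someone thought of; everything else hits "allow".
DENY_LIST = [
    Rule("deny", "tcp", ANY, INTERNAL, 23),    # telnet
    Rule("deny", "tcp", ANY, INTERNAL, 445),   # SMB
]


def constructed_probes() -> list:
    """Inbound packets an external host might send; constructed sample."""
    attacker = ipaddress.ip_address("198.51.100.7")
    return [
        Packet("tcp", attacker, ipaddress.ip_address("203.0.113.10"), 443),  # legitimate HTTPS
        Packet("tcp", attacker, ipaddress.ip_address("10.0.2.5"), 23),       # telnet into the LAN
        Packet("tcp", attacker, ipaddress.ip_address("10.0.2.5"), 3389),     # RDP: not on the deny list
        Packet("udp", attacker, ipaddress.ip_address("10.0.2.53"), 161),     # SNMP: no tcp rule applies
    ]


def inbound_exposure(rules: list, default: str, probes: list) -> list:
    """Destination ports the rule base lets through, in probe order."""
    return [p.dport for p in probes if decide(rules, p, default) == "allow"]


if __name__ == "__main__":
    probes = constructed_probes()
    print("default deny, permit list :", inbound_exposure(PERMIT_LIST, "deny", probes))
    print("default allow, deny list  :", inbound_exposure(DENY_LIST, "allow", probes))
```

The deny-list posture blocks exactly the two services its author remembered and waves through RDP and SNMP into the internal network, which is the failure mode behind the question's preferred "deny all traffic and allow the specified traffic". It is also why the audit procedure is to read the actual parameter settings: the default policy is a single setting on the device, and a written procedure that says "deny by default" proves nothing about it.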
Which of the following is the best technique for protecting critical data inside the server? a. security awareness b. reading the security policy c. security committee d. logical access control - CORRECT ANSWER d. logical access control

Which of the following is the BEST logical control mechanism to ensure that users are allowed access only to those functions needed to perform their duties? a. application-level access control b. data encryption c. HTTPS protocol d. network monitoring device - CORRECT ANSWER a. application-level access control

Which of the following is the MOST important objective of data protection? a. current technology trends b. ensuring the confidentiality and integrity of information c. denying or authorizing access to the IS system d. internal processing efficiency - CORRECT ANSWER b. ensuring the confidentiality and integrity of information

The FIRST step in data classification is to: a. identify data owners b. perform a criticality analysis c. define access rules d. define firewall rules - CORRECT ANSWER a. identify data owners

An IS auditor is reviewing an organization's logical access security. He should be most concerned if: a. passwords are shared b. password files are not protected c. logon IDs of resigned employees are not deleted immediately d. logon IDs are issued centrally - CORRECT ANSWER b. password files are not protected

An IS auditor is evaluating database-level access control functions. Which of the following access control functions will not be in his scope? a. creating database profiles for monitoring An IS auditor is reviewing the level of access available to different users. To determine the same, which of the following should an IS auditor review? a. log files maintained for system access b. job descriptions of users c. logs maintained for access control violations d. system configuration files for the control options used - CORRECT ANSWER d. system configuration files for the control options used

Read-only access is always recommended for: a. access control matrix/rules b. log files for suspected transactions c. logging rules d. user profiles - CORRECT ANSWER b. log files for suspected transactions

An IS auditor performing a telecommunication access control review should be concerned PRIMARILY with the: a. regular updating of log files for usage of various system resources b. authorization and authentication mechanism for allowing access only to authorized users c. encryption mechanism for data protection d. mechanism to control remote access - CORRECT ANSWER b. authorization and authentication mechanism for allowing access only to authorized users

Discretionary access controls will be more effective if they: a. are placed in accordance with mandatory access controls b. are placed independently of mandatory access controls c. allow users to bypass mandatory access controls as and when required d. are allowed by the security policy - CORRECT ANSWER a. are placed in accordance with mandatory access controls

The best method to remove confidential data from computer storage is: a. the hard disk should be demagnetized b. the hard disk should be formatted c. data on the hard disk should be deleted d. data on the hard disk should be defragmented - CORRECT ANSWER a. the hard disk should be demagnetized

The appropriateness of router settings is to be reviewed during a: a. physical access review b. network security review c. data centre security review d. data backup review - CORRECT ANSWER b. network security review

An IS auditor is reviewing physical controls for a data centre. For visitor access to the data centre, the most effective control he should recommend is: a. an escort policy for every visitor b. issuance of visitor badges c. a proper sign-in procedure for visitors d. a security check procedure for every visitor - CORRECT ANSWER a. an escort policy for every visitor

The major risk from the lack of an authorization process for users of an application would be: a. many users can claim to be a specific user b. there is no way to limit role-based access c. sharing of user accounts d. the principle of least privilege can be assured - CORRECT ANSWER b. there is no way to limit role-based access

An IS auditor has been asked to recommend an effective control for providing temporary access rights to outsourced vendors. Which of the following is the MOST effective control? a. a penalty clause in the service level agreement (SLA) b. user accounts are created as per the defined role (least privilege) with expiration dates c. full access is provided for a limited period d. vendor management is given the right to delete IDs when work is completed - CORRECT ANSWER b. user accounts are created as per the defined role (least privilege) with expiration dates

For effective access control, proper naming conventions for system resources are essential because they: a. ensure that resource names reflect their utility b. allow access rules to be structured and better managed c. ensure that user access to resources is clearly identified d. ensure that the international standard for naming is maintained - CORRECT ANSWER b. allow access rules to be structured and better managed

An IS auditor is reviewing the security of a payroll application. Which of the following should concern him? a. role-based access for users b. hardening of the systems where the application runs c. the ability of users to access and modify the database directly d. two-factor authentication for access - CORRECT ANSWER c. the ability of users to access and modify the database directly

Which among the below is the FIRST step in implementation of an access control list? a. a categorization of IS resources b. the grouping of IS resources c. implementation of access control rules d. creating an inventory of available IS resources - CORRECT ANSWER d. creating an inventory of available IS resources

An IS auditor is reviewing the general IT controls of an organization. Which of the following should concern him? a. LAN connections are easily available in the facility to connect laptops to the network b. two-factor authentication is mandatory for access to critical applications d. ensure that internationally recognized names are used to protect resources - CORRECT ANSWER b. reduce the number of rules required to adequately protect resources

In coordination with the database administrator, granting access to data is the responsibility of: a. data owners b. system engineers c. the security officer d. librarians - CORRECT ANSWER a. data owners

An IS auditor is reviewing the data classification policy of an organization. From a control perspective, the PRIMARY objective of classifying information assets is to: a. ensure that all assets are insured against losses b. assist in risk assessment c. establish appropriate access control guidelines d. ensure all information assets have access controls - CORRECT ANSWER c. establish appropriate access control guidelines

From a control perspective, access to application data should be given by the: a. database administrator b. data custodian c. data owner d. security administrator - CORRECT ANSWER c. data owner

An IS auditor is reviewing the access control policy of an organization. Which of the following is responsible for authorizing access rights to production data and systems? a. process owner b. data owner c. data custodian d. security administrator - CORRECT ANSWER b. data owner

An IS auditor is reviewing the access control policy of an organization. Which of the following is the BEST basis for determining the appropriate level of information resource protection? a. classification of information assets b. data owner c. threat assessment d. cost of information assets - CORRECT ANSWER a. classification of information assets

The MOST important benefit of having a data classification policy is: a. data classification ensures an accurate inventory of information assets b. data classification helps to decrease the cost of controls c. data classification helps in vulnerability assessment d. data classification helps in appropriate alignment with data owners - CORRECT ANSWER b. data classification helps to decrease the cost of controls

For appropriate data classification, the MOST important requirement is: a. knowledge of technical controls for protection of data b. awareness and training about organizational policies and standards c. use of automated data control tools d. understanding the requirements of data users - CORRECT ANSWER b. awareness and training about organizational policies and standards

A hash function will address which of the following concerns about an electronic message? a. message confidentiality b. message integrity c. message availability d. message compression - CORRECT ANSWER b. message integrity

A digital signature will address which of the following concerns about an electronic message? a. authentication and integrity of data b. authentication and confidentiality of data c. confidentiality and integrity of data d. authentication and availability of data - CORRECT ANSWER a. authentication and integrity of data

A digital signature is created by the sender to prove message integrity by: a. encrypting the message with the sender's private key; upon receiving the data, the recipient can decrypt the data using the sender's public key b. encrypting the message with the recipient's public key; upon receiving the data, the recipient can decrypt the data using the recipient's public key c. initially using a hashing algorithm to produce a hash value or message digest from the entire message contents; upon receiving the data, the recipient can independently create it d. encrypting the message with the sender's public key; upon receiving the data, the recipient can decrypt the data using the recipient's private key - CORRECT ANSWER c. initially using a hashing algorithm to produce a hash value or message digest from the entire message contents; upon receiving the data, the recipient can independently create it

A digital signature addresses which of the following concerns about an electronic message? a. unauthorized archiving b. confidentiality c. unauthorized copying d. alteration - CORRECT ANSWER d. alteration

Which of the following is used to address the risk of a hash being compromised? a. digital signatures b. message encryption c. email password d. disabling SSID broadcast - CORRECT ANSWER a. digital signatures b. authentication c. non-repudiation d. security - CORRECT ANSWER c. non-repudiation

In an e-commerce application, which of the following should be relied on to prove that the transactions were actually made? a. proof of delivery b. authentication c. encryption d. non-repudiation - CORRECT ANSWER d. non-repudiation

Mr. A has sent a message to Mr. B along with a hash of the message encrypted with A's private key. This will ensure: a. authenticity and integrity b. authenticity and confidentiality c. integrity and privacy d. privacy and non-repudiation - CORRECT ANSWER a. authenticity and integrity

Digital signatures require the: a. signer to have the public key of the sender and the receiver to have the private key of the sender b. signer to have the private key of the sender and the receiver to have the public key of the sender c. signer and receiver to have a public key d. signer and receiver to have a private key - CORRECT ANSWER b. signer to have the private key of the sender and the receiver to have the public key of the sender

A digital signature contains a hash value (message digest) to: a. ensure message integrity b. define the encryption algorithm c. confirm the identity of the originator d. compress the message - CORRECT ANSWER a. ensure message integrity

In public key encryption (asymmetric encryption), to secure message confidentiality: a. encryption is done with the private key and decryption with the public key b. encryption is done with the public key and decryption with the private key c. both the key used to encrypt and the key used to decrypt the data are public d. both the key used to encrypt and the key used to decrypt the data are private - CORRECT ANSWER b. encryption is done with the public key and decryption with the private key

In public key encryption (asymmetric encryption), to authenticate the sender of the message: a. the hash of the message is encrypted with the sender's private key and decrypted with the sender's public key b. the hash of the message is encrypted with the sender's public key and decrypted with the sender's private key c. the hash of the message is encrypted with the receiver's private key and decrypted with the receiver's public key d. the hash of the message is encrypted with the receiver's public key and decrypted with the receiver's private key - CORRECT ANSWER a. the hash of the message is encrypted with the sender's private key and decrypted with the sender's public key

In public key encryption (asymmetric encryption), to ensure the integrity of the message: a. the hash of the message is encrypted with the sender's private key and decrypted with the sender's public key b. the hash of the message is encrypted with the sender's public key and decrypted with the sender's private key c. the hash of the message is encrypted with the receiver's private key and decrypted with the receiver's public key d. the hash of the message is encrypted with the receiver's public key and decrypted with the receiver's private key - CORRECT ANSWER a. the hash of the message is encrypted with the sender's private key and decrypted with the sender's public key

Which of the following ensures confidentiality of the message and also authenticity of the sender of the message? a. encrypting the hash of the message with the sender's private key and thereafter encrypting the message with the receiver's public key b. encrypting the hash of the message with the sender's private key and thereafter encrypting the message with the receiver's private key c. encrypting the hash of the message with the receiver's public key and thereafter encrypting the message with the sender's private key d. encrypting the hash of the message with the receiver's public key and thereafter encrypting the message with the sender's public key - CORRECT ANSWER a. encrypting the hash of the message with the sender's private key and thereafter encrypting the message with the receiver's public key

Message authenticity and confidentiality are BEST achieved by encrypting the hash of the message using the: a. sender's private key and encrypting the message using the receiver's public key b. sender's public key and encrypting the message using the receiver's private key c. receiver's private key and encrypting the message using the sender's public key d. receiver's public key and encrypting the message using the sender's private key - CORRECT ANSWER a. sender's private key and encrypting the message using the receiver's public key

The authority that manages the certificate life cycle is the: a. certificate authority (CA) b. certificate revocation list (CRL) c. certification practice statement (CPS) d. registration authority (RA) - CORRECT ANSWER a. certificate authority (CA)

In a public key infrastructure, the role of a registration authority is to: a. issue certificates to subscribers b. manage certificates throughout their life cycle c. maintain the list of revoked certificates d. validate the information provided by the subscriber requesting a certificate - CORRECT ANSWER d. validate the information provided by the subscriber requesting a certificate

Which of the following PKI elements controls and manages the digital certificate life cycle to ensure proper security exists in digital signature applications? a. certificate revocation list b. registration authority (RA) c. certificate authority (CA) d. certification practice statement - CORRECT ANSWER c. certificate authority (CA)

Which of the following processes can be delegated by a certificate authority (CA)? a.
issuance of digital certificates b. managing the certificate throughout its life cycle. c. establishing a link between the requesting entity and its public key d. maintain list of revoked lists - CORRECT ANSWER c. establishing a link between the requesting entity and its public key In public key infrastructure, which of the following would ban IS auditor consider a weakness? a. certificate authorities are centrally located however customers are widely dispersed geographically. b. transaction can be made from any computer or mobile device c. the certificate authority has multiple data processing centers to manage the certificates d. the organization is the owner of the certificate authority. - CORRECT ANSWER d. the organization is the owner of the certificate authority. In a public key infrastructure, a registration authority: a. issues the certificate b. verifies information supplied by the subject requesting a certificate c. signs the certificate to achieve authentication and non-repudiation. d. Managing the certificate throughout its life cycle. - CORRECT ANSWER b. verifies information supplied by the subject requesting a certificate Detailed description for dealing with a compromised private key is provided in which of tithe following public key infrastructure (PKI) elements? a. certificate policy (CP) b. certificate revocation list (CRL) c. certification practice statement (CPS) d. PKI disclosure statementt (PDS) - CORRECT ANSWER c. certification practice statement (CPS) In a public key infrastructure, role of a certificate authority is too: a. ensure secured communication and secured network services based on certificates b. validate the identity and authenticity of the entity owning the certificate and integrity of the certificate issued by that CA c. ensure secured communication infrastructure between parties d. hosting a private key of subscribers in public domain - CORRECT ANSWER b. 
validate the identity and authenticity of the entity owning the certificate and integrity of the certificate issued by that CA An organization is considering implementing a biometric access control for one of its critical system. Among below mentioned biometrics, which has the highest reliability and lowest false- acceptance rate (FAR)? a. fingerprints b. retina scan c. face recognition d. voice recognition - CORRECT ANSWER b. retina scan An organization is considering implementing biometric access control fro one of its critical system. The auditor should be MOST concerned with which of the following? a. False - Acceptance Rate (FAR) b. False- Rejection Rate (FRR) c. Equal Error Rate (EER) d. Number of staff enrolled for biometrics - CORRECT ANSWER a. False - Acceptance Rate (FAR) The best overall quantitative performance indicator for biometric system is: a. False - Acceptance Rate (FAR) b. False- Rejection Rate (FRR) c. Equal Error Rate (EER) d. Number of staff enrolled for biometrics - CORRECT ANSWER c. Equal Error Rate (EER) An organization is considering implementing a biometric access control for one of its critical system. Among below mentioned biometrics, tthe MOST effective biometric control system is tthe one: a. with highest equal-error rate (EER) b. with lowest equal- error rate (EER) c. with highest cross error rate (CER) d. which covers all the systems in the organizations - CORRECT ANSWER b. with lowest equal- error rate (EER) b. brute-force c. cryptographic d. replay - CORRECT ANSWER c. cryptographic Which of the following attack involves sending the numerous different biometric samples to a biometric device? a. mimic b. brute-force c. cryptographic d. replay - CORRECT ANSWER b. brute-force An organization is considering implementing access control for all PCs that access critical data. This will: a. completely eliminate the risk of false acceptance i.e unauthorized access will be eliminated completely b. 
require enrollment of all users that access the critical data c. require fingerprint reader to be controlled by a seperate password d. provide assurance that unauthorized access will be impossible. - CORRECT ANSWER b. require enrollment of all users that access the critical data An organization has installe da IDS which monitor general patterns of activity and creates tthe database. Which of the following intrusion detection system (IDSs) has this feature? a. packet filtering b. signature-based c. statistical- based d. neural networks - CORRECT ANSWER d. neural networks The component of an IDS that collect's the data is a. sensor b. analyzer c. user interface d. administration console - CORRECT ANSWER a. sensor Even for normal activity, which of the following intrusion detection systems (IDSs) will MOST likely generate false alarms? a. statistical-based b. signature- based c. neural network d. Host-based - CORRECT ANSWER a. statistical-based An IS auditor is reviewing installation of intrusion detection system (IDS). Which of the following is a GREATEST concern? a. number of non-alarming events identified as alarming b. system not able to identify the alarming attacks c. automated tool is used for analysis of reports/logs d. traffic from known source is blocked by IDS - CORRECT ANSWER b. system not able to identify the alarming attacks An organization wants to detect attack attempts tha the firewall is unable to recognize. A network intrusion detection system (IDS) between the: a. internet and firewall b. firewall and organization's internal network c. internett and the IDS d. IDS and internal network - CORRECT ANSWER b. firewall and organization's internal network Which of the following is a function of an intrusion detection system (IDS)? a. obtain evidence on intrusive activity b. control tthe access on the basis of defined rule c. blocking access to websites for unauthorized users d. preventing access to servers for unauthorized user. - CORRECT ANSWER a. 
obtain evidence on intrusive activity Which of the following is the most important routine problem in implementation of intrusion detection system (IDS)? a. instances of false rejection rate b. instances of false acceptance rate c. instances of false positives d. denial of service attacks - CORRECT ANSWER c. instances of false positives Attempts of intrusion attacks and penetration threat to a network can be detected by which of the following by analyzing the behavior of the system? a. router b. intrusion detection system (IDS) c. stateful inspection d. packet inspection - CORRECT ANSWER b. intrusion detection system (IDS) To detect intrusion, BESTT control would be: a. controlled procedure for granting user access b. inactive system to be automatically logged off after time limit c. actively monitoring unsuccessful login attempts d. deactivate the user ID after specified unsuccessful login attempts - CORRECT ANSWER c. actively monitoring unsuccessful login attempts An IS auditor reviewing the implementation of IDS should be most concerned if: a. high instances of false alarm by statistical based IDS b. IDS is placed between firewall and internal network c. IDS is used to detect encrypted traffic d. signature based IDS is not able tot identify new threats - CORRECT ANSWER c. IDS is used to detect encrypted traffic Of all three IDS (i. signature, ii. statistics, and iii. neural network), neural network is more effective in detecting fraud because: a. intrusion is identified on the basis of known type of atttakcs