Answers to Assessment Test

  1. D. The first person on the scene is the incident commander, regardless of rank or position. The incident commander may be relieved by a person with more experience or less experience, according to the situation. The incident commander will change throughout the crisis. For more information, see Chapter 8.

  2. C. Undue restrictions on scope would be a major concern as would a lack of time or the inability to obtain sufficient reliable evidence. For more information, see Chapter 2.

  3. D. All of the audit types are valid except procedural, SAS-74, verification, and regulatory (which are all distracters). The valid audit types are financial, operational (SAS-70), integrated (SAS-94), compliance, administrative, forensic, and information systems. A forensic audit is used to discover information about a possible crime. For more information, see Chapter 1.

  4. C. The recovery point objective (RPO) indicates the fallback position and duration of loss that has occurred. A valid RPO example is to recover by using backup data from last night's backup tape, meaning that the more recent transactions would be lost. The recovery time objective (RTO) indicates a point in time that the restored data should be available for the user to access. For more information, see Chapter 8.

  5. D. Computer-assisted audit tools are able to perform detailed technical tasks faster than humans and produce more accurate data during particular functions such as system scanning. Cost, training, and security of output are major considerations. For more information, see Chapter 2.

  6. C. The risk analysis does not ensure absolute safety. The purpose of using a risk-based audit strategy is to ensure that the audit adds value with meaningful information. For more information, see Chapter 2.

  7. B. According to ISACA, the general steps in business process reengineering are envision the need, initiate the project, diagnose the existing process, redesign a process, use change management to reconstruct the organization in transition, and evaluate the results. For more information, see Chapter 3.

  8. B. Authorization should be separate from all other activities. A second person should review changes before implementation. Authorization will be granted if the change is warranted and the level of risk is acceptable. For more information, see Chapter 3.

  9. C. According to ISACA, the gateway operates at application layer 7 in the OSI model. The function of the gateway is to convert data contained in one protocol into data used by a different protocol. An example is a PC-to-mainframe gateway converting ASCII to mainframe Extended Binary Coded Decimal Interchange Code (EBCDIC). For more information, see Chapter 4.

  10. B. The purpose of the audit committee is to review and challenge assurances made, and to maintain a positive working relationship with management and the auditors. For more information, see Chapters 2 and 3.

  11. B. The third layer of the OSI model is the Network layer. Use the memory tool of "Nor Do I Throw Apples" to remember the layers of the TCP/IP model. The third layer of the TCP/IP model is the Internet layer. For more information, see Chapter 4.

  12. C. The four perspectives on the IT balanced scorecard are the customer perspective, business process perspective, financial perspective, and the growth perspective. Each of these seeks to define the highest return by IT. For more information, see Chapter 7.

  13. C. The sender and receiver each have their own public and private (secret) key pair. All the other statements are false. Asymmetric keys are definitely used for creating digital signatures. The sender would never use the recipient's private key, only the recipient's public key. For more information, see Chapter 7.

  14. B. All emergency changes should still undergo the formal change management process after the fact. The review determines whether the change should remain in place or be modified. For more information, see Chapter 6.

  15. C. Any standing data should be purged from the equipment prior to disposal. Standing data refers to information that can be recovered from a device by using any means. For more information, see Chapter 6.

  16. A. The insurance company may dictate salvage to save money. Salvage will increase the delay before recovery. Any replacement purchases by the organization may not be covered under reimbursement. For more information, see Chapter 8.

  17. D. The wireless network may be using wired equivalent protocol (WEP); however, a firewall is still required to protect the internal network. The WEP design has been broken and is considered insecure under all conditions. In addition, new CISP regulations of the Senate Banking Committee with VISA, MasterCard, American Express, and Discover place $100,000 penalties per occurrence for any loss due to noncompliance.

  18. B. Digital signatures provide authentication assurance of the email sender. Digital signatures use the private key of the sender to verify identity. For more information, see Chapter 7.

  19. A. Database views are used to implement least privilege and restrict the data that can be viewed by the user. For more information, see Chapter 7.

  20. B. It is not possible to create business continuity plans without a current Business Impact Analysis (BIA). The BIA identifies critical processes and their dependencies. The critical processes will change as the business changes with new products and customers. For more information, see Chapter 8.

  21. B. Procedures should be implemented to ensure that only approved program changes are implemented. The purpose of separation of duties is to prevent intentional or unintentional errors. A logical separation of duties may exist if a single person performs two job roles. The ultimate objective is to ensure that a second person has reviewed and approved a change before it is implemented. For more information, see Chapter 3.

  22. C. Standards are mandatory, and any deviation would require justification. Exceptions are rarely accepted. For more information, see Chapter 2.

  23. B. The auditor must be independent of personal and organizational relationships with the auditee, which could imply a biased opinion. The auditor is not permitted to audit a system for which they participated in the support, configuration, or design. An auditor may not audit any system that they helped to remediate. For more information, see Chapter 1.

  24. A. Notice that analyzing the business impact is always the first step. Then criteria are selected to guide the strategy selection. A detailed plan is written by using the strategy. The written plan is then implemented. After implementation, the plan and staff are tested for effectiveness. The plan is revised, and then the testing and maintenance cycle begins. For more information, see Chapter 8.

  25. D. The sender uses the recipient's public key to encrypt a file that only the recipient can read (decrypt). The sender's private key provides authenticity. The sender's public key provides integrity. The role of the keys is based on the direction of the transaction. The roles reverse when the original recipient replies with another message, thereby assuming the sender's role. For more information, see Chapter 7.

  26. A. The auditor can use an embedded audit module, also known as an integrated test facility, to create a set of dummy transactions that will be processed along with genuine transactions. The auditor compares the output data against their own calculations. This allows for substantial testing without disrupting the normal processing schedule. For more information, see Chapter 2.

  27. A. Discovery sampling is known as the 100 percent sample. All available sources are investigated to find any evidence that may exist. Discovery sampling is commonly used in criminal investigations. It's also the best way to find possible correlations when an event cannot be explained. For more information, see Chapter 2.

  28. B. The separation of duties is intended to prevent an individual from monitoring their own work or authorizing their own changes. Self-monitoring and self-authorization would be a problem warranting serious concern because it violates the intention of IT governance. The auditor would want to investigate whether changes were formally reviewed and approved by the change control board prior to implementation. For more information, see Chapter 6.

  29. A. The most important concern is how management controls the use of encryption. Is the encryption managed under a complete life cycle that governs creating the keys, storing the keys, providing proper authorization to use the keys, using the keys correctly with the appropriate algorithm for maximum confidentiality, tracking the use of the keys, archiving or reissuing keys, retiring the keys, and ultimately destroying the encryption keys after all legal obligations have been met? For more information, see Chapter 7.

  30. B. Bit stream imaging is the only backup method that records the deleted files along with the contents of the swap space and slack space. Bit stream backup is also referred to as physical imaging. All of the other choices would miss these important files that are necessary as evidence. For more information, see Chapter 7.

  31. A. General controls represent the highest class of controls that apply to everyone within the organization. Pervasive controls represent the protection necessary when using technology. IS controls are pervasive in all departments using computers. No matter who is in charge, the IS controls must be used to ensure integrity and availability. Detailed controls specify how a procedure will be executed. Application controls are the lowest-level controls that are usually built into the software or that govern its use. Application controls will be compromised if the higher-level controls are not present. For more information, see Chapter 3.

  32. A. The ACID principle says to write the entire transaction or back it completely out. A stands for atomicity (all or nothing), C for consistency (restore data if the write fails), I for isolation (separation between transactions), and D for durability (retain the data). For more information, see Chapter 5.

  33. C. The sender's public key provides authentication that the message came from that specific individual. A private key provides confidentiality. For more information, see Chapter 7.

  34. B. Function Point Analysis is used by highly experienced programmers to estimate the complexity involved in writing new software. It starts by counting the inputs, outputs, inquiries (searches), data structure, and external interfaces. For more information, see Chapter 4.

  35. C. The major control types are physical (stops), detective (finds), and corrective (fixes). A deterrent control is simply a very weak form of preventative control. For more information, see Chapter 3.

  36. A. The phases in incident handling are 1) preparation, 2) detection and analysis, 3) containment, eradication, and recovery, and 4) postincident activity, including lessons learned. For more information, see Chapter 6.

  37. B. The auditor needs to review the audit alternatives to determine whether the alternatives could sufficiently compensate for the omission. The auditor should cancel their report if the omitted procedures would change the outcome and if audit alternatives cannot compensate for the deficiency. For more information, see Chapter 2.

  38. B. Centralized management always provides the most control. Distributed management is also known as discretionary because the decision is made locally and is based on a variety of factors. Distributed methods provide the lowest overall control. For more information, see Chapter 7.

  39. D. Creating a tape backup is a preventative control to prevent the loss of data. However, the verify function is a detective control intended to detect any discrepancies between the tape and the hard disk. It's a detective control because it still requires the operator to manually fix the problem after it is found. Verification and audits are always detective controls. For more information, see Chapter 7.

  40. A. Digital certificates (also known as a soft token) can be used for two-factor authentication. The key fob is also known as a hard token because of its physical nature. Passwords do not provide for two-factor authentication unless coupled with hard tokens, soft tokens, or biometrics. For more information, see Chapter 7.

  41. B. Use of proper change control would represent the least concern for the auditor. Auditors want to see change control procedures being used for separation of duties. All of the other choices represent violations warranting further investigation. For more information, see Chapter 6.

  42. A. Legal is not one of the primary implementation methods. Controls are implemented by using physical methods, logical methods (technical), and administrative methods. Administrative methods include laws, policies, procedures, and contracts. The combination of physical, logical, and administrative methods is used to obtain legal compliance. For more information, see Chapter 3.

  43. C. Unlike a virus, a worm can freely travel across network connections to infect other systems. Worms can infect files without the file being opened or closed by the user. For more information, see Chapter 7.

  44. A. System accreditation is a formal sign-off witnessing management's acceptance of fitness for the system's intended use and full responsibility for any failures. System accreditation is for a period of 90 days, 180 days, or 365 days (annual). The system must be reaccredited by the expiration date. For more information, see Chapter 5.

  45. C. Key wrapping is used to protect encryption keys during storage and transmission of the keys. Encryption keys should never be directly accessible to the user. For more information, see Chapter 7.

  46. A. A qualified opinion means the auditor has reservations about the scope of the audit, concerns with the available evidence, or concerns that the findings may not represent the true story. Audit reports containing a qualified opinion will have limitations on the use of the report. For more information, see Chapter 2.

  47. C. The complete System Development Life Cycle contains seven phases, not six. The auditee may have a control failure because the postimplementation (phase 6) or disposal process (phase 7) may not have been formally adopted. Using fewer than seven phases would indicate that shortcuts have been taken. For more information, see Chapter 5.

  48. D. The differential backup method will copy all files that have changed since the last full backup but will not reset the archive bit. Files can be restored in less time by using just the last full backup with the last differential backup tape. For more information, see Chapter 6.
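The archive-bit behaviour behind answer 48 can be simulated. The following is an added example (not from the book): it models a small file system whose files carry an archive bit, runs the same two days of changes under an incremental and a differential strategy, and shows why a restore needs only the last full plus the last differential set, but every incremental set. File names and contents are constructed sample data.

```python
"""Simulate how full, incremental and differential backups treat the archive bit."""


class FileSystem:
    """Tracks each file's content and its archive bit (set on every write)."""

    def __init__(self, files):
        # Freshly created files start with the archive bit set.
        self.files = {name: (content, True) for name, content in files.items()}

    def write(self, name, content):
        self.files[name] = (content, True)  # any modification sets the archive bit

    def changed(self):
        """Names of files whose archive bit is currently set."""
        return sorted(n for n, (_, bit) in self.files.items() if bit)

    def contents(self):
        return {n: c for n, (c, _) in self.files.items()}


def full_backup(fs):
    """Copy every file and reset every archive bit."""
    snapshot = fs.contents()
    for name, (content, _) in fs.files.items():
        fs.files[name] = (content, False)
    return snapshot


def incremental_backup(fs):
    """Copy files changed since the last backup of any kind, then reset their bits."""
    snapshot = {n: c for n, (c, bit) in fs.files.items() if bit}
    for name in snapshot:
        fs.files[name] = (fs.files[name][0], False)
    return snapshot


def differential_backup(fs):
    """Copy files changed since the last full backup; the archive bits stay set."""
    return {n: c for n, (c, bit) in fs.files.items() if bit}


def restore(*backup_sets):
    """Apply backup sets in order; later copies of a file overwrite earlier ones."""
    result = {}
    for backup_set in backup_sets:
        result.update(backup_set)
    return result


def simulate(strategy):
    """Run a Sunday full backup plus Monday/Tuesday daily backups of one strategy."""
    fs = FileSystem({"ledger.db": "v1", "payroll.xls": "v1", "config.ini": "v1"})
    daily = differential_backup if strategy == "differential" else incremental_backup
    sets = {"full": full_backup(fs)}  # Sunday: full backup, all bits cleared
    fs.write("ledger.db", "v2")       # Monday: one file changes
    sets["mon"] = daily(fs)
    fs.write("payroll.xls", "v2")     # Tuesday: a second file changes
    sets["tue"] = daily(fs)
    return fs, sets


if __name__ == "__main__":
    for strategy in ("differential", "incremental"):
        fs, sets = simulate(strategy)
        print(strategy, "Tuesday set:", sets["tue"], "bits still set:", fs.changed())
        print("  full + tue restores current state:",
              restore(sets["full"], sets["tue"]) == fs.contents())
```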

  49. A. The sender's private key is never used by the recipient. It takes only three keys to decrypt the message: the sender's public key, the recipient's public key, and the recipient's private key. For more information, see Chapter 7.

  50. A. IT security managers should report problems to internal auditors. It's a reporting conflict if an IT-related employee is required to make violation reports directly to their manager. There may be job pressures to cover up problems. A built-in reporting conflict exists when your job requires you to report violations to your superior, when the same person is responsible for ensuring compliance. For more information, see Chapter 6.

  51. B. An electronic signature is worthless unless the recipient actually tests the signature by decrypting it. Electronic signatures should never be trusted by their presence. Digital signatures must be tested by the recipient to verify their authenticity. For more information, see Chapter 7.

  52. D. Limiting the use of encryption keys is the best available choice to protect them from compromise. Separation of duties also applies to encryption keys. Each encryption key should have a special purpose without reusing the same key on different tasks. For more information, see Chapter 7.

  53. B. Management must make their assertions independent of the auditor's report. The role of the auditor is to determine whether management claims can be verified as correct by the available evidence. For more information, see Chapter 1.

  54. A. The business continuity (BC) plan is likely to fail. It would be nearly impossible for a BC plan to work without first performing a business impact analysis (BIA). Nobody can protect business processes that they were unable to define in a formal specification (BIA report). For more information, see Chapter 8.

  55. C. Identification is simply a claim that must be verified. Authentication is when the claim matches the reference, thereby indicating that the identity is correct. For more information, see Chapter 7.

  56. B. Every auditor should build a list of all the individual points contained in a regulation, citing each point by page, paragraph, and line number. This detailed specification will be used to explain how the audit meets the objective. Specific tests should be created for each item. If the audit test must be rerun, the subsequent auditor should always find similar results by using your documentation. For more information, see Chapter 2.

  57. A. ISACA audit standards of professional ethics are intended to provide consistency. We do not want you to cast any disgrace upon our profession. We hope that by following the standards, you will not embarrass yourself or fail to understand the duties of an auditor. For more information, see Chapter 1.

  58. D. CISAs can lose their credentials by possessing or using materials for which they do not hold a valid copyright license. Violating copyright restrictions is a violation of law and ethics. For more information, see Chapter 1.

  59. D. Portfolio management is similar to trading stocks or baseball cards. The objective is to get the highest possible value for your collection of projects. Each project is judged on which ones represent the best return on investment; all other projects are cancelled or ignored. Changes to the work breakdown structure (list of project tasks) will occur within the project itself. For more information, see Chapter 1.

  60. A. Whether conducting an internal or external audit, the auditor is a paid impartial observer. None of the other statements are true. The auditor never takes ownership of problems found. Standards are either met by the client (compliant) or not met by the client (not compliant). For more information, see Chapter 1.

  61. A. A crash dump file is created when the system crashes abruptly. This file contains the contents of working memory (RAM) and a list of tasks that were being processed. This special diagnostic file is extremely helpful during forensic investigations. For more information, see Chapter 6.

  62. B. Expert systems make decisions for the user by using weighting rules against data points in the database (heuristics) to build correlations. Expert systems frequently contain more than 100,000 discrete points of data. All the other choices expect the user to make their own decision based on available information. For more information, see Chapter 5.

  63. C. Middle floors. ISACA states that the computer room should never be in the basement because of the risk of flooding. The first floor is susceptible to break-ins. The top floor is susceptible to roof leaks and storm damage. In this book, we discuss the details of how the basement decision occurred. For more information, see Chapter 7.

  64. B. A haphazard sample is also known as a judgmental sample. For more information, see Chapter 2.

  65. D. A policy is strategic, standards are tactical, and procedures are operational. For more information, see Chapter 1.

  66. C. A nonworking process would be the best candidate for reengineering. The actual decision is based on the best return on investment. There is no need to reengineer something that fails to generate a positive return. For more information, see Chapter 3.

  67. B. Formal approval is necessary before moving into the next phase. A review meeting is held with the stakeholders, project manager, and executive chairperson. All of the projections and open issues are discussed. Each item is approved, rejected, or cancelled. The project may advance to the next stage with formal approval. The auditor should look for evidence of formal approval and how the decision was made. For more information, see Chapter 5.

  68. C. A write-blocker is used to prevent any changes from being written to the hard disk during the collection of evidence. The simple act of booting up the computer will cause changes that taint the evidence. Any changes, no matter how small, will be used by defense lawyers to prove that evidence tampering occurred. Any claim of evidence tampering that cannot be disproved will destroy the value of the evidence. For more information, see Chapter 6.

  69. B. Using a system with a Redundant Array of Independent—or Inexpensive—Disks (RAID) will increase availability. RAID does not prevent data corruption; therefore, backups are still required. RAID systems use more disk space for redundancy but provide less available storage capacity. For more information, see Chapter 4.

  70. A. Audit charters are high-level documents used to grant authorization to the auditor responsible for conducting an audit, and to specify that the auditor will be accountable for their behavior. For more information, see Chapter 2.

  71. C. Root kits are used by hackers to remotely subvert the operating system security and compromise the kernel. Root kits can be installed without the knowledge of the user and use stealth techniques to hide their existence from monitoring software. For more information, see Chapter 7.

  72. D. Rapid Application Development (RAD) methodology automates only a portion of phase 2 requirements, phase 3 design, and phase 4 development. RAD does not provide the planning and documentation necessary in feasibility, requirements, implementation, and postimplementation. For more information, see Chapter 5.

  73. A. Auditing is a review of past history. We use evidence and testing to determine the story. It's not possible to use an audit to forecast compliance benefits before entering production. Every system creates unforeseen consequences that can be fully realized only after that system enters production. You can audit the system attributes during design and development, not the unrealized operating issues impacting its compliance. Compliance requires an audit after it enters production to include the way the system is actually used and managed. For more information, see Chapter 5.

  74. C. The data owner is responsible for designating the appropriate information security level and appointing the custodian. The data owner is usually a vice president or higher, up to an agency head. The data owner also specifies the controls to be used. The audit committee and management can change the security level if the data owner fails to properly classify the data. For more information, see Chapter 3.

  75. A. Auditing of the system configuration and reading system logs are examples of detective controls implemented by using administrative methods. Auditing is always a detective control. Auditors may use computer-assisted audit tools, but auditing is still an administrative process. For more information, see Chapter 2.

  76. D. Firewalls do not need to be backed up except after changes to the system. Backups of the firewall must be full backups on stand-alone devices, also known as a zero day restore. An auditor should be seriously concerned if source routing is enabled (major hazard), backup media is left in the drive (covert storage for attackers), or remote login or file sharing is enabled (open to remote access). For more information, see Chapter 7.

  77. C. The auditee will usually get amnesty for turning you in. Copyright violations are always illegal and unethical. You can bet that the auditee will later boast about how they helped you, or blast you for issuing an unfavorable report after they did you a favor. Never use unauthorized software under any condition; besides breaking the law, it will make you look bad. No honest person or organization wants to use an auditor who violates the law. For more information, see Chapter 1.

  78. C. The auditor should contact the audit committee, never law enforcement or the regulators. If necessary, the auditor's lawyer will handle contacting the authorities. For more information, see Chapter 2.

  79. B. Agile programming is used to create prototypes via time-box management techniques to force new iterations within short periods of time. Traditional administrative planning and documentation is forfeited in favor of the undocumented knowledge contained in a person's head. For more information, see Chapter 5.

  80. D. Reports by internal auditors have a low corresponding value due to the built-in reporting conflict that may exist. This is why external independent audits are required for regulatory licensing. For more information, see Chapter 2.
