CISA : Certified Information Systems Auditor : Part 143

  1. A system administrator recently informed the IS auditor about the occurrence of several unsuccessful intrusion attempts from outside the organization. Which of the following is MOST effective in detecting such an intrusion?

    • Installing biometrics-based authentication
    • Configuring the router as a firewall
    • Periodically reviewing log files
    • Using smart cards with one-time passwords
  2. Which of the following are used in a firewall to protect the entity’s internal resources?

    • Internet Protocol (IP) address restrictions
    • Remote access servers
    • Secure Sockets Layers (SSLs)
    • Fail-over services
  3. A company has located its computer center on a moderate earthquake fault. Which of the following is the MOST important consideration in establishing a contingency plan and an alternate processing site?

    • The alternative site does not reside on the same fault no matter how far the distance apart.
    • The contingency plan for high priority applications does not involve a shared cold site.
    • The alternative site is a hot site with equipment ready to resume processing immediately.
    • The contingency plan provides for backup tapes to be taken to the alternative site.
  4. Which of the following is the BEST way to address potential data privacy concerns associated with inadvertent disclosure of machine identifier information contained within security logs?

    • Only collect logs from servers classified as business critical.
    • Limit the use of logs to only those purposes for which they were collected.
    • Limit log collection to only periods of increased security activity.
    • Restrict the transfer of log files from host machine to online storage.
  5. The PRIMARY benefit to using a dry-pipe fire-suppression system rather than a wet-pipe system is that a dry-pipe system:

    • has a decreased risk of leakage.
    • is more effective at suppressing flames.
    • allows more time to abort release of the suppressant.
    • disperses dry chemical suppressants exclusively.
  6. On a public-key cryptosystem when there is no previous knowledge between parties, which of the following will BEST help to prevent one person from using a fictitious key to impersonate someone else?

    • Encrypt the message containing the sender’s public key, using a private-key cryptosystem.
    • Send a certificate that can be verified by a certification authority with the public key.
    • Encrypt the message containing the sender’s public key, using the recipient’s public key.
    • Send the public key to the recipient prior to establishing the connection.
  7. Which of the following should be the PRIMARY basis for how digital evidence is handled during a forensics investigation?

    • Industry best practices
    • Regulatory requirements
    • Organizational risk culture
    • Established business practices
  8. A database administrator should be prevented from:

    • using an emergency user ID.
    • accessing sensitive information.
    • having end user responsibilities.
    • having access to production files.
  9. Which of the following security risks can be reduced by a properly configured network firewall?

    • Insider attacks
    • SQL injection attacks
    • Denial of service (DoS) attacks
    • Phishing attacks
  10. Which of the following does a lack of adequate security controls represent?

    • Threat
    • Asset
    • Impact
    • Vulnerability

    The lack of adequate security controls represents a vulnerability, exposing sensitive information and data to the risk of malicious damage, attack or unauthorized access by hackers. This could result in a loss of sensitive information and lead to the loss of goodwill for the organization. A succinct definition of risk is provided by the Guidelines for the Management of IT Security published by the International Organization for Standardization (ISO), which defines risk as the ‘potential that a given threat will exploit the vulnerability of an asset or group of assets to cause loss or damage to the assets.’ The various elements of the definition are vulnerability, threat, asset and impact. Lack of adequate security functionality in this context is a vulnerability.

  11. Assessing IT risks is BEST achieved by:

    • evaluating threats associated with existing IT assets and IT projects.
    • using the firm’s past actual loss experience to determine current exposure.
    • reviewing published loss statistics from comparable organizations.
    • reviewing IT control weaknesses identified in audit reports.
    To assess IT risks, threats and vulnerabilities need to be evaluated using qualitative or quantitative risk assessment approaches. Choices B, C and D are potentially useful inputs to the risk assessment process, but by themselves are not sufficient. Basing an assessment on past losses will not adequately reflect inevitable changes to the firm’s IT assets, projects, controls and strategic environment. There are also likely to be problems with the scope and quality of the loss data available to be assessed. Comparable organizations will have differences in their IT assets, control environment and strategic circumstances. Therefore, their loss experience cannot be used to directly assess organizational IT risk. Control weaknesses identified during audits will be relevant in assessing threat exposure and further analysis may be needed to assess threat probability. Depending on the scope of the audit coverage, it is possible that not all of the critical IT assets and projects will have recently been audited, and there may not be a sufficient assessment of strategic IT risks.
  12. Which of the following terms refers to systems designed to detect and prevent the unauthorized transmission of information from the computer systems of an organization to outsiders?

    • ILD&P
    • ICT&P
    • ILP&C
    • ILR&D
    • None of the choices.
    Information Leakage Detection and Prevention (ILD&P) is a computer security term referring to systems designed to detect and prevent the unauthorized transmission of information from the computer systems of an organization to outsiders. Network ILD&P systems are gateway-based systems installed on the organization’s Internet connection that analyze network traffic to search for unauthorized information transmissions. Host-based ILD&P systems run on end-user workstations to monitor and control access to physical devices and to access information before it has been encrypted.
  13. To address the risk of operations staff’s failure to perform the daily backup, management requires that the systems administrator sign off on the daily backup. This is an example of risk:

    • avoidance
    • transference
    • mitigation
    • acceptance
    Mitigation is the strategy that provides for the definition and implementation of controls to address the risk described. Avoidance is a strategy that provides for not implementing certain activities or processes that would incur risk. Transference is the strategy that provides for sharing risk with partners or taking insurance coverage. Acceptance is a strategy that provides for formal acknowledgement of the existence of a risk and the monitoring of that risk.
  14. A poor choice of passwords and transmission over unprotected communications lines are examples of:

    • vulnerabilities.
    • threats.
    • probabilities.
    • impacts.
    Vulnerabilities represent characteristics of information resources that may be exploited by a threat. Threats are circumstances or events with the potential to cause harm to information resources. Probabilities represent the likelihood of the occurrence of a threat, while impacts represent the outcome or result of a threat exploiting a vulnerability.
  15. An IS auditor reviewing the risk assessment process of an organization should FIRST:

    • identify the reasonable threats to the information assets.
    • analyze the technical and organizational vulnerabilities.
    • identify and rank the information assets.
    • evaluate the effect of a potential security breach.
    Identification and ranking of information assets (e.g., data criticality, locations of assets) will set the tone or scope of how to assess risk in relation to the organizational value of the asset. Second, the threats facing each of the organization’s assets should be analyzed according to their value to the organization. Third, weaknesses should be identified so that controls can be evaluated to determine if they mitigate the weaknesses. Fourth, analyze how these weaknesses, in the absence of given controls, would impact the organization’s information assets.
  16. An IS auditor is reviewing an IT security risk management program. Measures of security risk should:

    • address all of the network risks.
    • be tracked over time against the IT strategic plan.
    • take into account the entire IT environment.
    • result in the identification of vulnerability tolerances.
    When assessing IT security risk, it is important to take into account the entire IT environment. Measures of security risk should focus on those areas with the highest criticality so as to achieve maximum risk reduction at the lowest possible cost. IT strategic plans are not granular enough to provide appropriate measures. Objective metrics must be tracked over time against measurable goals; thus the management of risk is enhanced by comparing today’s results against those of last week, last month and last quarter. Risk measures will profile assets on a network to objectively measure vulnerability risk. They do not identify tolerances.
  17. Which of the following should be considered FIRST when implementing a risk management program?

    • An understanding of the organization’s threat, vulnerability and risk profile
    • An understanding of the risk exposures and the potential consequences of compromise
    • A determination of risk management priorities based on potential consequences
    • A risk mitigation strategy sufficient to keep risk consequences at an acceptable level
    Implementing risk management, as one of the outcomes of effective information security governance, would require a collective understanding of the organization’s threat, vulnerability and risk profile as a first step. Based on this, an understanding of risk exposure and potential consequences of compromise could be determined. Risk management priorities based on potential consequences could then be developed. This would provide a basis for the formulation of strategies for risk mitigation sufficient to keep the consequences from risk at an acceptable level.
  18. As a driver of IT governance, transparency of IT’s cost, value and risks is primarily achieved through:

    • performance measurement.
    • strategic alignment.
    • value delivery.
    • resource management.
    Performance measurement includes setting and monitoring measurable objectives of what the IT processes need to deliver (process outcome) and how they deliver it (process capability and performance). Strategic alignment primarily focuses on ensuring linkage of business and IT plans. Value delivery is about executing the value proposition throughout the delivery cycle. Resource management is about the optimal investment in and proper management of critical IT resources. Transparency is primarily achieved through performance measurement as it provides information to the stakeholders on how well the enterprise is performing when compared to objectives.
  19. Which of the following should be the MOST important consideration when deciding areas of priority for IT governance implementation?

    • Process maturity
    • Performance indicators
    • Business risk
    • Assurance reports
    Priority should be given to those areas which represent a known risk to the enterprise’s operations. The level of process maturity, process performance and audit reports will feed into the decision making process. Those areas that represent real risk to the business should be given priority.
  20. The PRIMARY benefit of implementing a security program as part of a security governance framework is the:

    • alignment of the IT activities with IS audit recommendations.
    • enforcement of the management of security risks.
    • implementation of the chief information security officer’s (CISO) recommendations.
    • reduction of the cost for IT security.
    The major benefit of implementing a security program is management’s assessment of risk and its mitigation to an appropriate level of risk, and the monitoring of the remaining residual risks. Recommendations, visions and objectives of the auditor and the chief information security officer (CISO) are usually included within a security program, but they would not be the major benefit. The cost of IT security may or may not be reduced.