CISA : Certified Information Systems Auditor : Part 153

  1. An IS auditor reviewing database controls discovered that changes to the database during normal working hours were handled through a standard set of procedures. However, changes made after normal hours required only an abbreviated number of steps. In this situation, which of the following would be considered an adequate set of compensating controls?

    • Allow changes to be made only with the DBA user account.
    • Make changes to the database after granting access to a normal user account.
    • Use the DBA user account to make changes, log the changes and review the change log the following day.
    • Use the normal user account to make changes, log the changes and review the change log the following day.

    The use of a database administrator (DBA) user account is normally set up to log all changes made and is most appropriate for changes made outside of normal hours. A log that records the changes allows them to be reviewed. Using the DBA user account without logging would permit uncontrolled changes to be made to databases once access to the account was obtained, and using a normal user account with no restrictions would allow uncontrolled changes to any of the databases. Logging alone only provides information on the changes made; it does not limit changes to those that were authorized. Hence, logging coupled with a next-day review of the log against authorized requests forms an appropriate set of compensating controls.

  2. Which of the following tests performed by an IS auditor would be the MOST effective in determining compliance with an organization’s change control procedures?

    • Review software migration records and verify approvals.
    • Identify changes that have occurred and verify approvals.
    • Review change control documentation and verify approvals.
    • Ensure that only appropriate staff can migrate changes into production.
    The most effective method is to determine through code comparisons what changes have been made and then verify that they have been approved. Change control records and software migration records may not have all changes listed. Ensuring that only appropriate staff can migrate changes into production is a key control process, but in itself does not verify compliance. 
  3. An IS auditor reviewing a database application discovers that the current configuration does not match the originally designed structure. Which of the following should be the IS auditor’s next action?

    • Analyze the need for the structural change.
    • Recommend restoration to the originally designed structure.
    • Recommend the implementation of a change control process.
    • Determine if the modifications were properly approved.
    An IS auditor should first determine if the modifications were properly approved. Choices A, B and C are possible subsequent actions, should the IS auditor find that the structural modification had not been approved.
  4. A programmer maliciously modified a production program to change data and then restored the original code. Which of the following would MOST effectively detect the malicious activity?

    • Comparing source code
    • Reviewing system log files
    • Comparing object code
    • Reviewing executable and source code integrity
    Reviewing system log files is the only trail that may provide information about the unauthorized activities in the production library. Source and object code comparisons are ineffective because the original program was restored, so there is no longer any difference to detect. Reviewing executable and source code integrity is likewise ineffective, because once the original code has been restored the executable and source code match again.
  5. The purpose of code signing is to provide assurance that:

    • the software has not been subsequently modified.
    • the application can safely interface with another signed application.
    • the signer of the application is trusted.
    • the private key of the signer has not been compromised.
    Code signing can only ensure that the executable code has not been modified after being signed. The other choices are incorrect and actually represent potential and exploitable weaknesses of code signing.
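    To make the distinction concrete, here is an added example (not from the CISA material) that shows what a signature check does and does not establish. It uses textbook RSA over fixed Mersenne primes with the hash reduced modulo n and no padding; that is a toy construction chosen only to keep the example self-contained, not a scheme to sign real code with. The vendor and attacker keys, and the "firmware" bytes, are all constructed.

```python
"""What a code signature proves (added example, toy RSA, not for real use)."""
import hashlib

E = 65537  # public exponent


def make_keypair(p, q):
    """Return (public, private) as ((n, e), (n, d)); p and q are assumed prime."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(E, -1, phi)  # modular inverse; requires gcd(E, phi) == 1
    return (n, E), (n, d)


def _digest_int(data, n):
    # Toy: reduce the SHA-256 digest mod n. Real schemes use a padding such as PSS.
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(private_key, data):
    n, d = private_key
    return pow(_digest_int(data, n), d, n)


def verify(public_key, data, signature):
    n, e = public_key
    return pow(signature, e, n) == _digest_int(data, n)


# Constructed keys: the vendor's and an unrelated attacker's.
# 2**61-1, 2**89-1, 2**107-1 and 2**127-1 are Mersenne primes.
VENDOR_PUB, VENDOR_PRIV = make_keypair(2**61 - 1, 2**89 - 1)
ATTACKER_PUB, ATTACKER_PRIV = make_keypair(2**107 - 1, 2**127 - 1)

FIRMWARE = b"installer v1.0: copies files, registers service"
TROJANED = b"installer v1.0: copies files, registers service, adds backdoor user"


def demonstrate():
    """Return which checks pass. Only 'unmodified' is what code signing promises."""
    sig = sign(VENDOR_PRIV, FIRMWARE)
    return {
        # Integrity: the signature verifies for exactly the bytes that were signed...
        "unmodified": verify(VENDOR_PUB, FIRMWARE, sig),
        # ...and fails for anything modified after signing.
        "tampered": verify(VENDOR_PUB, TROJANED, sig),
        # Trust: a signature from any other key verifies under that key. Whether
        # ATTACKER_PUB should be trusted is a decision the signature cannot make.
        "self_signed_by_attacker": verify(ATTACKER_PUB, TROJANED, sign(ATTACKER_PRIV, TROJANED)),
        # Key compromise: with the vendor's private key, the trojaned build
        # verifies as if the vendor had released it.
        "signed_with_stolen_vendor_key": verify(VENDOR_PUB, TROJANED, sign(VENDOR_PRIV, TROJANED)),
    }


if __name__ == "__main__":
    for check, passed in demonstrate().items():
        print(f"{check}: {'verifies' if passed else 'rejected'}")
```

    The last two results are the weaknesses the explanation refers to: a valid signature says nothing about whether the signing key deserves trust or whether its private half is still only in the signer's hands.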
  6. An IS auditor should recommend the use of library control software to provide reasonable assurance that:

    • program changes have been authorized.
    • only thoroughly tested programs are released.
    • modified programs are automatically moved to production.
    • source and executable code integrity is maintained.
    Library control software should be used to separate test from production libraries in mainframe and/or client server environments. The main objective of library control software is to provide assurance that program changes have been authorized. Library control software is concerned with authorized program changes and would not automatically move modified programs into production and cannot determine whether programs have been thoroughly tested. Library control software provides reasonable assurance that the source code and executable code are matched at the time a source code is moved to production. However, subsequent events such as a hardware failure can result in a lack of consistency between source and executable code.
  7. An organization has recently installed a security patch, which crashed the production server. To minimize the probability of this occurring again, an IS auditor should:

    • apply the patch according to the patch’s release notes.
    • ensure that a good change management process is in place.
    • thoroughly test the patch before sending it to production.
    • approve the patch after doing a risk assessment.
    An IS auditor must review the change management process, including patch management procedures, and verify that the process has adequate controls and make suggestions accordingly. The other choices are part of a good change management process but are not an IS auditor’s responsibility.
  8. When reviewing procedures for emergency changes to programs, the IS auditor should verify that the procedures:

    • allow changes, which will be completed using after-the-fact follow-up.
    • allow undocumented changes directly to the production library.
    • do not allow any emergency changes.
    • allow programmers permanent access to production programs.
    There may be situations where emergency fixes are required to resolve system problems. This involves the use of special logon IDs that grant programmers temporary access to production programs during emergency situations. Emergency changes should be completed using after-the-fact follow-up procedures, which ensure that normal procedures are retroactively applied; otherwise, production may be impacted. Changes made in this fashion should be held in an emergency library from where they can be moved to the production library, following the normal change management process. Programmers should not directly alter the production library nor should they be allowed permanent access to production programs.
  9. To determine if unauthorized changes have been made to production code the BEST audit procedure is to:

    • examine the change control system records and trace them forward to object code files.
    • review access control permissions operating within the production program libraries.
    • examine object code to find instances of changes and trace them back to change control records.
    • review change approved designations established within the change control system.
    The procedure of examining object code files to establish instances of code changes and tracing these back to change control system records is a substantive test that directly addresses the risk of unauthorized code changes. The other choices are valid procedures to apply in a change control audit but they do not directly address the risk of unauthorized code changes.
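    The substantive test described here, and the code-comparison approach preferred in question 2 above, come down to the same procedure: hash what is actually in the production library, compare it with the baseline recorded at the last approved release, and trace every difference back to a change record. The following is an added example, not part of the CISA material; the library contents, the baseline and the change-control records are constructed, and the module and ticket names are hypothetical.

```python
"""Audit object code in a production library against its release baseline
(added example). Library contents, baseline and change records are constructed."""
import hashlib


def sha256(data):
    return hashlib.sha256(data).hexdigest()


# Baseline recorded at the last approved release: module -> hash of object code.
RELEASE_BASELINE = {
    "payroll.o": sha256(b"payroll v3.2 object"),
    "ledger.o": sha256(b"ledger v3.2 object"),
    "report.o": sha256(b"report v3.2 object"),
}

# Constructed snapshot of the production library as the auditor finds it.
PRODUCTION_LIBRARY = {
    "payroll.o": b"payroll v3.2 object",          # unchanged
    "ledger.o": b"ledger v3.3 object",            # changed, approved below
    "report.o": b"report v3.2 object + hook",     # changed, no record at all
    "util.o": b"util object",                     # new module, record not approved
}

# Change-control records, including the hash of the object code each one approved.
CHANGE_RECORDS = [
    {"module": "ledger.o", "ticket": "CHG-2201", "approved": True,
     "new_hash": sha256(b"ledger v3.3 object")},
    {"module": "util.o", "ticket": "CHG-2207", "approved": False,
     "new_hash": sha256(b"util object")},
]


def audit_production_library(baseline, library, records):
    """Return {module: finding} for every module whose object code differs from
    the baseline and cannot be traced to an approved change record.

    The walk starts from what is in production (the substantive direction),
    so a change with no record at all is still found.
    """
    by_module = {r["module"]: r for r in records}
    findings = {}
    for module in sorted(set(baseline) | set(library)):
        if module not in library:
            findings[module] = "present in baseline but missing from production"
            continue
        current = sha256(library[module])
        if baseline.get(module) == current:
            continue  # matches the approved release
        rec = by_module.get(module)
        if rec is None:
            findings[module] = "object code differs from baseline; no change record"
        elif not rec["approved"]:
            findings[module] = f"object code differs; {rec['ticket']} not approved"
        elif rec["new_hash"] != current:
            findings[module] = f"object code differs from what {rec['ticket']} approved"
    return findings


if __name__ == "__main__":
    for module, finding in audit_production_library(
            RELEASE_BASELINE, PRODUCTION_LIBRARY, CHANGE_RECORDS).items():
        print(f"{module}: {finding}")
```

    Tracing in the other direction, from change records forward to object code, would never reach report.o because no record for it exists. The comparison has one blind spot worth keeping in mind from question 4: a module that was modified and then restored hashes identically to the baseline, and only the library's access log can show that it was ever touched.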
  10. The application systems of an organization using open-source software have no single recognized developer producing patches. Which of the following would be the MOST secure way of updating open-source software?

    • Rewrite the patches and apply them
    • Code review and application of available patches
    • Develop in-house patches
    • Identify and test suitable patches before applying them
    Suitable patches from the existing developers should be selected and tested before applying them. Rewriting the patches and applying them is not a correct answer because it would require skilled resources and time to rewrite the patches. Code review could be possible but tests need to be performed before applying the patches. Since the system was developed outside the organization, the IT department may not have the necessary skills and resources to develop patches.
  11. Which of the following processes should an IS auditor recommend to assist in the recording of baselines for software releases?

    • Change management
    • Backup and recovery
    • Incident management
    • Configuration management
    The configuration management process may include automated tools that will provide an automated recording of software release baselines. Should the new release fail, the baseline will provide a point to which to return. The other choices do not provide the processes necessary for establishing software release baselines and are not related to software release baselines.
  12. An IS auditor notes that patches for the operating system used by an organization are deployed by the IT department as advised by the vendor. The MOST significant concern an IS auditor should have with this practice is the nonconsideration by IT of:

    • the training needs for users after applying the patch.
    • any beneficial impact of the patch on the operational systems.
    • delaying deployment until testing the impact of the patch.
    • the necessity of advising end users of new patches.
    Deploying patches without testing exposes an organization to the risk of system disruption or failure. Normally, there is no need for training or advising users when a new operating system patch has been installed. Any beneficial impact is less important than the risk of unavailability that could be avoided with proper testing.
  13. In a small organization, developers may release emergency changes directly to production. Which of the following will BEST control the risk in this situation?

    • Approve and document the change the next business day
    • Limit developer access to production to a specific timeframe
    • Obtain secondary approval before releasing to production
    • Disable the compiler option in the production machine
    It may be appropriate to allow programmers to make emergency changes as long as they are documented and approved after the fact. Restricting the release time frame may help somewhat; however, it would not apply to emergency changes and cannot prevent unauthorized release of programs. Choices C and D are not relevant in an emergency situation.
  14. Time constraints and expanded needs have been found by an IS auditor to be the root causes for recent violations of corporate data definition standards in a new business intelligence project.

    Which of the following is the MOST appropriate suggestion for an auditor to make?

    • Achieve standards alignment through an increase of resources devoted to the project
    • Align the data definition standards after completion of the project
    • Delay the project until compliance with standards can be achieved
    • Enforce standard compliance by adopting punitive measures against violators
    Provided that data architecture, technical, and operational requirements are sufficiently documented, the alignment to standards could be treated as a specific work package assigned to new project resources. The usage of nonstandard data definitions would lower the efficiency of the new development, and increase the risk of errors in critical business decisions. To change data definition standards after project conclusion (choice B) is risky and is not a viable solution. On the other hand, punishing the violators (choice D) or delaying the project (choice C) would be an inappropriate suggestion because of the likely damage to the entire project profitability.
  15. After installing a network, an organization installed a vulnerability assessment tool or security scanner to identify possible weaknesses. Which is the MOST serious risk associated with such tools?

    • Differential reporting
    • False-positive reporting
    • False-negative reporting
    • Less-detail reporting
    False-negative reporting on weaknesses means the control weaknesses in the network are not identified and therefore may not be addressed, leaving the network vulnerable to attack. False-positive reporting is one in which the controls are in place but are evaluated as weak, which should prompt a rechecking of the controls. Less-detail reporting and differential reporting are functions provided by these tools to compare scan results over a period of time.
  16. The FIRST step in managing the risk of a cyber-attack is to:

    • assess the vulnerability impact.
    • evaluate the likelihood of threats.
    • identify critical information assets.
    • estimate potential damage.
    The first step in managing risk is the identification and classification of critical information resources (assets). Once the assets have been identified, the process moves on to the identification of threats and vulnerabilities and the calculation of potential damages.
  17. Which of the following is the MOST effective method for dealing with the spreading of a network worm that exploits vulnerability in a protocol?

    • Install the vendor’s security fix for the vulnerability.
    • Block the protocol traffic in the perimeter firewall.
    • Block the protocol traffic between internal network segments.
    • Stop the service until an appropriate security fix is installed.
    Stopping the service and installing the security fix is the safest way to prevent the worm from spreading. If the service is not stopped, installing the fix is not the most effective method, because the worm continues spreading until the fix becomes effective. Blocking the protocol at the perimeter does not stop the worm from spreading within the internal network(s). Blocking the protocol between internal segments helps to slow the spread but also prevents any software that relies on the protocol from working between segments.
  18. The PRIMARY objective of performing a postincident review is that it presents an opportunity to:

    • improve internal control procedures.
    • harden the network to industry best practices.
    • highlight the importance of incident response management to management.
    • improve employee awareness of the incident response process.
    A postincident review examines both the cause and response to an incident. The lessons learned from the review can be used to improve internal controls. Understanding the purpose and structure of postincident reviews and follow-up procedures enables the information security manager to continuously improve the security program. Improving the incident response plan based on the incident review is an internal (corrective) control. The network may already be hardened to industry best practices. Additionally, the network may not be the source of the incident. The primary objective is to improve internal control procedures, not to highlight the importance of incident response management (IRM), and an incident response (IR) review does not improve employee awareness.
  19. The computer security incident response team (CSIRT) of an organization disseminates detailed descriptions of recent threats. An IS auditor’s GREATEST concern should be that the users might:

    • use this information to launch attacks.
    • forward the security alert.
    • implement individual solutions.
    • fail to understand the threat.
    An organization’s computer security incident response team (CSIRT) should disseminate recent threats, security guidelines and security updates to the users to assist them in understanding the security risk of errors and omissions. However, this introduces the risk that the users may use this information to launch attacks, directly or indirectly. An IS auditor should ensure that the CSIRT is actively involved with users to assist them in mitigation of risks arising from security failures and to prevent additional security incidents resulting from the same threat. Forwarding the security alert is not harmful to the organization, implementing individual solutions is unlikely and users failing to understand the threat would not be a serious concern.
  20. The MAIN criterion for determining the severity level of a service disruption incident is:

    • cost of recovery.
    • negative public opinion.
    • geographic location.
    • downtime.
    The longer the period of time a client cannot be serviced, the greater the severity of the incident. The cost of recovery could be minimal yet the service downtime could have a major impact. Negative public opinion is a symptom of an incident. Geographic location does not determine the severity of the incident.