CISA : Certified Information Systems Auditor : Part 159

  1. Which of the following is an advantage of using electronic data interchange (EDI)?

    • Contracts with the vendors are simplified.
    • Transcription of information is reduced. 
    • Data validation is provided by the service provider.
    • Multiple inputs of the same document are allowed at different locations.
  2. The risk that is created if a single sign-on is implemented for all systems is that a/an:

    • user can bypass current access security.
    • compromised password gives access to all systems. 
    • authorized user can bypass the security layers.
    • user has equivalent access on all systems.
  3. Which of the following BEST addresses the availability of an online store?

    • Online backups
    • A mirrored site at another location
    • RAID level 5 storage devices
    • Clustered architecture
  4. Which of the following BEST enables system resiliency for an e-commerce organization that requires a low recovery time objective (RTO) and a low recovery point objective (RPO)?

    • Redundant arrays
    • Nightly backups
    • Remote backups
    • Mirrored sites
  5. Which of the following is the MOST important control to help minimize the risk of data leakage from calls made to a business-to-business application programming interface (API)?

    • Providing API security awareness training to developers
    • Deploying content inspection at the API gateway 
    • Implementing API server clusters
    • Implementing an API versioning system
  6. Which of the following functions should be performed by the application owners to ensure an adequate segregation of duties between IS and end users?

    • System analysis
    • Authorization of access to data
    • Application programming
    • Data administration
    The application owner is responsible for authorizing access to data. Application development and programming are functions of the IS department. Similarly, system analysis should be performed by qualified persons in IS who have knowledge of IS and user requirements. Data administration is a specialized function related to database management systems and should be performed by qualified database administrators.
  7. Accountability for the maintenance of appropriate security measures over information assets resides with the:

    • security administrator.
    • systems administrator.
    • data and systems owners.
    • systems operations group.
    Management should ensure that all information assets (data and systems) have an appointed owner who makes decisions about classification and access rights. System owners typically delegate day-to-day custodianship to the systems delivery/operations group and security responsibilities to a security administrator. Owners, however, remain accountable for the maintenance of appropriate security measures.
  8. The GREATEST risk when end users have access to a database at its system level, instead of through the application, is that the users can:

    • make unauthorized changes to the database directly, without an audit trail.
    • make use of a system query language (SQL) to access information.
    • remotely access the database.
    • update data without authentication.
    Having access to the database could provide access to database utilities, which can update the database without an audit trail and without using the application. Using SQL only provides read access to information; in a networked environment, accessing the database remotely does not make a difference.
    What is critical is what is possible or completed through this access. To access a database, it is necessary that a user is authenticated using a user ID.
  9. To determine who has been given permission to use a particular system resource, an IS auditor should review:

    • activity lists.
    • access control lists.
    • logon ID lists.
    • password lists.
    Access control lists are the authorization tables that document the users who have been given permission to use a particular system resource and the types of access they have been granted. The other choices would not document who has been given permission to use (access) specific system resources.
  10. Which of the following is the MOST effective control when granting temporary access to vendors?

    • Vendor access corresponds to the service level agreement (SLA).
    • User accounts are created with expiration dates and are based on services provided.
    • Administrator access is provided for a limited period.
    • User IDs are deleted when the work is completed.
    The most effective control is to ensure that the granting of temporary access is based on services to be provided and that there is an expiration date (hopefully automated) associated with each ID. The SLA may have a provision for providing access, but this is not a control; it would merely define the need for access. Vendors require access for a limited period during the time of service. However, it is important to ensure that the access during this period is monitored. Deleting these user IDs after the work is completed is necessary, but if not automated, the deletion could be overlooked.
  11. During a logical access controls review, an IS auditor observes that user accounts are shared. The GREATEST risk resulting from this situation is that:

    • an unauthorized user may use the ID to gain access.
    • user access management is time consuming.
    • passwords are easily guessed.
    • user accountability may not be established.
    The use of a single user ID by more than one individual precludes knowing who in fact used that ID to access a system; therefore, it is literally impossible to hold anyone accountable. All user IDs, not just shared IDs, can be used by unauthorized individuals. Access management would not be any different with shared IDs, and shared user IDs do not necessarily have easily guessed passwords.
  12. Which of the following satisfies a two-factor user authentication?

    • Iris scanning plus fingerprint scanning
    • Terminal ID plus global positioning system (GPS)
    • A smart card requiring the user’s PIN
    • User ID along with password
    A smart card addresses what the user has. This is generally used in conjunction with testing what the user knows, e.g., a keyboard password or personal identification number (PIN). Proving who the user is usually requires a biometrics method, such as fingerprint, iris scan or voice verification, to prove biology. Combining two biometrics is not a two-factor user authentication, because it proves only who the user is. A global positioning system (GPS) receiver reports on where the user is. The use of an ID and password (what the user knows) is a single-factor user authentication.
  13. What is the MOST effective method of preventing unauthorized use of data files?

    • Automated file entry
    • Tape librarian
    • Access control software
    • Locked library
    Access control software is an active control designed to prevent unauthorized access to data.
  14. Which of the following is the PRIMARY safeguard for securing software and data within an information processing facility?

    • Security awareness
    • Reading the security policy
    • Security committee
    • Logical access controls
    To retain a competitive advantage and meet basic business requirements, organizations must ensure the integrity of the information stored on their computer systems, preserve the confidentiality of sensitive data and ensure the continued availability of their information systems. To meet these goals, logical access controls must be in place. Awareness (choice A) by itself does not protect against unauthorized access or disclosure of information. Knowledge of an information systems security policy (choice B), which should be known by the organization’s employees, would help to protect information, but would not prevent the unauthorized access of information. A security committee (choice C) is key to the protection of information assets, but would address security issues within a broader perspective.
  15. When reviewing an organization’s logical access security, which of the following should be of MOST concern to an IS auditor?

    • Passwords are not shared.
    • Password files are not encrypted.
    • Redundant logon IDs are deleted.
    • The allocation of logon IDs is controlled.
    When evaluating the technical aspects of logical security, unencrypted files represent the greatest risk. The sharing of passwords, checking for the redundancy of logon IDs and proper logon ID procedures are essential, but they are less important than ensuring that the password files are encrypted.
  16. Passwords should be:

    • assigned by the security administrator for first time logon.
    • changed every 30 days at the discretion of the user.
    • reused often to ensure the user does not forget the password.
    • displayed on the screen so that the user can ensure that it has been entered properly.
    Initial password assignment should be done discreetly by the security administrator. Passwords should be changed often (e.g., every 30 days); however, changing should not be voluntary, it should be required by the system. Systems should not permit previous passwords to be used again. Old passwords may have been compromised and would thus permit unauthorized access. Passwords should not be displayed in any form.
  17. When performing an audit of access rights, an IS auditor should be suspicious of which of the following if allocated to a computer operator?

    • Read access to data
    • Delete access to transaction data files
    • Logged read/execute access to programs
    • Update access to job control language/script files
    Deletion of transaction data files should be a function of the application support team, not operations staff. Read access to production data is a normal requirement of a computer operator, as is logged access to programs and access to JCL to control job execution.
  18. To prevent unauthorized entry to the data maintained in a dial-up, fast response system, an IS auditor should recommend:

    • online terminals are placed in restricted areas.
    • online terminals are equipped with key locks.
    • ID cards are required to gain access to online terminals.
    • online access is terminated after a specified number of unsuccessful attempts.
    The most appropriate control to prevent unauthorized entry is to terminate the connection after a specified number of unsuccessful attempts. This will deter access through the guessing of IDs and passwords. The other choices are physical controls, which are not effective in deterring unauthorized access via telephone lines.
  19. An IS auditor conducting an access control review in a client-server environment discovers that all printing options are accessible by all users. In this situation, the IS auditor is MOST likely to conclude that:

    • exposure is greater, since information is available to unauthorized users.
    • operating efficiency is enhanced, since anyone can print any report at any time.
    • operating procedures are more effective, since information is easily available.
    • user friendliness and flexibility is facilitated, since there is a smooth flow of information among users.
    Information in all its forms needs to be protected from unauthorized access. Unrestricted access to the report option results in an exposure. Efficiency and effectiveness are not relevant factors in this situation. Greater control over reports will not be accomplished since reports need not be in a printed form only. Information could be transmitted outside as electronic files, because print options allow for printing in an electronic form as well.
  20. Sign-on procedures include the creation of a unique user ID and password. However, an IS auditor discovers that in many cases the username and password are the same. The BEST control to mitigate this risk is to:

    • change the company’s security policy.
    • educate users about the risk of weak passwords.
    • build in validations to prevent this during user creation and password change.
    • require a periodic review of matching user ID and passwords for detection and correction.
    The compromise of the password is the highest risk. The best control is a preventive control through validation at the time the password is created or changed. Changing the company’s security policy and educating users about the risks of weak passwords only provides information to users, but does little to enforce this control. Requiring a periodic review of matching user ID and passwords for detection and ensuring correction is a detective control.