Wednesday 2 March 2016

CISA Question Bank-4

Below are some of the questions collated for easy reference of CISA aspirants. Please note that these questions are freely available on the net and have been collated domain-wise for easy reference.


1. The MOST significant security concern when using flash memory (e.g., USB removable
disk) is that the:
A. contents are highly volatile.
B. data cannot be backed up.
C. data can be copied.
D. device may not be compatible with other peripherals.
The correct answer is:
C. data can be copied.
Explanation:
Unless properly controlled, flash memory provides an avenue for anyone to copy any content with
ease. The contents stored in flash memory are not volatile. Backing up flash memory data is not
a control concern, as the data are often themselves a backup copy. Flash memory is accessed
through a PC rather than through other peripherals; therefore, compatibility is not an issue.
...........................................................................................................
2. In a LAN environment, which of the following minimizes the risk of data corruption
during transmission?
A. Using end-to-end encryption for data communication
B. Using separate conduits for electrical and data cables
C. Using checksums for checking the corruption of data
D. Connecting the terminals using a star topology
The correct answer is:
B. Using separate conduits for electrical and data cables
Explanation:
Using separate conduits for data cables and electrical cables minimizes the risk of data
corruption due to the magnetic field induced by electrical current. Data encryption minimizes the
risk of data leakage in case of wiretapping; however, it cannot prevent corruption. A checksum
will help detect data corruption during communication, but will not prevent it. Using a star
topology can improve the speed of communication, but will neither prevent nor detect
corruption.
...........................................................................................................
3. Which of the following is an operating system access control function?
A. Logging user activities
B. Logging data communication access activities
C. Verifying user authorization at the field level
D. Changing data files
The correct answer is:
A. Logging user activities
Explanation:
General operating system access control functions include logging user activities, logging
events and the like. Choice B is a network control feature. Choices C and D are database- and/or
application-level access control functions.
...........................................................................................................
4. Which of the following types of transmission media provide the BEST security against
unauthorized access?
A. Copper wire
B. Twisted pair
C. Fiber-optic cables
D. Coaxial cables
The correct answer is:
C. Fiber-optic cables
Explanation:
Fiber-optic cables have proven to be more secure than the other media. Copper wire (including
twisted pair) and satellite transmission can be tapped with inexpensive equipment, and coaxial
cable can also be tapped more easily than fiber.
...........................................................................................................
5. Which of the following exposures associated with the spooling of sensitive reports for
offline printing should an IS auditor consider to be the MOST serious?
A. Sensitive data can be read by operators.
B. Data can be amended without authorization.
C. Unauthorized report copies can be printed.
D. Output can be lost in the event of system failure.
The correct answer is:
C. Unauthorized report copies can be printed.
Explanation:
Unless controlled, spooling for offline printing may enable additional copies to be printed. Print
files are unlikely to be available for online reading by operators. Data in spool files are no easier
to amend without authority than any other file. There is usually a lesser threat of unauthorized
access to sensitive reports in the event of a system failure.
...........................................................................................................
6. For an online transaction processing system, transactions per second is a measure of:
A. throughput.
B. response time.
C. turnaround time.
D. uptime.
The correct answer is:
A. throughput.
Explanation:
Throughput measures how much work is done by a system over a period of time; it measures the
productivity of the system. In an online transaction processing system, transactions per second is
a throughput index. Response time is the length of time that elapses between submission of an
input and receipt of the first character of output in an online system. Turnaround time is the
length of time that elapses between submission of a job and receipt of the completed output; it
is a measure of timeliness in a batch system. The percentage of time that the system is available
for processing is called uptime, a reliability index; thus, this is not the correct answer.
...........................................................................................................
7. Which of the following would enable an enterprise to provide its business partners access
to its intranet (i.e., extranet) across the Internet?
A. Virtual private network
B. Client-server
C. Dial-in access
D. Network service provider
The correct answer is:
A. Virtual private network
Explanation:
A virtual private network (VPN) allows external partners to securely participate in the extranet
using public networks as a transport or shared private networks. Because of its low cost, using a
public network (the Internet) as the transport is the principal method. VPNs rely on
tunneling/encapsulation techniques, which allow the Internet Protocol (IP) to carry a variety of
different protocols (e.g., SNA, IPX, NetBEUI). Client-server (choice B) does not address
extending the network to business partners; client-server refers to a group of computers within
an organization connected by a communications network, where the client is the requesting
machine and the server is the supplying machine. Choice C refers to remote users accessing a
secured environment; it is a means of connecting, not a method of extending the intranet to
partners. A network service provider (choice D) may provide Internet services to a shared
private network, but that does not extend an organization's intranet to its partners.
...........................................................................................................
8. In a web server, a common gateway interface (CGI) is MOST often used as a(n):
A. consistent way for transferring data to the application program and back to the user.
B. computer graphics imaging method for movies and TV.
C. graphic user interface for web design.
D. interface to access the private gateway domain.
The correct answer is:
A. consistent way for transferring data to the application program and back to the user.
Explanation:
The common gateway interface (CGI) is a standard way for a web server to pass a user's request
to an application program and to move data back and forth to the user. When the user requests a
web page (for example, by clicking on a highlighted word or entering a web site address), the
server sends back the requested page. However, when a user fills out a form on a web page and
submits it, it usually needs to be processed by an application program. The web server typically
passes the form information to a small application program that processes the data and may send
back a confirmation message. This method, or convention, for passing data back and forth
between the server and the application is called the common gateway interface (CGI). It is a
server-side interface specification (CGI 1.1 is documented in RFC 3875), not part of HTTP
itself; because the form data are handed to an external program, validating and escaping that
input is the CGI program's responsibility.
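The following is an added example, not part of the original question bank, showing the CGI convention the explanation describes: a GET request arrives through the QUERY_STRING environment variable, a POST request through standard input with CONTENT_LENGTH announcing the byte count, and the program answers with headers, a blank line and a body. The function names, the "name" form field and the two sample requests are constructed for illustration. The attacker-controlled field is HTML-escaped before it is echoed, which is the check a CGI program must do itself.

```python
import html
from urllib.parse import parse_qs


def parse_cgi_form(environ, stdin_bytes=b""):
    """Recover the submitted form fields the way a CGI program does:
    a GET request carries them in the QUERY_STRING environment
    variable, a POST request carries them on standard input, with the
    byte count announced in CONTENT_LENGTH."""
    method = environ.get("REQUEST_METHOD", "GET").upper()
    if method == "POST":
        length = int(environ.get("CONTENT_LENGTH") or 0)
        raw = stdin_bytes[:length].decode("utf-8", errors="replace")
    else:
        raw = environ.get("QUERY_STRING", "")
    # parse_qs returns a list per field; keep the first value of each
    return {k: v[0] for k, v in parse_qs(raw, keep_blank_values=True).items()}


def handle_request(environ, stdin_bytes=b""):
    """Build the response the web server relays to the user: CGI
    headers, an empty line, then the body. The field value is
    attacker-controlled, so it is HTML-escaped before being echoed."""
    fields = parse_cgi_form(environ, stdin_bytes)
    name = html.escape(fields.get("name", ""), quote=True)
    body = ("<html><body><p>Thank you, %s. Your form was received.</p>"
            "</body></html>\n" % name)
    headers = ("Content-Type: text/html; charset=utf-8\r\n"
               "Content-Length: %d\r\n" % len(body.encode("utf-8")))
    return headers + "\r\n" + body


if __name__ == "__main__":
    # Constructed requests for illustration, not captured traffic
    get_env = {"REQUEST_METHOD": "GET",
               "QUERY_STRING": "name=Alice&newsletter=yes"}
    print(handle_request(get_env))
    post_body = b"name=%3Cscript%3Ealert(1)%3C%2Fscript%3E"
    post_env = {"REQUEST_METHOD": "POST",
                "CONTENT_LENGTH": str(len(post_body))}
    print(handle_request(post_env, post_body))
```

Run with no arguments: the second request submits a script tag through the form, and the response carries it back as harmless entity-encoded text.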
...........................................................................................................
9. A programmer maliciously modified a production program to change data and then
restored the original code. Which of the following would MOST effectively detect the
malicious activity?
A. Comparing source code
B. Reviewing system log files
C. Comparing object code
D. Reviewing executable and source code integrity
The correct answer is:
B. Reviewing system log files
Explanation:
Reviewing system log files is the only trail that may provide information about the unauthorized
activities in the production library. Source and object code comparisons are ineffective, because
the original programs were restored and the modified versions no longer exist. Reviewing
executable and source code integrity is likewise ineffective, because the executable is built from
whatever source is in the library; once the original source is restored, the two match again and
the check finds nothing.
...........................................................................................................
10. In a small organization, an employee performs computer operations and, when the
situation demands, program modifications. Which of the following should the IS auditor
recommend?
A. Automated logging of changes to development libraries
B. Additional staff to provide separation of duties
C. Procedures that verify that only approved program changes are implemented
D. Access controls to prevent the operator from making program modifications
The correct answer is:
C. Procedures that verify that only approved program changes are implemented
Explanation:
While it would be preferred that strict separation of duties be adhered to and that additional staff
be recruited, as suggested in choice B, this is not always possible in small organizations. The IS
auditor must look at alternative processes to recommend. Of the choices, C is the only practical
one that has an impact. The IS auditor should recommend processes that detect changes to
production source and object code, such as code comparisons, so that the changes can be
reviewed on a regular basis by a third party. This would be a compensating control. Choice A,
logging of changes to development libraries, would not detect changes to production libraries.
Choice D in effect requires a third party to make the changes, which may not be practical in a
small organization.
...........................................................................................................
11. Which of the following propagation problems do wired and wireless transmissions have
in common?
A. Cross-talk
B. Shadow zones
C. Attenuation
D. Multipath interference
The correct answer is:
C. Attenuation
Explanation:
Attenuation exists in both wired and wireless transmissions. Cross-talk is mutual electromagnetic
interference that occurs among wired pairs. Shadow zones are locations at which a receiver
cannot receive radio signals due to an obstruction blocking the direct path between the sender
and the receiver. Multipath interference results when a direct signal arrives together with one or
more reflected radio (wireless) signals.
...........................................................................................................
12. Which of the following LAN physical layouts is subject to total loss if one device fails?
A. Star
B. Bus
C. Ring
D. Completely connected
The correct answer is:
B. Bus
Explanation:
The bus topology is vulnerable to failure if one device fails. In line and bus networks, which are
essentially the same thing, terminals are connected to a single cable. If this cable is severed, all
terminals beyond the point of severance will be unavailable.
...........................................................................................................
13. An IS auditor reviewing a database application discovers that the current configuration
does not match the originally designed structure. Which of the following should be the IS
auditor's next action?
A. Analyze the need for the structural change.
B. Recommend restoration to the originally designed structure.
C. Recommend the implementation of a change control process.
D. Determine if the modifications were properly approved.
The correct answer is:
D. Determine if the modifications were properly approved.
Explanation:
The IS auditor should first determine if the modifications were properly approved. Choices A, B
and C are possible subsequent actions, should the auditor find that the structural modification
had not been approved.
...........................................................................................................
14. Which of the following operating system mechanisms checks each request by a subject
(user process) to access and use an object (e.g., file, device, program) to ensure that the
request complies with a security policy?
A. Address Resolution Protocol
B. Access control analyzer
C. Reference monitor
D. Concurrent monitor
The correct answer is:
C. Reference monitor
Explanation:
A reference monitor is an abstract mechanism that checks each request by a subject (user
process) to access and use an object (e.g., file, device, program) to ensure that the request
complies with a security policy. A reference monitor is implemented via a security kernel, which
is a hardware/software/firmware mechanism; to be trusted it must mediate every access, be
tamper-proof and be small enough to verify. Address Resolution Protocol (ARP) is a protocol
for mapping an Internet Protocol (IP) address to a physical machine address that is recognized in
the local network. An access control analyzer is an audit utility for analyzing how well access
controls have been implemented and maintained within an access control package. A concurrent
monitor is an audit utility that captures select events as application systems are running to
facilitate assessing program quality.
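An added example, not from the original question bank, of the reference monitor idea in miniature: every read and write of an object goes through one check against a policy table, anything not explicitly granted is denied, and each decision is recorded. The subjects (payroll_svc, auditor, intern), the object payroll.db and the class names are assumptions made for illustration; a real security kernel enforces the same three properties (complete mediation, tamper-proofness, verifiability) below the operating system's own interfaces.

```python
class ReferenceMonitor:
    """Mediates every access request. The policy maps (subject, object)
    to the set of permitted access modes; anything not listed is denied
    (default deny), and every decision is appended to an audit trail."""

    def __init__(self):
        self._policy = {}
        self.audit = []

    def grant(self, subject, obj, *modes):
        self._policy.setdefault((subject, obj), set()).update(modes)

    def check(self, subject, obj, mode):
        allowed = mode in self._policy.get((subject, obj), set())
        self.audit.append((subject, obj, mode, "ALLOW" if allowed else "DENY"))
        return allowed


class GuardedStore:
    """Object store whose only entry points call the monitor first, so
    no path to an object bypasses the policy check (complete mediation)."""

    def __init__(self, monitor):
        self._monitor = monitor
        self._objects = {}

    def write(self, subject, name, data):
        if not self._monitor.check(subject, name, "write"):
            raise PermissionError("%s may not write %s" % (subject, name))
        self._objects[name] = data

    def read(self, subject, name):
        if not self._monitor.check(subject, name, "read"):
            raise PermissionError("%s may not read %s" % (subject, name))
        return self._objects[name]


def demo():
    """Constructed scenario: assumed subjects and one assumed object."""
    rm = ReferenceMonitor()
    rm.grant("payroll_svc", "payroll.db", "read", "write")
    rm.grant("auditor", "payroll.db", "read")
    store = GuardedStore(rm)
    store.write("payroll_svc", "payroll.db", b"salary records")
    results = {"auditor_read": store.read("auditor", "payroll.db")}
    try:
        store.write("auditor", "payroll.db", b"tampered")
        results["auditor_write"] = "allowed"
    except PermissionError:
        results["auditor_write"] = "denied"
    try:
        store.read("intern", "payroll.db")   # no grant at all: default deny
        results["intern_read"] = "allowed"
    except PermissionError:
        results["intern_read"] = "denied"
    return results, rm.audit


if __name__ == "__main__":
    outcome, trail = demo()
    print(outcome)
    for entry in trail:
        print(entry)
```

The audit trail is what an auditor reviews for the DENY entries; note that the intern's attempt is denied without any explicit rule, which is the default-deny property.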
...........................................................................................................
15. Vendors have released patches fixing security flaws in their software. Which of the
following should the IS auditor recommend in this situation?
A. Assess the impact of patches prior to installation.
B. Ask the vendors for a new software version with all fixes included.
C. Install the security patch immediately.
D. Decline to deal with these vendors in the future.
The correct answer is:
A. Assess the impact of patches prior to installation.
Explanation:
The effect of installing the patch should be evaluated first, and installation should proceed based
on the results of that evaluation. Installing a patch without knowing what it might affect could
easily cause problems. New software versions with all fixes included are not always available,
and a full installation could be time-consuming. Declining to deal with the vendors does not take
care of the flaw.
...........................................................................................................
16. An IS auditor detected that several PCs connected to the Internet have a low security
level that is allowing for the free recording of cookies. This creates a risk because cookies
locally store:
A. information about the Internet site.
B. information about the user.
C. information for the Internet connection.
D. Internet pages.
The correct answer is:
B. information about the user.
Explanation:
The cookie file resides on the client machine. It contains data passed from web sites, so that web
sites can communicate with this file when the same client returns. The web site only has access
to that part of the cookie file that represents the interaction with that particular web site. Cookie
files have caused some issues with respect to privacy. The four choices all relate to a cookie, but
the fact that the cookie stores information about the user is the risk.
...........................................................................................................
17. In a TCP/IP-based network, an IP address specifies a:
A. network connection.
B. router/gateway.
C. computer in the network.
D. device on the network.
The correct answer is:
A. network connection.
Explanation:
An IP address specifies a network connection. An IP address encodes both a network and a host
on that network; it does not specify an individual computer, but provides a connection to a
network. A router/gateway connects two networks and has two IP addresses. Hence, an IP
address cannot specify a router. A computer in the network can be connected to other networks
as well. It will then use many IP addresses. Such computers are called multihomed hosts. Here,
again, an IP address cannot refer to the computer. IP addresses do not refer to individual devices
on the network, but refer to the connections by which they are connected to the network.
...........................................................................................................
18. To maximize the performance of a large database in a parallel processing environment,
which of the following is used for separating indexes?
A. Disk partitioning
B. Mirroring
C. Hashing
D. Duplexing
The correct answer is:
C. Hashing
Explanation:
An essential part of designing a database for parallel processing is the partitioning scheme.
Because large databases are indexed, independent indexes must also be partitioned to maximize
performance. Hashing is a method used for index partitioning. It associates data to disks based
on a hash key. Disk partitioning creates logical drives on the single disk for better management
of the contents. Disk mirroring uses two identical disks. All operations on the two disks are
performed so that each disk is a mirror image of the other. This provides redundancy in case of
failure of one of the disks. Disk duplexing makes use of more than one disk with two separate
controllers providing redundancy in case of a disk failure or a controller card failure.
...........................................................................................................
19. An organization has outsourced its help desk. Which of the following indicators would
be the BEST to include in the SLA?
A. Overall number of users supported
B. Percentage of incidents solved in the first call
C. Number of incidents reported to the help desk
D. Number of agents answering the phones
The correct answer is:
B. Percentage of incidents solved in the first call
Explanation:
Since it is about service level (performance) indicators, the percentage of incidents solved on the
first call is the only option that is relevant. Choices A, C and D are not quality measures of the
help desk service.
...........................................................................................................
20. Which of the following will help detect changes made by an intruder to the system log of
a server?
A. Mirroring the system log on another server
B. Simultaneously duplicating the system log on a write-once disk
C. Write-protecting the directory containing the system log
D. Storing the backup of the system log offsite
The correct answer is:
B. Simultaneously duplicating the system log on a write-once disk
Explanation:
A write-once disk cannot be overwritten. Therefore, the system log duplicated on the disk can
be compared to the original log to detect differences, which could be the result of changes made
by an intruder. Write-protecting the directory does not prevent deletion or modification, since
the superuser can override the write protection. Backups and mirrors may be overwritten by later
copies and may not be current.
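An added example, not from the original question bank, of the comparison the explanation relies on. A write-once medium is simulated by a class that can only append; the live log is duplicated to it line by line, and the detection step reports lines that exist on the write-once copy but no longer in the live log (deleted or edited) and lines in the live log that never reached the copy (inserted afterwards). The five log lines and the intruder's edits are constructed for illustration.

```python
from collections import Counter

# Constructed sample log; hosts, PIDs and users are made up
ORIGINAL_LOG = [
    "2016-03-02T01:10:03 sshd[412]: Accepted password for ops from 10.0.0.5",
    "2016-03-02T01:12:47 sshd[418]: Failed password for root from 203.0.113.9",
    "2016-03-02T01:12:52 su[420]: FAILED su for root by ops",
    "2016-03-02T01:13:10 su[421]: ops to root",
    "2016-03-02T01:15:00 cron[300]: (root) CMD (backup.sh)",
]


class WriteOnceStore:
    """Simulated write-once medium: lines can be appended but never
    rewritten or removed (the class offers no method to do so)."""

    def __init__(self):
        self._lines = []

    def append(self, line):
        self._lines.append(line)

    def contents(self):
        return tuple(self._lines)


def duplicate_log(live_log, store):
    """Write each line to the write-once copy as it is logged."""
    for line in live_log:
        store.append(line)


def find_tampering(live_log, store):
    """Compare the rewritable log with the write-once copy.
    'missing': on the write-once copy but gone from the live log
               (deleted, or the original text of an edited line);
    'unexpected': in the live log but never written to the copy
               (inserted or edited after the fact)."""
    expected = Counter(store.contents())
    actual = Counter(live_log)
    return {
        "missing": sorted((expected - actual).elements()),
        "unexpected": sorted((actual - expected).elements()),
    }


def demo():
    store = WriteOnceStore()
    duplicate_log(ORIGINAL_LOG, store)
    # Intruder covers tracks: drops the two failed attempts and rewrites
    # the su record so the escalation to root disappears
    tampered = [ORIGINAL_LOG[0],
                ORIGINAL_LOG[3].replace("ops to root", "ops to ops"),
                ORIGINAL_LOG[4]]
    return find_tampering(tampered, store)


if __name__ == "__main__":
    findings = demo()
    for kind, lines in findings.items():
        for line in lines:
            print("%-10s %s" % (kind.upper(), line))
```

A clean log yields two empty lists. Because the comparison is by content rather than by position, a truncated log and an edited line are both reported, and the edited line shows up twice: its original text under "missing" and its new text under "unexpected".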
...........................................................................................................
21. The following question refers to the diagram.
For locations 3a, 1d and 3d, the diagram indicates hubs with lines that appear to be open
and active. Assuming that is true, what control(s), if any, should be recommended to
mitigate this weakness?
A. Intelligent hub
B. Physical security over the hubs
C. Physical security and an intelligent hub
D. No controls are necessary since this is not a weakness.
The correct answer is:
C. Physical security and an intelligent hub
Explanation:
Open hubs represent a significant control weakness because of the potential to access a network
connection easily. An intelligent hub would allow the deactivation of a single port while leaving
the remaining ports active. Additionally, physical security would also provide a reasonable
protection over hubs with active ports.
...........................................................................................................
22. A review of wide area network (WAN) usage discovers that traffic on one
communication line between sites, synchronously linking the master and standby database,
peaks at 96 percent of the line capacity. The IS auditor should conclude that:
A. analysis is required to determine if a pattern emerges that results in a service loss for a
short period of time.
B. WAN capacity is adequate for the maximum traffic demands since saturation has not
been reached.
C. the line should immediately be replaced by one with a larger capacity to provide
approximately 85 percent saturation.
D. users should be instructed to reduce their traffic demands or distribute them across all
service hours to flatten bandwidth consumption.
The correct answer is:
A. analysis is required to determine if a pattern emerges that results in a service loss for a
short period of time.
Explanation:
The peak at 96 percent could be the result of a one-off incident, e.g., a user downloading a large
amount of data; therefore, analysis to establish whether this is a regular pattern and what causes
this behavior should be carried out before expenditure on a larger line capacity is recommended.
Since the link provides for a standby database, a short loss of this service should be acceptable. If
the peak is established to be a regular occurrence without any other opportunities for mitigation
(usage of bandwidth reservation protocol, or other types of prioritizing network traffic), the line
should be replaced as there is the risk of loss of service as the traffic approaches 100 percent. If,
however, the peak is a one-off or can be put in other time frames, then user education may be an
option.
...........................................................................................................
23. Which of the following would an IS auditor expect to find in a console log?
A. Names of system users
B. Shift supervisor identification
C. System errors
D. Data edit errors
The correct answer is:
C. System errors
Explanation:
System errors are the only ones that one would expect to find in the console log.
...........................................................................................................
24. An IS auditor is reviewing the database administration (DBA) function to ascertain
whether adequate provision has been made for controlling data. The IS auditor should
determine that the:
A. function reports to data processing operations.
B. responsibilities of the function are well defined.
C. database administrator is a competent systems programmer.
D. audit software has the capability of efficiently accessing the database.
The correct answer is:
B. responsibilities of the function are well defined.
Explanation:
The IS auditor should determine that the responsibilities of the DBA function are not only well
defined but also that the DBA reports directly to the IS manager or executive, to provide
independence, authority and responsibility. The DBA should not report to either data processing
operations or systems development management. The DBA need not be a competent systems
programmer. Choice D is not as important as choice B.
...........................................................................................................
25. Which of the following BEST limits the impact of server failures in a distributed
environment?
A. Redundant pathways
B. Clustering
C. Dial backup lines
D. Standby power
The correct answer is:
B. Clustering
Explanation:
Clustering allows two or more servers to work as a unit, so that when one of them fails, the other
takes over. Choices A and C are intended to minimize the impact of channel communications
failures, but not a server failure. Choice D provides an alternative power source in the event of
an energy failure.
...........................................................................................................
26. In large corporate networks having supply partners across the globe, network traffic
may continue to rise. The infrastructure components in such environments should be
scalable. Which of the following firewall architectures limits future scalability?
A. Appliances
B. Operating system-based
C. Host-based
D. Demilitarized
The correct answer is:
A. Appliances
Explanation:
Appliance firewalls run firmware embedded in the hardware. Such firmware-based products
cannot be moved to higher-capacity servers, so scaling them means replacing the unit. Firewall
software that sits on an operating system can be scaled by enhancing the power of the server.
Host-based firewalls operate on top of the server operating system and are likewise scalable. A
demilitarized zone is a model of firewall implementation, not a firewall architecture.
...........................................................................................................
27. In an EDI process, the device which transmits and receives electronic documents is the:
A. communications handler.
B. EDI translator.
C. application interface.
D. EDI interface.
The correct answer is:
A. communications handler.
Explanation:
A communications handler transmits and receives electronic documents between trading partners
and/or wide area networks (WANs). An EDI translator translates data between the standard
format and a trading partner's proprietary format. An application interface moves electronic
transactions to or from the application system and performs data mapping. An EDI interface
manipulates and routes data between the application system and the communications handler.
...........................................................................................................
28. Which of the following can be used to verify output results and control totals by
matching them against the input data and control totals?
A. Batch header forms
B. Batch balancing
C. Data conversion error corrections
D. Access controls over print spools
The correct answer is:
B. Batch balancing
Explanation:
Batch balancing is used to verify output results and control totals by matching them against the
input data and control totals. Batch header forms control data preparation; data conversion error
corrections correct errors that occur due to duplication of transactions and inaccurate data entry;
and access controls over print spools prevent reports from being accidentally deleted from print
spools or directed to a different printer.
...........................................................................................................
29. Which of the following is the MOST effective method for dealing with the spreading of
a network worm that exploits a vulnerability in a protocol?
A. Install the vendor's security fix for the vulnerability.
B. Block the protocol traffic in the perimeter firewall.
C. Block the protocol traffic between internal network segments.
D. Stop the service until an appropriate security fix is installed.
The correct answer is:
D. Stop the service until an appropriate security fix is installed.
Explanation:
Stopping the service and then installing the security fix is the safest way to prevent the worm
from spreading. If the service is not stopped, installing the fix is not the most effective method,
because the worm continues to spread until the fix takes effect. Blocking the protocol at the
perimeter does not stop the worm from spreading within the internal network(s). Blocking the
protocol between internal segments helps slow the spread, but it also prevents all software that
uses the protocol from working between segments.
...........................................................................................................
30. Which of the following controls will detect MOST effectively the presence of bursts of
errors in network transmissions?
A. Parity check
B. Echo check
C. Block sum check
D. Cyclic redundancy check
The correct answer is:
D. Cyclic redundancy check
Explanation:
The cyclic redundancy check (CRC) protects a whole block of transmitted data. The sending
station generates the CRC and transmits it with the block; the receiving station recomputes the
CRC and compares it with the one received. If the two are equal, the block is assumed to be
error-free. Unlike a parity check or an echo check, a CRC detects multiple errors in a block: in
general, a CRC detects all single-bit and double-bit errors and every error burst no longer than
the CRC itself. A parity check (also known as a vertical redundancy check) adds one bit, the
parity bit, to each character during transmission; it only notices an odd number of flipped bits in
a character, so against bursts of errors (e.g., impulse noise at high transmission rates) it has a
reliability of approximately 50 percent, a limitation that becomes significant at higher
transmission rates. Echo checks detect line errors by retransmitting the data to the sending device
for comparison with the original transmission.
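An added example, not from the original question bank, that serves both question 2 (a checksum detects but does not prevent corruption) and question 30 (why a CRC catches bursts that parity misses). It implements per-character even parity and a bitwise CRC-16/CCITT-FALSE (generator x^16 + x^12 + x^5 + 1, initial value 0xFFFF, whose published check value for the bytes "123456789" is 0x29B1), then injects a single-bit error and a four-bit burst into a constructed message and reports which check noticed each. The message text and the function names are assumptions for illustration.

```python
def even_parity(byte):
    """Parity bit that makes the number of 1 bits in the byte even."""
    return bin(byte).count("1") & 1


def crc16_ccitt(data, poly=0x1021, init=0xFFFF):
    """Bitwise CRC-16/CCITT-FALSE over a byte string."""
    crc = init
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ poly) if crc & 0x8000 else (crc << 1)
            crc &= 0xFFFF
    return crc


def frame(data):
    """Sender side: a parity bit per byte plus one CRC over the block."""
    data = bytes(data)
    return {"data": data,
            "parity": [even_parity(b) for b in data],
            "crc": crc16_ccitt(data)}


def verify(received, parity, crc):
    """Receiver side: recompute both checks against what arrived and
    report whether each one detected a change. Neither can repair it."""
    parity_ok = (len(received) == len(parity) and
                 all(even_parity(b) == p for b, p in zip(received, parity)))
    return {"parity_detects": not parity_ok,
            "crc_detects": crc16_ccitt(received) != crc}


def inject_burst(data, start_bit, pattern):
    """Flip the bits selected by pattern, starting at start_bit counted
    from the most significant bit of byte 0 ('1' = flip, '0' = keep).
    A pattern such as '1111' is a four-bit burst."""
    out = bytearray(data)
    for i, flip in enumerate(pattern):
        if flip == "1":
            pos = start_bit + i
            out[pos // 8] ^= 0x80 >> (pos % 8)
    return bytes(out)


if __name__ == "__main__":
    msg = b"SEND 100 TO ACCOUNT 42"      # constructed sample block
    f = frame(msg)
    print("check value for 123456789: 0x%04X" % crc16_ccitt(b"123456789"))
    print("single-bit error:", verify(inject_burst(msg, 10, "1"), f["parity"], f["crc"]))
    # Four consecutive flipped bits straddling bytes 2 and 3: two flips
    # in each byte, so every per-byte parity still comes out even
    print("four-bit burst:  ", verify(inject_burst(msg, 22, "1111"), f["parity"], f["crc"]))
```

The single-bit error is caught by both checks. The burst flips an even number of bits in each byte it touches, so every parity bit still matches, while the CRC (a degree-16 polynomial detects all bursts of 16 bits or fewer) flags the block. Neither check prevents the corruption; they only tell the receiver to discard the block and request retransmission.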
...........................................................................................................
31. Which of the following is the MOST critical when evaluating the delivery of IT
services?
A. Tools used to record and analyze incidents
B. Service level agreements negotiated by all appropriate parties
C. Capacity management tools
D. Problem management
The correct answer is:
B. Service level agreements negotiated by all appropriate parties
Explanation:
Service level agreements provide expected levels of service and become the basis for evaluating
the delivery of specified services. Recording tools and capacity management tools provide
information but do not provide a basis against which to measure achievement. Problem
management is not used for evaluating service delivery.
...........................................................................................................
32. Java applets and ActiveX controls are distributed executable programs that execute in
the background of a web browser client. This practice is considered reasonable when:
A. a firewall exists.
B. a secure web connection is used.
C. the source of the executable is certain.
D. the host web site is part of the organization.
The correct answer is:
C. the source of the executable is certain.
Explanation:
Acceptance of these mechanisms should be based on established trust. The control is provided by
knowing the source and only then accepting the applets. Hostile applets can be received from
anywhere, and it is virtually impossible at this time to filter at this level. A secure web
connection or a firewall is an external defense: a firewall has difficulty filtering a specific file
from a trusted source, and a secure web connection provides confidentiality; neither can identify
an executable as friendly. Hosting the web site as part of the organization is impractical.
Enabling the acceptance of Java and/or ActiveX is an all-or-nothing proposition: the client will
accept the program if its parameters are set to do so.
...........................................................................................................
33. The objective of concurrency control in a database system is to:
A. restrict updating of the database to authorized users.
B. prevent integrity problems, when two processes attempt to update the same data at the
same time.
C. prevent inadvertent or unauthorized disclosure of data in the database.
D. ensure the accuracy, completeness and consistency of data.
The correct answer is:
B. prevent integrity problems, when two processes attempt to update the same data at the
same time.
Explanation:
Concurrency controls prevent data integrity problems, which can arise when two update
processes access the same data item at the same time. Access controls restrict updating of the
database to authorized users and controls, such as passwords, prevent the inadvertent or
unauthorized disclosure of data from the database. Quality controls, such as edits, ensure the
accuracy, completeness and consistency of data maintained in the database.
...........................................................................................................
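A runnable illustration of the lost-update problem that concurrency control exists to prevent, added here as an example and not taken from the question bank: the same read-modify-write workload on one shared data item is run with no control, under an exclusive lock (locking-based control), and under a version check (optimistic control). The `DataItem` class, the worker count and the barrier used to force every worker to read before any of them writes are constructed for the demonstration.

```python
import threading


class DataItem:
    """One shared record (say, a stock quantity) as a DBMS would hold it,
    with a version counter used by the optimistic scheme below."""

    def __init__(self, value: int = 0):
        self.value = value
        self.version = 0
        self._lock = threading.Lock()

    def read(self):
        return self.value, self.version

    def write_unchecked(self, new_value: int) -> None:
        # No concurrency control: whoever writes last wins, silently.
        self.value = new_value
        self.version += 1

    def write_if_unchanged(self, expected_version: int, new_value: int) -> bool:
        # Optimistic control: commit only if nobody else committed since our read.
        with self._lock:
            if self.version != expected_version:
                return False  # conflict detected; caller must re-read and retry
            self.value = new_value
            self.version += 1
            return True

    def update_locked(self, fn) -> None:
        # Pessimistic control: an exclusive lock spans the whole read-modify-write.
        with self._lock:
            self.value = fn(self.value)
            self.version += 1


def _run_workers(n: int, target) -> None:
    threads = [threading.Thread(target=target) for _ in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()


def no_control(n: int = 5) -> int:
    """n processes each add 1 with no concurrency control. A barrier makes every
    worker read before any worker writes, so the lost update happens every run."""
    item = DataItem()
    barrier = threading.Barrier(n)

    def worker():
        value, _ = item.read()
        barrier.wait()               # all reads done; now everyone writes stale value + 1
        item.write_unchecked(value + 1)

    _run_workers(n, worker)
    return item.value                # 1, not n: n - 1 updates were lost


def pessimistic(n: int = 5) -> int:
    """Same workload under an exclusive lock (locking-based concurrency control)."""
    item = DataItem()
    _run_workers(n, lambda: item.update_locked(lambda v: v + 1))
    return item.value                # n


def optimistic(n: int = 5) -> int:
    """Same workload with version checking: conflicting writers are rejected
    and retry from a fresh read instead of overwriting each other."""
    item = DataItem()
    barrier = threading.Barrier(n)

    def worker():
        first_attempt = True
        while True:
            value, version = item.read()
            if first_attempt:        # force the same collision as in no_control()
                barrier.wait()
                first_attempt = False
            if item.write_if_unchanged(version, value + 1):
                return

    _run_workers(n, worker)
    return item.value                # n
```

Both controlled variants end with the value equal to the number of updates; the uncontrolled variant ends at 1 regardless of how many processes ran, which is the integrity problem the question describes.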
34. A referential integrity constraint consists of:
A. ensuring the integrity of transaction processing.
B. ensuring that data are updated through triggers.
C. ensuring controlled user updates to the database.
D. rules for designing tables and queries.
The correct answer is:
B. ensuring that data are updated through triggers.
Explanation:
Referential integrity constraints ensure that a change in a primary key of one table is
automatically updated in the matching foreign keys of other tables. This is done using triggers.
...........................................................................................................
35. Which of the following would be considered an essential feature of a network
management system?
A. A graphical interface to map the network topology
B. Capacity to interact with the Internet to solve the problems
C. Connectivity to a help desk for advice on difficult issues
D. An export facility for piping data to spreadsheets
The correct answer is:
A. A graphical interface to map the network topology
Explanation:
To trace the topology of the network, a graphical interface would be essential. It is not necessary
that each network be on the Internet and connected to a help desk, and the ability to export to a
spreadsheet is not an essential element.
...........................................................................................................
36. An organization is moving its application maintenance in-house from an outside source.
Which of the following should be the main concern of an IS auditor?
A. Regression testing
B. Job scheduling
C. User manuals
D. Change control procedures
The correct answer is:
D. Change control procedures
Explanation:
It is essential for the maintenance and control of software that change control procedures be in
place. Regression testing is completed after changes are made to the software, and since the
software is already being used, the job schedule must be in place and may be reviewed later. This
change does not affect user manuals and any associated risks.
...........................................................................................................
37. Which of the following translates e-mail formats from one network to another, so the
message can travel through all the networks?
A. Gateway
B. Protocol converter
C. Front-end communication processor
D. Concentrator/multiplexor
The correct answer is:
A. Gateway
Explanation:
A gateway performs the job of translating e-mail formats from one network to another, so
messages can make their way through all the networks. A protocol converter is a hardware
device that converts between two different types of transmissions, such as asynchronous and
synchronous transmissions. A front-end communication processor connects all network
communication lines to a central computer to relieve the central computer from performing
network control, format conversion and message handling tasks. A concentrator/multiplexor is a
device used for combining several lower-speed channels into a higher-speed channel.
...........................................................................................................
38. Utilizing audit software to compare the object code of two programs is an audit
technique used to test program:
A. logic.
B. changes.
C. efficiency.
D. computations.
The correct answer is:
B. changes.
Explanation:
The use of audit software to compare programs is an audit technique used to test change control.
...........................................................................................................
39. Which of the following devices extends the network and has the capacity to store frames
and act as a storage and forward device?
A. Router
B. Bridge
C. Repeater
D. Gateway
The correct answer is:
B. Bridge
Explanation:
A bridge connects two separate networks to form a logical network (e.g., joining an Ethernet and
token network) and has the storage capacity to store frames and act as a storage and forwarding
device. Bridges operate at the OSI data link layer by examining the media access control header
of a data packet. Routers are switching devices that operate at the OSI network layer by
examining network addresses (i.e., routing information encoded in an IP packet). The router, by
examining the IP address, can make intelligent decisions in directing the packet to its destination.
Repeaters amplify transmission signals to reach remote devices by taking a signal from a LAN,
reconditioning and retiming it, and sending it to another. This functionality is hardware-encoded
and occurs at the OSI physical layer. Gateways provide access paths to foreign networks.
...........................................................................................................
40. When reviewing the implementation of a LAN, the IS auditor should FIRST review the:
A. node list.
B. acceptance test report.
C. network diagram.
D. user's list.
The correct answer is:
C. network diagram.
Explanation:
To properly review a LAN implementation, the IS auditor should first verify the network
diagram and confirm the approval. Verification of nodes from the node list and the network
diagram would be next followed by a review of the acceptance test report and then the user's list.
...........................................................................................................
41. The FIRST step in managing the risk of a cyberattack is to:
A. assess the vulnerability impact.
B. evaluate the likelihood of threats.
C. identify critical information assets.
D. estimate potential damage.
The correct answer is:
C. identify critical information assets.
Explanation:
The first step in managing risk is the identification and classification of critical information
resources (assets). Once the assets have been identified, the process moves on to the identification
of threats and vulnerabilities and the calculation of potential damages.
...........................................................................................................
42. Which of the following is the MOST effective means of determining which controls are
functioning properly in an operating system?
A. Consulting with the vendor
B. Reviewing the vendor installation guide
C. Consulting with the system programmer
D. Reviewing the system generation parameters
The correct answer is:
D. Reviewing the system generation parameters
Explanation:
System generation parameters determine how a system runs, the physical configuration and its
interaction with the workload.
...........................................................................................................
43. By establishing a network session through an appropriate application, a sender
transmits a message by breaking it into packets, but the packets may reach the receiver out
of sequence. Which OSI layer addresses the out-of-sequence message through segment
sequencing?
A. Network layer
B. Session layer
C. Application layer
D. Transport layer
The correct answer is:
D. Transport layer
Explanation:
The function of resequencing packets (segments) received out of order is handled by the
transport layer. None of the network, session or application layers addresses resequencing.
...........................................................................................................
44. Which of the following procedures would MOST effectively detect the loading of illegal
software packages onto a network?
A. The use of diskless workstations
B. Periodic checking of hard drives
C. The use of current antivirus software
D. Policies that result in instant dismissal if violated
The correct answer is:
B. Periodic checking of hard drives
Explanation:
The periodic checking of hard drives would be the most effective method of identifying illegal
software packages loaded to the network. Antivirus software will not necessarily identify illegal
software, unless the software contains a virus. Diskless workstations act as a preventive control
and are not effective, since users could still download software from other than diskless
workstations. Policies lay out the rules about loading the software, but will not detect the actual
occurrence.
...........................................................................................................
45. A benefit of quality of service (QoS) is that the:
A. entire network's availability and performance will be significantly improved.
B. telecom carrier will provide the company with accurate service-level compliance reports.
C. participating applications will have guaranteed service levels.
D. communications link will be supported by security controls to perform secure online
transactions.
The correct answer is:
C. participating applications will have guaranteed service levels.
Explanation:
The main function of QoS is to optimize network performance by assigning priority to business
applications and end users, through the allocation of dedicated parts of the bandwidth to specific
traffic. Choice A is not true because the communication itself will not be improved, while the
speed of data exchange for specific applications could be faster. Availability will not be
improved. The QoS tools that many carriers are using do not provide reports of service levels;
however, there are other tools that will generate service-level reports. Even when QoS is
integrated with firewalls, VPNs, encryption tools and others, the tool itself is not intended to
provide security controls.
...........................................................................................................
46. An installed Ethernet cable run in an unshielded twisted pair (UTP) network is more
than 100 meters long. Which of the following could be caused by the length of the cable?
A. Electromagnetic interference (EMI)
B. Cross-talk
C. Dispersion
D. Attenuation
The correct answer is:
D. Attenuation
Explanation:
Attenuation is the weakening of signals during transmission. When the signal becomes weak, it
begins to read a 1 for a 0, and the user may experience communication problems. UTP faces
attenuation around 100 meters. Electromagnetic interference (EMI) is caused by outside
electromagnetic waves affecting the desired signals, which is not the case here. Cross-talk has
nothing to do with the length of the UTP cable.
...........................................................................................................
47. Which of the following is the BEST control to detect internal attacks on IT resources?
A. Checking of activity logs
B. Reviewing firewall logs
C. Implementing a security policy
D. Implementing appropriate segregation of duties
The correct answer is:
A. Checking of activity logs
Explanation:
Verification of individual activity logs will detect the misuse of IT resources. Depending on the
configuration, firewall logs can help in detecting attacks passing through the firewall.
Implementation of a security policy and segregation of duties are deterrent controls that might
prevent the misuse of IT resources.
...........................................................................................................
48. One of the purposes of library control software is to allow:
A. programmers access to production source and object libraries.
B. batch program updating.
C. operators to update the control library with the production version before testing is
completed.
D. read-only access to source code.
The correct answer is:
D. read-only access to source code.
Explanation:
An important purpose of library control software is to allow read-only access to source code.
Choices A, B and C are activities which library control software should help to prevent or
prohibit.
...........................................................................................................
49. The BEST way to minimize the risk of communication failures in an e-commerce
environment would be to use:
A. compression software to minimize transmission duration.
B. functional or message acknowledgments.
C. a packet-filtering firewall to reroute messages.
D. leased asynchronous transfer mode lines.
The correct answer is:
D. leased asynchronous transfer mode lines.
Explanation:
Leased asynchronous transfer mode lines are a way to avoid using public and shared
infrastructures from the carrier or Internet service provider that have a greater number of
communication failures. Compression software, choice A, is a valid way to reduce the problem,
but is not as good as leased asynchronous transfer mode lines. Choice B is a control based on
higher protocol layers and helps if communication lines are introducing noise, but not if a link is
down. A packet-filtering firewall, choice C, does not reroute messages.
...........................................................................................................
50. Which of the following controls would be MOST effective in ensuring that production
source code and object code are synchronized?
A. Release-to-release source and object comparison reports
B. Library control software restricting changes to source code
C. Restricted access to source code and object code
D. Date and time-stamp reviews of source and object code
The correct answer is:
D. Date and time-stamp reviews of source and object code
Explanation:
Date and time-stamp reviews of source and object code would ensure that source code, which
has been compiled, matches the production object code. This is the most effective way to ensure
that the approved production source code is compiled and is the one being used.
...........................................................................................................
51. IS management has recently informed the IS auditor of its decision to disable certain
referential integrity controls in the payroll system to provide users with a faster report
generator. This will MOST likely increase the risk of:
A. data entry by unauthorized users.
B. a nonexistent employee being paid.
C. an employee receiving an unauthorized raise.
D. duplicate data entry by authorized users.
The correct answer is:
B. a nonexistent employee being paid.
Explanation:
Referential integrity controls prevent the occurrence of unmatched foreign key values. Given that
a nonexistent employee does not appear in the employees table, there will never be a
corresponding entry in the salary payment's table. The other choices cannot be detected by
referential integrity controls.
...........................................................................................................
52. Which of the following is MOST directly affected by network performance monitoring
tools?
A. Integrity
B. Availability
C. Completeness
D. Confidentiality
The correct answer is:
B. Availability
Explanation:
In case of a disruption in service, one of the key functions of network performance monitoring
tools is to ensure that the information has remained unaltered. It is a function of security
monitoring to assure confidentiality by using such tools as encryption. However, the most
important aspect of network performance is assuring the ongoing dependence on connectivity to
run the business. Therefore, the characteristic that benefits the most from network monitoring is
availability.
...........................................................................................................
53. The database administrator has decided to disable certain normalization controls in the
database management system (DBMS) software to provide users with increased query
performance. This will MOST likely increase the risk of:
A. loss of audit trails.
B. redundancy of data.
C. loss of data integrity.
D. unauthorized access to data.
The correct answer is:
B. redundancy of data.
Explanation:
Normalization is the removal of redundant data elements from the database structure. Disabling
features of normalization in relational databases will increase the likelihood of data redundancy.
Audit trails are a feature of DBMS software that can be lost by not enabling them. These are not
connected to normalization controls. The integrity of data is not directly affected by disabling
normalization controls. Access to data is set through defining user rights and controlling access
to information, and is not affected by normalization controls.
...........................................................................................................
54. Which of the following network components is PRIMARILY set up to serve as a
security measure by preventing unauthorized traffic between different segments of the
network?
A. Firewalls
B. Routers
C. Layer 2 switches
D. VLANs
The correct answer is:
A. Firewalls
Explanation:
Firewall systems are the primary tool that enables an organization to prevent unauthorized access
between networks. An organization may choose to deploy one or more systems that function as
firewalls. Routers can filter packets based on parameters, such as source address, but are not
primarily a security tool. Layer 2 switches separate traffic into segments per port based on Media
Access Control (MAC) addresses, without determining whether the traffic is authorized or
unauthorized. A virtual LAN (VLAN) is a functionality of some switches that allows them to
switch traffic between different ports as if they were in the same LAN; nevertheless, VLANs do
not deal with authorized vs. unauthorized traffic.
...........................................................................................................
55. In a client-server system, which of the following control techniques is used to inspect
activity from known or unknown users?
A. Diskless workstations
B. Data encryption techniques
C. Network monitoring devices
D. Authentication systems
The correct answer is:
C. Network monitoring devices
Explanation:
Network monitoring devices may be used to inspect activities from known or unknown users and
can identify client addresses, which may assist in finding evidence of unauthorized access. This
serves as a detective control. Diskless workstations prevent access control software from being
bypassed. Data encryption techniques can help protect sensitive or proprietary data from
unauthorized access, thereby serving as a preventive control. Authentication systems may
provide environment-wide, logical facilities that can differentiate among users, before providing
access to systems.
...........................................................................................................
56. The most likely error to occur when implementing a firewall is:
A. incorrectly configuring the access lists.
B. compromising the passwords due to social engineering.
C. connecting a modem to the computers in the network.
D. inadequately protecting the network and server from virus attacks.
The correct answer is:
A. incorrectly configuring the access lists.
Explanation:
An updated and flawless access list is a significant challenge and, therefore, has the greatest
chance for errors at the time of the initial installation. Passwords do not apply to firewalls, a
modem bypasses a firewall and a virus attack is not an element in implementing a firewall.
...........................................................................................................
57. IT operations for a large organization have been outsourced. An IS auditor reviewing
the outsourced operation should be MOST concerned about which of the following
findings?
A. The outsourcing contract does not cover disaster recovery for the outsourced IT
operations.
B. The service provider does not have incident handling procedures.
C. Recently a corrupted database could not be recovered because of library management
problems.
D. Incident logs are not being reviewed.
The correct answer is:
A. The outsourcing contract does not cover disaster recovery for the outsourced IT
operations.
Explanation:
The lack of a disaster recovery provision presents a major business risk. Incorporating such a
provision into the contract will provide the outsourcing organization leverage over the service
provider. Choices B, C and D are problems that should be addressed by the service provider, but
are not as important as contract requirements for disaster recovery.
...........................................................................................................
58. A network diagnostic tool that monitors and records network information is a(n):
A. online monitor.
B. downtime report.
C. help desk report.
D. protocol analyzer.
The correct answer is:
B. downtime report.
Explanation:
Protocol analyzers are network diagnostic tools that monitor and record network information
from packets traveling in the link to which the analyzer is attached. Online monitors (choice A)
measure telecommunications transmissions and determine whether transmissions were accurate
and complete. Downtime reports (choice B) track the availability of telecommunication lines and
circuits. Help desk reports (choice C) are prepared by the help desk, which is staffed or
supported by IS technical support personnel trained to handle problems occurring during the
course of IS operations.
...........................................................................................................
59. In regard to moving an application program from the test environment to the
production environment, the BEST control would be provided by having the:
A. application programmer copy the source program and compiled object module to the
production libraries.
B. application programmer copy the source program to the production libraries and then
have the production control group compile the program.
C. production control group compile the object module to the production libraries using
the source program in the test environment.
D. production control group copy the source program to the production libraries and then
compile the program.
The correct answer is:
D. production control group copy the source program to the production libraries and then
compile the program.
Explanation:
The best control would be provided by having the production control group copy the source
program to the production libraries and then compile the program.
...........................................................................................................
60. To evaluate the referential integrity of a database, an IS auditor should review the:
A. composite keys.
B. indexed fields.
C. physical schema.
D. foreign keys.
The correct answer is:
D. foreign keys.
Explanation:
A foreign key is a column in a table that references a primary key of another table, thus
providing the referential integrity. Composite keys consist of two or more columns designated
together as a table's primary key. Field indexing speeds up searches, but does not ensure
referential integrity. Referential integrity is related to the logical schema, not the physical
schema.
...........................................................................................................
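A worked example added here, not taken from the question bank or from ISACA material, that ties together questions 34, 51 and 60: it uses Python's built-in sqlite3 module, whose foreign key enforcement can be switched on or off per connection, to show what the referential integrity control prevents, how a primary key change cascades to matching foreign keys when the control is on, and what an auditor's orphan-row check finds when it has been disabled. The payroll schema, employee rows, identifiers and amounts are constructed for the demonstration.

```python
import sqlite3

# Constructed payroll schema: salary_payment.emp_id is a foreign key to employee,
# the control discussed in questions 34, 51 and 60.
SCHEMA = """
CREATE TABLE employee (
    emp_id INTEGER PRIMARY KEY,
    name   TEXT NOT NULL
);
CREATE TABLE salary_payment (
    pay_id INTEGER PRIMARY KEY,
    emp_id INTEGER NOT NULL REFERENCES employee(emp_id) ON UPDATE CASCADE,
    amount REAL    NOT NULL
);
"""

# Constructed sample employees.
EMPLOYEES = [(100, "Alice Auditor"), (101, "Bob Bookkeeper")]


def open_payroll(enforce_fk: bool) -> sqlite3.Connection:
    """In-memory payroll database with referential integrity enforced
    (enforce_fk=True) or disabled, the situation in question 51."""
    conn = sqlite3.connect(":memory:")
    # SQLite enforces foreign keys only when this pragma is on for the connection;
    # it must be set outside a transaction, so it comes before any DML.
    conn.execute("PRAGMA foreign_keys = %s" % ("ON" if enforce_fk else "OFF"))
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO employee (emp_id, name) VALUES (?, ?)", EMPLOYEES)
    conn.commit()
    return conn


def pay(conn: sqlite3.Connection, emp_id: int, amount: float) -> bool:
    """Record a salary payment. True if accepted, False if the foreign key rejected it."""
    try:
        conn.execute(
            "INSERT INTO salary_payment (emp_id, amount) VALUES (?, ?)", (emp_id, amount)
        )
        conn.commit()
        return True
    except sqlite3.IntegrityError:
        conn.rollback()
        return False


def orphaned_payments(conn: sqlite3.Connection) -> list:
    """Auditor's reference check: payments whose emp_id matches no employee row.
    Empty while the control is enforced; with it disabled, this is the
    'nonexistent employee being paid' risk made visible."""
    return conn.execute(
        """SELECT p.pay_id, p.emp_id, p.amount
           FROM salary_payment AS p
           LEFT JOIN employee AS e ON e.emp_id = p.emp_id
           WHERE e.emp_id IS NULL"""
    ).fetchall()


def renumber_employee(conn: sqlite3.Connection, old_id: int, new_id: int) -> list:
    """Change an employee's primary key and return the emp_ids now held in
    salary_payment. ON UPDATE CASCADE keeps the foreign keys matching
    (question 34) only while enforcement is on."""
    conn.execute("UPDATE employee SET emp_id = ? WHERE emp_id = ?", (new_id, old_id))
    conn.commit()
    return [r[0] for r in conn.execute("SELECT emp_id FROM salary_payment ORDER BY pay_id")]


def run_demo() -> dict:
    """Run the same payroll actions with the control on and off; keyed by enforce_fk."""
    results = {}
    for enforce in (True, False):
        conn = open_payroll(enforce)
        real_accepted = pay(conn, 100, 4200.0)    # existing employee
        ghost_accepted = pay(conn, 999, 4200.0)   # no such employee
        orphans = orphaned_payments(conn)
        ids_after_renumber = renumber_employee(conn, 100, 200)
        results[enforce] = {
            "real_accepted": real_accepted,
            "ghost_accepted": ghost_accepted,
            "orphans": orphans,
            "ids_after_renumber": ids_after_renumber,
        }
        conn.close()
    return results


if __name__ == "__main__":
    for enforce, outcome in run_demo().items():
        print("foreign keys enforced:", enforce, outcome)
```

With enforcement on, the payment to employee 999 is rejected and the renumbering of employee 100 propagates to the payment row; with it off, the ghost payment is accepted and the orphan check is the only thing that reveals it, while the renumbering silently leaves a second payment row pointing at an id that no longer exists.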
61. A critical function of a firewall is to act as a:
A. special router that connects the Internet to a LAN.
B. device for preventing authorized users from accessing the LAN.
C. server used to connect authorized users to private, trusted network resources.
D. proxy server to increase the speed of access to authorized users.
The correct answer is:
C. server used to connect authorized users to private, trusted network resources.
Explanation:
A firewall is a set of related programs, located at a network gateway server, that protects the
resources of a private network from users of other networks. An enterprise with an intranet that
allows its workers access to the wider Internet installs a firewall to prevent outsiders from
accessing its own private data resources and for controlling the outside resources to which its
own users have access. Basically, a firewall, working closely with a router program, filters all
network packets to determine whether or not to forward them to their destination. A firewall
includes or works with a proxy server that makes network requests on behalf of workstation
users. A firewall is often installed in a specially designated computer separate from the rest of
the network, so no incoming request can get directed to private network resources.
...........................................................................................................
62. An IS auditor needs to link his/her microcomputer to a mainframe system that uses
binary synchronous data communications with block data transmission. However, the IS
auditor's microcomputer, as presently configured, is capable of only asynchronous ASCII
character data communications. Which of the following must be added to the IS auditor's
computer to enable it to communicate with the mainframe system?
A. Buffer capacity and parallel port
B. Network controller and buffer capacity
C. Parallel port and protocol conversion
D. Protocol conversion and buffer capability
The correct answer is:
D. Protocol conversion and buffer capability
Explanation:
For the IS auditor's microcomputer to communicate with the mainframe, the IS auditor must use
a protocol converter to convert the asynchronous and synchronous transmission. Additionally,
the message must be spooled to the buffer to compensate for different rates of data flow.
...........................................................................................................
63. When reviewing a firewall, which of the following should be of MOST concern to an IS
auditor?
A. A well-defined security policy
B. Implementation of a firewall with the latest and most secure algorithm
C. The effectiveness of the firewall in enforcing the security policy
D. The security of the platform in which the firewall resides
The correct answer is:
C. The effectiveness of the firewall in enforcing the security policy
Explanation:
The existence of a good security policy is important, but if the firewall has not been implemented
so as to effectively enforce the policy, then the policy is of little value. Although the other
choices are concerns, they are not as great a concern as the effectiveness of the firewall in
enforcing the security policy.
...........................................................................................................
64. Which of the following controls would provide the GREATEST assurance of database
integrity?
A. Audit log procedures
B. Table link/reference checks
C. Query/table access time checks
D. Rollback and rollforward database features
The correct answer is:
B. Table link/reference checks
Explanation:
Performing table link/reference checks serves to detect table linking errors (such as completeness
and accuracy of the contents of the database) and thus provides the greatest assurance of
database integrity. Audit log procedures enable recording of all events that have been identified
and help in tracing the events. However, they only point to the event and do not ensure
completeness or accuracy of the database's contents. Querying/monitoring table access time
checks helps designers improve database performance, but not integrity. Rollback and
rollforward database features ensure recovery from an abnormal disruption. They assure the
integrity of the transaction that was being processed at the time of disruption, but do not provide
assurance on the integrity of the contents of the database.
...........................................................................................................
65. Which of the following protocols would be involved in the implementation of a router
and an interconnectivity device monitoring system?
A. Simple Network Management Protocol
B. File Transfer Protocol
C. Simple Mail Transfer Protocol
D. Telnet
The correct answer is:
A. Simple Network Management Protocol
Explanation:
The Simple Network Management Protocol provides a means to monitor and control network
devices and to manage configurations and performance. The File Transfer Protocol (FTP),
transfers files from a computer on the Internet to the user's computer and does not have any
functionality related to monitoring network devices. Simple Mail Transfer Protocol (SMTP) is a
protocol for sending and receiving e-mail messages and does not provide any monitoring or
management for network devices. Telnet is a standard terminal emulation protocol used for
remote terminal connections, enabling users to log into remote systems and use resources as if
they were connected to a local system; it does not provide any monitoring or management of
network devices.
...........................................................................................................
66. Which of the following is the BEST method for preventing exploitation of system
vulnerabilities?
A. Log monitoring
B. Virus protection
C. Intrusion detection
D. Patch management
The correct answer is:
D. Patch management
Explanation:
Many system vulnerabilities exist because of defects in the design of system code and require the
vendor to issue patches to eliminate the exposures. Effective patch management is the best
method of preventing exploitation in that it can eliminate the identified vulnerabilities. Log
monitoring, intrusion detection and virus protection will not as effectively prevent such
exploitation.
...........................................................................................................
67. Which of the following reports should an IS auditor use to check compliance with a
service level agreement's (SLA) requirement for uptime?
A. Utilization reports
B. Hardware error reports
C. System logs
D. Availability reports
The correct answer is:
D. Availability reports
Explanation:
IS inactivity, such as downtime, is addressed by availability reports. These reports provide the
time periods during which the computer was available for utilization by users or other processes.
Utilization reports document the use of computer equipment, and can be used by management to
predict how/where/when resources are required. Hardware error reports provide information to
aid in detecting hardware failures and initiating corrective action. System logs are a recording of
the system's activities.
...........................................................................................................
68. A programmer, using firecall IDs, as provided in the manufacturer's manual, gained
access to the production environment and made an unauthorized change. Which of the
following could have prevented this from happening?
A. Deactivation
B. Monitoring
C. Authorization
D. Resetting
The correct answer is:
D. Resetting
Explanation:
The vendor-supplied firecall IDs should be reset at the time of implementing the system and new
IDs generated. Deactivation may cause the disruption of a critical production job. Without
resetting the vendor-provided firecall IDs, monitoring and authorization of such IDs are not
effective controls.
...........................................................................................................
69. A Ping command is used to measure:
A. attenuation.
B. throughput.
C. delay distortion.
D. latency.
The correct answer is:
D. latency.
Explanation:
Latency, which is measured using a Ping command, represents the delay that a message/packet
will have in traveling from source to destination. A decrease in amplitude as a signal propagates
through a transmission medium is called attenuation. Throughput, which is the quantity of work
per unit of time, is measured in bytes per second. Delay distortion represents delay in
transmission because the rate of propagation of a signal along a transmission line varies with the
frequency.
...........................................................................................................
70. The method of routing traffic through split-cable facilities or duplicate-cable facilities is
called:
A. alternative routing.
B. diverse routing.
C. redundancy.
D. circular routing.
The correct answer is:
B. diverse routing.
Explanation:
Diverse routing is the method of routing traffic through split-cable facilities or duplicate-cable
facilities, which can be accomplished with different/duplicate cable sheaths. Alternative routing
is the method of routing information via an alternative medium, such as copper cable or fiber
optics. Redundancy involves providing extra capacity, with an option to use such excess capacity
in the event the primary transmission capability is not available. Circular routing is the logical
path of a message in a communication network based on a series of gates at the physical network
layer in the open system interconnection.
...........................................................................................................
71. Which of the following line media would provide the BEST security for a
telecommunication network?
A. Broadband network digital transmission
B. Baseband network
C. Dial-up
D. Dedicated lines
The correct answer is:
D. Dedicated lines
Explanation:
Dedicated lines are set apart for a particular user or organization. Since there is no sharing of
lines or intermediate entry points, the risk of interception or disruption of telecommunications
messages is lower.
...........................................................................................................
72. An organization has outsourced IT operations to a service provider. The organization's
IS auditor makes the following observations:
- Key servers located at the outsourcing organization are about to be moved to
the service provider.
- Critical systems are backed up, but recovery is inefficient.
- Disaster recovery is not covered by the outsourcing contract.
- The service provider backs up data to the building next to it.
Which of the following should the IS auditor recommend be done immediately?
A. Improve the backup of critical systems.
B. Delay moving the servers.
C. Incorporate disaster recovery in the contract.
D. Back up data to a location further away from the service provider.
The correct answer is:
B. Delay moving the servers.
Explanation:
Moving the servers may cause a business interruption and should be postponed until disaster
recovery is included in the outsourcing contract. Choices A, C and D should be addressed during
the development of viable disaster recovery provisions and after the server move is postponed.
...........................................................................................................
73. During an audit of the tape management system at a data center, an IS auditor
discovered that parameters are set to bypass or ignore the labels written on tape header
records. The IS auditor also determined that effective staging and job setup procedures
were in place. In this situation, the IS auditor should conclude that the:
A. tape headers should be manually logged and checked by the operators.
B. staging and job setup procedures are not appropriate compensating controls.
C. staging and job setup procedures compensate for the tape label control weakness.
D. tape management system parameters must be set to check all labels.
The correct answer is:
C. staging and job setup procedures compensate for the tape label control weakness.
Explanation:
Compensating controls are an important part of a control structure. They are considered adequate
if they help to achieve the control objective and are cost-effective. In this situation, the IS auditor
is most likely to conclude that staging and job setup procedures compensate for the tape label
control weakness.
...........................................................................................................
74. Which of the following is the GREATEST risk related to the monitoring of audit logs?
A. Logs are not backed up periodically.
B. Routine events are recorded.
C. Procedures for enabling logs are not documented.
D. Unauthorized system actions are recorded but not investigated.
The correct answer is:
D. Unauthorized system actions are recorded but not investigated.
Explanation:
If unauthorized system actions are not investigated, the log is useless. Not backing up logs
periodically is a risk, but not as critical as the need to investigate questionable actions. Recording
routine events can make it more difficult to recognize unauthorized actions, but the critical
events are still recorded. Procedures for enabling and reviewing logs should be documented, but
documentation does not ensure investigation.
...........................................................................................................
75. Which of the following would an IS auditor consider to be the MOST helpful when
evaluating the effectiveness and adequacy of a computer preventive maintenance program?
A. A system downtime log
B. Vendors' reliability figures
C. Regularly scheduled maintenance log
D. A written preventive maintenance schedule
The correct answer is:
A. A system downtime log
Explanation:
A system downtime log provides information regarding the effectiveness and adequacy of
computer preventive maintenance programs.
...........................................................................................................
76. Which of the following would be the MOST secure firewall system?
A. Screened-host firewall
B. Screened-subnet firewall
C. Dual-homed firewall
D. Stateful-inspection firewall
The correct answer is:
B. Screened-subnet firewall
Explanation:
A screened-subnet firewall, also used as a demilitarized zone (DMZ), utilizes two packet
filtering routers and a bastion host. This provides the most secure firewall system, since it
supports both network- and application-level security while defining a separate DMZ network. A
screened-host firewall utilizes a packet filtering router and a bastion host. This approach
implements basic network layer security (packet filtering) and application server security (proxy
services). A dual-homed firewall system is a more restrictive form of a screened-host firewall
system, configuring one interface for information servers and another for private network host
computers. A stateful inspection firewall working at the transport layer keeps track of the
destination IP address of each packet that leaves the organization's internal network and allows a
reply from the recorded IP addresses.
...........................................................................................................
77. Which of the following is a control over component communication failure/errors?
A. Restricting operator access and maintaining audit trails
B. Monitoring and reviewing system engineering activity
C. Providing network redundancy
D. Establishing physical barriers to the data transmitted over the network
The correct answer is:
C. Providing network redundancy
Explanation:
Redundancy by building some form of duplication into the network components, such as a link,
router or switch, to prevent loss, delays or data duplication is a control over component
communication failure or error. Other related controls are loop/echo checks to detect line errors,
parity checks, error correction codes and sequence checks. Choices A, B and D are
communication network controls.
...........................................................................................................
78. Which of the following BEST ensures the integrity of a server's operating system?
A. Protecting the server in a secure location
B. Setting a boot password
C. Hardening the server configuration
D. Implementing activity logging
The correct answer is:
C. Hardening the server configuration
Explanation:
Hardening a system means to configure it in the most secure manner (install latest security
patches, properly define the access authorization for users and administrators, disable insecure
options and uninstall unused services) to prevent nonprivileged users from gaining the right to
execute privileged instructions and thus take control of the entire machine, jeopardizing the OS's
integrity. Protecting the server in a secure location and setting a boot password are good
practices, but do not ensure that a user will not try to exploit logical vulnerabilities and
compromise the OS. Activity logging has two weaknesses in this scenario—it is a detective
control (not a preventive one) and the attacker who already gained privileged access can modify
logs or disable them.
...........................................................................................................
79. Reconfiguring which of the following firewall types will prevent inward downloading of
files through the File Transfer Protocol (FTP)?
A. Circuit gateway
B. Application gateway
C. Packet filter
D. Screening router
The correct answer is:
B. Application gateway
Explanation:
An application gateway firewall is effective in preventing applications, such as FTP, from
entering the organization network. A circuit gateway firewall is able to prevent paths or circuits,
not applications, from entering the organization's network. A packet filter firewall or screening
router will allow or prevent access based on IP packets/address.
...........................................................................................................
80. Checking for authorized software baselines is an activity addressed within which of the
following?
A. Project management
B. Configuration management
C. Problem management
D. Risk management
The correct answer is:
B. Configuration management
Explanation:
Configuration management accounts for all IT components, including software. Project
management is about scheduling, resource management and progress tracking of software
development. Problem management records and monitors incidents. Risk management involves
risk identification, impact analysis, an action plan, etc.
...........................................................................................................
81. An independent software program that connects two otherwise separate applications
sharing computing resources across heterogeneous technologies is known as:
A. middleware.
B. firmware.
C. application software.
D. embedded systems.
The correct answer is:
A. middleware.
Explanation:
Middleware is independent software that connects two otherwise separate applications sharing
computing resources across heterogeneous technologies. Firmware is software (programs or
data) that has been written onto read-only memory (ROM). It is a memory chip with embedded
program code that holds its content when power is turned off. Firmware is a combination of
software and hardware. Application software are programs that address an organization's
processes and functions as opposed to system software, which enables the computer to function.
Embedded systems are built-in modules for a specific purpose, e.g., SCARF.
...........................................................................................................
82. Which of the following is a control to detect an unauthorized change in a production
environment?
A. Denying programmers access to production data
B. Requiring change requests to include benefits and costs
C. Periodically comparing control and current object and source programs
D. Establishing procedures for emergency changes
The correct answer is:
C. Periodically comparing control and current object and source programs
Explanation:
Running the code comparison program on the control and current object and source programs
allows for the detection of unauthorized changes in the production environment. Choices A, B
and D are preventive controls that are effective as long as they are being applied consistently.
...........................................................................................................
83. To share data in a multivendor network environment, it is essential to implement
program-to-program communication. With respect to program-to-program
communication features, that can be implemented in this environment, which of the
following makes implementation and maintenance difficult?
A. User isolation
B. Controlled remote access
C. Transparent remote access
D. The network environments
The correct answer is:
D. The network environments
Explanation:
Depending on the complexity of the network environment, implementation of program-to-program
communication features becomes progressively more difficult. It is possible to
implement program-to-program communication to isolate a user in the multivendor network.
Program-to-program communication can be implemented to control and monitor the files that a
user can transfer between systems, and the remote program-to-program communication will be
transparent to the end user. All of these are security features.
...........................................................................................................
84. An IS auditor evaluating the resilience of a high-availability network should be MOST
concerned if:
A. the setup is geographically dispersed.
B. the network servers are clustered in a site.
C. a hot site is ready for activation.
D. diverse routing is implemented for the network.
The correct answer is:
B. the network servers are clustered in a site.
Explanation:
A clustered setup in one location makes the entire network vulnerable to natural disasters or
other disruptive events. Dispersed geographical locations and diverse routing provide backups if
a site has been destroyed. A hot site would also be a good alternative for a single-point-of-failure
site.
...........................................................................................................
85. Which of the following types of firewalls would BEST protect a network from an
Internet attack?
A. Screened subnet firewall
B. Application filtering gateway
C. Packet filtering router
D. Circuit-level gateway
The correct answer is:
A. Screened subnet firewall
Explanation:
A screened subnet firewall would provide the best protection. The screening router can be a
commercial router or a node with routing capabilities and the ability to allow or block traffic
between nets or nodes based on addresses, ports, protocols, interfaces, etc. Application-level
gateways are mediators between two entities that want to communicate, also known as proxy
gateways. The application level (proxy) works at the application level, not only at a packet
level. The screening controls at the packet level, addresses and ports, but does not see the
contents of the packet. A packet filtering router examines the header of every packet or data
traveling between the Internet and the corporate network.
...........................................................................................................
86. An organization is negotiating a service level agreement (SLA) with a vendor. Which of
the following should occur FIRST?
A. Develop a feasibility study.
B. Check for compliance with corporate policies.
C. Draft the service level penalties.
D. Draft the service level requirements.
The correct answer is:
D. Draft the service level requirements.
Explanation:
A clear understanding of what the customer requires is the first step in the development of an
SLA. This is done via drafting the SLRs (service level requirements). When the SLRs are
drafted, the next step is to define how this new or modified service can, in terms of operational
aspects, be made available. Compliance is important, but it should be discussed after a mutual
understanding of the service to be provided is clear and the technical and organizational road
map of how this will be accomplished is sketched in greater detail. Drafting the service level
penalties is a step that takes place toward the end of the process.
...........................................................................................................
87. Which of the following applet intrusion issues poses the GREATEST risk of disruption
to an organization?
A. A program that deposits a virus on a client machine
B. Applets recording keystrokes and, therefore, passwords
C. Downloaded code that reads files on a client's hard drive
D. Applets opening connections from the client machine
The correct answer is:
D. Applets opening connections from the client machine
Explanation:
An applet is a program downloaded from a web server to the client, usually through a web
browser that provides functionality for database access, interactive web pages and
communications with other users. Applets opening connections from the client machine to other
machines on the network and damaging those machines, as a denial-of-service attack, pose the
greatest threat to an organization and could disrupt business continuity. A program that deposits
a virus on a client machine is referred to as a malicious attack (i.e., specifically meant to cause
harm to a client machine), but may not necessarily result in a disruption of service. Applets that
record keystrokes and, therefore, passwords and downloaded code that reads files on a client's
hard drive relate more to organizational privacy issues, and although significant, are less likely to
cause a significant disruption of service.
...........................................................................................................
88. Which of the following is widely accepted as one of the critical components in
networking management?
A. Configuration management
B. Topological mappings
C. Application of monitoring tools
D. Proxy server troubleshooting
The correct answer is:
A. Configuration management
Explanation:
Configuration management is widely accepted as one of the key components of any network,
since it establishes how the network will function internally and externally. It also deals with the
management of configuration and monitoring performance. Topological mappings provide
outlines of the components of the network and its connectivity. Application monitoring is not
essential and proxy server troubleshooting is used for troubleshooting purposes.
...........................................................................................................
89. Which of the following is MOST important when assessing services provided by an
Internet service provider (ISP)?
A. Performance reports generated by the ISP
B. The service level agreement (SLA)
C. Interviews with the provider
D. Interviews with other clients of the ISP
The correct answer is:
B. The service level agreement (SLA)
Explanation:
A service level agreement provides the basis for an adequate assessment of the degree to which
the provider is meeting the level of agreed service. Choices A, C and D would not be the basis
for an independent evaluation of the service.
...........................................................................................................
90. When reviewing system parameters, an IS auditor's PRIMARY concern should be that:
A. they are set to meet security and performance requirements.
B. changes are recorded in an audit trail and periodically reviewed.
C. changes are authorized and supported by appropriate documents.
D. access to parameters in the system is restricted.
The correct answer is:
A. they are set to meet security and performance requirements.
Explanation:
The primary concern is to find the balance between security and performance. Recording
changes in an audit trail and periodically reviewing them is a detective control; however, if
parameters are not set according to business rules, monitoring of changes may not be an effective
control. Reviewing changes to ensure they are supported by appropriate documents is also a
detective control. If parameters are set incorrectly, the related documentation and the fact that
these are authorized does not reduce the impact. Restriction of access to parameters ensures that
only authorized staff can access the parameters; however, if the parameters are set incorrectly,
restricting access will still have an adverse impact.
...........................................................................................................
91. Which of the following systems-based approaches would a financial processing
company employ to monitor spending patterns to identify abnormal patterns and report
them?
A. A neural network
B. Database management software
C. Management information systems
D. Computer-assisted audit techniques
The correct answer is:
A. A neural network
Explanation:
A neural network will monitor and learn patterns, reporting exceptions for investigation.
Database management software is a method of storing and retrieving data. Management
information systems provide management statistics but do not normally have a monitoring and
detection function. Computer-assisted audit techniques detect specific situations, but are not
intended to learn patterns and detect abnormalities.
...........................................................................................................
92. Which of the following reports is a measure of telecommunication transmissions and
determines whether transmissions are completed accurately?
A. Online monitor reports
B. Downtime reports
C. Help desk reports
D. Response-time reports
The correct answer is:
A. Online monitor reports
Explanation:
Online monitors measure telecommunication transmissions and determine whether transmissions
are completed accurately. Downtime reports track the availability of telecommunication lines
and circuits. Help desk reports handle problems occurring in the normal course of operations.
Response-time reports identify the time it takes for a command entered at a terminal to be
answered by the computer.
...........................................................................................................
93. Web and e-mail filtering tools are PRIMARILY valuable to an organization because
they:
A. protect the organization from viruses and nonbusiness materials.
B. maximize employee performance.
C. safeguard the organization's image.
D. assist the organization in preventing legal issues.
The correct answer is:
A. protect the organization from viruses and nonbusiness materials.
Explanation:
The main reason for investing in web and e-mail filtering tools is that they significantly reduce
risks related to viruses, spam, mail chains, recreational surfing and recreational e-mail. Choice B
could be true in some circumstances (i.e., it would need to be implemented along with an
awareness program, so that employee performance can be significantly improved); however, in
such cases, it would not be as relevant as choice A. Choices C and D are secondary or indirect
benefits.
...........................................................................................................
94. The database administrator (DBA) suggests that DB efficiency can be improved by
denormalizing some tables. This would result in:
A. loss of confidentiality.
B. increased redundancy.
C. unauthorized accesses.
D. application malfunctions.
The correct answer is:
B. increased redundancy.
Explanation:
Normalization is a design or optimization process for a relational database (DB) that minimizes
redundancy; therefore, denormalization would increase redundancy. (Redundancy, which is
usually considered positive when it is a question of resource availability, is negative in a database
environment, since it demands additional, otherwise unnecessary, data handling efforts.)
Denormalization is sometimes advisable for functional reasons. It should not cause loss of
confidentiality, unauthorized accesses or application malfunctions.
...........................................................................................................
95. Which of the following should be done by an IS auditor when a source code comparison
indicates modifications were made?
A. Determine whether modifications were authorized.
B. Update the control copy of the source code.
C. Manually review the source code.
D. Insert remarks in the source code describing the modifications.
The correct answer is:
A. Determine whether modifications were authorized.
Explanation:
The IS auditor's primary objective should be to determine if the changes were authorized. A
manual review of the source code may be done in some instances, but this would not answer the
question of whether the changes were authorized. Choices B and D would not be proper actions.
...........................................................................................................
96. Utility programs that assemble software modules needed to execute a machine
instruction application program version are:
A. text editors.
B. program library managers.
C. linkage editors and loaders.
D. debuggers and development aids.
The correct answer is:
C. linkage editors and loaders.
Explanation:
Utility programs that assemble software modules needed to execute a machine instruction
application program version are linkage editors and loaders.
...........................................................................................................
97. In a database management system (DBMS), the location of data and the method of
accessing the data are provided by the:
A. data dictionary.
B. metadata.
C. directory system.
D. data definition language.
The correct answer is:
C. directory system.
Explanation:
A directory system describes the location of data and the access method. A data dictionary
contains an index and description of all the items stored in the database. Metadata are the data
elements required to define an enterprisewide data warehouse. The data definition language
processor allows the database administrator (DBA) to create/modify a data definition for
mapping between external and conceptual schemes.
...........................................................................................................
98. The interface that allows access to lower- or higher-level network services is called:
A. firmware.
B. middleware.
C. X.25 interface.
D. utilities.
The correct answer is:
B. middleware.
Explanation:
Middleware, a class of software employed by client-server applications, provides services, such
as identification, authentication, directories and security. It facilitates client-server connections
over the network and allows client applications to access and update remote databases and
mainframe files. Firmware consists of memory chips with embedded program code that hold
their content when the power is turned off. X.25 interface is the interface between data terminal
equipment and data circuit terminating equipment for terminals operating in the packet mode on
some public data networks. Utilities are system software used to perform system maintenance
and routines that are required during normal processing, such as sorting or backup.
...........................................................................................................
99. Which of the following is a control over database administration activities?
A. A database checkpoint to restart processing after a system failure
B. Database compression to reduce unused space
C. Supervisory review of access logs
D. Backup and recovery procedures to ensure database availability
The correct answer is:
C. Supervisory review of access logs
Explanation:
To ensure management approval of database administration activities and to exercise control
over the use of database tools, there should be a supervisory review of access logs. Database
administration activities include, among others, database checkpoints, database compression
techniques, and data backup and recovery procedures established and implemented to ensure
database availability.
...........................................................................................................
100. The following question refers to the diagram.
Assuming this diagram represents an internal facility and the organization is implementing
a firewall protection program, where should firewalls be installed?
A. No firewalls are needed.
B. Op-3 location only
C. MIS (Global) and NAT2
D. SMTP Gateway and op-3
The correct answer is:
D. SMTP Gateway and op-3
Explanation:
The objective of a firewall is to protect a trusted network from an untrusted network; therefore,
locations needing firewall implementations would be at the existence of the external connections.
All other answers are incomplete or represent internal connections.
...........................................................................................................
101. An IS auditor reviewing database controls discovered that changes to the database
during normal working hours were handled through a standard set of procedures.
However, changes made after normal hours required only an abbreviated number of steps.
In this situation, which of the following would be considered an adequate set of
compensating controls?
A. Allow changes to be made only with the DBA user account.
B. Make changes to the database after granting access to a normal user account.
C. Use the DBA user account to make changes, log the changes and review the change log
the following day.
D. Use the normal user account to make changes, log the changes and review the change log
the following day.
The correct answer is:
C. Use the DBA user account to make changes, log the changes and review the change log
the following day.
Explanation:
A database administrator (DBA) user account is normally set up (and should be set up) to log all
changes made and is most appropriate for changes made outside of normal hours. The use of a
log, which records the changes, allows changes to be reviewed. The use of the DBA user account
without logging would permit uncontrolled changes to be made to databases once access to the
account was obtained. The use of a normal user account with no restrictions would allow
uncontrolled changes to any of the databases. Logging would only provide information on
changes made, but would not limit changes to only those that were authorized. Hence, logging
coupled with review form an appropriate set of compensating controls.
...........................................................................................................
102. Which of the following hardware devices relieves the central computer from
performing network control, format conversion and message handling tasks?
A. Spool
B. Cluster controller
C. Protocol converter
D. Front-end processor
The correct answer is:
D. Front-end processor
Explanation:
A front-end processor is a hardware device that connects all communication lines to a central
computer to relieve the central computer.
...........................................................................................................
103. An IS auditor has recently discovered that because of a shortage of skilled operations
personnel, the security administrator has agreed to work one late-night shift a month as the
senior computer operator. The MOST appropriate course of action for the IS auditor is to:
A. advise senior management of the risk involved.
B. agree to work with the security officer on these shifts as a form of preventative control.
C. develop a computer-assisted audit technique to detect instances of abuses of this
arrangement.
D. review the system log for each of the late-night shifts to determine whether any irregular
actions occurred.
The correct answer is:
A. advise senior management of the risk involved.
Explanation:
The IS auditor's first and foremost responsibility is to advise senior management of the risk
involved in having the security administrator perform an operation's function. This is a violation
of separation of duties. The IS auditor should not get involved in processing.
...........................................................................................................
104. During the requirements definition phase for a database application, performance is
listed as a top priority. To access the DBMS files, which of the following technologies
should be recommended for optimal I/O performance?
A. Storage area network (SAN)
B. Network Attached Storage (NAS)
C. Network file system (NFS v2)
D. Common Internet File System (CIFS)
The correct answer is:
A. Storage area network (SAN)
Explanation:
In contrast to the other options, in a SAN, composed of computers, Fibre Channel (FC) switches or
routers and storage devices, there is no computer system hosting and exporting its mounted file
system for remote access, aside from special file systems. Access to information stored on the
storage devices in a SAN is comparable to direct attached storage: each block of data on a disk
can be addressed directly, since the volumes of the storage device are handled as though they
are local, which provides optimal performance. The other options describe technologies in which
a computer (or appliance) shares its file system with other systems over the network, so access
is at file rather than block level.
...........................................................................................................
105. An IS auditor is PRIMARILY concerned about electromagnetic emissions from a
cathode ray tube (CRT) because they may:
A. cause health disorders (such as headaches) and diseases.
B. be intercepted and information may be obtained from them.
C. cause interference in communications.
D. cause errors in the motherboard.
The correct answer is:
B. be intercepted and information may be obtained from them.
Explanation:
Choice B is the greatest risk, although such attacks are infrequent because of the expensive
equipment required; the expense is justified only when the value of the information to be obtained
is high. Emissions from a CRT can be intercepted and the displayed information reconstructed from
them. This is called a TEMPEST attack, after the code name of the first classified project in
which such interception was studied. The weak signals can be radiated and picked up with the
proper equipment, or conducted, for example, along power leads. The signals fade rapidly as
distance increases, so the first line of defense is to create a physical security zone (PSZ) that
keeps receivers at a distance. CRTs may cause health disorders, such as headaches; however, no
studies have confirmed that these risks are higher than those posed by the natural radiation found
in certain zones (e.g., mountain areas). The intensity of the radiation is so low that, with
normal technology, it cannot cause interference with communications.
...........................................................................................................
106. To determine how data are accessed across different platforms in a heterogeneous
environment, an IS auditor should FIRST review:
A. business software.
B. infrastructure platform tools.
C. application services.
D. system development tools.
The correct answer is:
C. application services.
Explanation:
Projects should identify the complexities of the IT Infrastructure that can be simplified or
isolated by the development of application services. Application services isolate system
developers from the complexities of the IT infrastructure and offer common functionalities that
are shared by many applications. Application services take the form of interfaces, middleware,
etc. Business software focuses on business processes, whereas application services bridge the
gap between applications and the IT Infrastructure components. Infrastructure platform tools are
related to core hardware and software components required for development of the IT
infrastructure. Systems development tools represent development components of the IT
infrastructure development.
...........................................................................................................
107. Applying a retention date on a file will ensure that:
A. data cannot be read until the date is set.
B. data will not be deleted before that date.
C. backup copies are not retained after that date.
D. datasets having the same name are differentiated.
The correct answer is:
B. data will not be deleted before that date.
Explanation:
A retention date will ensure that a file cannot be overwritten before that date has passed. The
retention date will not affect the ability to read the file. Backup copies would be expected to have
a different retention date and, therefore, may well be retained after the file has been overwritten.
The creation date, not the retention date, will differentiate files with the same name.
...........................................................................................................
108. An organization provides information to its supply chain partners and customers
through an extranet infrastructure. Which of the following should be the GREATEST
concern to an IS auditor reviewing the firewall security architecture?
A. A Secure Sockets Layer (SSL) has been implemented for user authentication and remote
administration of the firewall.
B. On the basis of changing requirements, firewall policies are updated.
C. Inbound traffic is blocked unless the traffic type and connections have been specifically
permitted.
D. The firewall is placed on top of the commercial operating system with all installation
options.
The correct answer is:
D. The firewall is placed on top of the commercial operating system with all installation
options.
Explanation:
The greatest concern when implementing a firewall on top of a commercial operating system is the
potential presence of vulnerabilities in the underlying platform that could undermine the security
of the firewall itself. In most circumstances when commercial firewalls are breached, the breach
is facilitated by vulnerabilities in the underlying operating system, and keeping all installation
options on the system further increases the exposure to vulnerabilities and exploits. Using SSL
for firewall administration (choice A) is an appropriate control. Because the roles and profiles
of users and supply chain partners change frequently, it is appropriate to update the firewall
policies as requirements change (choice B), and it is prudent to block all inbound traffic unless
it has been specifically permitted (choice C).
...........................................................................................................
109. An IS auditor is performing a network security review of a telecom company that
provides Internet connection services to shopping malls for their wireless customers. The
company uses Wireless Transport Layer Security (WTLS) and Secure Sockets Layer (SSL)
technology for protecting their customer's payment information. The IS auditor should be
MOST concerned, if a hacker:
A. compromises the Wireless Application Protocol (WAP) gateway.
B. installs a sniffing program in front of the server.
C. steals a customer's PDA.
D. listens to the wireless transmission.
The correct answer is:
A. compromises the Wireless Application Protocol (WAP) gateway.
Explanation:
At a WAP gateway, the WTLS-encrypted messages from customers must be decrypted and re-encrypted
with SSL for transmission over the Internet, and vice versa. Therefore, if the gateway is
compromised, all of the messages are exposed in clear text. SSL protects the messages from
sniffing on the Internet, limiting disclosure of the customer's information. WTLS provides
authentication, privacy and integrity on the wireless leg and protects those messages from
eavesdropping. A stolen PDA exposes at most one customer's data.
...........................................................................................................
110. Which of the following would normally be found in application run manuals?
A. Details of source documents
B. Error codes and their recovery actions
C. Program flowcharts and file definitions
D. Change records for the application source code
The correct answer is:
B. Error codes and their recovery actions
Explanation:
Application run manuals should include actions to be taken by an operator when an error occurs.
Source documents and source code are irrelevant to the operator. Although dataflow diagrams
may be useful, detailed program diagrams and file definitions are not.
...........................................................................................................
111. Change management procedures are established by IS management to:
A. control the movement of applications from the test environment to the production
environment.
B. control the interruption of business operations from lack of attention to unresolved
problems.
C. ensure the uninterrupted operation of the business in the event of a disaster.
D. verify that system changes are properly documented.
The correct answer is:
A. control the movement of applications from the test environment to the production
environment.
Explanation:
Change management procedures are established by IS management to control the movement of
applications from the test environment to the production environment. Problem escalation
procedures control the interruption of business operations from lack of attention to unresolved
problems, and quality assurance procedures verify that system changes are authorized and tested.
...........................................................................................................
112. An IS auditor reviewing an organization's data file control procedures finds that
transactions are applied to the most current files, while restart procedures use earlier
versions. The IS auditor should recommend the implementation of:
A. source documentation retention.
B. data file security.
C. version usage control.
D. one-for-one checking
The correct answer is:
C. version usage control.
Explanation:
For processing to be correct, it is essential that the proper version of a file is used. Transactions
should be applied to the most current database, while restart procedures should use earlier
versions. Source documentation should be retained for an adequate time period to enable
documentation retrieval, reconstruction or verification of data, but it does not aid in ensuring that
the correct version of a file will be used. Data file security controls prevent access by
unauthorized users who could then alter the data files; however, it does not ensure that the
correct file will be used. It is necessary to ensure that all documents have been received for
processing, (one-for-one); however, this does not ensure the use of the correct file.
...........................................................................................................
113. Which of the following is the MOST probable cause for a mail server being used to
send spam?
A. Installing an open relay server
B. Enabling Post Office Protocol (POP3)
C. Using Simple Mail Transfer Protocol (SMTP)
D. Activating user accounting
The correct answer is:
A. Installing an open relay server
Explanation:
An open relay accepts and forwards mail from any sender to any destination, allowing unauthorized
people to route their spam through someone else's mail server. POP3 and SMTP are commonly used
mail protocols and are not in themselves the cause. Activating user accounting does not relate to
using a server to send spam.
...........................................................................................................
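The relay decision that distinguishes an open relay from a correctly configured server, as an added example (not code from the original question bank). The local domains, trusted network and client addresses are assumed values; the SMTP dialogue is simulated rather than spoken on a socket, so the script runs offline.

```python
"""SMTP relay policy: open relay versus hardened configuration (added example)."""
import ipaddress

# Constructed configuration, assumed for illustration.
LOCAL_DOMAINS = {"example.com", "mail.example.com"}      # domains this server delivers for
TRUSTED_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]  # internal clients allowed to relay


def open_relay_policy(client_ip, authenticated, rcpt):
    """Misconfigured server: every RCPT TO is accepted, whoever the client is."""
    return True


def hardened_policy(client_ip, authenticated, rcpt):
    """Accept RCPT TO only for local delivery, authenticated submission,
    or clients on a trusted network; everything else is relay denial."""
    domain = rcpt.rsplit("@", 1)[-1].lower()
    if domain in LOCAL_DOMAINS:
        return True          # inbound mail for our own users is always accepted
    if authenticated:
        return True          # authenticated submission may relay outbound
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def simulate_session(policy, client_ip, authenticated, rcpts):
    """Replay a constructed SMTP dialogue and return the server reply per RCPT TO."""
    replies = []
    for rcpt in rcpts:
        if policy(client_ip, authenticated, rcpt):
            replies.append((rcpt, "250 OK"))
        else:
            replies.append((rcpt, "554 5.7.1 Relay access denied"))
    return replies


def is_open_relay(policy):
    """The probe a scanner or auditor uses: an unauthenticated client from an
    untrusted address asks to relay to a foreign domain. True means open relay."""
    replies = simulate_session(policy, "203.0.113.9", False, ["victim@other.example"])
    return replies[0][1].startswith("250")


if __name__ == "__main__":
    for name, policy in (("open relay", open_relay_policy), ("hardened", hardened_policy)):
        print(f"{name}: open relay = {is_open_relay(policy)}")
```

The same probe can be run against a real server by hand: connect on port 25 without authenticating, issue MAIL FROM with a foreign address and RCPT TO with another foreign address, and watch whether the server answers 250 or a 5xx relay denial.
...........................................................................................................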
114. The following question refers to the diagram.
In the 2c area on the diagram, there are three hubs connected to each other. What potential
risk might this indicate?
A. Virus attack
B. Performance degradation
C. Poor management controls
D. Vulnerability to external hackers
The correct answer is:
B. Performance degradation
Explanation:
Hubs are internal devices that usually have no direct external connectivity and, thus, are not
prone to hackers. There are no known viruses that are specific to hub attacks. While this situation
may be an indicator of poor management controls, choice B is more likely when the practice of
stacking hubs to create more terminal connections is used: every device attached to the chained
hubs shares a single collision domain, so adding terminals this way increases collisions and
degrades throughput.
...........................................................................................................
115. Which of the following is the BEST audit procedure to determine if a firewall is
configured in compliance with an organization's security policy?
A. Review the parameter settings.
B. Interview the firewall administrator.
C. Review the actual procedures.
D. Review the device's log file for recent attacks.
The correct answer is:
A. Review the parameter settings.
Explanation:
A review of the parameter settings (the actual rule base and configuration options) provides a
direct basis for comparing the implemented configuration with the security policy and produces
documented audit evidence. Interviews and procedure reviews show intent rather than what is
configured, and attack logs show activity rather than compliance, so the other choices do not
provide as strong audit evidence as choice A.
...........................................................................................................
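A mechanical version of the parameter review, as an added example that is not part of the original question bank: a constructed iptables-save style dump is parsed and compared against an assumed written policy (default INPUT policy and an approved port/source list). The rule syntax follows iptables-save; the dump, the policy and the findings format are assumptions for illustration.

```python
"""Compare firewall parameter settings with a written policy (added example)."""
import re

# Constructed iptables-save style dump, assumed for illustration.
FIREWALL_DUMP = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s 10.0.0.0/8 -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p tcp --dport 23 -j ACCEPT
COMMIT
"""

# Assumed security policy: default deny inbound, SSH only from the
# internal range, HTTPS from anywhere, nothing else.
POLICY = {
    "default_input": "DROP",
    "allowed": {(22, "10.0.0.0/8"), (443, "0.0.0.0/0")},
}


def parse_dump(text):
    """Return (chain default policies, list of INPUT rules) from the dump."""
    policies, rules = {}, []
    for line in text.splitlines():
        if line.startswith(":"):
            chain, target = line[1:].split()[:2]
            policies[chain] = target
        elif line.startswith("-A INPUT"):
            src = re.search(r"-s (\S+)", line)
            port = re.search(r"--dport (\d+)", line)
            target = re.search(r"-j (\S+)", line).group(1)
            rules.append({
                "src": src.group(1) if src else "0.0.0.0/0",  # no -s means any source
                "dport": int(port.group(1)) if port else None,
                "target": target,
                "raw": line,
            })
    return policies, rules


def find_deviations(text, policy=POLICY):
    """List every way the configured parameters depart from the policy."""
    policies, rules = parse_dump(text)
    findings = []
    if policies.get("INPUT") != policy["default_input"]:
        findings.append(
            f"INPUT default policy is {policies.get('INPUT')}, "
            f"policy requires {policy['default_input']}")
    for rule in rules:
        if rule["target"] != "ACCEPT" or rule["dport"] is None:
            continue  # state-tracking and non-accept rules are out of scope here
        if (rule["dport"], rule["src"]) not in policy["allowed"]:
            findings.append(f"unapproved ACCEPT: {rule['raw']}")
    return findings


if __name__ == "__main__":
    for finding in find_deviations(FIREWALL_DUMP):
        print(finding)
```

On the constructed dump this reports the permissive INPUT default and the telnet rule; the evidence is the dump itself plus the policy text, which is exactly what the audit file needs to hold.
...........................................................................................................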
116. Congestion control is BEST handled by which OSI layer?
A. Data link layer
B. Session layer
C. Transport layer
D. Network layer
The correct answer is:
C. Transport layer
Explanation:
The transport layer is responsible for reliable end-to-end data delivery. It implements flow
control mechanisms that detect congestion, reduce the transmission rate and increase it again when
the network no longer appears congested (e.g., TCP flow and congestion control). The network layer
is not the best answer because routers implement only limited, subnet-level congestion handling
(e.g., ICMP source quench messages sent when router memory or buffers reach capacity); there is no
mechanism to cancel or discard queued messages, so this may actually worsen congestion. The
session and data link layers provide no end-to-end congestion control.
...........................................................................................................
117. Following a reorganization of a company's legacy database, it was discovered that
records were accidentally deleted. Which of the following controls would have MOST
effectively detected this occurrence?
A. Range check
B. Table lookups
C. Run-to-run totals
D. One-for-one checking
The correct answer is:
C. Run-to-run totals
Explanation:
Run-to-run totals (record counts, amount totals and hash totals carried from one processing step
to the next and reconciled) would have been an effective detective control over processing in this
situation, because the totals after the reorganization would not agree with the totals before it.
Table lookups and range checks are used for data validation at input, or as close to the point of
origination as possible. One-for-one checking is time-consuming and, therefore, less effective.
...........................................................................................................
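Run-to-run totals carried across a processing step, as an added example that is not part of the original question bank. The account records, the reorganization steps and the choice of control fields (record count, hash total of keys, amount total) are constructed for illustration.

```python
"""Run-to-run totals as a detective control over batch processing (added example)."""

# Constructed records: (account_id, balance) before a database reorganization,
# and two possible outputs of that reorganization.
BEFORE = [(101, 250.00), (102, 75.50), (103, 1200.00), (104, 0.00)]
AFTER_OK = [(104, 0.00), (101, 250.00), (103, 1200.00), (102, 75.50)]  # reordered only
AFTER_LOST = [(101, 250.00), (103, 1200.00)]                            # two records dropped


def control_totals(records):
    """Compute the totals that are carried forward from one run to the next.

    count        - number of records
    hash_total   - sum of the key field; meaningless as a number, but any
                   dropped or duplicated record changes it
    amount_total - sum of the value field
    """
    return {
        "count": len(records),
        "hash_total": sum(key for key, _ in records),
        "amount_total": round(sum(value for _, value in records), 2),
    }


def run_to_run_check(before, after):
    """Reconcile the previous run's totals with the current run's.

    Returns the names of the control fields that do not agree; an empty list
    means the step preserved the record population.
    """
    previous, current = control_totals(before), control_totals(after)
    return [field for field in previous if previous[field] != current[field]]


if __name__ == "__main__":
    print("reorder only :", run_to_run_check(BEFORE, AFTER_OK))
    print("records lost :", run_to_run_check(BEFORE, AFTER_LOST))
```

A plain record count catches the deletion in the question; the hash total and amount total are added because a count alone misses an offsetting delete-and-duplicate, and only one-for-one checking (the slow option) would identify which records went missing.
...........................................................................................................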
118. Neural networks are effective in detecting fraud, because they can:
A. discover new trends since they are inherently linear.
B. solve problems where large and general sets of training data are not obtainable.
C. attack problems that require consideration of a large number of input variables.
D. make assumptions about the shape of any curve relating variables to the output.
The correct answer is:
C. attack problems that require consideration of a large number of input variables.
Explanation:
Neural networks can be used to attack problems that require consideration of numerous input
variables. They are capable of capturing relationships and patterns often missed by other
statistical methods, and they will not discover new trends. Neural networks are inherently
nonlinear and make no assumption about the shape of any curve relating variables to the output.
Neural networks will not work well at solving problems for which sufficiently large and general
sets of training data are not obtainable.
...........................................................................................................
119. Capacity monitoring software is used to ensure:
A. maximum use of available capacity.
B. that future acquisitions meet user needs.
C. concurrent use by a large number of users.
D. continuity of efficient operations.
The correct answer is:
D. continuity of efficient operations.
Explanation:
Capacity monitoring software shows the actual usage of online systems vs. their maximum
capacity. The aim is to enable software support staff to ensure that efficient operation, in the
form of response times, is maintained in the event that use begins to approach the maximum
available capacity. Systems should never be allowed to operate at maximum capacity.
Monitoring software is intended to prevent this. Although the software reports may be used to
support a business case for future acquisitions, it would not provide information on the effect of
user requirements and it would not ensure concurrent usage of the system by users, other than to
highlight levels of user access.
...........................................................................................................
120. After installing a network, an organization installed a vulnerability assessment tool or
security scanner to identify possible weaknesses. Which is the MOST serious risk
associated with such tools?
A. Differential reporting
B. False-positive reporting
C. False-negative reporting
D. Less-detail reporting
The correct answer is:
C. False-negative reporting
Explanation:
False-negative reporting on weaknesses means that control weaknesses in the network are not
identified and, hence, may not be addressed, leaving the network vulnerable to attack.
False-positive reporting is one in which the controls are in place but are evaluated as weak,
which should prompt a rechecking of the controls. Less-detail and differential reporting are
reporting options provided by these tools (differential reporting compares scan results over a
period of time) and do not in themselves leave weaknesses unidentified.
...........................................................................................................
121. Analysis of which of the following would MOST likely enable the IS auditor to
determine if an unapproved program attempted to access sensitive data?
A. Abnormal job termination reports
B. Operator problem reports
C. System logs
D. Operator work schedules
The correct answer is:
C. System logs
Explanation:
System logs are automated reports that identify most of the activities performed on the computer.
Many programs that analyze the system log to report on specifically defined items have been
developed. Abnormal job termination reports identify application jobs that were terminated
before successful completion. Operator problem reports are used by operators to log computer
operations problems and their solutions. Operator work schedules are maintained by IS
management to assist in human resource planning.
...........................................................................................................
122. An IS auditor analyzing the audit log of a database management system (DBMS) finds
that some transactions were partially executed as a result of an error, and are not rolled
back. Which of the following transaction processing features has been violated?
A. Consistency
B. Isolation
C. Durability
D. Atomicity
The correct answer is:
D. Atomicity
Explanation:
Atomicity guarantees that either the entire transaction is processed or none of it is; a
transaction that stops part way through an error must be rolled back. Consistency ensures that
the database is in a legal state when the transaction begins and ends. Isolation means that,
while in an intermediate state, the transaction's data are invisible to other operations.
Durability guarantees that a committed transaction will persist and cannot be undone by a failure.
...........................................................................................................
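The atomicity failure from the question, reproduced with the sqlite3 module from the Python standard library as an added example (not code from the original question bank). The two-account ledger and the credit limit that makes the second statement fail are constructed; the point is that without an explicit transaction the debit survives the failed credit, which is exactly the partially executed, un-rolled-back transaction an auditor would find in the log.

```python
"""Atomicity: partial execution without rollback versus a real transaction (added example)."""
import sqlite3


def make_db():
    """In-memory ledger with two accounts (constructed sample data).

    The CHECK constraint acts as an assumed credit limit so that a credit can fail
    after the matching debit has already been applied.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts (id INTEGER PRIMARY KEY, "
        "balance INTEGER NOT NULL CHECK (balance BETWEEN 0 AND 120))")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)", [(1, 100), (2, 50)])
    conn.commit()
    return conn


DEBIT = "UPDATE accounts SET balance = balance - ? WHERE id = ?"
CREDIT = "UPDATE accounts SET balance = balance + ? WHERE id = ?"


def transfer_non_atomic(conn, src, dst, amount):
    """Each statement is committed on its own (autocommit mode).

    If the credit fails, the debit has already been committed: money disappears
    and the database is left in an inconsistent intermediate state.
    """
    conn.isolation_level = None  # autocommit: no transaction is ever opened
    try:
        conn.execute(DEBIT, (amount, src))
        conn.execute(CREDIT, (amount, dst))
    except sqlite3.Error:
        return False
    return True


def transfer_atomic(conn, src, dst, amount):
    """Both statements inside one explicit transaction; any error rolls back both."""
    conn.isolation_level = None
    try:
        conn.execute("BEGIN")
        conn.execute(DEBIT, (amount, src))
        conn.execute(CREDIT, (amount, dst))
        conn.execute("COMMIT")
    except sqlite3.Error:
        conn.execute("ROLLBACK")
        return False
    return True


def balances(conn):
    """Current balances keyed by account id."""
    return dict(conn.execute("SELECT id, balance FROM accounts ORDER BY id"))


if __name__ == "__main__":
    db = make_db()
    print("non-atomic ok:", transfer_non_atomic(db, 1, 2, 80), balances(db))
    db = make_db()
    print("atomic ok    :", transfer_atomic(db, 1, 2, 80), balances(db))
```

Transferring 80 from account 1 to account 2 would push account 2 past the assumed limit of 120, so the credit raises an integrity error. The non-atomic version reports failure but leaves account 1 debited; the atomic version returns both accounts to their starting balances.
...........................................................................................................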
123. Receiving an EDI transaction and passing it through the communications interface
stage usually requires:
A. translating and unbundling transactions.
B. routing verification procedures.
C. passing data to the appropriate application system.
D. creating a point of receipt audit log.
The correct answer is:
B. routing verification procedures.
Explanation:
The communications interface stage requires routing verification procedures. EDI (e.g., ANSI X12)
is a standard that must be interpreted by an application for transactions to be processed and then
invoiced, paid and sent, whether they are for merchandise or services. There is no point in
sending and receiving EDI transactions if they cannot be processed by an internal system.
Unpacking transactions and recording audit logs are important elements that help enforce business
rules and establish controls, but they are not part of the communications interface stage.
...........................................................................................................
124. Reverse proxy technology for web servers should be deployed if:
A. http servers’ addresses must be hidden.
B. accelerated access to all published pages is required.
C. caching is needed for fault tolerance.
D. bandwidth to the user is limited.
The correct answer is:
A. http servers’ addresses must be hidden.
Explanation:
Reverse proxies are primarily designed to hide physical and logical internal structures from
outside access. Complete URLs or URIs can be partially or completely redirected without
disclosing which internal or DMZ server is providing the requested data. This technology might
be used if a trade-off between security, performance and costs has to be achieved. Proxy servers
cache some data but normally cannot cache all pages to be published because this depends on the
kind of information the web servers provide. The ability to accelerate access depends on the
speed of the back-end servers, i.e., those that are cached. Thus, without making further
assumptions, a gain in speed cannot be assured, but virtualization and hiding of internal
structures can. If speed is an issue a scale-out approach (avoiding adding additional delays by
passing firewalls, involving more servers, etc.) would be a better solution. Due to the limited
caching option, reverse proxies are not suitable for enhancing fault tolerance. User requests that
are handled by reverse proxy servers are using exactly the same bandwidth as direct requests to
the hosts providing the data.
...........................................................................................................
125. The purpose of code signing is to provide assurance that:
A. the software has not been subsequently modified.
B. the application can safely interface with another signed application.
C. the signer of the application is trusted.
D. the private key of the signer has not been compromised.
The correct answer is:
A. the software has not been subsequently modified.
Explanation:
Code signing can only ensure that the executable code has not been modified after being signed.
The other choices are incorrect and actually represent potential and exploitable weaknesses of
code signing.
...........................................................................................................
126. Which of the ISO/OSI model layers provides for routing packets between nodes?
A. Data link
B. Network
C. Transport
D. Session
The correct answer is:
B. Network
Explanation:
The network layer switches and routes information (network layer header). Node-to-node data
link services are extended across a network by this layer. The network layer provides service for
routing packets (units of information at the network layer) between nodes connected through an
arbitrary network. The data link layer transmits information as groups-of-bits (logical units
called a frame) to adjacent computer systems (node-to-node). The bits in a frame are divided into
an address field (media access control—MAC—48-bit hardware address), control field, data
field and error-control field. The transport layer provides end-to-end data integrity. To ensure
reliable delivery, the transport layer builds on the error-control mechanisms provided by lower
layers. If lower layers are not adequate, the transport layer is the last chance for error recovery.
The session layer provides the control structure for communications between applications. It
establishes, manages and terminates connections (sessions) between cooperating applications,
and performs access security checking.
...........................................................................................................
127. An organization wants to enforce data integrity principles and achieve faster
performance/execution in a database application. Which of the following design principles
should be applied?
A. User (customized) triggers
B. Data validation at the front end
C. Data validation at the back end
D. Referential integrity
The correct answer is:
D. Referential integrity
Explanation:
Referential integrity should be implemented at the time of the design of the database to provide a
faster execution mechanism. All other options are implemented at the application coding stage.
...........................................................................................................
128. Which of the following will prevent dangling tuples in a database?
A. Cyclic integrity
B. Domain integrity
C. Relational integrity
D. Referential integrity
The correct answer is:
D. Referential integrity
Explanation:
Referential integrity ensures that a foreign key in one table is either null or equal to the value
of a primary key in the referenced table. For every tuple in a table having a foreign key, there
should be a corresponding tuple in the referenced table. If this condition is not satisfied, the
result is a dangling tuple. Cyclical checking is the control technique for the regular checking of
accumulated data on a file against authorized source documentation; there is no cyclical integrity
testing. Domain integrity testing ensures that a data item has a legitimate value in the correct
range or set. Relational integrity is performed at the record level and is ensured by calculating
and verifying specific fields.
...........................................................................................................
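Referential integrity declared in the database, as questions 127 and 128 describe, versus a database loaded without enforcement, shown with the standard-library sqlite3 module as an added example (not code from the original question bank). The customers and orders tables, their rows and the foreign-key toggle are constructed for illustration; the dangling-tuple query at the end is the check an auditor would run against a database whose constraints were never enforced.

```python
"""Referential integrity: enforced foreign keys versus dangling tuples (added example)."""
import sqlite3


def make_db(enforce_fk):
    """Constructed customers/orders schema; enforce_fk toggles the constraint.

    SQLite only enforces REFERENCES clauses when PRAGMA foreign_keys is ON,
    which makes it convenient for showing both behaviours.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = %s" % ("ON" if enforce_fk else "OFF"))
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    conn.execute("""CREATE TABLE orders (
        id INTEGER PRIMARY KEY,
        customer_id INTEGER REFERENCES customers(id),
        amount INTEGER NOT NULL)""")
    conn.executemany("INSERT INTO customers VALUES (?, ?)", [(1, "Alice"), (2, "Bob")])
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?)", [(10, 1, 40), (11, 2, 15)])
    conn.commit()
    return conn


def insert_order(conn, order_id, customer_id, amount):
    """Insert an order; returns False if the database rejects the foreign key."""
    try:
        conn.execute("INSERT INTO orders VALUES (?, ?, ?)", (order_id, customer_id, amount))
        conn.commit()
        return True
    except sqlite3.IntegrityError:
        conn.rollback()
        return False


def delete_customer(conn, customer_id):
    """Delete a customer; with enforcement on, a customer that still has orders
    cannot be removed, so no order is left pointing at a missing row."""
    try:
        conn.execute("DELETE FROM customers WHERE id = ?", (customer_id,))
        conn.commit()
        return True
    except sqlite3.IntegrityError:
        conn.rollback()
        return False


def dangling_orders(conn):
    """Audit query: orders whose customer_id references no customer."""
    rows = conn.execute("""
        SELECT o.id FROM orders o
        LEFT JOIN customers c ON c.id = o.customer_id
        WHERE o.customer_id IS NOT NULL AND c.id IS NULL
        ORDER BY o.id""").fetchall()
    return [row[0] for row in rows]


if __name__ == "__main__":
    for enforce in (False, True):
        db = make_db(enforce)
        inserted = insert_order(db, 12, 99, 5)   # customer 99 does not exist
        deleted = delete_customer(db, 1)         # customer 1 still has order 10
        print(f"enforce={enforce}: insert={inserted} delete={deleted} "
              f"dangling={dangling_orders(db)}")
```

With enforcement off, the orphan insert and the delete both succeed and the audit query returns two dangling orders; with enforcement on, the database rejects both operations itself, which is the design-time control question 127 favours over validation code in each application.
...........................................................................................................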
129. Which of the following types of firewalls provide the GREATEST degree and
granularity of control?
A. Screening router
B. Packet filter
C. Application gateway
D. Circuit gateway
The correct answer is:
C. Application gateway
Explanation:
The application gateway is similar to a circuit gateway, but it has a specific proxy for each
service. To handle web traffic it has an HTTP proxy that acts as an intermediary between external
and internal hosts, specifically for HTTP. This means that it not only checks the packet IP
addresses (layer 3) and the ports it is directed to (in this case port 80, layer 4), it also
parses and checks every HTTP command (layer 7). Therefore, it works in a more detailed (granular)
way than the others. A screening router and a packet filter (choices A and B) basically work at
the protocol, service and/or port level, analyzing packets at layers 3 and 4 and not at higher
levels. A circuit gateway (choice D) is based on a proxy or program that acts as an intermediary
between external and internal accesses. This means that, during an external access, instead of a
single connection to the internal server, two connections are established: one from the external
host to the proxy (which constitutes the circuit gateway) and one from the proxy to the internal
server. Layers 3 and 4 (IP and TCP) and some general features of higher protocols are used to
perform these tasks, but the application payload is not interpreted.
...........................................................................................................
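The difference in granularity between a packet filter and an application gateway, as an added example that is not part of the original question bank. Three constructed requests arrive on TCP port 80; the packet filter decides on port alone, while the gateway's HTTP proxy parses the request and applies a per-command policy. The allowed methods, published host and parsing rules are assumptions for illustration.

```python
"""Packet filter (layers 3/4) versus application gateway (layer 7) decisions (added example)."""

# Constructed payloads as they would arrive on TCP port 80.
GET_REQ = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
TRACE_REQ = b"TRACE / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
NOT_HTTP = b"SSH-2.0-OpenSSH_9.0\r\n"   # something tunnelled over port 80

# Assumed gateway policy.
ALLOWED_METHODS = {"GET", "HEAD", "POST"}
PUBLISHED_HOSTS = {"www.example.com"}


def packet_filter(src_ip, dst_port, payload):
    """Layers 3 and 4 only: port 80 is open, so anything on it passes.
    The payload is never examined."""
    return dst_port == 80


def parse_http_request(payload):
    """Minimal HTTP/1.x request-line and header parser.
    Returns (method, target, headers) or None if the bytes are not HTTP."""
    try:
        head, _, _ = payload.partition(b"\r\n\r\n")
        lines = head.decode("ascii").split("\r\n")
        method, target, version = lines[0].split(" ")
        if not version.startswith("HTTP/"):
            return None
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        return method, target, headers
    except (UnicodeDecodeError, ValueError):
        return None


def application_gateway(src_ip, dst_port, payload):
    """Layer 7: the HTTP proxy parses each request and applies per-command policy."""
    if dst_port != 80:
        return False
    parsed = parse_http_request(payload)
    if parsed is None:
        return False                          # not HTTP, even though it is on port 80
    method, target, headers = parsed
    if method not in ALLOWED_METHODS:
        return False                          # e.g. TRACE, CONNECT
    if headers.get("host") not in PUBLISHED_HOSTS:
        return False                          # only published virtual hosts
    if ".." in target:
        return False                          # crude path traversal check
    return True


if __name__ == "__main__":
    for name, payload in (("GET", GET_REQ), ("TRACE", TRACE_REQ), ("non-HTTP", NOT_HTTP)):
        print(f"{name:9s} filter={packet_filter('203.0.113.5', 80, payload)} "
              f"gateway={application_gateway('203.0.113.5', 80, payload)}")
```

The packet filter passes all three payloads because they share a destination port; the gateway passes only the well-formed GET to the published host, which is the extra granularity the answer refers to.
...........................................................................................................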
130. In a client-server architecture, a domain name service (DNS) is MOST important,
because it provides the:
A. address of the domain server.
B. resolution service for the name/address.
C. IP addresses for the Internet.
D. domain name system.
The correct answer is:
B. resolution service for the name/address.
Explanation:
DNS is utilized primarily on the Internet for resolution of the name/address of a web site. It is
an Internet service that translates domain names into IP addresses. As names are alphabetic, they
are easier to remember; however, the Internet is based on IP addresses. Every time a domain
name is used, a DNS service must translate the name into the corresponding IP address. DNS is
itself a distributed system of servers: if one DNS server does not know how to translate a
particular domain name, it asks another one, and so on, until the correct IP address is returned.
...........................................................................................................
131. Which of the following tests performed by an IS auditor would be the MOST effective
in determining compliance with an organization's change control procedures?
A. Review software migration records and verify approvals.
B. Identify changes that have occurred and verify approvals.
C. Review change control documentation and verify approvals.
D. Ensure that only appropriate staff can migrate changes into production.
The correct answer is:
B. Identify changes that have occurred and verify approvals.
Explanation:
The most effective method is to determine through code comparisons (comparing what is in
production with an approved baseline) which changes have actually been made, and then verify that
each of them was approved. Change control records and software migration records may not list
every change, so reviewing them alone can miss unrecorded changes. Ensuring that only appropriate
staff can migrate changes into production is a key control, but in itself does not verify
compliance.
...........................................................................................................
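The code-comparison test from the answer, as an added example that is not part of the original question bank: production sources are fingerprinted and compared with the approved baseline, and each change found is then looked up in the change records. The two file sets, the hash function choice and the approval record format are constructed for illustration; in practice the baseline would come from the release repository and the approvals from the change management system.

```python
"""Identify changes by code comparison, then verify approvals (added example)."""
import hashlib

# Constructed snapshot of the approved baseline and of what is actually in production.
BASELINE = {
    "app/payroll.py": b"def net_pay(gross, tax):\n    return gross - tax\n",
    "app/report.py": b"def report():\n    return 'ok'\n",
}
PRODUCTION = {
    "app/payroll.py": b"def net_pay(gross, tax):\n    return gross - tax + 5\n",  # modified
    "app/report.py": b"def report():\n    return 'ok'\n",                         # unchanged
    "app/hotfix.py": b"print('patched')\n",                                        # new file
}
# Constructed change records: which files each approved change request covers.
APPROVED_CHANGES = {"CR-1042": {"app/hotfix.py"}}


def fingerprint(files):
    """SHA-256 of each file's content, keyed by path."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def detect_changes(baseline, production):
    """Compare fingerprints and classify every difference."""
    base, prod = fingerprint(baseline), fingerprint(production)
    return {
        "changed": sorted(p for p in prod if p in base and prod[p] != base[p]),
        "added": sorted(p for p in prod if p not in base),
        "removed": sorted(p for p in base if p not in prod),
    }


def unapproved_changes(baseline, production, approvals):
    """Paths that differ from the baseline but appear in no approved change request."""
    approved = set().union(*approvals.values()) if approvals else set()
    diff = detect_changes(baseline, production)
    touched = diff["changed"] + diff["added"] + diff["removed"]
    return sorted(p for p in touched if p not in approved)


if __name__ == "__main__":
    print("differences :", detect_changes(BASELINE, PRODUCTION))
    print("unapproved  :", unapproved_changes(BASELINE, PRODUCTION, APPROVED_CHANGES))
```

Starting from what is actually deployed, rather than from the change log, is what makes the payroll modification visible here: it appears in no change record, which is precisely the case a record-only review would never surface.
...........................................................................................................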
132. To determine which users can gain access to the privileged supervisory state, which of
the following should an IS auditor review?
A. System access log files
B. Enabled access control software parameters
C. Logs of access control violations
D. System configuration files for control options used
The correct answer is:
D. System configuration files for control options used
Explanation:
A review of the system configuration files for the control options used would show which users
can enter the privileged supervisory state. System access log files and logs of access violations
are detective in nature: they show what has already happened, not who is able to do it. Access
control software runs under the operating system, and its parameters govern access to resources
rather than entry to the supervisory state itself.
...........................................................................................................
133. A universal serial bus (USB) port:
A. connects the network without a network card.
B. connects the network with an Ethernet adapter.
C. replaces all existing connections.
D. connects the monitor.
The correct answer is:
B. connects the network with an Ethernet adapter.
Explanation:
The USB port connects the network without having to install a separate network interface card
inside a computer by using a USB Ethernet adapter.
...........................................................................................................
134. Which of the following BEST reduces the ability of one device to capture the packets
that are meant for another device?
A. Filters
B. Switches
C. Routers
D. Firewalls
The correct answer is:
B. Switches
Explanation:
Switches provide only a basic level of network security: they forward a frame only to the port of
the device to which it is addressed, rather than to every port as a hub does. This reduces the
ability of one device to capture the packets that are meant for another device. Filters allow for
some basic isolation of network traffic based on destination addresses. Routers allow packets to
be given or denied access based on the addresses of the sender and receiver and the type of
packet. Firewalls are a collection of computer and network equipment used to allow communications
to flow out of the organization and restrict communications flowing into the organization.
...........................................................................................................
135. A company is implementing a dynamic host configuration protocol (DHCP). Given
that the following conditions exist, which represents the GREATEST concern?
A. Most employees use laptops.
B. A packet filtering firewall is used.
C. The IP address space is smaller than the number of PCs.
D. Access to a network port is not restricted.
The correct answer is:
D. Access to a network port is not restricted.
Explanation:
Given physical access to a port, anyone can connect to the internal network. The other choices do
not present the exposure that access to a port does. DHCP provides convenience (an advantage)
to the laptop users. Sharing IP addresses and the existence of a firewall can be security measures.
...........................................................................................................