1

An accuracy measure for a biometric system is:

False acceptance rate

After reviewing its business processes, a large organization is deploying a new web application based on
a Voice-over Internet control Protocol technology. Which of the following is the MOST appropriate
approach for implementing access control that will facilitate security management of the VoIP web
application?

Role-Based Access Control

The BEST filter rule for protecting a network from being used as an amplifier in a denial-of-service attack
is to deny all:

outgoing traffic with source addresses external to the network.

The BEST overall quantitative measure of the performance of biometric control devices is

equal-error rate.

Q
A business application system accesses a corporate database using a single ID and password embedded
in a program. Which of the following would provide efficient access control over the organization’s
data?

Apply role- based permissions within the application system.

A certificate authority (CA) can delegate the processes of:

establishing a link between the requesting entity and its public key.

A characteristic of User Datagram Protocol in network communications is

packets may arrive out of order.

A company has decided to implement an electronic signature scheme based on a public key
infrastructure. The user’s private key will be stored on the computer’s hard drive and protected by a
password. The MOST significant risk of this approach is::

use of the user’s electronic signature by another person if the password is compromised.

A company is implementing a Dynamic Host Configuration Protocol. Given that the following conditions
exist, which represents the GREATEST concern?

A
Access to a network port is not restricted.

10

A company is planning to install a network-based intrusion detection system to protect the web site that
it hosts. Where should the device be installed?

In the demilitarized zone

11

Company XYZ has outsourced production support to service provider ABC located in another country.
The ABC service provider personnel remotely connect to the corporate network of the XYZ outsourcing
entity over the Internet. Which of the following would BEST provide assurance that transmission of
information is secure while the production support team at ABC is providing support to XYZ?

Virtual private network tunnel

12

Company XYZ has outsourced production support to service provider ABC located in another country.
The ABC service provider personnel remotely connect to the corporate network of the XYZ outsourcing
entity over the Internet. Which of the following would provide the BEST assurance that only authorized
users of ABC connect over the Internet for production support to XYZ?

Two-factor authentication

13

Confidentiality of the data transmitted in a wireless local area network is BEST protected if the session is

encrypted using dynamic keys.

14

Confidentiality of transmitted data can best be delivered by encrypting the

session key with the receiver’s public key.

15

A consulting firm has created a File Transfer Protocol (FTP) site for the purpose of receiving financial
data and has communicated the site’s address, user ID and password to the financial services company
in separate email messages. The company is to transmit its data to the FTP site after manually
encrypting the data. The IS auditor’s GREATEST concern with this process is that

the users may not remember to manually encrypt the data before transmission.

16

The cryptographic hash sum of a message is recalculated by the receiver. This is to ensure:

the integrity of data transmitted by the sender.

17

A digital signature contains a message digest to

show if the message has been altered after transmission.

18

Digital signatures require the

A
signer to have a private key and the receiver to have a public key

19

Distributed denial-of-service attacks on Internet sites are typically evoked by hackers using which of the
following?

Botnets

20

During a logical access controls review, an IS auditor observes that user accounts are shared. The
GREATEST risk resulting from this situation is that

user accountability may not be established.

21

During a logical access controls review, an IS auditor observes that user accounts are shared. The
GREATEST risk resulting from this situation is that

user accountability is not established.

22

During an access control review for a mainframe application, an IS auditor discovers user security groups
without designated owners. The PRIMARY reason that this is a concern to the IS auditor is that without
ownership, there is no one with clear responsibility for

approval of user access.

23
Q

During an audit of an enterprise that is dedicated to e- commerce, the IS manager states that digital
signatures are used when receiving communications from customers. To substantiate this, an IS auditor
must prove that which of the following is used?:

A hash of the data that is transmitted and encrypted with the customer’s private key

24

During an audit of a telecommunications system, an IS auditor finds that the risk of intercepting data
transmitted to and from remote sites is very high. The MOST effective control for reducing this exposure
is

encryption.

25

During an IS risk assessment of a healthcare organization regarding protected healthcare information

(PHI), an IS auditor interviews IS management. Which of the following findings from the interviews
would be of MOST concern to the IS auditor?

Staff have to type “[PHI]” in the subject field of email messages to be encrypted.

26

During an IS audit of a bank, the IS auditor is assessing whether the enterprise properly manages staff
member access to the operating system. The IS auditor should determine whether the enterprise
performs:

periodic review of user activity logs.

27

Q
During the review of a biometrics system operation, an IS auditor should FIRST review the stage of:

enrollment.

28

Email message authenticity and confidentiality is BEST achieved by signing the message using the:

sender’s private key and encrypting the message using the receiver’s public key.

29

The feature of a digital signature that ensures the sender cannot later deny generating and sending the
message is called:

nonrepudiation.

30

A firewall is being deployed at a new location. Which of the following is the MOST important factor in
ensuring a successful deployment?

Testing and validating the rules

31

The FIRST step in data classification is to:

establish ownership.

32
Q

From a control perspective, the PRIMARY objective of classifying information assets is to:

establish guidelines for the level of access controls that should be assigned.

33

The GREATEST benefit of having well- defined data classification policies and procedures is:

a decreased cost of controls.

34

A hotel has placed a PC in the lobby to provide guests with Internet access. Which of the following
presents the GREATEST risk for identity theft?

Session time out is not activated.

35

A human resources company offers wireless Internet access to its guests, after authenticating with a
generic user ID and password. The generic ID and password are requested from the reception desk.
Which of the following controls BEST addresses the situation?

The public wireless network is physically segregated from the company network.

36

The implementation of access controls FIRST requires:

an inventory of IS resources.
37

In an online banking application, which of the following would BEST protect against identity theft?

Two-factor authentication

38

In an organization where an IT security baseline has been defined, an IS auditor should FIRST ensure:

sufficiency.

39

In a public key infrastructure, a registration authority:

verifies information supplied by the subject requesting a certificate.

40

In a small organization, an employee performs computer operations and, when the situation demands,
program modifications. Which of the following should the IS auditor recommend?

Procedures that verify that only approved program changes are implemented

41

The information security policy that states “each individual must have his/her badge read at every
controlled door” addresses which of the following attack methods?

A
Piggybacking

42

An internal audit function is reviewing an internally developed common gateway interface script for a
web application. The IS auditor discovers that the script was not reviewed and tested by the quality
control function. Which of the following types of risk is of GREATEST concern?

Unauthorized access

43

n transport mode, the use of the Encapsulating Security Payload protocol is advantageous over the
authentication header protocol because it provides:

confidentiality.

44

In what capacity would an IS auditor MOST likely see a hash function applied?

Authentication

45

In wireless communication, which of the following controls allows the receiving device to verify that the
received communications have not been altered in transit?

The use of cryptographic hashes

46

Q
An IS auditor discovers that the chief information officer (CIO) of an organization is using a wireless
broadband modem using global system for mobile communications (GSM) technology. This modem is
being used to connect the CIO’s laptop to the corporate virtual private network when the CIO travels
outside of the office. The IS auditor should:

do nothing because the inherent security features of GSM technology are appropriate.

47

An IS auditor discovers that the configuration settings for password controls are more stringent for
business users than for IT developers. Which of the following is the BEST action for the IS auditor to
take?

Determine whether this is a policy violation and document it.

48

An IS auditor evaluating logical access controls should FIRST:

obtain an understanding of the security risk to information processing.

49

An IS auditor finds that conference rooms have active network ports. Which of the following would
prevent this discovery from causing concern?

This part of the network is isolated from the corporate network.

50

An IS auditor inspected a windowless room containing phone switching and networking equipment and
documentation binders. The room was equipped with two handheld fire extinguishers—one filled with
carbon dioxide (CO2), the other filled with halon. Which of the following should be given the HIGHEST
priority in the IS auditor’s report?

Both fire suppression systems present a risk of suffocation when used in a closed room.

51

An IS auditor is assessing a biometric system used to protect physical access to a data center containing
regulated data. Which of the following observations is the GREATEST concern to the auditor?

Data transmitted between the biometric scanners and the access control system do not use a securely
encrypted tunnel.

52

An IS auditor is conducting a postimplementation review of an enterprise’s network. Which of the

following findings would be of MOST concern?

Default passwords are not changed when installing network devices.

53

An IS auditor is evaluating a virtual machine (VM)-based architecture used for all programming and
testing environments. The production architecture is a three-tier physical architecture. What is the
MOST important IT control to test to ensure availability and confidentiality of the web application in
production?

Server configuration has been hardened appropriately.

54

Q
An IS auditor is reviewing access controls for a manufacturing organization. During the review, the IS
auditor discovers that data owners have the ability to change access controls for a low-risk application.
The BEST course of action for the IS auditor is to:

not report this issue because discretionary access controls are in place.

55

An IS auditor is reviewing a manufacturing company and finds that mainframe users at a remote site
connect to the mainframe at headquarters over the Internet via Telnet. Which of the following offers
the STRONGEST security?

Useofa point-to- point leased line

56

An IS auditor is reviewing a new web-based order entry system the week before it goes live. The IS
auditor has identified that the application, as designed, may be missing several critical controls
regarding how the system stores customer credit card information. The IS auditor should FIRST:

verify that security requirements have been properly specified in the project plan.

57

An IS auditor is reviewing an organization’s controls related to email encryption. The company’s policy
states that all sent email must be encrypted to protect the confidentiality of the message because the
organization shares nonpublic information through email. In a public key infrastructure implementation
properly configured to provide confidentiality. email is:

encrypted with the recipient’s public key and decrypted with the recipient’s private key.

58

Q
The IS auditor is reviewing an organization’s human resources (HR) database implementation. The IS
auditor discovers that the database servers are clustered for high availability, all default database
accounts have been removed and database audit logs are kept and reviewed on a weekly basis. What
other area should the IS auditor check to ensure that the databases are appropriately secured?

Database initialization parameters are appropriate.

59

An IS auditor is reviewing an organization’s network operations center (NOC). Which of the following
choices is of the GREATEST concern? The use of:

a carbon dioxide- based fire suppression system.

60

An IS auditor is reviewing a software-based firewall configuration. Which of the following represents the
GREATEST vulnerability?

Installation on an operating system configured with default settings.

61

An IS auditor is reviewing a third-party agreement for a new cloud-based accounting service provider.
Which of the following considerations is the MOST important with regard to the privacy of the
accounting data?

Return or destruction of information

62

The IS auditor is reviewing findings from a prior IT audit of a hospital. One finding indicates that the
organization was using email to communicate sensitive patient issues. The IT manager indicates that to
address this finding, the organization has implemented digital signatures for all email users. What should
the IS auditor’s response be?

Digital signatures are not adequate to protect confidentiality.

63

An IS auditor is reviewing Secure Sockets Layer enabled web sites for the company. Which of the
following choices would be the HIGHEST risk?

Self-signed digital certificates

64

An IS auditor is reviewing system access and discovers an excessive number of users with privileged
access. The IS auditor discusses the situation with the system administrator, who states that some
personnel in other departments need privileged access and management has approved the access.
Which of the following would be the BEST course of action for the IS auditor?

Determine whether compensating controls are in place.

65

The IS auditor is reviewing the implementation of a storage area network (SAN). The SAN administrator
indicates that logging and monitoring is active, hard zoning is used to isolate data from different
business units and all unused SAN ports are disabled. The administrator implemented the system,
performed and documented security testing during implementation, and is the only user with
administrative rights to the system. What should the IS auditor’s initial determination be?

The SAN administrator presents a potential risk.

66

Q
An IS auditor is reviewing the network infrastructure of a call center and determines that the internal
telephone system is based on Voice-over Internet Protocol technology. Which of the following is the
GREATEST concern?

Ethernet switches are not protected by uninterrupted power supply units.

67

An IS auditor is reviewing the physical security controls of a data center and notices several areas for
concern. Which of the following areas is the MOST important?

The emergency exit door is blocked.

68

An IS auditor is reviewing the physical security measures of an organization. Regarding the access card
system, the IS auditor should be MOST concerned that:

nonpersonalized access cards are given to the cleaning staff, who use a sign- in sheet but show no proof
of identity.

69

An IS auditor performing an audit has determined that developers have been granted administrative
access to the virtual machine management console to manage their own servers used for software
development and testing. Which of the following choices would be of MOST concern for the IS auditor?

Developers have the ability to create or de- provision servers.

70

An IS auditor performing an audit of the newly installed Voice-over Internet Protocol system was
inspecting the wiring closets on each floor of a building. What would be the GREATEST concern?
A

The local area network (LAN) switches are not connected to uninterruptible power supply units.

71

An IS auditor performing a telecommunication access control review should be concerned PRIMARILY

with the:

authorization and authentication of the user prior to granting access to system resources.

72

An IS auditor performing detailed network assessments and access control reviews should FIRST:

determine the points of entry into the network.

73

An IS auditor reviewing access controls for a client-server environment should FIRST:

identify the network access points.

74

An IS auditor reviewing a cloud computing environment that is managed by a third party should be
MOST concerned when:

the service level agreement does not address the responsibility of the vendor in the case of a security
breach.

75

Q
An IS auditor reviewing the authentication controls of an organization should be MOST concerned if:

system administrators use shared login credentials.

76

An IS auditor reviewing wireless network security determines that the Dynamic Host Configuration
Protocol is disabled at all wireless access points. This practice:

reduces the risk of unauthorized access to the network.

77

The IS management of a multinational company is considering upgrading its existing virtual private
network to support Voice-over Internet Protocol communication via tunneling. Which of the following
considerations should be PRIMARILY addressed?

Reliability and quality of service

78

IS management recently replaced its existing wired local area network with a wireless infrastructure to
accommodate the increased use of mobile devices within the organization. This will increase the risk of
which of the following attacks?

War driving

79

An IT auditor is reviewing an organization’s information security policy, which requires encryption of all
data placed on universal serial bus (USB) drives. The policy also requires that a specific encryption
algorithm be used. Which of the following algorithms would provide the greatest assurance that data
placed on USB drives is protected from unauthorized disclosure?
A

Advanced Encryption Standard

80

Java applets and Active X controls are distributed programs that execute in the background of a client
web browser. This practice is considered reasonable when:

the source of the executable file is certain.

81

A key IT systems developer has suddenly resigned from an enterprise. Which of the following will be the
MOST important action?

Terminate the developer’s logical access to IT resources.

82

A laptop computer belonging to a company database administrator (DBA) and containing a file of
production database passwords has been stolen. What should the organization do FIRST?

Change the database password.

83

The MOST effective biometric control system is the one with:

the lowest equal-error rate.

84

Q
The MOST important difference between hashing and encryption is that hashing:

is irreversible.

85

The MOST serious challenge in the operation of an intrusion detection system is:

Study These Flashcards

filtering false positive alerts.

86

A new business application has been designed in a large, complex organization and the business owner
has requested that the various reports be viewed on a “need to know” basis. Which of the following
access control methods would be the BEST method to achieve this requirement?

Study These Flashcards

Role-based

87

A new business application requires deviation from the standard configuration of the operating system
(OS). What activity should the IS auditor recommend to the security manager as a FIRST response?

Study These Flashcards

Assessment of the risk and identification of compensating controls

88

Q
An online stock trading firm is in the process of implementing a system to provide secure email
exchange with its customers. What is the BEST option to ensure confidentiality, integrity and
nonrepudiation?

Study These Flashcards

Digital certificates

89

An organization allows for the use of universal serial bus drives to transfer operational data between
offices. Which of the following is the GREATEST risk associated with the use of these devices?

Study These Flashcards

Theft of the devices

90

An organization can ensure that the recipients of emails from its employees can authenticate the
identity of the sender by:

Study These Flashcards

digitally signing all email messages.

91

An organization has created a policy that defines the types of web sites that users are forbidden to
access. What is the MOST effective technology to enforce this policy?

Study These Flashcards

Web content filter

92

An organization has established a guest network for visitor access. Which of the following should be of
GREATEST concern to an IS auditor?

Study These Flashcards

The guest network is not segregated from the production network.

93

An organization has experienced a large amount of traffic being re-routed from its Voice-over Internet
Protocol packet network. The organization believes it is a victim of eavesdropping. Which of the
following could result in eavesdropping of VoIP traffic?

Study These Flashcards

Corruption of the Address Resolution Protocol cache in Ethernet switches

94

An organization has requested that an IS auditor provide a recommendation to enhance the security and
reliability of its Voice-over Internet Protocol (VoIP) system and data traffic. Which of the following would
meet this objective?

Study These Flashcards

VoIP infrastructure needs to be segregated using virtual local area networks.

95

An organization is considering connecting a critical PC-based system to the Internet. Which of the
following would provide the BEST protection against hacking?

Study These Flashcards

A

An application- level gateway

96

An organization is developing a new web-based application to process orders from customers. Which of
the following security measures should be taken to protect this application from hackers?

Study These Flashcards

Perform a web application security review.

97

An organization is planning to deploy an outsourced cloud-based application that is used to track job
applicant data for the human resources department. Which of the following should be the GREATEST
concern to an IS auditor?

Study These Flashcards

The cloud provider’s data centers are in multiple cities and countries.

98

An organization is planning to replace its wired networks with wireless networks. Which of the following
would BEST secure the wireless network from unauthorized access?

Study These Flashcards

Implement Wi- Fi Protected Access 2.

99

Q
An organization is proposing to establish a wireless local area network (WLAN). Management asks the IS
auditor to recommend security controls for the WLAN. Which of the following would be the MOST
appropriate recommendation?

Study These Flashcards

Physically secure wireless access points to prevent tampering.

100

An organization is reviewing its contract with a cloud computing provider. For which of the following
reasons would the organization want to remove a lock-in clause from the cloud service contract?

Study These Flashcards

Portability

101

An organization provides information to its supply chain partners and customers through an extranet
infrastructure. Which of the following should be the GREATEST concern to an IS auditor reviewing the
firewall security architecture?

Study These Flashcards

The firewall is placed on top of the commercial operating system with all default installation options.

102

An organization’s IT director has approved the installation of a wireless local area network access point
in a conference room for a team of consultants to access the Internet with their laptop computers. The
BEST control to protect the corporate servers from unauthorized access is to ensure that:

Study These Flashcards

A
the conference room network isona separate virtual local area network.

103

An organization stores and transmits sensitive customer information within a secure wired network. It
has implemented an additional wireless local area network (WLAN) to support general-purpose staff
computing needs. A few employees with WLAN access have legitimate business reasons for also
accessing customer information. Which of the following represents the BEST control to ensure
separation of the two networks?

Study These Flashcards

Install a firewall between the networks.

104

An organization with extremely high security requirements is evaluating the effectiveness of biometric
systems. Which of the following performance indicators is MOST important?

Study These Flashcards

False- acceptance rate

105

Over the long term, which of the following has the greatest potential to improve the security incident
response process?

Study These Flashcards

Simulation exercises performed by incident response team

106

Q
The potential for unauthorized system access by way of terminals or workstations within an
organization’s facility is increased when:

Study These Flashcards

connecting points are available in the facility to connect laptops to the network.

107

The PRIMARY goal of a web site certificate is:

Study These Flashcards

authentication of the web site that will be surfed.

108

The PRIMARY purpose of installing data leak prevention software is to:

Study These Flashcards

control confidential documents leaving the internal network.

109

The PRIMARY reason for using digital signatures is to ensure data:

Study These Flashcards

integrity.

110

The purpose of a mantrap controlling access to a computer facility is PRIMARILY to:

Study These Flashcards

prevent piggybacking.

111

The review of router access control lists should be conducted during:

Study These Flashcards

a network security review.

112

A review of wide area network (WAN) usage discovers that traffic on one communication line between
sites, synchronously linking the master and standby database, peaks at 96 percent of the line capacity.
An IS auditor should conclude that:

Study These Flashcards

analysis is required to determine if a pattern emerges that results in a service loss for a short period of
time.

113

The risk of dumpster diving is BEST mitigated by:

Study These Flashcards

implementing security awareness training.

114

The role of the certificate authority (CA) as a third party is to:

Study These Flashcards

confirm the identity of the entity owning a certificate issued by that CA.

115

The Secure Sockets Layer protocol ensures the confidentiality of a message by using:

Study These Flashcards

symmetric encryption.

116

Security administration procedures require read-only access to:

Study These Flashcards

security log files.

117

The technique used to ensure security in virtual private networks is called:

Study These Flashcards

data encapsulation.

118

There is a concern that the risk of unauthorized access may increase after implementing a single sign-on
process. To prevent unauthorized access, the MOST important action is to:

Study These Flashcards

A

mandate a strong password policy.

119

This question refers to the following diagram.

Email traffic from the Internet is routed via firewall-1 to the mail gateway. Mail is routed from the mail
gateway, via firewall- 2, to the mail recipients in the internal network. Other traffic is not allowed. For
example, the firewalls do not allow direct traffic from the Internet to the internal network. The intrusion
detection system (IDS) detects traffic for the internal network that did not originate from the mail
gateway. The FIRST action triggered by the IDS should be to:

Study These Flashcards

create an entry in the log.

120

his question refers to the following diagram.

To detect attack attempts that the firewall is unable to recognize, an IS auditor should recommend
placing a network intrusion detection system between the:

Study These Flashcards

firewall and the organization’s network.

121

To ensure that an organization is complying with privacy requirements, an IS auditor should FIRST
review:

Study These Flashcards

legal and regulatory requirements.

122

To protect a Voice-over Internet Protocol infrastructure against a denial-of-service attack, it is MOST

important to secure the:

Study These Flashcards

session border controllers.

123

A Transmission Control Protocol/Internet Protocol (TCP/IP)-based environment is exposed to the

Internet. Which of the following BEST ensures that complete encryption and authentication protocols
exist for protecting information while transmitted?

Study These Flashcards

Work is completed in tunnel mode with IP security.

124

Two-factor authentication can be circumvented through which of the following attacks?

Study These Flashcards

War driving

125

The use of digital signatures:

Study These Flashcards

validates the source of a message.

126

The use of residual biometric information to gain unauthorized access is an example of which of the
following attacks?

Study These Flashcards

Replay

127

Validated digital signatures in an email software application will:

Study These Flashcards

help detect spam.

128

What is a risk associated with attempting to control physical access to sensitive areas such as computer
rooms using card keys or locks?

Study These Flashcards

Unauthorized individuals wait for controlled doors to open and walk in behind those authorized.

129

What is the MOST prevalent security risk when an organization implements remote virtual private
network (VPN) access to its network?

Study These Flashcards

Malicious code could be spread across the network.

130

What method might an IS auditor use to test wireless security at branch office locations?

Study These Flashcards

War driving

131

When auditing a role-based access control system, the IS auditor noticed that some IT security
employees have system administrator privileges on some servers, which allows them to modify or
delete transaction logs. Which would be the BEST recommendation that the IS auditor should make?

Study These Flashcards

Write transaction logs in real time to Write Once and Read Many drives.

132

When auditing security for a data center, an IS auditor should look for the presence of a voltage
regulator to ensure that the:

Study These Flashcards

hardware is protected against power surges.

133

When planning an audit of a network setup, an IS auditor should give HIGHEST priority to obtaining
which of the following network documentation?

Study These Flashcards

A
Wiring and schematic diagram

134

When protecting an organization’s IT systems, which of the following is normally the next line of defense
after the network firewall has been compromised?

Study These Flashcards

Intrusion detection system

135

When reviewing a digital certificate verification process, which of the following findings represents the
MOST significant risk?

Study These Flashcards

The certificate revocation list is not current.

136

When reviewing an intrusion detection system, an IS auditor should be MOST concerned about which of
the following?

Study These Flashcards

Low coverage of network traffic

137

When reviewing an organization’s logical access security to its remote systems, which of the following
would be of GREATEST concern to an IS auditor?

Study These Flashcards

A

Unencrypted passwords are used.

138

When reviewing the configuration of network devices, an IS auditor should FIRST identify:

Study These Flashcards

the importance of the network devices in the topology.

139

When reviewing the implementation of a local area network, an IS auditor should FIRST review the:

Study These Flashcards

network diagram.

140

When reviewing the procedures for the disposal of computers, which of the following should be the
GREATEST concern for the IS auditor?

Study These Flashcards

All files and folders on hard disks are separately deleted, and the hard disks are formatted before leaving
the organization.

141

When transmitting a payment instruction, which of the following will help verify that the instruction was
not duplicated?

Study These Flashcards

A

Using a sequence number and time stamp

142

When using a digital signature, the message digest is computed by the:

Study These Flashcards

sender and receiver both.

143

When using public key encryption to secure data being transmitted across a network:

Study These Flashcards

the key used to encrypt is public, but the key used to decrypt the data is private.

144

Which control is the BEST way to ensure that the data in a file have not been changed during
transmission?

Study These Flashcards

Hash values

145

Which of the following antispam filtering methods has the LOWEST possibility of false-positive alerts?

Study These Flashcards

A
Check-sum based

146

Which of the following BEST describes the role of a directory server in a public key infrastructure?

Study These Flashcards

Makes other users’ certificates available to applications

147

Which of the following BEST encrypts data on mobile devices?

Study These Flashcards

Elliptical curve cryptography

148

Which of the following BEST ensures the integrity of a server’s operating system?

Study These Flashcards

Hardening the server configuration

149

Which of the following BEST limits the impact of server failures in a distributed environment?

Study These Flashcards

Clustering
150

Which of the following choices BEST helps information owners to properly classify data?

Study These Flashcards

Training on organizational policies and standards

151

Which of the following choices is the MOST effective control that should be implemented to ensure
accountability for application users accessing sensitive data in the human resource management system
(HRMS) and among interfacing applications to the HRMS?

Study These Flashcards

Audit trails

152

Which of the following components is responsible for the collection of data in an intrusion detection
system?

Study These Flashcards

Sensor

153

Which of the following controls will MOST effectively detect the presence of bursts of errors in network
transmissions?

Study These Flashcards

A
Cyclic redundancy check

154

Which of the following controls would BEST detect intrusion?

Study These Flashcards

Unsuccessful logon attempts are monitored by the security administrator.

155

Which of the following controls would be the MOST comprehensive in a remote access network with
multiple and diverse subsystems?

Study These Flashcards

Virtual private network

156

Which of the following cryptography options would increase overhead/cost?

Study These Flashcards

A long asymmetric encryption key is used.

157

Which of the following environmental controls is appropriate to protect computer equipment against
short-term reductions in electrical power?

Study These Flashcards

A
Power line conditioners

158

Which of the following exposures associated with the spooling of sensitive reports for offline printing
should an IS auditor consider to be the MOST serious?

Study These Flashcards

Unauthorized report copies might be printed.

159

Which of the following features of a public key infrastructure is MOST closely associated with proving
that an online transaction was authorized by a specific customer?

Study These Flashcards

Nonrepudiation

160

Which of the following findings would be of GREATEST concern to an IS auditor during a review of logical
access to an application?

Study These Flashcards

The file storing the application ID password is in cleartext in the production code.

161

Which of the following functions is performed by a virtual private network?

Study These Flashcards

A
Hiding information from sniffers on the net

162

Which of the following groups would create MOST concern to an IS auditor if they have full access to the
production database?

Study These Flashcards

Application developers

163

Which of the following intrusion detection systems will MOST likely generate false alarms resulting from
normal network activity?

Study These Flashcards

Statistical-based

164

Which of the following is a form of two-factor user authentication?

Study These Flashcards

A smart card and personal identification number

165

Which of the following is an advantage of elliptic curve encryption over RSA encryption?

Study These Flashcards

A
Computation speed

166

Which of the following is an effective preventive control to ensure that a database administrator
complies with the custodianship of the enterprise’s data?

Study These Flashcards

Segregation of duties

167

Which of the following is an example of the defense in-depth security principle?

Study These Flashcards

Using a firewall as well as logical access controls on the hosts to control incoming network traffic

168

Which of the following is an object- oriented technology characteristic that permits an enhanced degree
of security over data?

Study These Flashcards

Encapsulation

169

Which of the following is BEST suited for secure communications within a small group?

Study These Flashcards

A
Web of trust

170

Which of the following is the BEST audit procedure to determine if a firewall is configured in compliance
with an organization’s security policy?

Study These Flashcards

Review the parameter settings.

171

Which of the following is the BEST control over a guest wireless ID that is given to vendor staff?

Study These Flashcards

Assignment of a renewable user ID which expires daily

172

Which of the following is the BEST control to prevent the deletion of audit logs by unauthorized
individuals in an organization?

Study These Flashcards

Only select personnel should have rights to view or delete audit logs.

173

Which of the following is the BEST way to minimize unauthorized access to unattended end-user PC
systems?

Study These Flashcards

A
Enforce use of a password- protected screen saver

174

Which of the following is the GREATEST concern associated with the use of peer-to-peer computing?

Study These Flashcards

Data leakage

175

Which of the following is the MOST effective control for restricting access to unauthorized Internet sites
in an organization?

Study These Flashcards

Routing outbound Internet traffic through a content-filtering proxy server

176

Which of the following is the MOST effective control over visitor access to a data center?

Study These Flashcards

Visitors are escorted.

177

Which of the following is the MOST effective control when granting temporary access to vendors?

Study These Flashcards

User accounts are created with expiration dates and are based on services provided.
178

Which of the following is the MOST important security consideration to an organization that wants to
move a business application to external cloud service (PaaS) provided by a vendor?

Study These Flashcards

Classification and categories of data process by the application.

179

Which of the following is the MOST reliable form of single factor personal identification?

Study These Flashcards

Iris scan

180

Which of the following is the MOST reliable method to ensure identity of sender for messages
transferred across Internet?

Study These Flashcards

Digital certificates

181

Which of the following is the MOST secure and economical method for connecting a private network
over the Internet in a small- to medium-sized organization?

Study These Flashcards

Virtual private network

182

Which of the following is the MOST secure way to remove data from obsolete magnetic tapes during a
disposal?

Study These Flashcards

Degaussing the tapes

183

Which of the following is the MOST significant function of a corporate public key infrastructure and
certificate authority employing X.509 digital certificates?

Study These Flashcards

It binds a digital certificate and its public key to an individual subscriber’s identity.

184

Which of the following is the responsibility of information asset owners?

Study These Flashcards

Assignment of criticality levels to data

185

Which of the following line media would provide the BEST security for a telecommunication network?

Study These Flashcards

Dedicated lines
186

Which of the following manages the digital certificate life cycle to ensure adequate security and controls
exist in digital signature applications related to e- commerce?

Study These Flashcards

Certificate authority

187

Which of the following network components is PRIMARILY set up to serve as a security measure by
preventing unauthorized traffic between different segments of the network?

Study These Flashcards

Firewalls

188

Which of the following preventive controls BEST helps secure a web application?

Study These Flashcards

Developer training

189

Which of the following provides the GREATEST assurance for database password encryption?

Study These Flashcards

Advanced encryption standard

190

Which of the following provides the MOST relevant information for proactively strengthening security
settings?

Study These Flashcards

Honeypot

191

Which of the following public key infrastructure (PKI) elements describes procedure for disabling a
compromised private key?

Study These Flashcards

Certification practice statement

192

Which of the following should an IS auditor be MOST concerned about in a financial application?

Study These Flashcards

Programmers have access to the production database.

193

Which of the following should be a concern for an IS auditor reviewing an organization’s cloud
computing strategy which is based on a software as a service (SaaS) model with an external provider?

Study These Flashcards

Incident handling procedures with the provider are not well defined.
194

Which of the following types of firewalls provide the GREATEST degree and granularity of control?

Study These Flashcards

Application gateway

195

Which of the following types of firewalls would BEST protect a network from an Internet attack?

Study These Flashcards

Screened subnet firewall

196

Which of the following types of penetration tests simulates a real attack and is used to test incident
handling and response capability of the target?

Study These Flashcards

Double-blind testing

197

Which of the following types of transmission media provide the BEST security against unauthorized
access?

Study These Flashcards

Fiber-optic cables
198

Which of the following will BEST maintain the integrity of a firewall log?

Study These Flashcards

Sending log information to a dedicated third- party log server

199

Which of the following would an IS auditor consider a weakness when performing an audit of an
organization that uses a public key infrastructure with digital certificates for its business- to-consumer
transactions via the Internet?

Study These Flashcards

The organization is the owner of the CA.

200

Which of the following would be BEST prevented by a raised floor in the computer machine room?

Study These Flashcards

Damage of wires around computers and servers

201

Which of the following would be of MOST concern to an IS auditor reviewing a virtual private network
implementation? Computers on the network that are located:

Study These Flashcards

in employees’ homes.
202

Which of the following would BEST ensure continuity of a wide area network across the organization?

Study These Flashcards

Built-in alternative routing

203

Which of the following would be the BEST access control procedure?

Study These Flashcards

The data owner formally authorizes access and an administrator implements the user authorization
tables.

204

Which of the following would be the BEST overall control for an Internet business looking for
confidentiality, reliability and integrity of data?

Study These Flashcards

Secure Sockets Layer

205

Which of the following would effectively verify the originator of a transaction?

Study These Flashcards

Digitally signing the transaction with the source’s private key

206

Which of the following would MOST effectively enhance the security of a challenge-response based
authentication system?

Study These Flashcards

Implementing measures to prevent session hijacking attacks

207

Which one of the following can be used to provide automated assurance that proper data files are being
used during processing?

Study These Flashcards

File header record

208

While auditing an internally developed web application, an IS auditor determines that all business users
share a common access profile. Which of the following is the MOST relevant recommendation to
prevent the risk of unauthorized data modification?

Study These Flashcards

Customize user access profiles per job responsibility.

209

With the help of a security officer, granting access to data is the responsibility of:

Study These Flashcards

A
data owners.