Problem Set 1


Chapter 7 Information Asset Protection: Review Questions

1. What is the best method for an organization to allow its business partners to access the company intranet across the Internet?
   A. Shared virtual private network
   B. Shared leased line
   C. Internet firewall
   D. Network router with MLSP

2. Digital signatures are primarily designed to provide additional protection with electronic messages in order to ensure which of the following?
   A. Message deletion
   B. Message read by unauthorized party
   C. Sender verification
   D. Message modification

3. Internet communication requires more security. To audit Internet security and access control, the IS auditor will first need to examine what?
   A. Validity of password changes
   B. Architecture of the client/server application
   C. Network architecture and design
   D. Virus protection and firewall servers

4. Which of the following is the most appropriate method to ensure confidentiality in data communications?
   A. Secure hash algorithm (SHA-1)
   B. Virtual private network (VPN)
   C. Digital signatures
   D. Digital certificates with public-key encryption

5. What is the most effective method for preventing or limiting the damage caused by a software virus attack?
   A. Access control software configured for restricted setting
   B. Updated virus signatures
   C. Antivirus policies and standards
   D. Data download standards with administrative review

6. What is the primary purpose of a network firewall?
   A. Protect company systems from attack by external systems.
   B. Protect downstream systems from all the internal attacks.
   C. Protect all modem-connected systems from Internet attacks.
   D. Protect attached systems from attacks running through the firewall.

7. Which of the following is the least dependable form of biometrics?
   A. Hand geometry
   B. Facial recognition
   C. Signature analysis
   D. Iris scanning

8. The IS auditor has just completed a review of an organization. Which of the following weaknesses would be considered the most serious?
   A. Lack of separation of duties for critical functions.
   B. Weak password controls without effective policy enforcement.
   C. Business continuity plans include noncritical applications.
   D. Network server is not backed up regularly.

9. What is the purpose of the DMZ (demilitarized zone) concept for Internet communications?
   A. Demilitarized refers to a safe zone that is protected from all Internet attacks.
   B. Subnet that is semiprotected and allows external access.
   C. Protected subnet implemented using a fifth-generation firewall.
   D. Safeguard control for communication allowing access to internal production servers.

10. An e-commerce website needs to be monitored to detect possible hacker activity. What would be the best security component to perform this function?
   A. Third-generation firewall
   B. Honeynet ACL router with built-in sniffer software
   C. Elliptic data encryption for privileged files
   D. Statistical or signature-based detection software

11. The auditee organization decided to implement single sign-on (SSO) for all their users. Their implementation will be using logon IDs and passwords for access control. What situation should they be concerned about?
   A. Password aging must be set to force unique password changes every 30 to 60 days using alphanumeric characters.
   B. The user's system access will have protection; however, password changes will be more difficult because of synchronization issues between servers.
   C. Unauthorized login would have access to the maximum resources available on the network.
   D. The servers will need memory and CPU upgrades to handle the extra workload generated by SSO.

12. What is the primary purpose of intrusion detection systems (IDSs) compared to firewall systems?
   A. A firewall blocks all attacks; IDS informs us if the firewall was successful.
   B. IDS will notify the system administrator at every possible attack that has occurred, whether successful or unsuccessful.
   C. A firewall reports all attacks to the IDS.
   D. IDS logs and notifies the system administrator of any suspected attacks but may not recognize every attack.

13. Which of the following statements is true concerning asymmetric-key cryptography?
   A. The sender and receiver have different keys.
   B. The sender and receiver use the same key.
   C. The sender encrypts the files by using the recipient's private key.
   D. Asymmetric keys cannot be used for digital signatures.

14. The IS auditor is auditing the controls related to employee termination. Which of the following is the most important aspect to be reviewed?
   A. Company staff is notified about the termination.
   B. All login accounts of the employee are terminated.
   C. Details of the employee have been removed from active payroll files.
   D. Company property provided to the employee has been returned.

15. Which is the most important responsibility of the IS security person?
   A. Controlling and monitoring data security policies
   B. Promoting security awareness within the organization
   C. Establishing new procedures for IT and reviewing their legal accuracy
   D. System administration of the servers and database

16. What method provides the best level of access control to confidential data being processed on a local server?
   A. Writing a history of all transaction activity to the system log for auditing.
   B. Processing of sensitive transactions requires a separate login and password.
   C. Application software uses internal access control rules to implement least privilege.
   D. System login access is restricted to particular stations or hours of operation.

17. What is the primary purpose for using database views?
   A. Allow the user access into the database.
   B. Provide a method for generating reports.
   C. Allow the system administrator access to maintain the database.
   D. Restrict the viewing of selected data.
