3.1 : Quiz Logical Access Flashcards
(1) The IS auditor reviews logical access control with the primary objective to:
A. ensure access control software is working properly.
B. ensure access is granted as per the approved structure.
C. protect computer software.
D. protect computer hardware.
Answer: B. ensure access is granted as per the approved structure.
Explanation:
The scope of a logical access control review is primarily to determine whether or not access is
granted per the organization's authorizations. Choices A and C relate to procedures of a logical
access control review rather than to its objectives. Choice D is relevant to a physical access control
review.
(2) During the review of a critical application system, the IS auditor observes that user accounts are shared. The major risk resulting from this situation is that:
A. passwords are changed frequently.
B. outsiders can gain access to the system.
C. passwords are easily guessed.
D. user accountability may not be established.
Answer: D. user accountability may not be established.
Explanation:
If the same user account is shared by multiple employees, it will be difficult to trace a particular
employee's actions through the audit trail. User accountability cannot be established in such a scenario.
(3) Which of the following is the best technique for protecting critical data inside the server?
A. Security awareness
B. Reading the security policy
C. Security committee
D. Logical access controls
Answer: D. Logical access controls
Explanation:
(1) In any given scenario, preference is given to preventive controls over detective or
deterrent controls. Logical access controls are the best preventive controls for ensuring data integrity and
confidentiality.
(2) Awareness itself does not protect against unauthorized access or disclosure of information.
(3) Knowledge of the information systems security policy, which the organization's employees
should have, would help to protect information but would not prevent
unauthorized access to information.
(4) A security committee is key to the protection of information assets, but would address security
issues from a broader perspective.
(4) Which of the following is the BEST logical control mechanism to ensure that users are allowed access
only to those functions needed to perform their duties?
A. Application-level access control
B. Data encryption
C. HTTPS protocol
D. Network monitoring device
Answer: A. Application-level access control
Explanation:
The use of application-level access control programs is a management control that restricts access
by limiting users to only those functions needed to perform their duties.
(5) Which of the following is the MOST important objective of data protection?
A. Current technology trend
B. Ensuring the confidentiality & integrity of information
C. Denying or authorizing access to the IS system
D. Internal processing efficiency
Answer: B. Ensuring the confidentiality of information
Explanation:
Maintaining data confidentiality and integrity is the most important objective of data security. This
is a basic requirement if an organization is to continue as a viable and successful enterprise.
(6) The FIRST step in data classification is to:
A. identify data owners.
B. perform a criticality analysis.
C. define access rules.
D. define firewall rules.
Answer: A. identify data owners.
Explanation:
Data classification is necessary to define access rules on a need-to-do and need-to-know
basis. The data owner is responsible for defining the access rules; hence, establishing ownership is
the first step in data classification.
(7) An IS auditor is reviewing an organization's logical access security. He should be most concerned if:
A. Passwords are shared.
B. Password files are not protected.
C. Resigned employees’ logon IDs are not deleted immediately.
D. Logon IDs are issued centrally.
Answer: B. Password files are not protected.
Explanation:
Unprotected password files represent the greatest risk. Such files should be stored in encrypted
form. The other options are also important, but less so than ensuring that the
password files are encrypted.
(8) An IS auditor is evaluating database-level access control functions. Which of the following access control functions will NOT be in his scope?
A. Creating database profiles for monitoring
B. Authorizing users at the field level
C. Establishing individual accountability
D. Logging database access activities for monitoring access violations
Answer: C. Establishing individual accountability
Explanation:
Establishing individual accountability is a function of the general operating system. Creating
database profiles, verifying user authorization at the field level and logging database access activities
for monitoring access violations are all database-level access control functions.
(9) An IS auditor observed that, even though the password policy requires passwords to be a combination of
letters, numbers and special characters, users are not following it rigorously. To ensure compliance with the security policy, the IS auditor should recommend that:
A. the password policy be simplified.
B. the password policy be sent to all users every month.
C. an automated password management tool be used.
D. monthly security awareness training be delivered.
Answer: C. an automated password management tool be used.
Explanation:
Among the choices given, use of an automated password management tool is the best preventive
control measure. The software would prevent the use of passwords that are not allowed by the
policy. It would also provide a method for ensuring frequent changes and would prevent the same
user from reusing an old password for a designated period of time. Choices A, B and D do not
enforce compliance.
(10) An IS auditor observes that default printing options are enabled for all users. In this situation, the IS auditor is MOST likely to conclude that:
A. the risk to data confidentiality increases.
B. the risk to data integrity increases.
C. it improves the productivity of employees.
D. it ensures a smooth flow of information among users.
Answer: A. the risk to data confidentiality increases.
Explanation:
The risk to data confidentiality increases, as any user can print documents. The print option does not affect
data integrity, since integrity is affected by write/delete access rather than by print access.
(11) An IS auditor is reviewing the organization's wireless network security policy. Which of the following actions would make the wireless network more secure?
A. Disabling MAC (Media Access Control) address filtering
B. Disabling WPA (Wi-Fi Protected Access)
C. Enabling SSID (service set identifier) broadcasting
D. Disabling SSID (service set identifier) broadcasting
Answer: D. Disabling SSID (service set identifier) broadcasting
Explanation:
Disabling SSID broadcasting adds security by making it more difficult for unauthorized users to find
the name of the access point. The other options would in fact reduce the security of the network.
(12) An IS auditor is reviewing the organization's wireless network security. Which of the following should be a concern to the IS auditor?
A. 128-bit-static-key WEP (Wired Equivalent Privacy) encryption is enabled.
B. SSID (Service Set IDentifier) broadcasting has been enabled.
C. Antivirus software has been installed in all wireless clients.
D. MAC (Media Access Control) access control filtering has been deployed.
Answer: B. SSID (Service Set IDentifier) broadcasting has been enabled.
Explanation:
Enabling SSID broadcasting reduces security by making it easier for unauthorized users to find
the name of the access point. The other options strengthen the security of the network.
(13) An IS auditor is evaluating general operating system access control functions. Which of the following access control functions will be in his scope?
A. Logging user activities
B. Logging data communication access activities
C. Verifying user authorization at the field level
D. Changing data files
Answer: A. Logging user activities
Explanation:
General operating system access control functions include logging user activities, logging events, etc.
Choice B is a network control feature. Choices C and D are database- and/or application-level
access control functions.
(14)An IS auditor reviewing system controls should be most concerned that:
A. security and performance requirements are considered.
B. changes are recorded in log.
C. process for change authorization is in place.
D. restricted access for system parameters is in place.
Answer: A. security and performance requirements are considered.
Explanation:
The primary concern is to ensure that security as well as performance aspects have been considered. This helps to ensure that control objectives are aligned with business objectives. Log maintenance and change authorization are also important, but in the absence of proper security and performance requirements they may not be effective.
(15) The most effective transmission medium in terms of security against unauthorized access is:
A. Copper wire
B. Twisted pair
C. Fiber-optic cables
D. Coaxial cables
Answer: C. Fiber-optic cables
Explanation:
Fiber-optic cables are more secure than the other media. The other media can be compromised more easily
than fiber-optic cable.
(16) The mechanism that checks each request by a subject to access and use an object against the security policy is known as:
A. Address Resolution Protocol
B. Access control analyzer
C. Reference monitor
D. Reverse Address Resolution Protocol
Answer: C. Reference monitor
Explanation:
(1) In operating systems architecture, the reference monitor concept defines a set of design
requirements on a reference validation mechanism, which enforces an access control policy over
subjects’ (e.g., processes and users) ability to perform operations (e.g., read and write) on objects
(e.g., files and sockets) on a system. A reference monitor is implemented via a security kernel, which
is a hardware/software/firmware mechanism.
(2) Address Resolution Protocol is a network layer protocol used to convert an IP address into a
physical address such as an Ethernet address. A host wishing to obtain a physical address
broadcasts an ARP request onto the TCP/IP network. The host on the network that has the IP
address in the request then replies with its physical hardware address.
(3) An access control analyzer is an audit utility for analyzing how well access controls have been
implemented and maintained within an access control package.
(4) Reverse ARP (RARP) can be used by a host to discover its IP address. In this case, the host
broadcasts its physical address and a RARP server replies with the host’s IP address.
(17) An IS auditor is reviewing the level of access available to different users. To determine this, which of the following should the IS auditor review?
A. Log files maintained for system access.
B. Job descriptions of users.
C. Logs maintained for access control violations.
D. System configuration files for the control options used.
Answer: D. System configuration files for control options used
Explanation:
A review of the system configuration files for the control options used would show the level of access available
to different users. Both types of log file are detective in nature. Job descriptions of users will not provide
details about access levels.
(18) Read-only access is always recommended for:
A. access control matrix/rule.
B. log files for suspected transactions.
C. logging rules.
D. user profiles.
Answer: B. log files for suspected transactions.
Explanation:
Security administration procedures require read-only access to security log files to ensure that,
once generated, the logs are not modified. Logs provide evidence and track suspicious transactions
and activities. The other options may require modification, and hence write access may also be provided.
(19) An IS auditor performing a telecommunication access control review should be concerned
PRIMARILY with the:
A. regular updating of log files on the usage of various system resources.
B. authorization and authentication mechanism for allowing access only to authorized users.
C. encryption mechanism for data protection.
D. mechanism to control remote access.
Answer: B. authorization and authentication mechanism for allowing access only to authorized users.
Explanation:
Unless a proper authorization and authentication process is established, the other controls may not serve their purpose. This is a preventive control. The authorization and authentication of users is the most significant aspect; the other options serve their purpose only if access is restricted to authorized users.
(20) Discretionary access controls will be more effective if they:
A. are placed in accordance with mandatory access controls.
B. are placed independently of mandatory access controls.
C. enable users to bypass mandatory access controls as and when required.
D. are allowed by the security policy.
Answer: A. are placed in accordance with mandatory access controls.
Explanation:
Mandatory access controls (MACs) are logical access controls that cannot be controlled or modified
by normal users or data owners. Discretionary access controls (DACs) are logical access controls that may be activated or modified by the data owners at their discretion. To be more effective, DACs have to be designed in accordance with MACs. Mandatory access controls are prohibitive: anything that is not expressly permitted is forbidden. Only within this context do discretionary controls operate, prohibiting still more access under the same exclusionary principle.
(21) The best method to remove confidential data from computer storage is:
A. hard disk should be demagnetized.
B. hard disk should be formatted.
C. data on the hard disk should be deleted.
D. data on the hard disk should be defragmented.
Answer: A. hard disk should be demagnetized.
Explanation:
The hard disk should be demagnetized, since this will cause all of the bits to be set to zero,
eliminating any chance of retrieving information that was previously stored on the disk. The other
options may not be as effective.
(22) The appropriateness of router settings is to be reviewed during a:
A. Physical access review.
B. Network security review.
C. Data center security review.
D. Data back-up review.
Answer: B. Network security review.
Explanation:
Network security reviews include reviewing router access control lists, port scanning, internal and
external connections to the system, etc.
(23) An IS auditor is reviewing physical controls for a data centre. For visitor access to the data centre, the most
effective control he should recommend is:
A. An escort policy for every visitor.
B. Issuance of visitor badges.
C. A proper sign-in procedure for visitors.
D. A security check procedure for every visitor.
Answer: A. An escort policy for every visitor.
Explanation:
Escorting visitors will provide the best assurance that visitors have permission to access the data
processing facility. The other controls are not as reliable as an escort policy.
(24) The major risk of lacking an authorization process for users of an application would be:
A. many users can claim to be a specific user.
B. there is no way to limit role-based access.
C. sharing of user accounts.
D. principle of least privilege can be assured.
Answer: B. there is no way to limit role-based access.
Explanation:
(1) Without an appropriate authorization process, it will be impossible to establish functional limits
and accountability. Hence the correct option is B, i.e. there is no way to limit role-based access.
(2) The risk that many users can claim to be a specific user is better addressed by a proper
authentication process rather than by authorization.
(3) The authorization process will not directly affect the sharing of user accounts. Other controls are required
to prevent the sharing of user accounts.
(4) In the absence of a proper authorization process, the principle of least privilege cannot be assured.