B4-5 Flashcards Preview

BEC BECKER MCQ > B4-5 > Flashcards

Flashcards in B4-5 Deck (24):
1

Controls in the information technology area are classified into the preventive, detective, and corrective categories. Which of the following is a preventive control?

a.

Contingency planning.

b.

Hash total.

c.

Access control software.

d.

Echo check.

Choice "c" is correct. Access control software is a preventive control. It prevents "bad people" from accessing an organization's systems and data.

Choice "a" is incorrect. Contingency planning would be considered a corrective control.

Choice "b" is incorrect. A hash total is a detective control, not a preventive control. A hash total attempts to detect if numbers that are not normally added (such as account numbers) have been processed incorrectly. A batch total is used for numbers, such as dollars, that are normally added.

Choice "d" is incorrect. An echo check is a detective control, not a preventive control.

2

Which of the following types of control plans is particular to a specific process or subsystem, rather than related to the timing of its occurrence?

a.

Detective.

b.

Preventive.

c.

Application.

d.

Corrective.

 

Choice "c" is correct. Application controls are written into the application and are specific to the particular process or subsystem. The words "specific to the particular process or subsystem" almost give it away. The words "process" and "subsystem" are quite similar to the word "application." 

Choices "b", "d", and "a" are incorrect. Preventive, corrective, and detective controls are control procedures that are part of the control environment.

Preventive Controls - Preventive controls are controls that are designed to prevent potential problems from occurring.

Corrective Controls - Corrective controls are controls that are designed to fix problems that have occurred and that have been located by detective controls.

Detective Controls - Detective controls are controls that are designed to locate problems that have occurred so that they can be fixed by corrective controls.

3

Which of the following statements is incorrect for threats in a computerized environment?

a.

A virus is a piece of computer program that inserts itself into some other program to propagate. Alternatively, it can run independently.

b.

Phishing is the sending of phony emails to try to lure people to phony web sites asking for financial information.

c.

A Trojan horse is a program that appears to have a useful function but that contains a hidden and unintended function that presents a security risk.

d.

In a denial-of-service attack, one computer bombards another computer with a flood of information intended to keep legitimate users from accessing the target computer or network.

Choice "a" is correct. This statement is incorrect. A virus is a piece of computer program that inserts itself into some other program to propagate. A virus cannot run independently.

Choices "c", "b", and "d" are incorrect because these statements are correct.

4

Which of the following risks can be minimized by requiring all employees accessing the information system to use passwords?

a.

Collusion.

b.

Data entry errors.

c.

Firewall vulnerability.

d.

Failure of server duplicating function.

 

Choice "c" is correct. Since the a primary purpose of the firewall is to prevent unauthorized access to the network, requiring all users to have a password helps to minimize vulnerability.

Choice "a" is incorrect. Collusion would not be minimized at all by requiring employees to have passwords; the employees conspiring to do bad things could merely share their passwords. 

Choice "b" is incorrect. Passwords would not do anything about data entry errors. 

Choice "d" is incorrect. The usage of passwords or the lack of passwords would have no effect on failure of the server duplicating function.

5

Newt Corporation, headquartered in Los Angeles, is a nationwide provider of educational services to post-graduate students. Due to stringent federal guidelines for the protection of student information, Newt utilizes various firewalls to protect its network from access by outsiders. Which of the following statements with respect to firewalls is/are correct?

a.

All of the statements are correct.

b.

Circuit level gateways only allow data into a network that result from requests from computers inside the network.

c.

Application level gateways examine data coming into the gateway. They can be used to control which computers in a network can access the Internet but cannot be used to control which Internet websites or pages can be viewed once access is allowed.

d.

Packet filtering examines packets of data as they pass through the firewall. Packet filtering is the most complex type of firewall configuration.

Choice "b" is correct. Circuit level gateways, not packet filtering, only allow data into a network that result from requests from computers inside the network by keeping track of requests that are sent out of the network and only allowing data in that is in response to those requests.

Choice "d" is incorrect. Packet filtering examines packets of data as they pass through the firewall. Packet filtering is the simplest, not the most complex, type of firewall configuration.

Choice "c" is incorrect. Application level gateways examine data coming into the gateway. They can be used to control which computers in a network can access the Internet and can be used to control which Internet websites or pages can be viewed once access is allowed.

Choice "a" is incorrect. Choice "b" is the best answer.

6

Which of the following represents the procedure managers use to identify whether the company has information that unauthorized individuals want, how these individuals could obtain the information, the value of the information, and the probability of unauthorized access occurring?

a.

Systems assessment.

b.

Test of controls.

c.

Risk assessment.

d.

Disaster recovery plan assessment.

 

Choice "c" is correct. The first step in risk assessment is to identify the risks. The question is asking about the risk of unauthorized access to information. The steps would certainly be to identify whether the company has information that unauthorized individuals might want (and what company does not have such information), the value of the information, how those individuals could obtain the information, and the probability of unauthorized access occurring. The steps here are not necessarily in the same order as in the question; regardless, it is risk assessment.

Choice "d" is incorrect. It is not particularly clear exactly what "disaster recovery plan assessment" actually is. It probably means the review of a disaster recovery plan to determine if it will be effective. Regardless, it has nothing to do, per se, with the safeguarding of valuable information.

Choice "a" is incorrect. It is not particularly clear exactly what "system assessment" actually is. It probably means the review of a system to determine if it is operating effectively and efficiently. Regardless, it has nothing to do, per se, with the safeguarding of valuable information.

Choice "b" is incorrect. Test of controls are audit tests to determine if described controls have been placed in operation and are working effectively. Tests of controls have nothing to do with the above scenario, although there are controls involved in the safeguarding of information and those controls may be tested in the course of an audit. This terminology is just terminology that might sound good to an accountant/auditor but which has no real relevance to the question.

7

Which of the following statements best characterizes the function of a physical access control?

a.

Provides authentication of users attempting to log into the system.

b.

Minimizes the risk of incurring a power or hardware failure.

c.

Separates unauthorized individuals from computer resources.

d.

Protects systems from the transmission of Trojan horses.

Choice "c" is correct. The function of a physical access control is to separate unauthorized individuals from computer resources. Examples are locks on doors to computer rooms, etc. which limit physical access to computer resources to people who need such access in the performance of their job responsibilities.

Choice "d" is incorrect. The function of a physical access control is not to protect systems from the transmission of Trojan horses. Trojan horses are software, and physical access controls would not have anything to do with them.

Choice "a" is incorrect. The function of a physical access control is not to provide authentication of users attempting to log into the system; that would be done by some kind of a security system.

Choice "b" is incorrect. The function of a physical access control is not to minimize the risk of incurring a power or hardware failure. A physical access control will do nothing to minimize the risk of power or hardware failures.

8

Which of the following activities would most likely detect computer-related fraud?

a.

Using data encryption.

b.

Conducting fraud-awareness training.

c.

Performing validity checks.

d.

Reviewing the systems-access log.

 

Choice "d" is correct. Because computer-related fraud often involves unauthorized access to systems and/or data, review of system access logs is the most likely of these choices to detect fraud. System access logs are electronic lists of who has accessed or has attempted to access systems or parts of systems or data or subsets of data.

Choice "a" is incorrect. Data encryption might keep intercepted data from being understood, but it will not detect fraud.

Choice "c" is incorrect. Validity checks might prevent erroneous data from being entered into a system, but they will not detect fraud.

Choice "b" is incorrect. Fraud-awareness training would help employees to identify possible fraudulent activity but it is not the most lilely to detect fraud.

9

Which of the following is a computer program that appears to be legitimate but performs an illicit activity when it is run?

a.

Web crawler.

b.

Parallel count.

c.

Redundant verification.

d.

Trojan horse.

Choice "d" is correct. A Trojan horse is a program that appears to have a useful function but that contains a hidden and unintended function that presents a security risk (appears to be legitimate but performs an illicit activity when it is run).

Choice "c" is incorrect. Redundant verification is not a computer program.

Choice "b" is incorrect. A parallel count is not a computer program.

Choice "a" is incorrect. A web crawler (also known as a web spider or web robot) is a program which browses the web in a methodical, automated manner. Web crawlers are mainly used to create a copy of visited web pages for later processing by a search engine. Web crawlers can also be used for automating maintenance tasks on a web site. Web crawlers can also be used to gather specific types of information from web pages. There is nothing illicit about a web crawler.

10

An auditor was examining a client's network and discovered that the users did not have any password protection. Which of the following would be the best example of the type of network password the users should have?

a.

34787761.

b.

tr34ju78.

c.

tR34ju78.

d.

trjunpqs.

 

Choice "c" is correct. Of the choices listed, the best one is "tR34ju78" because it contains a combination of small letters, capital letters, and numbers. This password would be the most difficult to "crack."

Choice "d" is incorrect. "trjunpgs" is not the best password because it is all small letters and not a combination of small letters, capital letters, and numbers.

Choice "a" is incorrect. "34787761" is not the best password because it is all numbers and not a combination of small letters, capital letters, and numbers.

Choice "b" is incorrect. "tr34ju78" is not the best password because it is just small letters and numbers and not a combination of small letters, capital letters, and numbers.

11

Which of the following statements presents an example of a general control for a computerized system?

a.

Creating hash totals from Social Security numbers for the weekly payroll.

b.

Limiting entry of sales transactions to only valid credit customers.

c.

Restricting access to the computer center by use of biometric devices.

d.

Restricting entry of accounts payable transactions to only authorized users.

 

Choice "c" is correct. Restricting access to the computer center by use of biometric devices represents a general control. General controls are designed to ensure that an organization's control environment is stable and well managed.

Choice "b" is incorrect. Limiting entry of sales transaction to only valid credit customers likely represents an application control (imbedded within the software). Application controls prevent, detect and correct transaction errors and fraud and are application specific.

Choice "a" is incorrect. Creating hash totals from Social Security numbers for the weekly payroll is a processing control. Processing controls include recalculation of batch totals and similar procedures.

Choice "d" is incorrect. Restricting entry of accounts payable to only authorized users represents a user control.

12

Which of the following is an electronic device that separates or isolates a network segment from the main network while maintaining the connection between networks?

a.

Keyword.

b.

Firewall.

c.

Query program.

d.

Image browser.

 

Choice "b" is correct. A firewall is an "electronic device" (a firewall may actually be both hardware and software and not just hardware) that prevents unauthorized users from gaining access to network resources. A firewall isolates a private network of some type from a public network (or a network segment from the main network). It also maintains a (controlled) connection between those two networks.

Choice "c" is incorrect. A query program has nothing to do with connecting networks or with separating or isolating a network segment from the main network. A query program is a program that allows a user to obtain information from a database or other data source.

Choice "d" is incorrect. An image browser is a program that displays a stored graphical image. It has nothing to do with connecting networks or with separating or isolating a network segment from the main network. An image browser is used to display information from a database or other data source.

Choice "a" is incorrect. In computer programming, a keyword is a word or identifier that has a particular meaning to the programming language being used. For example, some people have seen things like (IF…THEN) in some basic programming languages (FORTRAN, COBOL, Visual Basic, and many others). Both IF and THEN are keywords, and they cannot be used in that language out of their specified context. Alternatively, in a search, a keyword is a word that is used to find information somewhere that contains that word. Either way, however, a keyword has nothing to do with connecting networks or with separating or isolating a network segment from the main network.

13

Which of the following statements is/are correct?

a.

Phishing is the sending of phony emails to try to convince people to divulge information.

b.

A virus is a piece of computer program that inserts itself into some other program. Virus protection software can be utilized to protect against viruses. One of the benefits of such software is that it can be installed and forgotten, allowing security personnel to devote their attention to other areas.

c.

A denial-of-service attack is an attack in which one computer bombards another computer with a flood of information.

d.

Choices "c" and "a" are correct.

Choice "d" is correct, which means that both "c" and "a" are incorrect.

Choice "b" is incorrect. A virus is a piece of computer program that inserts itself into some other program. Virus protection software can be utilized to protect against viruses. One of the benefits of such software is definitely not that it can be installed and forgotten. Virus protection software must be continually updated because new viruses are being continually developed. Security personnel who install and forget virus protection software will soon be looking for new jobs.

Choice "c" is the incorrect choice because it is not the only correct answer. A denial-of-service attack is an attack in which one computer bombards another computer with a flood of information intended to keep legitimate users from accessing the target computer or network.

Choice "a" is the incorrect choice because it is not the only correct answer. Phishing is the sending of phony emails to try to convince people to divulge information like account numbers and social security numbers. It is often accomplished by luring people to authentic-looking but fake websites.

14

The protective device that allows private intranet users to access the Internet without allowing Internet users access to private intranet information is called a (an):

a.

Anti-virus protection program.

b.

Browser.

c.

Password.

d.

Firewall.

Choice "d" is correct. The protective device that keeps Internet users from accessing intranet data is termed a firewall.

Choice "a" is incorrect. Anti-virus protection programs scan computers for viruses and, in some cases, destroy them but do not provide security from external access to an organization's private data.

Choice "b" is incorrect. A browser is a software mechanism that allows for research on the Internet or intranet. It is not a security measure.

Choice "c" is incorrect. A password provides security regarding internal access to information but is not a comprehensive security device or procedure to prevent access to a computer system and its data.

15

A company's web server has been overwhelmed with a sudden surge of false requests that caused the server to crash. The company has most likely been the target of:

a.

Piggybacking.

b.

Spoofing.

c.

A denial of service attack.

d.

An eavesdropping attack.

 

Choice "c" is correct. In a denial of service attack, one computer bombards another computer with a flood of information intended to keep legitimate users from accessing the target computer or network. A sudden surge of false requests that cause a company's server to crash is a denial of service attack.

Choice "b" is incorrect. A spoofing attack is a breach of network security resulting from a person or program successfully impersonating a legitimate network user for illegitimate purposes.

Choice "a" is incorrect. Piggybacking is the practice of using another person or organization's wireless network connection without the express permission of the subscriber or owner of the network.

Choice "d" is incorrect. An eavesdropping attack seeks to access a network and steal or eavesdrop on communications in an attempt to illicitly obtain passwords or other confidential or sensitive information.

16

Which of the following is an effective electronic access control for an on-line-real-time hotel reservation computer system?

I.

Restricted access to the hotel's front desk area.

II.

The existence of a hot site to be used in the event of disaster recovery being required.

III.

A system of passwords to allow access to the system (passwords are changed on a regular basis).

IV.

A firewall that prevents unauthorized access to the network.

a.

III and IV only.

b.

II, III, and IV only.

c.

II and III only.

d.

I and III only.

 

Choice "a" is correct. Passwords and firewalls are both examples of electronic access controls.

Choices "b", "c", "d" are incorrect:

The correct answer should exclude I. Restricted access to the hotel's front desk is a physical access control.

The correct answer should exclude II. A hot site is a part of the disaster recovery plan; it is not an electronic access control.

The correct answer should include III. Passwords are electronic access controls that authenticate user access to a system, its applications and data.

The correct answer should include IV. A firewall is an electronic access control that prevents unauthorized access to a system, its applications and data.

17

All of the following are different types of reporting risk that an accountant must recognize as threats to accuracy of reports, except:

a.

Data integrity risk.

b.

Financial risk.

c.

Information risk.

d.

Strategic risk.

Choice "a" is correct. There is no separate data integrity risk category.

Choice "d" is incorrect. Strategic risk includes risks such as choosing inappropriate technology.

Choice "b" is incorrect. Financial risk includes risks such as having financial resources lost, wasted, or stolen.

Choice "c" is incorrect. Information risk includes risks such as loss of data integrity, incomplete transactions, or hackers.

18

Which of the following internal control procedures would prevent an employee from being paid an inappropriate hourly wage?

a.

Limiting access to employee master files to authorized employees in the personnel department.

b.

Using real-time posting of payroll so there can be no after-the-fact data manipulation of the payroll register.

c.

Having the supervisor of the data entry clerk verify that each employee's hours worked are correctly entered into the system.

d.

Giving payroll data entry clerks the ability to change any suspicious hourly pay rates to a reasonable rate.

Choice "a" is correct. Limiting access to employee master files to authorized employees in the personnel department will minimize the entry of and thus the processing with an inappropriate hourly wage (rate). Master files should be under the control of a data librarian so that only authorized personnel have access to those files.

Choice "c" is incorrect. Having the supervisor of the data entry (or somebody else) verify that each employee's hours are correctly entered will minimize processing with an inappropriate number of hours but has nothing to do with the hourly wage (rate).

Choice "b" is incorrect. Real-time posting of payroll does nothing to eliminate any after-the-fact manipulation of the payroll register. If the payroll register can be manipulated after-the-fact, such manipulation can occur regardless of whether it is updated online or in batch.

Choice "d" is incorrect. Giving payroll data entry clerks the ability to change any suspicious hourly pay rates to a reasonable rate is not an appropriate internal control practice. Hourly rates should be reviewed by employees in the personnel department, and the rate used should be the correct rate, not a "reasonable" rate.

19

The system of user identification and authentication that prevents unauthorized users from gaining access to network resources is called a:

a.

Firewall.

b.

Network force field.

c.

Network server.

d.

Login ID and encryption.

 

Choice "a" is correct. A firewall is a system of user identification and authentication that prevents unauthorized users from gaining access to network resources. This name may also be applied to a network node used to improve network traffic and to set up a boundary that prevents traffic from one segment from crossing over to another. The most common use is to prevent Internet users from gaining access to an organization's private intranet.

Choice "d" is incorrect. A login ID is used to identify a user and a password authenticates that user. Encryption is used to protect data in transmission and in storage.

Choice "c" is incorrect. A network server is a type of resource protected by the firewall.

Choice "b" is incorrect. There is no such thing as a network force field.

20

Splendora Corporation, a corporation headquartered in Texas, is in the energy business. Since large amounts of money are involved, Splendora needs to have tight security for its data and application systems. Which of the following statements about its security might indicate a weakness in the security?

a.

Splendora generates a default password for new users of its application systems as the employee's last name and encourages but does not require that those passwords be changed. Splendora considers the possibility of a security problem to be remote since employees will invariably change those passwords as soon as they access the systems for the first time.

b.

Each of the statements indicates a potential weakness in Splendora's security.

c.

A backdoor is a means of access that bypasses normal security procedures. Splendora controls access to its data center with access cards that log all employees who enter the computer center, so it does not feel that it has any backdoors.

d.

Splendora has a network firewall that protects access to its network and the applications that run on its networks. Since firewalls protect against intrusion by outsiders, Splendora does not utilize any virus protection software.

Choice "b" is correct. Each of the above statements indicates a potential weakness in Splendora's security.

Choice "c" is the incorrect choice because it is not the only correct answer. A backdoor is a means of access to a program or system that bypasses normal security procedures, it does not refer to a problem with physical access to the facilities. Failure to understand threats of "backdoor" access indicates a security weakness related to risk identification and management.

Choice "a" is the incorrect choice because it is not the only correct answer. This statement indicates a weakness in Splendora's security. New users should be required to change their passwords on the first login. Failure to have adequate password security is a serious security weakness.

Choice "d" is the incorrect choice because it is not the only correct answer. This statement indicates a weakness in Splendora's security. A network firewall protects access to a network. However, firewalls protect against intrusion by outsiders and do nothing to protect against viruses.

21

Which of the following statements is (are) correct for access controls?

I.

Access controls limit access to program documentation, data files, programs, and computer hardware.

II.

Passwords should consist of words that can be found in a common dictionary and should be of a maximum length so that they can be easily remembered.

III.

A backdoor is a means of access to a program or system that bypasses normal security mechanisms. Backdoors should be maintained so that there can be quick access to the system or program for emergency situations.

a.

III only is correct.

b.

I and II only are correct.

c.

II and III only are correct.

d.

I only is correct.

Choice "d" is correct. Statement I is the only correct statement. Access controls limit access to program documentation, data files, programs, and computer hardware.

Statement II is incorrect. Passwords should not consist of words that can be found in a common dictionary and should be of a reasonable length because longer passwords are more difficult to crack than short ones.

Statement III is incorrect. A backdoor is a means of access to a program or system that bypasses normal security mechanisms. Backdoors should be eliminated.

22

Which of the following statements is incorrect for firewalls?

a.

The term firewall may also be applied to a network node used to improve network traffic and to set up a boundary that prevents traffic from one network segment from crossing over to another.

b.

Traditionally, firewalls have been network firewalls that have protected the network as a whole from intrusion by outsiders and invasion by viruses.

c.

A firewall is a system of user identification and authentication that prevents unauthorized users from gaining access to network resources.

d.

Packet filtering is the simplest type of firewall configuration, but it can be circumvented by an intruder who forges an acceptable address (called IP spoofing).

Choice "b" is correct. This is an incorrect statement. Firewalls can deter, but cannot completely prevent, intrusion from outsiders. Firewalls do not prevent or protect against viruses. (It is true that firewalls have traditionally been network firewalls.)

Choice "c" is incorrect. This is a true statement. A firewall is a software or hardware-based network security system that controls the incoming and outgoing network traffic by analyzing the data packets and determining whether they should be allowed through or not, based on an applied rule set.

Choice "d" is incorrect. This is a true statement. Packet filtering examines packets of data as they pass through the firewall according to the rules that have been established for the source of the data, the destination of the data, and the network ports from which the data was sent.

Choice "a" is incorrect. This is a true statement. A firewall acts as a gatekeeper by isolating a private network from a public network. A single company may use multiple firewalls throughout its network.

23

ABC, Inc. assessed overall risks of MIS systems projects on two standard criteria: technology used and design structure. The following systems projects have been assessed on these risk criteria. Which of the following projects holds the highest risk to ABC?

~Technology
~Structure
a.

New

Well defined

b.

Current

Well defined

c.

Current

Sketchy

d.

New

Sketchy

 

Choice "d" is correct. A "sketchy" design structure would have higher risk than well defined structure. A new technology and a sketchy design structure would present the highest risk These issues would need to be considered as part of the risk management component of COBIT. 

Choice "c" is incorrect. A current technology is always going to have a lower, not a higher, risk than a new technology. The design structure could then almost be considered to be irrelevant, because the choice is already incorrect.

Choice "b" is incorrect. A current technology is always going to have a lower, not a higher, risk than a new technology. The design structure could then almost be considered to be irrelevant, because the choice is already incorrect.

Choice "a" is incorrect. A new technology is always going to have a higher, not a lower, risk than a current technology. However, a well-defined structure can be assumed to lower the risk.

24