Flashcards in CISA Revision Deck (105):
The audit charter should state management's objectives for and delegation of authority to IS audit. Should be approved at the highest levels of management, and should outline the overall authority scope, and responsibilities of the audit function. Should not significantly change over time.
IT Balanced Scorecard
An IT business governance tool aimed at monitoring IT performance evaluation indicators OTHER THAN financial results. It considers other key success factors such as customer satisfaction, innovation capacity, and processing.
Stop or Freezing Point during New System Design
Requires that changes made after that point be evaluated for cost-effectiveness. Used to allow for a review of the cost-benefits and the payback period.
Clustered Server Setup
Makes the entire network vulnerable to natural disasters or other disruptive events. Not recommended for high-availability network configurations.
Logical Access Controls
The PRIMARY safeguard for securing software and data within an information processing facility.
The most important criterion when selecting a location for an offsite storage facility for IS backup files.
The offsite facility must be PHYSICALLY SEPARATED from the data center and not subject to the same risks as the primary data center.
The primary sampling method used for compliance testing. AS is used to estimate the rate of occurance of a specific quality (attribute) AND is used in compliance testing to confirm whether the quality exists.
Monitoring an outsourced provider's performance.
The MOST important function to be performed by IS management when a service has been outsourced. This is critical to ensure that services are delivered to the company as required.
The system and data conversion strategy that provides the GREATEST redundancy. The safest and the most expensive approach.
Adequate and most appropriate compensating control to track after-hours database changes.
Use the DBA user account to make changes. Log the changes and review the change log the following day.
Intrusion Detection System (IDS)
Gathers evidence on intrusive attack or penetration attempt activity.
Business Continuity Plan (BCP) covers only critical processes. The IT auditor should:
Revisit and/or update the Business Impact Analysis (BIA) to assess the risk of not covering all processes in the plan.
Audit Planning : Assessment of Risk
Should be made to provide REASONABLE ASSURANCE that the audit will cover MATERIAL items.
Training provided on a regular basis to all current and new employees.
The MOST LIKELY element of a security awareness program.
Function Point Analysis
An indirect method of measuring the size of an application by considering the number and complexity of its inputs, outputs, and files. Is useful for evaluating complex applications.
PERT (Program evaluation review technique)
A project management technique that helps with both planning and control.
SLOC (Counting source lines of code)
A direct measure of program size. Does NOT allow for the complexity that may be caused by having multiple, linked modules and a variety of inputs and outputs.
White Box Testing
Involves a detailed review of the behavior of program code, and is a quality assurance technique suited to simpler applications during the design and build stage of development.
Security patch installations
Should always be part of a good change management process.
Degaussing obsolete magnetic tapes
The best way to remove data from magnetic tapes. Leaves a very low residue of magnetic induction. Overwriting or erasing tapes may cause magnetic errors but may not remove the data completely. Tape label initialization does not remove the data that follows the label.
The MOST important concern when auditing backup, recovery, and the offsite storage vault
That the data files stored in the vault are synchronized.
When evaluating the collective effort of preventive, detective, or corrective controls within a process, an IS auditor should be aware of:
The point at which controls are EXERCISED as data flow through the system.
The BEST audit technique to use to determine whether there have been unauthorized program changes since the last authorized program update
Automated code comparision: automated, efficient technique to determine whether the two versions correspond. Test data runs only allow for processing verification. Code review will only detect potential errors or inefficient statements.
IT Control Objectives
The statement of the desired result or purpose to be achieved by implementing control procedures in a particular IT activity.
The PRIMARY purpose for conducting parallel testing is:
To ensure that the implementation of a new system will meet user requirements.
An analysis of peaking/saturated WAN links should result in:
Analysis to establish whether this is a regular pattern and what causes this behavior before expenditure on a larger line capacity is recomended.
Defends against viruses by appending sections of themselves to files. They continuously check the file for changes and report changes as possible viral behavior.
Focus on detecting potentially abnormal behavior, such as writing to the boot sector or MBR, or making changes to EXEs.
CRCs (Cyclical Redundancy Checkers)
Compute a binary number on a known virus-free program that is then stored in a database file. When that program is subsequently called to be executed, the checkers look for changes to the files, compare them to the database, and report possible infection if changes have occurred.
Interpret DOS and ROM BIOS calls, looking for virus-like actions.
The DR/Continuity Plan component that provides the GREATEST assurance of post-disaster recovery:
That an alternate facility will be available until the original information processing facility is restored.
Email systems have become a useful source of litigation evidence BECAUSE:
Multiple cycles of backup files remain available, and documents that have been deleted could potentially be recovered from these files.
By evaluating application development projects against the Capability Maturity Model (CMM), an IS auditor should be able to verify that:
Stable, predictable software processes are being followed. However, CMM does NOT guarantee a reliable product, nor does it evaluate technical processes, security requirements, or other application controls.
The MOST IMPORTANT element for the successful implementation of IT governance is:
The identification of organizational strategies. This is necessary to ensure the alignment between IT and corporate governance. The KEY objective of IT governance is to support the business.
Is carried out to ensure that a system can cope with production workloads. A test environment should always be used to avoid damaging the production environment - testing should never take place in a production enviroment. Live workloads should always be used, however, to ensure that the system was stress tested adequately.
Periodic checking of hard drives.
The MOST effective way to detect and identify the loading of illegal software packages onto a network.
Which control best mitigates the risk of undetected and unauthorized program changes being made in the production environment by developers?
Hash key generation. The matching of hash keys over time would allow detection of changes to files.
Naming conventions for system resources are important for access control because they:
Reduce the number of rules required to adequately protect resources. This facilitates security administration and maintenance efforts, and allows for the grouping of resources and files by application.
When faced with multiple minor control weaknesses, the IS auditor's audit report should:
Record the observations and the risk arising from the COLLECTIVE effect of the weaknesses.
It IS appropriate for an IT auditor to request and review a copy of a BCP from each vendor that provides outsourced services.
TRUE: An IS auditor will evaluate the adequacy of the service bureau's BCP and assist their company in implementing a complementary plan. The primary responsibility of an IS auditor is to assure that the company assets are being safeguarded, even if the assets do not reside on the immediate premises.
The PRIMARY concern with using RFID (radio frequency identification) is:
Issues of privacy. The purchaser (P) may not be aware of the tags, and credit card purchases may be able to be tied back to the identity of P. Because RFID can carry unique identifers, it could be possible for a firm to track Ps who purchase items containing RFIDs.
A proprietary software application purchase contract SHOULD provide for:
A source code agreement that provides for the placement of the source code into escrow, ensuring that the purchaser will have the opportunity to modify the software should the vendor cease to be in business.
When faced with control weaknesses, the IS auditor should stress that:
A comprehensive system control framework is necessary. Ex. effective access controls may not sufficiently compensate for other detective control weaknesses. The IS auditor has a FUNDAMENTAL obligation to point out control weaknesses that give rise to unacceptable risks to the organization, and work with management to have these corrected.
Simultaneous duplication of logs onto a write-once disk, helps to:
Detect changes made by unauthorized intruders to systems/platforms.
Provides the BEST protection against hacking attempts. It can define with detail rules that describe the type of user or connection that is or is not permitted. Analyzes ALL layers of the OSI. Remote Access servers require a user name/password, but can still be mapped or scanned. Proxy servers provide protection based on an IP adresses and ports, and can be complex or difficult to configure for multiple applications. Port scanning doesn't help with controlling Internet content, or when all ports need to be controlled.
Which is the MOST effective and environmentally friendly method of supressing a fire in a data center?
Dry-pipe water sprinkers, with an automatic power shut-off system. The pipes must be dry-pipe so as to avoid leakage. Halon is efficient and doesn't threaten human life, but it is environmentally damaging and very expensive. Carbon Dioxide threatens human life (but is safe for the environment), and therefore cannot be set to automatic release.
Which finding would be MOST critical during an audit of a BCP?
Absence of a backup for the network backbone. This failure will impact the ability of all users to access information on the network.
The SUCCESS of control self-assessment (CSA) depends highly on:
Having line managers assume a portion of the responsibility for control monitoring. The primary objective of a CSA program is to leverage the internal audit function by shifting some of the control monitoring responsibilities to the functional area line managers.
1. Non-existent 2. Initial 3. Repeatable 4. Defined 5. Managed 6.Optimized
These are rankings used by the Information Security Governance Maturity Model. When responsibilites for IT security are clearly assigned and enforced, and an IT Security Risk and Impact Analysis is consistently performed, it is said to be managed and measurable.
Which type of testing would confirm that a new or modified system can operate in its target environment without adversely impacting EXISTING systems?
SOCIABILITY testing. PARALLEL testing is the process of feeding data into 2 systems and comparing the results. PILOT testing takes place first at one location and then is extended to other locations. INTERFACE/INTEGRATION testing is a HW or SW test that evaluates the connection of 2 or more components that pass info from one area to another.
Documentation of a business case used in an IT development project should be retained until:
The end of the system's life cycle.
Which type of firewall provides the GREATEST degree and granularity of control?
The APPLICATION GATEWAY firewall - it has specific proxies for each TCP/IP service, and filters traffic across OSI L3-L7. A Screening Router and a Packet Filter works at the protocol, service and/or port level (L3-L4). A Circuit Gateway is based on a proxy or program that acts as an intermediary between external and internal accesses (L3/L4).
To ensure message integrity, confidentiality, and nonrepudiation between 2 parties, the MOST effective method would be to create a message digest by applying a cryptographic hashing algorithm against:
The ENTIRE message, enciphering the MESSAGE DIGEST using the SENDER'S PRIVATE KEY (nonrepudiation), enciphering the MESSAGE with a SYMMETRIC KEY, and enciphering the KEY by using the RECEIVER'S PUBLIC KEY (confidentiality and receiver nonrepudiation).
What is the initial step in creating a firewall policy?
Identification of network applications to be externally accessed.
In a BCP, the MAJOR risk with not defining the point at which a situation could be declared a crisis is:
That execution of the DRP/BCP could be impacted.
A top-down approach to the development of operational policies will help ensure:
That they are consistent across the organization. A bottom-up approach would be derived as a result of risk assessment.
Which approach will BEST ensure the successful offshore development of business applications?
Detailed and correctly applied specifications.
The FIRST step in managing the risk of a cyberattack is to:
Identify critical information assets. After this, the next steps include identifying the threats and vulnerabilities, and calculating potential damages.
Which component of network architecture acts as a decoy to detect active Internet attacks?
HONEYPOTS - these are computer systems that are expressly set up to attract and trap individuals who attempt to penetrate others individuals' computer systems. They can provide data on methods used to attack systems. FIREWALLS are basically preventative measures. TRAPDOORS create a vulnerability that provides an opportunity for the insertion of unauthorized code into a system. TRAFFIC ANALYSIS is a type of passive attack.
NEURAL networks are effective in detecting FRAUD because they can:
Attack problems that require consideration of a large number of input variables. They can capture relationships and patterns, BUT NOT new trends. Neural networks will not work well at solving problems for which sufficiently large and general sets of training data are not obtainable.
Which computers would be of the MOST concern to an IS auditor reviewing a VPN implementation?
The at-home computers of employees who connect via VPN. These are least subject to corporate security policies, and are, therefore, high-risk.
When developing a risk-based audit strategy, an IS auditor should conduct a risk assessment to ENSURE that:
Vulnerabilities and threats are indentified. This will determine the areas to be audited and the extent of coverage.
AFTER a review applications (assets) and making a vulnerability assessment, the next task(s) would be to:
(1) Identify threats, and (2) estimate the liklihood of a threat's occurrence.
Which of the following backup techniques is the MOST appropriate where an organization requires extremely granular data restore points, as defined by the recovery point objective (RPO)?
Continuous data backup - this process happens online, and in real-time.
An organization is using an enterprise resource management (ERP) application. Which type of controls would be the MOST effective?
Role-based access controls (RBAC). RBAC controls the system access by defining roles for a group of users. Users are assigned to the various roles and the access is granted based on the user's role. User-level permissions would create larger administrative overhead. Fine-grained access control is difficult to implement and maintain in large enterprises. Discretionary access control may create inconsistencies in the access control management.
When reviewing an implementation of a VoIP system over a corporate WAN, an IS auditor should expect to find:
Traffic engineering. This is a statistical technique that helps to ensure that quality of service requirements are achieved by minimizing packet loss, latency, and/or jitter.
An IS auditor doing penetration testing during an audit of Internet connections would:
Use tools and techniques available to a hacker.
The GREATEST advantage of using web services for the exchange of information between two systems is:
Efficient interfacing. Web services facilitate the exchange of information between two systems regardless of the OS or progamming language used. Communication, however, will not necessarily securer or faster, and there is no documentation benefit in using web services.
What reduces the potential impact of social engineering attacks?
Security awareness programs.
Which of the following should an IS auditor review to gain an understanding of the effectiveness of controls over the management of multiple projects?
A project portfolio database. This is the basis for project portfolio management, and includes detailed project data. Project portfolio management requires specific project portfolio reports.
Which of the following online auditing techniques is MOST effective for the early detection of errors or irregularities?
AUDIT HOOKS. The audit hook technique involves embedding code in application systems for the examination of selected transactions. This helps the IS auditor to act before an error or an irregularity gets out of hand. An EMBEDDED AUDIT MODULE involves embedding specially-written software in the organization's host application system so that application systems are monitored on a selective basis. An INTEGRATED TEST FACILITY is used when it is not practical to use test data. SNAPSHOTS are used when an audit trail is required.
If coding standards are not enforced and code reviews are rarely carried out, this will MOST increase the likelihood of a successful:
BUFFER OVERFLOW ATTACK (especially in web-based applications). BRUTE FORCE attacks are used to crack passwords. DDOS attacks are used to flood and overwhelm its targets, preventing them from responding to legitimate requests. WAR DIALING uses modem-scanning tools to hack PBXs.
A BENEFIT of open system architecture is that it:
Facilitates operability between systems made by different vendors. Closed system components are, in contrast, built to proprietary standards and cannot (or will not) interface with existing systems.
Web and email filtering tools are PRIMARILY valuable to an organization because they:
Protect the organization from viruses, spam, mail chains, recreational surfing and email, and other nonbusiness materials.
The PRIMARY objective of service-level management (SLM) is to:
Define, negotiate, agree, document and record, and manage the required levels of service in the manner in which the customer requires those services. This doesn't necessarily ensure high availability, or that costs will be minimized.
An IS auditor performing a telecommunications access control review should be concerned PRIMARILY with the:
Preventative control of authorization and authentication of a user prior to granting access to system resources. Weak controls at this level can affect all other aspects of the system.
Which IT governance best practice IMPROVES strategic alignment?
Top management mediating between the imperatives of business and technology. Managing supplier and partner risks is a RISK MANAGEMENT best practice. A knowledge base on customers, products, markets and processes is an IT VALUE DELIVERY best practice. An infrastructure being provided to facilitate the creation and sharing of business information is an IT VALUE DELIVERY and a RISK MANAGEMENT best practice.
At the completion of a system development project, a postproject review SHOULD include:
Identifying LESSONS LEARNED that may be applicable to future projects.
If no project risks have been identified during the early stages of a development project, the IS auditor SHOULD:
Stress the importance of spending time at THIS point in the project to consider and document risks, and to develop contingency plans. The IS auditor has an obligation to the project sponsor and the organization to advise on appropriate project management practices.
An IS auditor reviewing an organization's data file control procedures finds that transactions are applied to the most current data files, while restart procedures use earlier versions. The IS auditor should recommend the implementation of:
VERSION USAGE CONTROL when it is essential that the proper version of a file is used.
If an IS auditor finds that the risk of data being intercepted to and from remote sites is very high, the MOST effective and secure control that he can recommend to reduce this exposure is:
If an IS auditor finds that conference rooms have active network ports, it is MOST important to ensure that:
That part of the network is ISOLATED from the corporate network.
Which represents the GREATEST risk created by a reciprocal agreement for disaster recovery between two companies?
That future developments may result in hardware and software incompatibility.
An Internet-based attack using password sniffing CAN:
Be used to gain access to systems containing proprietary information. SPOOFING attacks can be used to enable one party to act as if they are by another party. DATA MODIFICATION attacks can be used to modify the contents of certain transactions. REPUDIATION OF TRANSACTIONS can cause major problems with billing systems and transaction processing agreements.
What type of controls would an IS auditor look for in an environment where duties cannot be appropriately segregated?
COMPENSATING controls are internal controls that are intended to reduce the risk of an existing or potential control weakness that may arise when duties cannot be appropriately segregated. OVERLAPPING controls are two controls addressing the same control objective or exposure. BOUNDARY controls establish the interface between the would-be user of a computer system and the computer system itself, and are individual-based
Which of the following is a concern when data are transmitted through Secure Socket Layer (SSL) encryption, implemented on a trading partner's server?
That the organization doesn't have control over encryption. The SSL security protocol provides data encryption, server authentication, message integrity, and optional client authentication. Simply installing a digital certificate turns on SSL capabilities, and SSL encrypts the datum whicle it is being transmitted over the Internet - there is no PW to remember b/c the encryption is done in the background.
Where a business system accesses a corporate database using a single ID and PW embedded in a program, what would provide efficient access control over the organization's data?
The best compensating control would be role-based permissions within the application system to ensure that access to data is granted based on a user's role. The issue is with permissions, not authentication.
What would have the HIGHEST priority in a business continuity plan (BCP)?
The resumption of critical processes has the highest priority since it enables business processes to begin immediately after the interruption and not later than the declared mean time between failure (MTBF).
A company has decided to implement an electronic signature scheme based on PKI. The user's private key will be stored on the computer's HDD and protected by a PW. The MOST significant risk of this approach is:
That a compromise of the PW would enable access to the signature, which could result in the impersonation of the user by substitution of the user's public key with another person's public key.
If an IS auditor notes that an organization has adequate BCPs for each individual process, but not a comprehensive BCP for the entire organization, the IS auditor should:
Determine whether the BCPs are consistent with one another in order to provide a viable BCP strategy.
To protect a VoIP infrastructure against a DoS attack, it is MOST important to secure the:
SESSION BORDER CONTROLLERS. SBCs enhance the security in the access network (AN) and in the core. In the AN, they hide a user's real addressand provide a managed public address. SBCs permit access to clients behind FWs while maintaining the FW's effectiveness. In the core, SBCs protect the users and the network.They hide network topology and user's real addresses. They can also monitor bandwidth and QoS.
A web server is attacked and compromised. What should be performed FIRST to handle the incident?
Disconnect the web server from the network to contain the damage and prevent more actions by the attacker.
When developing a BCP, which tools shoud be used to gain an understanding of the organization's business processes?
RISK ASSESSMENT (RA) and BUSINESS IMPACT ASSESSMENT (BIA) are tools for understanding business-for-business continuity planning. BUSINESS CONTINUITY SELF-AUDIT is a tool for evaluating the adequacy of a BCP. RESOURCE RECOVERY ANALYSIS is a tool for identifying a business resumption strategy. GAP ANALYSIS can be used to identify deficiencies in a BCP plan.
What would be a considered a weakness, with regard to an organzation that uses PKI with digital certificates?
If the organization is also the owner of the certificate authority (CA), this could potentially create a perceived conflict of interest if customers wanted to allege fraud during a transaction repudiation.
The PRIMARY role of the certificate authority (CA) as a third party is to:
Confirm the identity of an entity owning a certificate issued by that CA. The primary activity of a CA is to issue certificates. The CA can contribute to authenticating communicating partners, but is not involved in the communication stream itself.
An IS auditor reviewing wireless network security determines that DHCP is disabled at all WAPs. This practice:
Reduces the risk of unauthorized access to the network.
The PRIMARY objective of testing a BCP is to:
Identify and provide evidence of any limitations of the current BCP.
What method might an IS auditor use to test wireless security at branch office locations?
WAR DRIVING - this is a technique for locating and gaining access to wireless networks by driving or walking with a wireless equipped computer around a building. WAR DIALING is a technique for gaining access to a computer or network through the dialing of defined blocks of telephone numbers, with the hope of getting an answer from a modem. SOCIAL ENGINEERING is a techniqueused to gather info that can assist an attacker in gaining logical or physical access to data or resources. PASSWORD CRACKERS are tools used to guess users' PWs by trying combinations and dictionary words.
Confidentiality of data transmitted in a WLAN is BEST protected if the session is:
Encrypted using DYNAMIC KEYS. With dynamic keys, the encryption key is changed frequently, thus reducing the risk of key compromise and unauthorized message decryption.
DDoS attacks on Internet sites are typically evoked by hackers by using:
TROJAN HORSES - these are malicious or damaging code hidden within an authorized computer program. Hackers use Trojans to mastermind DDoS attacks from multiple ccomputers simultaneously. LOGIC BOMBS are programs designed to destroy or modify data at a specific time in the future. PHISHING is an attack, normally via email, pretending to be an authorized person or organization requesting information. SPYWARE is a program that picks up information from PC drives by making copies of their contents.
Which anti-spam filtering technique would BEST prevent a valid, variable-length email message containing a heavily-weighted spam keyword from being labeled as spam?
BAYESIAN (STATISTICAL) FILTERING - BF applies statistical modeling to messages by performing a frequency analysis on each word within the message and then evaluating the message as a whole. It can ignore a suspicious keyword if the entire message is within normal bounds. HEURISTIC FILTERING is less effective since new exception rules may need to be defined when a valid message is labeled as spam. SIGNATURE-BASED FILTERING is useless against variable-length messages because the calculated MD5 hash changes all the time. PATTERN MATCHING is actually a degraded rule-based technique where the rules operate at the word level using wildcards, and not at higher levels.
When determining the ACCEPTABLE time period for the RESUMPTION of critical business processes:
BOTH downtime AND recovery costs need to be evaluated. The outcome of a BIA should be a recovery strategy that represents the optimal balance,
Where a mix of access points cannot be upgraded to stronger or more advanced wireless security, a recommendation to replace the access points is BEST justified by the argument that:
The organization's security would only be as strong as its weakest points. Affordability, performance, and product manageability is NOT the IS auditor's concern in this situation.
From a control perspective, the PRIMARY objective of classifying information assets is to:
Establish guidelines for the level of access controls that should be assigned. Information has varying degrees of sensitivity and criticality in meeting business objectives. By assigning classes or levels of sensitivity and criticality to information resources, management can establish guidelines for the level of access controls that should be assigned. End user management and the security administrator will use these classifications in their risk assessment (RA) process to assign a given class to each asset.