MY CISA Flashcards
1
Q
Accountability for the maintenance of appropriate security measures over information assets resides with the:
A
Management should ensure that all information assets (data and systems) have an appointed owner who makes decisions about classification and access rights. System owners typically delegate day-to-day custodianship to the systems delivery/operations group and security responsibilities to a security administrator. Owners, however, remain accountable for the maintenance of appropriate security measures.
2
Q
An ADVANTAGE of the use of hot sites as a backup alternative is that:
A
Hot sites can be made ready for operation normally within hours. However, the use of hot sites is expensive, should not be considered as a long-term solution, and requires that equipment and systems software be compatible with the primary installation being backed up.
3
Q
An advantage of using unshielded twisted-pair (UTP) cable for data communication over other copper- based cables is that UTP cable:
A
The use of UTP in copper will reduce the likelihood of crosstalk. While the twisted nature of the media will reduce sensitivity to electromagnetic disturbances, an unshielded copper wire does not provide adequate protection against wiretapping. Attenuation sets in if copper twisted-pair cable is used for longer than 100 meters, necessitating the use of a repeater. The tools and techniques to install UTP are not simpler or easier than other copper-based cables.
4
Q
After a disaster declaration, the media CREATION date at a warm recovery site is based on the:
A
RPO
RPO is determined based on the acceptable data loss in case of a disruption of operations. It indicates the earliest point in time that is acceptable to recover the data. The RPO effectively quantifies the permissible amount of data loss in case of interruption. The media creation date will reflect the point to which data are to be restored or the RPO.
5
Q
After a full operational contingency test, an IS auditor performs a review of the recovery steps. The IS auditor concludes that the time it took for the technological environment and systems to return to full-functioning exceeded the required critical recovery time. Which of the following should the IS auditor recommend?
A
(1) Performing an exhaustive review of the recovery tasks would be appropriate to identify the way these tasks were performed
(2) identify the time allocated to each of the steps required to accomplish recovery
(3) AND determine where adjustments can be made.
6
Q
Analysis and resolution ARE PERFORMED AFTER
A
logging and triage have been performed.
7
Q
Atomicity GUARANTEES
A
that either the ENTIRE transaction is processed or NONE of it is
8
Q
Authorization tables ARE USED TO VERIFY
A
implementation of logical access controls
9
Q
Availability reports INACTIVITY, such as DOWNTIME, and provides
A
the time periods during which the computer was available for utilization by users or other processes
10
Q
A benefit of Quality of Service (QoS) is that the PARTICIPATING APPLICATIONS
A
will have bandwidth guaranteed.
11
Q
The BEST audit procedure to determine if unauthorized changes have been made to production code is to:
A
EXAMINE CHANGE CONTROL RECORDS AND COMPARE TO OBJECT CODE
The procedure of examining object code files to establish instances of code changes and tracing these back to change control system records is a substantive test that directly addresses the risk of unauthorized code changes.
12
Q
The BEST audit procedure to determine if unauthorized changes have been made to production code is to:
A
examine object code to find instances of changes and trace them back to change control records.
13
Q
Check digits DETECT
A
transposition and transcription errors.
14
Q
Commitment and rollback controls ARE DIRECTLY RELEVANT TO
A
integrity.
These controls ensure that database operations that form a logical transaction unit will complete in its entirety or not at all.. Rollback ensures that the already completed processing is reversed back, and the data already processed are not saved to the disk in the event of the failure of the completion of the transaction processing.
15
Q
CONCURRENCY control is a database management systems (DBMS) concept that is used to address CONFLICTS
A
with the simultaneous accessing or altering of data that can occur with a multi-user system.
16
Q
Configuration management is widely accepted as on of the KEY COMPONENTS of
A
any network, since it establishes how the network will function internally and externally. It also deals with the management of configuration and monitoring performance.
17
Q
Consistency ENSURES that the database is
A
in a legal state when the transaction begins and ends.
18
Q
A contingency plan deals with ways to RECOVER from an unexpected failure, but it DOES NOT
A
address the identification or prevention of cyberattacks.
19
Q
A continuity of operations plan (COOP)
A
addresses the subset of an organization’s missions that are deemed most critical and contains procedures to sustain these functions at an alternate site for a short time period.
20
Q
Cross-site scripting (CSS) involves the COMPROMISE of the web page to
A
redirect users to content on the attacker web site.
21
Q
A Cyclic Redundancy Check (CRC) is commonly used to determine the:
A
accuracy of blocks of data transfers, such as data transfer from hard disks, is validated by a CRC
22
Q
Determining the Service Delivery Objective (SDO) should be based PRIMARILY on:
A
BUSINESS NEED.
The SDO is the level of service to be reached during the alternate process mode until the normal situation is restored. This is directly related to the business needs.
23
Q
A disaster recovery plan for an organization’s financial system specifies that the Recovery Point Objective (RPO) is zero and the Recovery Time Objective (RTO) is 72 hours. Which of the following is the MOST cost-effective solution?
A
The synchronous copy of the storage achieves the RPO, and a warm site operational in 48 hours meets the required RTO.
Asynchronous updates of the database in distributed locations do not meet the RPO.
Synchronous updates of the data and standby active systems in a hot site meet the RPO and RTO requirements but are more costly than a warm site solution.
24
Q
A DISASTER RECOVERY PLAN (DRP) test should test
A
(1) the plan,
(2) processes
(3) people
(4) and IT systems.
25
Durability GUARANTEES
that a successful transaction will persist, and cannot be undone.
26
During a disaster recovery test, an IS auditor observes that the performance of the disaster recovery site's server is slow. To find the ROOT cause of this, the IS auditor should FIRST review the:
(1) configurations and alignment of the primary and disaster recovery sites.
27
During a disaster recovery test, an IS auditor observes that the performance of the disaster recovery site's server is slow. To find the root cause of this, the IS auditor should FIRST review the:
Since the configuration of the system is the most probable cause, the IS auditor should review that first. If the issue cannot be clarified, the IS auditor should then review the event error log. The disaster recovery test plan and the DRP would not contain information about the system configuration.
28
During a fieldwork observation of system administrative functions, an IS auditor discovered that changes made to the database after normal working hours required only an abbreviated number of steps compared to those made during normal working hours. Which of the following would be considered an adequate set of COMPENSATING controls?
The use of a DBA user account is normally set up to log all changes made and is most appropriate for changes made outside of normal working hours. The use of a log allows changes to be reviewed.
29
During an application audit, the IS auditor finds several problems related to corrupted data in the database. Which of the following is a CORRECTIVE control that the IS auditor should recommend?
Proceeding with Restore Procedures is a corrective control.
30
During an application audit, the IS auditor finds several problems related to corrupted data in the database. Which of the following is a corrective control that the IS auditor should recommend?
Proceed with restore procedures.
31
During fieldwork, an IS auditor experienced a system crash caused by a security patch installation. To provide reasonable assurance that this event will not recur, the IS auditor should ensure that:
The change management process, which would include procedures regarding implementing changes during production hours, helps to ensure that this type of event does not recur.
An IS auditor should review the change management process, including patch management procedures, to verify that the process has adequate controls and to make suggestions accordingly.
While system administrators would normally install patches and patches would normally undergo testing, it is more important that changes be made during non-production times;
Furthermore, parallel testing is not appropriate for security patches because some servers would still be vulnerable.
An approval process could not directly prevent this type of incident from happening.
32
An Echo Check is
a quality check and error-control technique for data transferred over a computer network or other communications link, in which the data received is stored and also transmitted back to its point of origin, where it is compared with the original data.
33
An e-commerce organization with a complex technological environment has numerous concurrent projects. This often results in production system changes. What is the MOST suitable approach to managing system changes so that system outages are minimized?
COORDINATED RELEASE management across projects and systems.
Coordinated release management across projects and systems is a suitable strategy to employ in a complicated, dynamic system environment. Under this option, changes are packaged into releases that are implemented according to a predetermined schedule. Determining what changes are included in a release can be done in accordance with business and technical priorities. With release management, the emphasis is on coordinating changes stemming from multiple sources that impact multiple interconnected systems. This approach should lower technical risk and reduce the potential for system outage.
34
ETL
part of a business intelligence system, dedicated to extracting operational or production data, transforming that data and loading them to a central repository (data warehouse or data mart);
ETL does not correlate data or produce reports, and normally it does not have extractors to read log file formats.
35
Filters
allow for some basic isolation of network traffic based on the destination addresses
36
Firewalls
are a collection of computer and network equipment used to allow communications to flow out of the organization and restrict communications flowing into the organization.
37
The FIRST step in the execution of a problem management mechanism should be:
EXCEPTION reporting.
38
For a mission-critical application with a low recovery time objective (RTO), the IS auditor would recommend the use of which of the following recovery strategies?
Redundant site.
39
The frequent updating of which of the following is key to the continued effectiveness of a disaster recovery plan (DRP)?
PERSONNEL LIST
In the event of a disaster, it is important to have a current updated list of personnel who are key to the operation of the plan
40
The frequent updating of which of the following is key to the continued effectiveness of a disaster recovery plan (DRP)?
In the event of a disaster, it is important to have a current updated list of personnel who are key to the operation of the plan.
41
Hardware error reports
provide information to aid in detecting hardware failures and initiating corrective action
42
A hot site should be implemented as a recovery strategy when the:
provide information to aid in detecting hardware failures and initiating corrective action disaster tolerance is low.
43
Ensuring that only authorized personnel can update the database is a
preventive control.
44
In a client-server architecture, a domain name service (DNS) is MOST important because it provides the:
DNS is utilized primarily on the Internet for resolution of the name/address of the web site. It is an Internet service that translates domain names into IP addresses. As names are alphabetic, they are easier to remember. However, the Internet is based on IP addresses. Every time a domain name is used, a DNS service must translate the name into the corresponding IP address. The DNS system has its own network. If one DNS server does not know how to translate a particular domain name, it asks another one, and so on, until the correct IP address is returned.
45
In a disaster recovery situation, which of the following is the MOST important metric to ensure that data are synchronized between critical systems?
Establishing a common RPO is most critical for ensuring that interdependencies between systems are properly synchronized. It ensures that systems do not contain data from different points in time that may result in both accounting transactions that cannot be reconciled and a loss of referential integrity.
46
An incident response plan (IRP)
The IRP determines the information security responses to incidents such as cyberattacks on systems and/or networks. This plan establishes procedures to enable security personnel to identify, mitigate and recover from malicious computer incidents such as unauthorized access to a system or data, denial of service (DoS) or unauthorized changes to system hardware or software.
47
incremental backup
a security copy which contains only those files which have been altered since the last full backup.
48
In the event of a data center disaster, which of the following would be the MOST appropriate strategy to enable a complete recovery of a critical database?
With real-time replication to a remote site, data are updated simultaneously in two separate locations; therefore, a disaster in one site would not damage the information located in the remote site. This assumes that both sites were not affected by the disaster. Daily tape backup recovery could lose up to a day's work of data. .
49
In which of the following situations is it MOST appropriate to implement data mirroring as the recovery strategy?
RPO indicates the latest point in time at which it is acceptable to recover the data. If the RPO is low, data mirroring should be implemented as the data recovery strategy. The RTO is an indicator of the disaster tolerance. The lower the RTO, the lower the disaster tolerance.
50
An IS audit group has been involved in the integration of an automated audit tool kit with an existing enterprise resource planning (ERP) system. Due to performance issues, the audit tool kit is not permitted to go live. What should the IS auditor's BEST recommendation be?
The appropriate recommendation is to review the results of stress tests during UAT.
Reviewing the implementation of selected integrated controls validates the technical design and the control objective, but integrated controls over transactional tables consume large resources. They should be reviewed carefully to determine whether they are mandatory or can be implemented and integrated for only specific transactions over the ERP application.
Reviewing the selected integrated controls and their implementation may necessitate additional resources.
Requesting vendor technical support to resolve performance issues is a good option, but not the best recommendation.
51
An IS auditor discovers that developers have operator access to the command line of a production environment operating system. Which of the following controls would BEST mitigate the risk of undetected and unauthorized program changes to the production environment?
Hash keys: are calculated periodically for programs and matched against hash keys calculated for the most recent authorized versions of the programs.
52
An IS auditor is reviewing the change management process for an enterprise resource planning (ERP) application. Which of the following is the BEST method for testing program changes?
Tracing a sample of modified programs to supporting change tickets is the best way to test change management controls. This method is most likely to identify instances in which a change was made without supporting documentation.
53
An IS auditor needs to review the procedures used to restore a software application to its state prior to an upgrade. Therefore, the auditor needs to assess:
The FALLBACK procedures.
Fallback procedures are used to restore a system to a previous state and are an important element of the change control process. The other choices are not related to the change control process—a process which specifies what procedures should be followed when software is being upgraded.
54
An IS auditor notes during an audit that an organization's business continuity plan (BCP) does not adequately address information confidentiality during the recovery process. The IS auditor should recommend that the plan be modified to include:
Business should consider whether information security levels required during recovery should be the same, lower or higher than when business is operating normally. In particular, any special rules for access to confidential data during a crisis need to be identified
55
An IS auditor performing an application maintenance audit would review the log of program changes for the:
authorization of program changes
56
An IS auditor performing an independent classification of systems should consider a situation where functions could be performed manually at a tolerable cost for an extended period of time as:
Sensitive functions are best described as those that can be performed manually at a tolerable cost for an extended period of time.
57
An IS auditor performing an independent classification of systems should consider a situation where functions could be performed manually at a tolerable cost for an extended period of time as:
SENSITIVE: Sensitive functions are best described as those that can be performed manually at a tolerable cost for an extended period of time. Critical functions are those that cannot be performed unless they are replaced by identical capabilities and cannot be replaced by manual methods. Vital functions refer to those that can be performed manually but only for a brief period of time;
58
Isolation
means that, while in an intermediate state, the transaction data are invisible to external operations
59
It is MOST appropriate to implement an incremental backup scheme when:
In an incremental backup, after the full backup, only the files that have changed are backed up, thus minimizing media storage.
60
It is MOST appropriate to implement an incremental backup scheme when:
there is limited media capacity.
61
IT management has decided to install a level 1 Redundant Array of Inexpensive Disks (RAID) system in all servers to compensate for the elimination of offsite backups. The IS auditor should recommend:
reinstating the offsite backups. A RAID system, at any level, will not protect against a natural disaster. The problem will not be alleviated without offsite backups, more frequent onsite backups or even setting up a cold site.
62
IT management has decided to install a level 1 Redundant Array of Inexpensive Disks (RAID) system in all servers to compensate for the elimination of offsite backups. The IS auditor should recommend:
A RAID system, at any level, will not protect against a natural disaster. The problem will not be alleviated without offsite backups, more frequent onsite backups or even setting up a cold site
63
A large chain of shops with electronic funds transfer (EFT) at point-of-sale devices has a central communications processor for connecting to the banking network. Which of the following is the BEST disaster recovery plan for the communications processor?
Having an alternative standby processor at another network node would be the best solution. The unavailability of the central communications processor would disrupt all access to the banking network, resulting in the disruption of operations for all of the shops. This could be caused by failure of equipment, power or communications. Offsite storage of backups would not help, since EFT tends to be an online process and offsite storage will not replace the dysfunctional processor. The provision of an alternate processor onsite would be fine if it were an equipment problem, but would not help in the case of a power outage. Installation of duplex communication links would be most appropriate if it were only the communication link that failed.
64
last-mile circuit protection
The method of providing telecommunication continuity through the use of many recovery facilities, providing redundant combinations of local carrier T-1s, microwave and/or coaxial cable to access the local communication loop in the event of a disaster
65
A live test of a mutual agreement for IT system recovery has been carried out, including a four-hour test of intensive usage by the business units. The test has been successful, but gives only partial assurance that the:
system and the IT operations team can sustain operations in the emergency environment.
66
log management tool
is a product designed to aggregate events from many log files (with distinct formats and from different sources), store them and typically correlate them offline to produce many reports (e.g., exception reports showing different statistics including anomalies and suspicious activities) and to answer time-based queries (e.g., how many users have entered the system between 2 a.m. and 4 a.m. over the past three weeks).
67
A lower recovery time objective (RTO) results in:
higher cost.
68
maximum tolerable outage (MTO)
is the amount of time allowed for the recovery of a business function or resource after a disaster occurs; it does not have a direct influence on data recovery.
69
Network Data Management Protocol (NDMP) technology should be used for backup if
a network attached storage (NAS) appliance is required.
70
Network Data Management Protocol (NDMP) technology should be used for backup if:
a network attached storage (NAS) appliance is required.
71
Network Data Management Protocol (NDMP) technology should be used for backup if:
a network attached storage (NAS) appliance is required.
NDMP defines three kind of services:
1. A data service that interfaces with the primary storage to be backed up or restored
2. A tape service that interfaces with the secondary storage (primarily a tape device)
3. A translator service performing translations including multiplexing multiple data streams into one data stream and vice versa
NDMP services interact with each other. The result of this interaction is the establishment of an NDMP control session if the session is being used to achieve control for the backup or restore operation. It would result in an NDMP data session if the session is being used to transfer actual file system or volume data (including metadata).
Control sessions are always TCP/IP-based, but data streams can be TCP/IP-based or storage area network (SAN)- based. NDMP is more or less network attached storage-centric (NAS-centric) and defines a way to back up and restore data from a device, such as a NAS appliance, on which it is difficult to install a backup software agent. In the absence of NDMP, these data must be backed up as a shared drive on the local area network (LAN), which is accessed via network file protocols such as Common Internet File System (CIFS) or Network File System (NFS), degrading backup performance. NDMP works on a block level for transferring payload data (file content) but metadata and traditional file system information needs to be handled by legacy backup systems that initiate NDMP data movement. NDMP does not know about nor take care of consistency issues regarding related volumes (e.g., a volume to store database files, a volume to store application server data and a volume to store web server data). NDMP can be used to do backups in such an environment (e.g., SAP), but the logic required must be either put into a dedicated piece of software or must be scripted into the legacy backup software.
72
Neural networks
can be used to attack problems that require consideration of numerous input variables. They are capable of capturing relationships and patterns often missed by other statistical methods, but they will not discover new trends.
73
Installed Ethernet cable run in an unshielded twisted pair (UTP) network is more than 100 meters long. Which of the following could be caused by the length of the cable?
Attenuation is the weakening of signals during transmission. When the signal becomes weak, it begins to read a 1 for a 0, and the user may experience communication problems. UTP faces attenuation around 100 meters
74
An organization has a business process with a recovery time objective (RTO) equal to zero and a recovery point objective (RPO) close to one minute. This implies that the process can tolerate:
a data loss of up to one minute, but the processing must be continuous.
75
An organization has implemented a disaster recovery plan. Which of the following steps should be carried out next?
A best practice would be to conduct a paper test. Senior management sponsorship and business needs identification should have been obtained prior to implementing the plan. A paper test should be conducted first, followed by system or full testing.
76
A packet filtering router
examines the header of every packet or data traveling between the Internet and the corporate network.
77
Parity check
a method for detecting errors in data communications or within a computer system by counting the number of ones or zeros per byte or per word, including a special check bit (parity bit) to see if the value is even or odd.
78
parity check
is a hardware control that detects data errors when data are read from one computer to another, from memory or during transmission
79
Parsing
Parsing is the process of splitting up a continuous stream of characters for analytical purposes, and is widely applied in the design of programming languages or in data entry editing.
80
primary key in database
works in one table, so it is not able to provide/ensure referential integrity by itself.
81
The PRIMARY objective of service-level
| management (SLM) is to
define, agree on, record and manage the required levels of service.
82
The PRIMARY purpose of a business impact assessment (BIA) is to:
define recovery strategies.
83
A programmer maliciously modified a production program to change data and then restored the original code. Which of the following would MOST effectively detect the malicious activity?
Reviewing system log files
84
Protocol analyzers
are network diagnostic tools that monitor and record network information from packets traveling in the link to which the analyzer is attached
85
The purpose of code signing is to provide
| assurance that:
can only ensure that the executable code has not been modified after being signed.
86
Reasonableness check
detects transmission errors by appending calculated bits onto the end of each segment of data.
87
reasonableness check
A reasonableness check compares data to predefined reasonability limits or occurrence rates established for the data.
88
Recovery procedures for an information
| processing facility are BEST based on:
RTO - the amount of time allowed for the recovery of a business function or resource after a disaster occurs; it does not determine acceptable data loss
89
Recovery procedures for an information processing facility are BEST based on:
The RTO is the amount of time allowed for the recovery of a business function or resource after a disaster occurs; it does not determine acceptable data loss
90
Regarding a disaster recovery plan, the role of an IS auditor should include:
The IS auditor should be present when disaster recovery plans are tested, to ensure that the test meets the targets for restoration, and the recovery procedures are effective and efficient. As appropriate, the auditor should provide a report of the test results. All other choices are a responsibility of management.
91
The responsibilities of a disaster recovery relocation team include:
coordinating the process of moving from the hot site to a new location or to the restored original location.
92
RFID
Radio-Frequency Identification (RFID) is the use of radio waves to read and capture information stored on a tag attached to an object. A tag can be read from up to several feet away and does not need to be within direct line-of-sight of the reader to be tracked.
93
Routers
allow packets to be given or denied access based on the addresses of the sender and receiver and the type of packet
94
RTO and RPO
RTO measures an organization's tolerance for downtime and RPO measures how much data loss can be accepted
95
SIEM product
has some similar features. It correlates events from log files, but does it online and normally is not oriented to storing many weeks of historical information and producing audit reports. A correlation engine is part of a SIEM product. It is oriented to making an online correlation of events
96
Stealth commanding is the hijacking of a web server by the installation of unauthorized code. While the use of hidden forms may increase the risk of server compromise,
the most common server exploits involve vulnerabilities of the server operating system or web server.
97
Steganography
Steganography is a technique for concealing the existence of messages or information. An increasingly important steganographical technique is digital watermarking, which hides data within data, e.g., by encoding rights information in a picture or music file without altering the picture or music's perceivable aesthetic qualities.
98
Switches
are at the lowest level of network security and transmit a packet to the device to which it is addressed. This reduces the ability of one device to capture the packets that are meant for another device
99
System Cutover
Details of system cutover will depend on your migration plan. Most commonly, the process of retiring the old system and bringing the new one on line is gradual, with the two systems, or at least their parts, coexisting for a while to enable an orderly and controlled transfer of the user fleets.
100
System logs
are a recording of the system's activities.
101
Establishing controls to handle concurrent access problems is a
preventive control.
102
Establishing standards is a preventive control, and monitoring for compliance is a
detective control.
103
Restore procedures can be used to recover databases to
their last-known archived version.
104
A redundant site contains either
duplicate mirror facilities that are online at all times or computing facilities of a reduced capacity that can process at the acceptable service delivery objective (SDO) requirement. The data are live—there are no delays waiting for files to be restored. This site is in full operation and able to take over processing within seconds or minutes.
105
Critical functions are those that
cannot be performed unless they are replaced by identical capabilities and cannot be replaced by manual methods.
106
Vital functions refer to those that can be performed
manually but only for a brief period of time; this is associated with lower costs of disruption than critical functions.
107
Noncritical functions may be
interrupted for an extended period of time at little or no cost to the company, and require little time or cost to restore
