section 4C Flashcards
(126 cards)
1
Q
A ____uniquely identifies the sender of an electronic message
A valid digital signature does not verify the identity of the private key’s owner. It only proves that the message was sent by the owner of the private key T/F
Employees are often identified by something they possess, such as an ID card. T/F
……Their disadvantage: They can be lost, stolen, or given away.
Since no single authentication method is foolproof, multi-factor authentication, such as requiring a smart card and a password, provides much stronger authentication than either method alone T/F
A
digital signature
true
True
True
True
2
Q
Biometric devices would not able to adapt to slight personal changes, such as bloodshot eyes. T/F
They may allow access to unauthorized people. T/F
The biometric templates (the digital representation of an individual's fingerprints or voice) must be stored. Any compromise would not create an issue.
A
False -yes it can
True – malfunctions happen
False - Any compromise of those templates would cause serious problems for people.
3
Q
Which of the following security controls would best prevent unauthorized access to sensitive data via an unattended data terminal directly connected to a mainframe?
Use of a screen saver with a password
Prevention of booting from a diskette by removing the diskette drive
Encryption of data files
Automatic log-off of inactive users
A
Automatic log-off of inactive users
Automatic log-off of inactive data terminals may prevent the viewing of sensitive data on an unattended data terminal.
Screen savers do not prevent the viewing of data on an unattended data terminal.
Data terminals do not have diskette drives.
Encryption of data files will not prevent the viewing of data on an unattended data terminal.
4
Q
In traditional information systems, computer operators are generally responsible for backing up software and data files on a regular basis. In distributed or cooperative systems, ensuring that adequate backups are taken is the responsibility of PROGRAMMERS
RANDOM
___ means providing the ability for a firm to engage in continuous operation. A ____plan would incorporate more than a disaster recovery plan, which only deals with recovery (and continuity) of the computer processing capability of the organization.
A
False - it is user management
Business continuity
5
Q
Backup files can be transported to the remote site in two ways
1. Physically (mail,etc)
2. Electronic Vaulting. Two ways to do this.
…..a. ___ approach - company slectronically sends items to be backed up
…..b ___ pull approach – electronic vault service installs its software on the company computers and automatically backs up the data
To protect data privacy, all data should be \_\_\_before being transmitted.
A
Push
Pull
encrypted
6
Q
Batch processing files are backed up using the ___
When a master file is updated, a new master file is created.
A destroyed master file can be recreated using prior generations of the master file and the appropriate transaction file.
For example, if Wednesday’s master file is destroyed it could be recreated using Tuesday’s master file and Wednesday’s transaction file.
If Tuesday’s master file was also destroyed, it could be recreated using Monday’s master file and Tuesday’s transaction file.
A
grandfather-father-son concept.
7
Q
Online databases are also backed up.
- a ___ is created when a copy of the database in the point in time is made.
- The checkpoint data is stored on a separate storage medium. T/F
- A database is re-created from the last check point t/f
A
check point
true
true
8
Q
A critical aspect of a disaster recovery plan is to be able to regain operational capability as soon as possible. In order to accomplish this, an organization can have an arrangement with its computer hardware vendor to have a fully operational facility available that is configured to the user’s specific needs. This is best known as a cold site
A
false -a hot site
A hot site is a completely operational data processing facility configured to meet the user’s requirements that can be made available to a disaster-stricken organization on short notice.
A cold site is a location that provides everything necessary to quickly install computer equipment in the event of a disaster striking an organization.
9
Q
A ____site is a location that provides everything necessary to quickly install computer equipment in the event of a disaster striking an organization.
A ___site is a completely operational data processing facility configured to meet the user’s requirements that can be made available to a disaster-stricken organization on short notice.
A
Cold
Hot
10
Q
Which of the following statements does not describe how routers control the flow of information on the internet?
Data is divided into packets and transmitted to recreate the original message or data.
Every internet protocol packet contains two parts: a header and a body.
The router reads the destination address in the IP body to determine where it is to be sent.
A border router connects the information system to the internet.
A
The router reads the destination address in the IP body to determine where it is to be sent
A router reads the destination address in the header (not the body) to determine where the information is to be sent.
11
Q
A company’s management is aware that it cannot foresee every contingency even with the best planning. Management believes, however, that a more thorough recovery plan increases the ability to resume operations quickly after an interruption and thus to:
maintain the same level of employment.
minimize the cost of facility repair.
fulfill its obligations to customers.
receive the maximum benefit from planning.
A
fulfill its obligations to customers.
The better the recovery plans, the more likely the company would be to resume operations quickly and fulfill its obligations to customers.
Thorough planning may or may not minimize the cost of facility repair, i.e., the best approach may be to undergo more expensive repair sooner in order to resume operations sooner.
12
Q
Which of the following risks is more likely to be encountered in an end-user computing (EUC) environment as compared to a mainframe computer system?
Inability to afford adequate uninterruptible power supply systems
User input screens without a graphical user interface (GUI)
Applications that are difficult to integrate with other information systems
Lack of adequate utility programs
A
Applications that are difficult to integrate with other information systems
Applications that are difficult to integrate with other information systems are a risk that is considered unique to end-user computer (EUC) system development.
13
Q
Which of the following describes the primary purpose of a disaster recovery plan?
To document how data will be backed up to expedite recovery
To document the location of off-site replacement facilities
To test how well prepared the company is to recover data
To specify the steps required to resume operations
A
To specify the steps required to resume operations
The primary purpose of a disaster recovery plan is to specify the steps required to efficiently and effectively restore/resume data processing operations when there is a disaster
14
Q
PC hard drives can be backed up on CDs, diskettes, and tape files. T/F
The company should periodically practice restoring a system from the backup data so employees know how to quickly restart the system if a failure occurs. T/F
A
True
true
15
Q
The performance audit report of an information technology department indicated that the department lacked a disaster recovery plan. Which of the following steps should management take first to correct this condition?
Bulletproof the information security architecture
Designate a hot site
Designate a cold site
Prepare a statement of responsibilities for tasks included in a disaster recovery plan
A
Prepare a statement of responsibilities for tasks included in a disaster recovery plan
16
Q
Disaster Recovery Plans Include
Setting ___priorities
Providing the necessary ___
Providing for backup computer and telecommunications facilities T/F
Having procedures for periodic ___ and ___
Complete ___of the process
A
recovery insurances true testing and revision documentation
17
Q
Greater reliance of management on information systems increases the exposure to:
unauthorized third-party access to systems.
systematic programming errors.
inadequate knowledge bases.
business interruption.
A
Biz interruption
Greater reliance of management on information systems increases the exposure to business interruption. As management relies more on information systems for crucial functions, system failures have the potential to interrupt business.
18
Q
A company has a significant e-commerce presence and self-hosts its website. To assure continuity in the event of a natural disaster, the firm should adopt which of the following strategies?
Back up the server database daily
Store records off-site
Purchase and implement RAID technology
Establish an off-site mirrored web server
A
Establish an off-site mirrored web server
A natural disaster could destroy the onsite web server as well as any backup server at the same location. A disaster could also destroy communications channels to that site. A second identical server (a mirror) with separate communications channels located remotely would facilitate continuity in a disaster.
19
Q
A new accounts receivable clerk, working for a wholesaler, noticed that a customer had apparently changed addresses. The clerk had accessed the customer’s computer file and revised all addresses. One week later the customer complained that goods were being sent to the wrong address. The primary control to prevent this occurrence is TRAINING ON DATA ENTRY
A
False - It is database security
The primary control to prevent someone from accessing the customer’s computer file and revising all addresses is database security. Proper security would prevent changes by an accounts receivable clerk.
20
Q
All of the following are classifications of controls used to make systems more secure except:
nonphysical access controls.
segregation of system duties.
logical access controls.
internet and telecommunications controls.
A
nonphysical access controls.
Nonphysical access controls are not one of the five classifications of controls used to make systems more secure.
21
Q
The five classifications of controls used to make systems more secure are:
A
segregation of duties
, physical access controls,
logical access controls,
personal computers and client/server network protection,
internet and telecommunications controls.
22
Q
During the process of electronically transmitting data, which of the following IT controls would provide the most assurance that unauthorized disclosure of sensitive information would be prevented?
Encryption
Restricted access
A strongly worded confidentiality warning
Separate transmission of the data file and its password
A
encryption
Encryption provides the most assurance that unauthorized disclosure of sensitive information is prevented. Encryption is transforming data, called plaintext, into unreadable gibberish, called ciphertext. Decryption reverses this process, transforming ciphertext back into plaintext.
23
Q
A digital signature is used primarily to determine that a message is:
unaltered in transmission.
not intercepted en route.
received by the intended recipient.
sent to the correct address.
A
unaltered
A digital signature allows the creator of a message to digitally “sign” the data and provides proof of authorization. Because a digital signature cannot be altered, it allows the recipient to determine that a message has been unaltered in transmission.
24
Q
SOC 2: Report on Controls at a Service Organization Relevant to: CAPS ….CAPS SOC (Suck)
A
Confidentiality
Availability
Processing Integrity
Security
25
SOC REPORTS
In a ____ report, the service auditor provides an opinion as to whether the service organization’s description “fairly presents” the system that was designed and implemented, and whether the controls were suitably designed to meet the criteria as of a specified date.
In a ____report, the service auditor provides an opinion on whether the service organization’s description “fairly presents” the system that was designed and implemented; the controls were suitably designed to meet the criteria; the controls operated effectively during the specified period of time; and the service organization is in compliance with the commitments in its statement of privacy practices, if the report covers the privacy principle.
Type 1 report
Type 2
26
Which of the following is an objective of logical security controls for information systems?
To ensure complete and accurate recording of data
To ensure complete and accurate processing of data
To restrict access to specific data and resources
To provide an audit trail of the results of processing
To restrict access to specific data and resources
Logical security controls for information systems are used to restrict access to specific data and resources.
Input controls ensure complete and accurate recording of data.
Processing controls ensure complete and accurate processing of data.
Output controls provide an audit trail of results of processing.
27
LOGICAL CONTROLS
Several levels of logical access are needed:
____which ensures that unauthorized users and devices are not allowed to access any part of the system
___, which makes sure the system can recognize authorized users, but restrict their access to:
a. ) Data they're Not allowed to use
b. ) the functions they're authorized to perform.
Authentication,
Authorization
28
Unauthorized alteration of online records can be prevented by employing:
key verification.
computer sequence checks.
computer matching.
database access controls.
Database access controls
Users can gain access to databases from terminals only through established recognition and authorization procedures; thus, unauthorized access is prevented.
29
In spite of management's insistence on following procedures, there have been occasions, usually associated with emergencies, in which a program in the test library was used for the company's operations. A risk of using test library programs in emergency situations is that:
the personnel preparing the programs may not be authorized to write or modify them.
the programs may not be further tested before being placed into production permanently.
the integrity of the production library is threatened under such circumstances.
operational personnel may not be fully satisfied with the output of the programs.
the programs may not be further tested before being placed into production permanently.
A risk associated with such programs is that the programs may not be tested further before being placed into production permanently. The temptation is to place the test library program into production if it appeared to run satisfactorily.
30
A controller is developing a disaster recovery plan for a corporation's computer systems. In the event of a disaster that makes the company's facilities unusable, the controller has arranged for the use of an alternate location and the delivery of duplicate computer hardware to this alternate location. Which of the following recovery plans would best describe this arrangement?
Cold Site
31
A checkpoint/restart procedure is primarily designed to recover from:
programming errors.
data input errors.
computer operator errors.
hardware failures.
hardware failures.
32
The term “____” refers to the periodic copying of the results of a program prior to its actual completion. The copy is written to secondary storage for use in restarting a program, should there be an interruption in the operation of the hardware devices. Restart is initiated from the most current (recent) checkpoint, rather than at the beginning of the program.
checkpoint-restart procedure
33
Which of the following statements presents an example of a general control for a computerized system?
Limiting entry of sales transactions to only valid credit customers
Creating hash totals from Social Security numbers for the weekly payroll
Restricting entry of accounts payable transactions to only authorized users
Restricting access to the computer center by use of biometric devices
Restricting access to the computer center by use of biometric devices
34
____ controls apply to all applications processed by the computerized system.
General controls
35
Many organizations are critically dependent on information systems to support daily business operations. Consequently, an organization may incur significant loss of revenues or incur significant expenses if a disaster such as a hurricane or power outage causes information systems processing to be delayed or interrupted. A bank, for example, may incur significant penalties as a result of missed payments.
Which of the following management activities is essential to ensure continuity of operations in the event a disaster or catastrophe impairs information systems processing?
Review of insurance coverage
Electronic vaulting
Change control procedures
Contingency planning
Contingency planning
Contingency planning is a management activity which is essential to ensure continuity of operations in the event a disaster impairs information systems processing.
36
____is a management activity which is essential to ensure continuity of operations in the event a disaster impairs information systems processing.
Contingency planning
37
Which of the following risks can be minimized by requiring all employees accessing the information system to use passwords?
Collusion
Data entry errors
Failure of server duplicating function
Firewall vulnerability
Firewall vulnerability
Passwords are used to prevent unauthorized access to an information system. If passwords are required, it minimizes the chance of an intruder accessing sensitive data since the firewall will prevent such acces
38
A ____prevents outsiders and employees from gaining unauthorized access to a system.
....It only consists of software T/f
Firewalls also unifies internal networks to protect sensitive data from unauthorized internal use. T/F
Firewalls often use ___hardware, software, and other information technology to reduce outages and failures.
Firewalls act as filters and only permit packets that meet specific conditions to pass. t/F
firewall
False -both software & hardware
False - it separates internal networks
redundant
True
39
Firewalls can be penetrated or bypassed, so:
all communication network links should be periodically monitored to determine whether a firewall was bypassed by wireless communications links
__ and ___ systems should be used to detect any penetrations.
false -continuously
intrusion detection and prevention
40
Which of the following classifications of security controls includes smoke detectors, generators, security guards, and ID badges?
Technical
Physical
Administrative
Logical
Physical
41
A routine part of an organization's disaster recovery plan should require the ongoing preparation of backup files ... t/f
true
42
Company A has numerous personal computers (PCs) with full processing capabilities linked into an integrated local area network with a file server which in turn is fully connected to the central mainframe computer. Data entry, comprehensive processing, and inquiry routines are possible at all nodes in the network.
A control feature designed to negate the use of utility programs to read files which contain all authorized access user codes for the network are LOG-ON PASSWORDS
FALSE - internally encrypted passwords
Internally encrypted passwords are a form of access control designed to prevent unauthorized access by use of a utility program to identify passwords.
43
Encryption protection is least likely to be used in which of the following situations?
When transactions are transmitted over local area networks
When wire transfers are made between banks
When confidential data are sent by satellite transmission
When financial data are sent over dedicated, leased lines
When transactions are transmitted over local area networks
Encryption protection is least likely to be used when transactions are transmitted over local area networks. Such protection makes it difficult for intercepted transmissions to be understood or modified.
Encoding is important when confidential data are transmitted between geographically separated locations that can be electronically monitored.
Encryption is often used when wire transfers are made between banks, confidential data are sent by satellite transmission, and financial data are sent over dedicated leased lines.
44
A company's web server has been overwhelmed with a sudden surge of false requests that caused the server to crash. The company has most likely been the target of:
Denial of Service Attack
45
Which of the following would normally be the functions of security software?
Authenticates user identification and controls access to information resources
Logs the activity of the computer system including the time each program is started and when each file is accessed
Displays the data typed into a terminal keyboard
Records and monitors changes to program source code and object code files
Authenticates user identification and controls access to information resources
Authentication and subsequent access to computer resources are the primary functions of security software.
46
Authentication and subsequent access to computer resources are the primary functions of ___
security software.
47
An entity doing business on the Internet most likely could use any of the following methods to prevent unauthorized intruders from accessing proprietary information except:
password management.
data encryption.
digital certificates.
batch processing.
Batch Processing
In batch processing, items to be processed are collected in groups to permit fast and convenient processing (processed as a group). atch processing does not prevent unauthorized intruders from accessing information on the Internet.
The other answer choices are incorrect because passwords, encryption, and digital certificates are all methods commonly used to restrict unauthorized access to data.
48
What is a major disadvantage to using a private key to encrypt data?
Both sender and receiver must have the private key before this encryption method will work.
The private key cannot be broken into fragments and distributed to the receiver.
The private key is used by the sender for encryption but not by the receiver for decryption.
The private key is used by the receiver for decryption but not by the sender for encryption.
Both sender and receiver must have the private key before this encryption method will work.
A major disadvantage of private key encryption is that both the sender and receiver must have the same (private) key, and this must be securely transmitted to avoid interception and decryption of the message by others.
49
A SOC 1 reports on the:
controls at a service organization relevant to policies and procedures, communications, and monitoring.
controls at a service organization relevant to user entities’ internal control over financial reporting (ICFR).
controls at a service organization relevant to security, availability, processing integrity, confidentiality, or privacy.
controls at a service organization relevant to access controls, system operations, change management, and risk mitigation.
controls at a service organization relevant to user entities’ internal control over financial reporting (ICFR).
A Service Organization Control (SOC) 1 report is on the controls at a service organization relevant to user entities’ internal control over financial reporting (ICFR). SOC 1 reports are based on Statement on Standards for Attestation Engagements (SSAE) 16
SOC 2 and SOC 3 reports are on the controls at a service organization relevant to security, availability, processing integrity, confidentiality, or privacy.
50
In general, mainframe computer production programs and data are adequately protected against unauthorized access. Certain utility software may, however, have privileged access to software and data. To compensate for the risk of unauthorized use of privileged software, Information Systems (IS) management can RESTRICT THE PRIVILEGED ACCESS.
False - it can only limit the access
51
Engaging in traditional electronic data interchange (EDI) provides which of the following benefits?
Enhanced audit trails
Guaranteed payments from customers
Added flexibility to entice new partners
Reduced likelihood of stockout costs
Reduced likelihood of stockout costs
52
Which of the following networks provides the least secure means of data transmission?
Value-added
Public-switched
Local area
Private
Public-switched
Public-switched networks are open to the general public and offer the lowest level of security.
53
Which of the following information technology (IT) terms is not matched with its appropriate definition?
Hadoop: a free, open-source software framework that stores large amounts of data
Predictive analytics technology: uses data, statistical algorithms, and machine-learning techniques to identify the likelihood of future outcomes based on historical data
Big data: a term that describes the large volume of diverse and complex data available to businesses on a day-to-day basis
Data-mining technology: enables entities to analyze text data from the web, comment fields, books, and other text-based sources to uncover insights not previously identified
Data-mining technology: enables entities to analyze text data from the web, comment fields, books, and other text-based sources to uncover insights not previously identified
Text-mining technology (not data mining) enables entities to analyze text data from the web, comment fields, books, and other text-based sources to uncover insights not previously identified.
Text mining uses machine learning or natural language processing technology to comb through documents such as emails, blogs, and Twitter feeds to analyze large amounts of information and discover new topics and term relationships.
54
____technology, entities can analyze text data from the web, comment fields, books, and other text-based sources to uncover insights not previously identified.
Text mining:
55
The internal auditor is reviewing a new policy on electronic mail. Appropriate elements of such a policy would include all of the following, except:
erasing all employees' electronic mail immediately upon employment termination.
encrypting electronic mail messages when transmitted over phone lines.
limiting the number of electronic mail packages adopted by the organization.
directing that personnel do not send highly sensitive or confidential messages using electronic mail.
erasing all employees' electronic mail immediately upon employment termination.
The company should have access to the business-related e-mail that is left behind. Access to e-mail can also be critical in business or possible criminal investigations. The privacy concerns of the individual case must be mitigated by competing business interest; the need to follow-up on business e-mail and to assist in investigations.
56
Which of the following statements best characterizes the function of a physical access control?
Protects systems from the transmission of Trojan horses
Provides authentication of users attempting to log into the system
Separates unauthorized individuals from computer resources
Minimizes the risk of incurring a power or hardware failure
Separates unauthorized individuals from computer resources
57
he best evidence that contingency planning is effective is to have:
no processing interruptions during the past year.
comprehensive documentation of the plan.
sign-off on the plan by the internal audit department.
successful testing of the plan.
successful testing of the plan.
The only way to know whether contingency planning has been effective is to test the plan, by simulating an interruption or by conducting a paper test with a walk-through of recovery procedures.
58
Which of the following passwords would be most difficult to crack?
OrCa!FlSi
language
12 HOUSE 24
pass56word
Passwords containing nonalphanumeric characters are the most difficult to crack because, when compared to simply alphanumeric password combinations, the number of possible combinations increases exponentially when nonalphanumeric characters are used.
59
Many organizations are critically dependent on information systems to support daily business operations. Consequently, an organization may incur significant loss of revenues or incur significant expenses if a disaster such as a hurricane or power outage causes information systems processing to be delayed or interrupted.
Which of the following activities is necessary to determine what would constitute a disaster for an organization?
Risk analysis
File and equipment backup requirements analysis
Vendor supply agreement analysis
Contingent facility contract analysis
Risk Analysis
Risk analysis is necessary to determine an organization's definition of a disaster and evaluate the effect of that disaster.
System backup analysis, vendor supply agreement analysis, and contingent facility contract analysis are all contingency planning strategies to react to a disaster.
60
Mainframe computer systems include several advanced processing procedures. Two of the most common processing procedures are multiprocessing and multiprogramming. Which of the following statements about these processing procedures is false?
Multiprocessing usually involves two or more computers functioning simultaneously.
Multiprogramming allows multiple programs to be executed at exactly the same time.
Multiprogramming switches back and forth between programs during processing.
Multiprocessing allows the sharing of a central memory during processing.
Multiprogramming allows multiple programs to be executed at exactly the same time.
Multiprocessing involves the simultaneous execution of two or more tasks, usually by using two or more processing units that are part of the same system (with a single central memory).
Multiprogramming is the appearance of simultaneous execution of two programs as a single processing unit switches back and forth between the programs.
61
____involves the simultaneous execution of two or more tasks, usually by using two or more processing units that are part of the same system (with a single central memory).
____is the appearance of simultaneous execution of two programs as a single processing unit switches back and forth between the programs.
Multiprocessing
Multiprogramming
62
Because of the sensitivity of its data, an online system for developing estimates and generating proposals was implemented with several layers of access control. Control over users' initial log-in is a function of the:
integrated test facility.
operating system.
subschema authorizations.
application software.
nitial log-in to a system is a function of the operating system–level access control software.
An integrated test facility is an audit approach to validating processing.
Database subschema authorizations control access to specific views of fields in a database.
Access to applications and their data is a function of application level software.
63
When users request access to data or programs or try to operate the system, a ____can determine if the user is authorized to perform the desired action.
Compatibility tests use an ___
compatibility test
access control matrix
64
Which of the following is not one of the more common types of cybersecurity threats?
Ransomware
Blockchain
Malware
Social engineering
Blockchain
A blockchain is a digitized, decentralized, public ledger of all cryptocurrency transactions; it is not an example of a cybersecurity threat.
Social engineering is a tactic designed to trick an individual or entity into revealing sensitive information.
65
Some of the more common types of cybersecurity threats include the following:
____: A type of malicious software designed to extort money by blocking access to files or the computer system until the ransom is paid
___is a tactic designed to trick an individual or entity into revealing sensitive information.
___: A type of software designed to gain unauthorized access or to cause damage to a computer
___The practice of sending fraudulent emails that resemble emails from reputable sources
_____An attack that bombards the receiving server with so much information that it shuts down,
```
Ransomware
Social engineering
Malware
Phishing:
Denial of service (DOS):
```
66
Online access controls are absolutely essential in controlling access to and operation of modern computer systems. These controls include:
Authorized user code number
passwords
list of all files and programs
a record of the type of access each user has for each file/program
Yep
67
Which of the following is a network node that is used to set up as a boundary that prevents traffic from one segment to cross over to another?
Router
Gateway
Firewall
Heuristic
Firewall
A firewall is a method used to isolate the company computers behind a device that acts as a gatekeeper. This gatekeeper prevents traffic from one segment from crossing over to another
68
Which of the following best describes a hot site?
Location within the company that is most vulnerable to a disaster
Location where a company can install data processing equipment on short notice
Location that is equipped with a redundant hardware and software configuration
Location that is considered too close to a potential disaster area
Location that is equipped with a redundant hardware and software configuration
69
A _____site is a completely operational data processing facility configured to meet the user's requirements that can be made available to a disaster-stricken organization on short notice. It is a location with redundant hardware & software configuration.
A ____site is a location that provides everything necessary to quickly install computer equipment in the event of a disaster striking an organization.
Hot
Cold
70
ho are the intended users of a Service Organization Control (SOC) 2 report?
Management of the service organization, user entities, and user auditors
Anyone (no restrictions)
Parties that are knowledgeable about the nature of the service provided by the service organization
User auditors
Parties that are knowledgeable about the nature of the service provided by the service organization
SOC 2 reports are restricted and are only for parties that are knowledgeable about the nature of the service provided by the service organization. SOC 1 reports are for management of the service organization, user entities, and user auditors. SOC 3 reports have no restrictions and can be distributed to anyone.
71
Who are these reports intended for?
SOC1
SOC2
SOC3
SOC1 - management of the service organization, user entities, user auditors
Soc2 - parties that are knowledgeable about the nature of the service provided by the service org
Soc3 - anybody
72
To encrypt a document:
the data to be encrypted is divided into ___the same length as the ___
the formula is applied to each block of data, producing a ___t version of the data that is the same size as the original.
blocks, key
ciphertext
73
A large property insurance company has regional centers that customers call to report claims. Although the regional centers are not located in areas known to be prone to natural disasters, the company needs a disaster recovery plan that would restore call answering capacity in the event of a disaster or other extended loss of service. The best plan for restoring capacity in the event of a disaster would be to reroute call traffic to a THIRD PARTY SERVICE CENTER
False - a non-affected regional center
74
Which of the following is not an area that should be included in an entity’s cybersecurity risk assessment?
Identity management
End-user education
Malware protection
Disaster recovery/business continuity planning
Malware Protection
Malware protection, along with next-generation firewalls, DNS (domain name system) filtering, antivirus software, and email security solutions, is an example of technology used to protect against the risk of cyber attacks.
75
CYBERSECURITY RISK ASSESSMENT
From a business perspective, multiple areas of risk need to be addressed, including:
security over networks, applications, data and databases, infrastructure, endpoint devices (computers, smart devices, and routers), mobile
devices, and cloud storage;
identity management;
disaster recovery/business continuity planning; and
end-user education.
yeehaw
76
An online database management system for sales and receivables was recently expanded to include credit approval transactions. An evaluation of controls was not performed prior to implementation.
To prevent unauthorized access to specific data elements, the database management system should contain which of the following controls?
Sign-on verification security at the physical terminals
Password specifications for each data file or element
Periodic tests of the system using production databases
Terminal security used in lieu of passwords for each data element or file
Password specifications for each data file or element
77
Which of the following types of business planning focuses on how a company can most effectively restore business operations following a disaster?
Capacity planning
Budget planning
Strategy planning
Continuity planning
continuity planning
A continuity plan explains how a business would recover its operations or move operations to another location after damage by events like natural disasters, theft, or flooding.
78
The National Cyber Security Alliance (NCSA) guidelines for conducting cyber-risk assessment focus on several key areas. Which of the following is not a risk assessment area?
Identify an organization’s most valuable information requiring protection
Identify the threats and risks facing the organization's valuable information
Identify the damage an organization would incur should its valuable data be lost or wrongfully exposed
Develop and implement a plan to mitigate cyber risk
Develop and implement a plan to mitigate cyber risk
Developing and implementing a plan to mitigate cyber risk is a key step in providing cybersecurity; however, it is not part of the risk assessment stage.
79
NCSA’s guidelines for conducting cyber-risk assessments focus on three key areas:
identifying an organization’s most __requiring protection,
identifying the __ and __facing that information
outlining the ___an organization would incur should that data be lost or wrongfully exposed.
valuable information
threats and risks
damage
80
Notebook computers provide automation outside of the normal office location. Which of the following would provide the least security for sensitive data stored on a notebook computer?
Encryption of data files on the notebook computer
Setting up a password for the screensaver program on the notebook computer
Using a notebook computer with a removable hard disk drive
Using a locking device that can secure the notebook computer to an immovable obje
Setting up a password for the screensaver program on the notebook computer
81
Laptops, cell phones, and PDA devices require special attention to prevent their theft and the loss of the data they contain.
Employees should always lock their laptops to an _.
Store sensitive data on __media, rather than the hard drive, in an encrypted format and lock it up at night.
Install software on laptops so that if it is stolen the laptop will automatically ____to reveal its current location when the thief attempts to use it to connect to the Internet.
immovable object
removable
dial a toll-free number or use Wi-Fi positioning
82
An organization uses electronic mail extensively over the Internet. All users have an established password to get into their account. Which of the following statements is correct regarding such security?
All messages on the Internet are encrypted, thereby providing enhanced security.
Passwords are effective in ensuring that someone attempting to log on under a user's name is prevented from casually accessing the user's data.
If someone gains supervisory level access to the file server containing electronic messages, they could still not gain access to the file containing electronic mail messages unless they first decrypted the security control log.
All of these statements are correct.
Passwords are effective in ensuring that someone attempting to log on under a user's name is prevented from casually accessing the user's data.
Passwords are effective against the casual intruder.
Messages on the Internet are not encrypted. It is the sender's and receiver's responsibility to encrypt confidential information.
If someone gains access to the server, he or she can download the file of messages and gain access to the messages without working with any security log.
83
The use of message encryption software:
guarantees the secrecy of data.
requires manual distribution of keys.
increases system overhead.
reduces the need for periodic password changes.
increase system overhead
The machine instructions necessary to encrypt and decrypt data constitute system overhead, which means that processing may be slowed down.
84
Good planning will help an organization restore computer operations after a processing outage. Good recovery planning should ensure that:
backup/restart procedures have been built into job streams and programs.
change control procedures cannot be bypassed by operating personnel.
planned changes in equipment capacities are compatible with projected workloads.
service level agreements with owners of applications are documented.
backup/restart procedures have been built into job streams and programs.
An essential component of a disaster recovery plan is that the need for backup/restart has been anticipated and provided for in the application systems.
85
Each day, after all processing is finished, a bank performs a backup of its online deposit files and retains it for seven days. Copies of each day's transaction files are not retained. This approach is:
valid, in that having a week's worth of backups permits recovery even if one backup is unreadable.
risky, in that restoring from the most recent backup file would omit subsequent transactions.
valid, in that it minimizes the complexity of backup/recovery procedures if the online file has to be restored.
risky, in that no checkpoint/restart information is kept with the backup files.
risky, in that restoring from the most recent backup file would omit subsequent transactions.
The practice is risky in that restoring from the most recent backup file would omit transactions occurring since the backup was taken.
86
Managers at a consumer products company purchased personal computer (PC) software only from recognized vendors and prohibited employees from installing non-authorized software on their PCs. To minimize the likelihood of computer viruses infecting any of its systems, the company should also:
restore infected systems with authorized versions.
recompile infected programs from source code backups.
institute program change control procedures.
test all new software on a stand-alone PC.
test all new software on a stand-alone PC
The best way for the company to minimize the likelihood of computer viruses infecting its systems would be to test all new software on a stand-alone PC before installing it on networked computers in the system..
87
Which of the following situations would most likely provide the best way to secure data integrity for a personal computer environment?
Provision of personal computers to all users
Trained, proficient user group
All computers linked to a local area network (LAN)
Adequate program documentation
All computers linked to a local area network (LAN)
Data integrity relates to using data for its intended purpose. A local area network would promote data integrity by making data available only to those users having a legitimate reason for access. Centralized access controls would help promote data integrity.
88
Which of the following is a computer program that appears to be legitimate but performs an illicit activity when it is run?
Redundant verification
Parallel count
Web crawler
Trojan horse
Trojan Horse
89
An information technology director collected the names and locations of key vendors, current hardware configuration, names of team members, and an alternative processing location. What is the director most likely preparing?
disaster recovery plan
90
A disaster recovery alternate site configured to meet user data processing requirements, including the appropriate hardware, is called a:
cold site.
remote processing site.
reciprocal site.
hot site.
Hot site
A hot site is one that contains all essential hardware to restore the system in a minimal amount of time. A hot site is more costly than a cold site, which includes only appropriate power, air conditioning, and support systems, but no hardware.
91
Which of the following is an electronic device that separates or isolates a network segment from the main network while maintaining the connection between networks?
firewall
92
Computer program libraries can best be kept secure by:
restricting physical and logical access.
denying access from remote terminals.
monitoring physical access to program library media.
installing a logging system for program access.
restricting physical and logical access.
Restricting physical and logical access secures program libraries from unauthorized use, in person and remotely via terminals.
93
All host devices (PCs and servers where programs reside) and applications (software on those hosts) should be -__
Hardening is the process of modifying the configuration of hosts and application software and deleting, or turning off, unused and unnecessary programs that represent potential security threats.
hardened.
YEP
94
The primary objective of security software is to:
control access to information system resources.
restrict access to prevent installation of unauthorized utility software.
detect the presence of viruses.
monitor the separation of duties within applications.
control access to info sys. resources
95
Tunneling is used to create a virtual private network. All of the following statements describe tunneling except:
packets are encrypted and sent over the internet.
the network is protected by a single firewall.
data is split into small internet protocol (IP) packets.
at the destination the packets are decrypted.
the network is protected by a single firewall.
Tunneling is used to create a virtual private network and can also be used to safeguard internal networks. Networks are connected firewall to firewall (i.e., tunneling) via the internet. (multiple firewalls)
96
The duties properly assigned to an information security officer could include all of the following, except:
developing an information security policy for the organization.
maintaining and updating the list of user passwords.
commenting on security controls in new applications.
monitoring and investigating unsuccessful access attempts.
maintaining and updating the list of user passwords.
97
T/F regarding digital sig
A valid digital signature does not identify the owner of the private key.
It uniquely identifies the sender.
It is not legally binding as a signature.
It encrypts a private key of the sender’s message that can only be decoded with a corresponding key.
T
T
False- It is not legally binding as a signature
T
A digital signature is considered to be legally binding.
98
In one company, the application systems must be in service 24 hours a day. The company's senior management and information systems management have worked hard to ensure that the information systems recovery plan supports the business disaster recovery plan. A crucial aspect of recovery planning for the company is ensuring that:
organizational and operational changes are reflected in the recovery plans.
changes to systems are tested thoroughly before being placed into production.
organizational and operational changes are reflected in the recovery plans.
99
An auditor is planning an audit of a customer information system which uses a local area network (LAN) with personal computers (PCs). Increased risks associated with the company's use of a LAN and PCs, as opposed to use of a mainframe, could include all of the following, except:
lack of documentation of procedures to ensure the complete capture of data.
poor security of data residing on the PCs.
problems with failures of the hardware used for processing data.
incomplete data communications.
problems with failures of the hardware used for processing data.
Problems with failures of the hardware used for processing data are not considered a major risk, as PCs have hardware components similar to mainframe computers. The integrity of the hardware is quite high.
100
Data access security related to applications may be enforced through all the following, except:
user identification and authentication functions incorporated in the application.
utility software functions.
user identification and authentication functions in access control software.
security functions provided by a database management system.
utility software functions.
Data access security related to applications cannot be enforced through utility software functions.
Utility programs are one of the more serious “holes” in data access security since some of them can actually bypass normal access controls.
101
Utility programs are one of the more serious “holes” in data access security since some of them can actually bypass normal access controls. T/F
True
102
An access control matrix consists of:
a list of all authorized user ___and ___,
a list of all __ and ___ maintained on the system,
a record of the type of ___to which each user is entitled.
code numbers and passwords
files and programs
access
103
Compatibility tests are sometimes employed to determine whether an acceptable user is allowed to proceed. In order to perform compatibility tests, the system must maintain an access control matrix. The one item that is not part of an access control matrix is a:
limit on the number of transaction inquiries that can be made by each user in a specified time period.
A limit on transaction totals and frequency is not part of the access control matrix. An access control matrix consists of:
a list of all authorized user code numbers and passwords,
a list of all files and programs maintained on the system, and
a record of the type of access to which each user is entitled.
104
Disaster plans must include all of the following factors:
```
A backup for programs and data
An alternative processing site
Off-site storage of backup
Identification of critical applications
A method for testing the plan
```
YEP
105
With respect to backup procedures for master files that are magnetic tape as opposed to master files on magnetic disk:
a separate backup run is required for both tape and disk.
a separate backup run is required only for the tape.
a separate backup run is required for disk while the prior master on magnetic tape serves as a backup.
the grandfather cycle is required in either filing situation.
a separate backup run is required for disk while the prior master on magnetic tape serves as a backup.
Disk-oriented systems typically employ destructive updating (i.e., new (updated) master records are written over the old master records, thereby destroying them). Consequently, disk-oriented systems require separate backup procedures. Whereas, tape-oriented systems generate a new master file tape as an output from the updating run, leaving the old master file tape and the transaction file tape for use as backup.
106
Magnetic tape is a secondary storage medium T/F
A master file is used in electronic data processing and contains relatively permanent information used for reference and updated periodically.
A transaction file is a relatively temporary data file containing transaction data that is typically used to update a master file
true
True - its like a perm file
True - this is like transactions each month in a bank statement to come to an ending balance
107
Contingency planning alternatives can vary by computer processing environment. A company is least likely to use a reciprocal processing agreement for:
small systems.
large batch operations.
online teleprocessing facilities.
small batch operations.
online teleprocessing facilities.
Online teleprocessing would generally not involve a reciprocal processing agreement.
Reciprocal processing agreements are often used for small systems, large batch operations, and small batch operations.
108
Reciprocal processing agreements are often used for ___systems, ___batch operations, and __batch operations.
small , large , small
109
Backup computer and telecommunications facilities, which can be arranged by:
Establish ___ agreements
Sign a contract for a ___ fee
____ distributing processing capacity in a multilocation org so organizations can take over if 1 fails
Invest in duplicate ___
Reciprocal
Contingent
Fail-soft
software/hardware/data storage devices
110
Most organizations are concerned about the potential compromise of passwords. Which of the following procedures would be the most effective in controlling against a perpetrator obtaining someone else's password?
Allow only the users to change their passwords and encourage them to change passwords frequently.
Implement a computer program that tests to see that the password is not easily guessed.
Implement the use of “see-through” authentication techniques whereby the user uses a card to generate a password and verifies both the key and the generated password to the system.
Limit password authorization to time of day and location.
Implement the use of “see-through” authentication techniques whereby the user uses a card to generate a password and verifies both the key and the generated password to the system.
“See-through” authentication techniques, such as the one described, require the user to have two important elements to identify one's self to the system, i.e., something they possess (the card used to generate the password) and something they know (the key or password to generate the new password).
111
____authentication techniques, such as the one described, require the user to have two important elements to identify one's self to the system, i.e.,
something they possess (the card used to generate the password)
something they know (the key or password to generate the new password).
“See-through”
112
Risk assessments, recovery plans for data systems, and implementation of safeguards are all components of:
disaster plan
113
T/F Regarding Personal computers and networks are more vulnerable than mainframes for all of the following reasons except:
it is sometimes difficult to segregate duties in a PC environment.
PC users are usually not as safety- and control-conscious as mainframe users.
networks can only be accessed from work computers.
PCs and laptops are portable and subject to theft.
T
T
F
T
networks can only be accessed from work computers.
Networks can be remotely accessed from almost anywhere using phone lines and the internet.
It is difficult to segregate duties in a PC and network environment, and one person may be responsible for both developing and operating a PC system. PC users are usually not as security- and control-conscious as mainframe users. PC laptops are portable and subject to theft.
114
Objectives of disaster recovery do not include which of the following?
Minimize disruption, damage, and loss from disaster.
Establish a short-term data processing alternative so the company can quickly resume normal operations.
Perform regular preventive maintenance on key system components.
Train and familiarize personnel with emergency procedures.
Perform regular preventive maintenance on key system components.
115
____is the process of electronically transmitting and storing backups of programs and data at a remote data storage facility.
Electronic vaulting
116
A data and program backup procedure in which files are electronically transferred to a remote location is called A REMOTE BACKUP FACILITY
False - Electronic Vaultingn
117
A business continuity plan (often called a disaster recovery plan) is used to smoothly and quickly restore data processing capacity when there is a disaster. 5 steps include: (THIS IS ALSO THE ORDER IT SHOULD HAPPEN IN)
```
Conduct a biz impact ___
Design recovery ___
develop a recovery ___
Test,accept,implement the plan T/F
Conduct ___maintenance
```
```
analysis
Strategy
Plan
True
Periodic
```
118
fter reviewing the end-user computing (EUC) policy of an organization, an internal auditor audits the actuarial function and notices that some minimum control requirements are missing. Which of the following is a risk of using potentially incorrect end-user developed files?
Management places the same degree of reliance on the files as they do on files generated from mainframe systems.
Management receives limited information for decision making due to a lack of flexibility in EUC files.
Management is unable to respond to competitive pressures quickly.
Management continues to incur additional cost because it takes more hours to do the tasks using EUC.
Management places the same degree of reliance on the files as they do on files generated from mainframe systems.
End-user computing (EUC) allows users to develop their own information systems, but such systems often do not have the same level of general and application controls applied to the company's mainframe system. Thus, there is an increased risk that data produced by such systems will be inaccurate.
119
____allows users to develop their own information systems
End-user computing (EUC)
120
To prevent interruptions in information systems operation, which of the following controls are typically included in an organization's disaster recovery plan?
Backup and data transmission controls
Data input and downtime controls
Backup and downtime controls
Disaster recovery and data processing controls
Backup and downtime controls
Three categories of controls are used to ensure information system availability: (1) minimizing system downtime, (2) disaster recovery plan, and (3) data and program file backups
121
Three categories of controls are used to ensure information system availability & prevent interruptions in an I/S operation. These controls are included in an organizations disaster recovery plan:
(1) minimizing system ___
(2) disaster recovery ___
(3) data and program file ___
downtime,
plan,
backups
122
A company switches all processing to an alternate site, and staff members report to the alternate site to verify that they are able to connect to all major systems and perform all core business processes from the alternate site. Which of the following best identifies the activities performed by the staff?
Closed loop verification
Disaster recovery planning
Authentication validation
Segregation control testing
Disaster recovery planning
Having an alternate processing site is an example of disaster recovery planning since it allows processing to continue on the alternate site if something should happen to the main processing system. A disaster recovery plan is used to smoothly and quickly restore data processing capacity when there is a disaster.
Authentication validation is a process of ensuring that proper parties are allowed to access the system. It is not related to disaster recovery.
123
Bacchus, Inc., is a large multinational corporation with various business units around the world. After a fire destroyed the corporate headquarters and largest manufacturing site, plans for which of the following would help Bacchus ensure a timely recovery?
Daily backup
Network security
Business continuity
Backup power
Biz Continuity
Business continuity means providing the ability for a firm to engage in continuous operation. A business continuity plan would incorporate more than a disaster recovery plan, which only deals with recovery (and continuity) of the computer processing capability of the organization.
124
Some companies have been the target of terrorist attacks in recent years. The best approach to avoid having a data center be selected as a terrorist's target is to:
ensure that the disaster recovery plans are fully tested.
harden the electrical and communications systems against attack.
maintain as low a profile as possible for the data center.
monitor the locations and activities of known terrorists.
maintain as low a profile as possible for the data center.
The best approach to avoid having the data center identified as a terrorist's target is to establish as low a profile as possible for the data center, e.g., by refraining from (1) identifying the building on the outside as a data center, (2) showcasing the data center through glass windows, of (3) advertising the important role the data center plays in operations.
125
A company employing an online computer system has CRT terminals located in all operating departments for inquiry and updating purposes. Many of the company's employees have access to and are required to use the CRT terminals. A control the company would incorporate to prevent an employee from making an unauthorized change to computer records unrelated to that employee's job would be to:
restrict the physical access to terminals.
establish user codes and passwords.
use validity checks.
apply a compatibility test to transactions or inquiries entered by the user.
Use of a compatibility test for users would assure that an employee used a CRT only for purposes related to that employee's job description. For example, an accounts receivable clerk would not be allowed access to inventory or fixed asset records since those records would not be compatible with the duties of an accounts receivable clerk.
None of the control measures mentioned in the other answers would specifically prevent an employee from making an unauthorized change in computer records unrelated to that employee's job.
126
An automobile and personal property insurer has decentralized its information processing to the extent that headquarters had less processing capacity than any of its regional processing centers. These centers are responsible for initiating policies, communicating with policyholders, and adjusting claims. The company uses leased lines from a national telecommunications company. Initially, the company thought there would be little need for inter-region communication, but that has not been the case. The company underestimated the number of customers that would move between regions and the number of customers with claims arising from accidents outside their regions. The company has a regional center in an earthquake-prone area and is planning how to continue processing if that center, or any other single center, were unable to perform its processing.
Unfortunately, the company has not revised its contingency plan since the time when its data processing was mostly centralized at headquarters. The existing plan is likely to be out of date because of:
changes in equipment, data, and software.
because the company has not revised its contingency plan since the decentralization, the existing plan will probably be out of date because of changes in equipment, data, and software.
