




2008 CISA Practice Questions

1. The extent to which data will be collected during an IS audit should be determined based on the:
a. availability of critical and required information.
b. auditor's familiarity with the circumstances.
c. auditee's ability to find relevant evidence.
d. purpose and scope of the audit being done.
Answer: d
Note: The extent to which data will be collected during an IS audit should be related directly to the scope and purpose of the audit. An audit with a narrow purpose and scope would most likely result in less data collection than an audit with a wider purpose and scope. The scope of an IS audit should not be constrained by the ease of obtaining the information or by the auditor's familiarity with the area being audited. Collecting all the required evidence is a required element of an IS audit, and the scope of the audit should not be limited by the auditee's ability to find relevant evidence.

2. Which of the following ensures a sender's authenticity and an e-mail's confidentiality?
a. Encrypting the hash of the message with the sender's private key and thereafter encrypting the hash of the message with the receiver's public key
b. The sender digitally signing the message and thereafter encrypting the hash of the message with the sender's private key
c. Encrypting the hash of the message with the sender's private key and thereafter encrypting the message with the receiver's public key
d. Encrypting the message with the sender's private key and encrypting the message hash with the receiver's public key
Answer: c
Note: To ensure authenticity and confidentiality, a message must be encrypted twice: first with the sender's private key, and then with the receiver's public key. The receiver can decrypt the message, thus ensuring confidentiality of the message. Thereafter, the decrypted message can be decrypted with the public key of the sender, ensuring authenticity of the message. Encrypting the message with the sender's private key enables anyone to decrypt it.

3. Which of the following is the greatest advantage of elliptic curve encryption over RSA encryption?
a. Computation speed
b. Ability to support digital signatures
c. Simpler key distribution
d. Greater strength for a given key length
Answer: a
Note: The main advantage of elliptic curve encryption over RSA encryption is its computation speed. This method was first independently suggested by Neal Koblitz and Victor S. Miller. Both encryption methods support digital signatures and are used for public key encryption and distribution. However, a stronger key per se does not necessarily guarantee better performance, but rather the actual algorithm employed.

4. Which of the following controls would provide the greatest assurance of database integrity?
a. Audit log procedures
b. Table link/reference checks
c. Query/table access time checks
d. Rollback and rollforward database features
Answer: b
Note: Performing table link/reference checks serves to detect table linking errors (such as completeness and accuracy of the contents of the database), and thus provides the greatest assurance of database integrity. Audit log procedures enable recording of all events that have been identified and help in tracing the events. However, they only point to the event and do not ensure completeness or accuracy of the database's contents. Querying/monitoring table access time checks helps designers improve database performance, but not integrity. Rollback and rollforward database features ensure recovery from an abnormal disruption. They assure the integrity of the transaction that was being processed at the time of disruption, but do not provide assurance on the integrity of the contents of the database.

5. A benefit of open system architecture is that it:
a. facilitates interoperability.
b. facilitates the integration of proprietary components.
c. will be a basis for volume discounts from equipment vendors.
d. allows for the achievement of more economies of scale for equipment.
Answer: a
Note: Open systems are those for which suppliers provide components whose interfaces are defined by public standards, thus facilitating interoperability between systems made by different vendors. In contrast, closed system components are built to proprietary standards so that other suppliers' systems cannot or will not interface with existing systems.

6. An IS auditor discovers that developers have operator access to the command line of a production environment operating system. Which of the following controls would best mitigate the risk of undetected and unauthorized program changes to the production environment?
a. Commands typed on the command line are logged
b. Hash keys are calculated periodically for programs and matched against hash keys calculated for the most recent authorized versions of the programs
c. Access to the operating system command line is granted through an access restriction tool with preapproved rights
d. Software development tools and compilers have been removed from the production environment
Answer: b
Note: The matching of hash keys over time would allow detection of changes to files. Choice a is incorrect because having a log is not a control; reviewing the log is a control. Choice c is incorrect because the access was already granted; it does not matter how. Choice d is wrong because files can be copied to and from the production environment.

7. Which of the following best ensures the integrity of a server's operating system?
a. Protecting the server in a secure location
b. Setting a boot password
c. Hardening the server configuration
d. Implementing activity logging
Answer: c
Note: Hardening a system means to configure it in the most secure manner (install the latest security patches, properly define the access authorization for users and administrators, disable insecure options and uninstall unused services) to prevent nonprivileged users from gaining the right to execute privileged instructions and thus take control of the entire machine, jeopardizing the OS's integrity. Protecting the server in a secure location and setting a boot password are good practices, but do not ensure that a user will not try to exploit logical vulnerabilities and compromise the OS. Activity logging has two weaknesses in this scenario: it is a detective control (not a preventive one), and an attacker who has already gained privileged access can modify logs or disable them.

8. An investment advisor e-mails periodic newsletters to clients and wants reasonable assurance that no one has modified the newsletter. This objective can be achieved by:
a. encrypting the hash of the newsletter using the advisor's private key.
b. encrypting the hash of the newsletter using the advisor's public key.
c. digitally signing the document using the advisor's private key.
d. encrypting the newsletter using the advisor's private key.
Answer: a
Note: There is no attempt on the part of the investment advisor to prove their identity or to keep the newsletter confidential. The objective is to assure the receivers that it came to them without any modification, i.e., it has message integrity. Choice a is correct because the hash is encrypted using the advisor's private key. The recipients can open the newsletter, recompute the hash and decrypt the received hash using the advisor's public key. If the two hashes are equal, the newsletter was not modified in transit. Choice b is not feasible, for no one other than the investment advisor can open it. Choice c addresses sender authentication but not message integrity. Choice d addresses confidentiality, but not message integrity, because anyone can obtain the investment advisor's public key, decrypt the newsletter, modify it and send it to others. The interceptor will not be able to use the advisor's private key, because they do not have it. Anything encrypted using the interceptor's private key can be decrypted by the receiver only by using their public key.

9. In reviewing the IS short-range (tactical) plan, an IS auditor should determine whether:
a. there is an integration of IS and business staffs within projects.
b. there is a clear definition of the IS mission and vision.
c. a strategic information technology planning methodology is in place.
d. the plan correlates business objectives to IS goals and objectives.
Answer: a
Note: The integration of IS and business staff in projects is an operational issue and should be considered while reviewing the short-range plan. A strategic plan would provide a framework for the IS short-range plan. Choices b, c and d are areas covered by a strategic plan.

10. An IS auditor is performing an audit of a network operating system. Which of the following is a user feature the IS auditor should review?
a. Availability of online network documentation
b. Support of terminal access to remote hosts
c. Handling file transfer between hosts and interuser communications
d. Performance management, audit and control
Answer: a
Note: Network operating system user features include online availability of network documentation. Other features would be user access to various resources of network hosts, user authorization to access particular resources, and the network and host computers used without special user actions or commands. Choices b, c and d are examples of network operating system functions.

11. An installed Ethernet cable run in an unshielded twisted pair (UTP) network is more than 100 meters long. Which of the following could be caused by the length of the cable?
a. Electromagnetic interference (EMI)
b. Cross-talk
c. Dispersion
d. Attenuation
Answer: d
Note: Attenuation is the weakening of signals during transmission. When the signal becomes weak, it begins to read a 1 for a 0, and the user may experience communication problems. UTP faces attenuation around 100 meters. Electromagnetic interference (EMI) is caused by outside electromagnetic waves affecting the desired signals, which is not the case here. Cross-talk has nothing to do with the length of the UTP cable.

12. Which of the following encrypt/decrypt steps provides the greatest assurance of achieving confidentiality, message integrity and nonrepudiation by either sender or recipient?
a. The recipient uses their private key to decrypt the secret key.
b. The encrypted prehash code and the message are encrypted using a secret key.
c. The encrypted prehash code is derived mathematically from the message to be sent.
d. The recipient uses the sender's public key, verified with a certificate authority, to decrypt the prehash code.
Answer: d
Note: Most encrypted transactions use a combination of private keys, public keys, secret keys, hash functions and digital certificates to achieve confidentiality, message integrity and nonrepudiation by either sender or recipient. The recipient uses the sender's public key to decrypt the prehash code into a posthash code, which, when it equals the prehash code, verifies the identity of the sender and that the message has not been changed en route; this would provide the greatest assurance. Each sender and recipient has a private key known only to themselves and a public key, which can be known by anyone. Each encryption/decryption process requires at least one public key and one private key, and both must be from the same party. A single, secret key is used to encrypt the message, because secret key encryption requires less processing power than using public and private keys. A digital certificate, signed by a certificate authority, validates senders' and recipients' public keys.

13. To determine how data are accessed across different platforms in a heterogeneous environment, an IS auditor should first review:
a. business software.
b. infrastructure platform tools.
c. application services.
d. system development tools.
Answer: c
Note: Projects should identify the complexities of the IT infrastructure that can be simplified or isolated by the development of application services. Application services isolate system developers from the complexities of the IT infrastructure and offer common functionalities that are shared by many applications. Application services take the form of interfaces, middleware, etc. Business software focuses on business processes, whereas application services bridge the gap between applications and the IT infrastructure components. Infrastructure platform tools are related to core hardware and software components required for development of the IT infrastructure. Systems development tools represent development components of the IT infrastructure development.

14. The most significant security concern when using flash memory (e.g., USB removable disk) is that the:
a. contents are highly volatile.
b. data cannot be backed up.
c. data can be copied.
d. device may not be compatible with other peripherals.
Answer: c
Note: Unless properly controlled, flash memory provides an avenue for anyone to copy any content with ease. The contents stored in flash memory are not volatile. Backing up flash memory data is not a control concern, as the data are sometimes stored as a backup. Flash memory will be accessed through a PC rather than any other peripheral; therefore, compatibility is not an issue.
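The control chosen in question 6, hashing production programs periodically and matching the digests against those of the last authorized versions, as an added example that is not part of the practice set. It builds an authorized manifest, rescans after changes made outside change control, and reports modified, added and removed files; the directory layout and file contents are constructed sample data.

```python
import hashlib
import tempfile
from pathlib import Path

# Added example for question 6 (not from the practice questions): a periodic
# hash comparison against the manifest of the last authorized program versions.
# File names and contents are constructed sample data.

def hash_file(path: Path) -> str:
    """Return the SHA-256 hex digest of a file, read in chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root: Path) -> dict:
    """Map each file under root (path relative to root) to its digest."""
    return {
        p.relative_to(root).as_posix(): hash_file(p)
        for p in sorted(root.rglob("*")) if p.is_file()
    }

def compare_manifests(authorized: dict, current: dict) -> dict:
    """Classify the differences between the authorized baseline and a fresh scan."""
    return {
        "modified": sorted(k for k in authorized
                           if k in current and authorized[k] != current[k]),
        "added": sorted(current.keys() - authorized.keys()),
        "removed": sorted(authorized.keys() - current.keys()),
    }

def demo() -> dict:
    """Take a baseline of constructed programs, alter them, rescan and report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "payroll").write_bytes(b"authorized build 1.0\n")
        (root / "bin" / "ledger").write_bytes(b"authorized build 2.3\n")
        (root / "bin" / "report").write_bytes(b"authorized build 0.9\n")
        authorized = build_manifest(root)  # recorded when the release was approved

        # Changes made from the production command line without change control.
        (root / "bin" / "payroll").write_bytes(b"authorized build 1.0\n# edited\n")
        (root / "bin" / "helper").write_bytes(b"unreviewed program\n")
        (root / "bin" / "report").unlink()

        return compare_manifests(authorized, build_manifest(root))

if __name__ == "__main__":
    print(demo())
```

As the note says, this is a detective control: the report is only useful if someone reviews it and reconciles each difference with an approved change.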
15. To ensure message integrity, confidentiality and nonrepudiation between two parties, the most effective method would be to create a message digest by applying a cryptographic hashing algorithm against:
a. the entire message, enciphering the message digest using the sender's private key, enciphering the message with a symmetric key and enciphering the key by using the receiver's public key.
b. any part of the message, enciphering the message digest using the sender's private key, enciphering the message with a symmetric key and enciphering the key using the receiver's public key.
c. the entire message, enciphering the message digest using the sender's private key, enciphering the message with a symmetric key and enciphering both the encrypted message and digest using the receiver's public key.
d. the entire message, enciphering the message digest using the sender's private key and enciphering the message using the receiver's public key.
Answer: a
Note: Applying a cryptographic hashing algorithm against the entire message addresses the message integrity issue. Enciphering the message digest using the sender's private key addresses nonrepudiation. Encrypting the message with a symmetric key, thereafter allowing the key to be enciphered using the receiver's public key, most efficiently addresses the confidentiality of the message as well as the receiver's nonrepudiation. The other choices would address only a portion of the requirements.

16. To ensure compliance with a security policy requiring that passwords be a combination of letters and numbers, an IS auditor should recommend that:
a. the company policy be changed.
b. passwords are periodically changed.
c. an automated password management tool be used.
d. security awareness training is delivered.
Answer: c
Note: The use of an automated password management tool is a preventive control measure. The software would prevent repetition (semantic) and would enforce syntactic rules, thus making the passwords robust. It would also provide a method for ensuring frequent changes and would prevent the same user from reusing their old password for a designated period of time. Choices a, b and d do not enforce compliance.

17. In the context of effective information security governance, the primary objective of value delivery is to:
a. optimize security investments in support of business objectives.
b. implement a standard set of security practices.
c. institute a standards-based solution.
d. implement a continuous improvement culture.
Answer: a
Note: In the context of effective information security governance, value delivery is implemented to ensure optimization of security investments in support of business objectives. The tools and techniques for implementing value delivery include implementation of a standard set of security practices, institutionalization and commoditization of standards-based solutions, and implementation of a continuous improvement culture considering security as a process, not an event.

18. In an organization where an IT security baseline has been defined, an IS auditor should first ensure:
a. implementation.
b. compliance.
c. documentation.
d. sufficiency.
Answer: d
Note: An IS auditor should first evaluate the definition of the minimum baseline level by ensuring the sufficiency of controls. Documentation, implementation and compliance are further steps.

19. During an implementation review of a multiuser distributed application, an IS auditor finds minor weaknesses in three areas: the initial setting of parameters is improperly installed, weak passwords are being used and some vital reports are not being checked properly. While preparing the audit report, the IS auditor should:
a. record the observations separately with the impact of each of them marked against each respective finding.
b. advise the manager of probable risks without rec