
1. A virtual private network (VPN) provides data confidentiality by using:
1) Secure Sockets Layer (SSL)
2) Tunnelling
3) Digital signatures
4) Phishing
Right Answer is: 2

2. To minimize the cost of a software project, quality management techniques should be applied:
1) as close to their writing (i.e., point of origination) as possible
2) primarily at project start-up to ensure that the project is established in accordance with organizational governance standards
3) continuously throughout the project with an emphasis on finding and fixing defects primarily during testing to maximize the defect detection rate
4) mainly at project close-down to capture lessons learned that can be applied to future projects
Right Answer is: 3

3. An organization has been recently downsized. In light of this, an IS auditor decides to test logical access controls. The IS auditor's PRIMARY concern should be that:
1) all system access is authorized and appropriate for an individual's role and responsibilities
2) management has authorized appropriate access for all newly-hired individuals
3) only the system administrator has authority to grant or modify access to individuals
4) access authorization forms are used to grant or modify access to individuals
Right Answer is: 1

4. An organization is considering connecting a critical PC-based system to the Internet. Which of the following would provide the BEST protection against hacking?
1) An application-level gateway
2) A remote access server
3) A proxy server
4) Port scanning
Right Answer is: 1

5. In an organization where an IT security baseline has been defined, an IS auditor should FIRST ensure:
1) implementation
2) compliance
3) documentation
4) sufficiency
Right Answer is: 4

6. Which of the following BEST ensures the integrity of a server's operating system?
1) Protecting the server in a secure location
2) Setting a boot password
3) Hardening the server configuration
4) Implementing activity logging
Right Answer is: 3

7. A company uses a bank to process its weekly payroll. Time sheets and payroll adjustment forms (e.g., hourly rate changes, terminations) are completed and delivered to the bank, which prepares checks (cheques) and reports for distribution. To BEST ensure payroll data accuracy:
1) payroll reports should be compared to input forms
2) gross payroll should be recalculated manually
3) checks (cheques) should be compared to input forms
4) checks (cheques) should be reconciled with output reports
Right Answer is: 1

8. Which of the following is the BEST audit procedure to determine if a firewall is configured in compliance with an organization's security policy?
1) Review the parameter settings
2) Interview the firewall administrator
3) Review the actual procedures
4) Review the device's log file for recent attacks
Right Answer is: 1

9. With the help of a security officer, granting access to data is the responsibility of:
1) data owners
2) programmers
3) system analysts
4) librarians
Right Answer is: 1

10. Which of the following tests performed by an IS auditor would be the MOST effective in determining compliance with an organization's change control procedures?
1) Review software migration records and verify approvals
2) Identify changes that have occurred and verify approvals
3) Review change control documentation and verify approvals
4) Ensure that only appropriate staff can migrate changes into production
Right Answer is: 2

11. Which of the following represents the GREATEST potential risk in an EDI environment?
1) Transaction authorization
2) Loss or duplication of EDI transmissions
3) Transmission delay
4) Deletion or manipulation of transactions prior to or after establishment of application controls
Right Answer is: 1

12. A sender of an e-mail message applies a digital signature to the digest of the message. This action provides assurance of the:
1) date and time stamp of the message
2) identity of the originating computer
3) confidentiality of the message's content
4) authenticity of the sender
Right Answer is: 4

13. In a public key infrastructure (PKI), which of the following may be relied upon to prove that an online transaction was authorized by a specific customer?
1) Nonrepudiation
2) Encryption
3) Authentication
4) Integrity
Right Answer is: 1

14. Which of the following virus prevention techniques can be implemented through hardware?
1) Remote booting
2) Heuristic scanners
3) Behavior blockers
4) Immunizers
Right Answer is: 1

15. The use of digital signatures:
1) requires the use of a one-time password generator
2) provides encryption to a message
3) validates the source of a message
4) ensures message confidentiality
Right Answer is: 3

16. The MOST significant security concern when using flash memory (e.g., USB removable disk) is that the:
1) contents are highly volatile
2) data cannot be backed up
3) data can be copied
4) device may not be compatible with other peripherals
Right Answer is: 3

17. A local area network (LAN) administrator normally would be restricted from:
1) having end-user responsibilities
2) reporting to the end-user manager
3) having programming responsibilities
4) being responsible for LAN security administration
Right Answer is: 3

18. Two-factor authentication can be circumvented through which of the following attacks?
1) Denial-of-service
2) Man-in-the-middle
3) Key logging
4) Brute force
Right Answer is: 2

19. In a small organization, an employee performs computer operations and, when the situation demands, program modifications. Which of the following should the IS auditor recommend?
1) Automated logging of changes to development libraries
2) Additional staff to provide separation of duties
3) Procedures that verify that only approved program changes are implemented
4) Access controls to prevent the operator from making program modifications
Right Answer is: 3

20. An IS auditor is performing an audit of a network operating system. Which of the following is a user feature the IS auditor should review?
1) Availability of online network documentation
2) Support of terminal access to remote hosts
3) Handling file transfer between hosts and interuser communications
4) Performance management, audit and control
Right Answer is: 1

21. The feature of a digital signature that ensures the sender cannot later deny generating and sending the message is called:
1) data integrity
2) authentication
3) nonrepudiation
4) replay protection
Right Answer is: 3

22. In addition to the backup considerations for all systems, which of the following is an important consideration in providing backup for online systems?
1) Maintaining system software parameters
2) Ensuring periodic dumps of transaction logs
3) Ensuring grandfather-father-son file backups
4) Maintaining important data at an offsite location
Right Answer is: 2

23. When a new system is to be implemented within a short time frame, it is MOST important to:
1) finish writing user manuals
2) perform user acceptance testing
3) add last-minute enhancements to functionalities
4) ensure that the code has been documented and reviewed
Right Answer is: 2

24. The database administrator (DBA) suggests that DB efficiency can be improved by denormalizing some tables. This would result in:
1) loss of confidentiality
2) increased redundancy
3) unauthorized accesses
4) application malfunctions
Right Answer is: 2

25. To determine which users can gain access to the privileged supervisory state, which of the following should an IS auditor review?
1) System access log files
2) Enabled access control software parameters
3) Logs of access control violations
4) System configuration files for control options used
Right Answer is: 4

26. The BEST overall quantitative measure of the performance of biometric control devices is:
1) false-rejection rate
2) false-acceptance rate
3) equal-error rate
4) estimated-error rate
Right Answer is: 3

27. To ensure that audit resources deliver the best value to the organization, the FIRST step would be to:
1) schedule the audits and monitor the time spent on each audit
2) train the IS audit staff on current technology used in the company
3) develop the audit plan on the basis of a detailed risk assessment
4) monitor progress of audits and initiate cost control measures
Right Answer is: 3

28. Which of the following would be the BEST overall control for an Internet business looking for confidentiality, reliability and integrity of data?
1) Secure Sockets Layer (SSL)
2) Intrusion detection system (IDS)
3) Public key infrastructure (PKI)
4) Virtual private network (VPN)
Right Answer is: 3

29. Which of the following sampling methods is MOST useful when testing for compliance?
1) Attribute sampling
2) Variable sampling
3) Stratified mean per unit
4) Difference estimation
Right Answer is: 1

30. Disaster recovery planning (DRP) addresses the:
1) technological aspect of business continuity planning
2) operational piece of business continuity planning
3) functional aspect of business continuity planning
4) overall coordination of business continuity planning
Right Answer is: 1

31. An IS auditor performing a review of the backup processing facilities should be MOST concerned that:
1) adequate fire insurance exists
2) regular hardware maintenance is performed
3) offsite storage of transaction and master files exists
4) backup processing facilities are fully tested
Right Answer is: 3

32. The extent to which data will be collected during an IS audit should be determined based on the:
1) availability of critical and required information
2) auditor's familiarity with the circumstances
3) auditee's ability to find relevant evidence
4) purpose and scope of the audit being done
Right Answer is: 4

33. Which of the following will prevent dangling tuples in a database?
1) Cyclic integrity
2) Domain integrity
3) Relational integrity
4) Referential integrity
Right Answer is: 4

34. Which of the following would MOST effectively reduce social engineering incidents?
1) Security awareness training
2) Increased physical security measures
3) E-mail monitoring policy
4) Intrusion detection systems
Right Answer is: 1

35. In a relational database with referential integrity, the use of which of the following keys would prevent deletion of a row from a customer table as long as the customer number of that row is stored with live orders on the orders table?
1) Foreign key
2) Primary key
3) Secondary key
4) Public key
Right Answer is: 1

36. During a review of a business continuity plan, an IS auditor noticed that the point at which a situation is declared to be a crisis has not been defined. The MAJOR risk associated with this is that:
1) assessment of the situation may be delayed
2) execution of the disaster recovery plan could be impacted
3) notification of the teams might not occur
4) potential crisis recognition might be ineffective
Right Answer is: 2

37. A disaster recovery plan for an organization should:
1) reduce the length of the recovery time and the cost of recovery
2) increase the length of the recovery time and the cost of recovery
3) reduce the duration of the recovery time and increase the cost of recovery
4) affect neither the recovery time nor the cost of recovery
Right Answer is: 1

38. What is the BEST backup strategy for a large database with data supporting online sales?
1) Weekly full backup with daily incremental backup
2) Daily full backup
3) Clustered servers
4) Mirrored hard disks
Right Answer is: 1

39. A hacker could obtain passwords without the use of computer tools or programs through the technique of:
1) social engineering
2) sniffers
3) back doors
4) Trojan horses
Right Answer is: 1

40. Which of the following is an appropriate test method to apply to a business continuity plan (BCP)?
1) Pilot
2) Paper
3) Unit
4) System
Right Answer is: 2

41. Which of the following antivirus software implementation strategies would be the MOST effective in an interconnected corporate network?
1) Server antivirus software
2) Virus walls
3) Workstation antivirus software
4) Virus signature updating
Right Answer is: 2

42. The PRIMARY objective of performing a postincident review is that it presents an opportunity to:
1) improve internal control procedures
2) harden the network to industry best practices
3) highlight the importance of incident response management to management
4) improve employee awareness of the incident response process
Right Answer is: 1

43. The vice president of human resources has requested an audit to identify payroll overpayments for the previous year. Which would be the BEST audit technique to use in this situation?
1) Test data
2) Generalized audit software (IDEA/ACL)
3) Integrated test facility
4) Embedded audit module
Right Answer is: 2

44. An IS auditor finds out-of-range data in some tables of a database. Which of the following controls should the IS auditor recommend to avoid this situation?
1) Log all table update transactions
2) Implement before-and-after image reporting
3) Use tracing and tagging
4) Implement integrity constraints in the database
Right Answer is: 4

45. Which of the following is the BEST method for preventing the leakage of confidential information in a laptop computer?
1) Encrypt the hard disk with the owner's public key
2) Enable the boot password (hardware-based password)
3) Use a biometric authentication device
4) Use two-factor authentication to logon to the notebook
Right Answer is: 1

46. Data flow diagrams are used by IS auditors to:
1) order data hierarchically
2) highlight high-level data definitions
3) graphically summarize data paths and storage
4) portray step-by-step details of data generation
Right Answer is: 3

47. An installed Ethernet cable run in an unshielded twisted pair (UTP) network is more than 100 meters long. Which of the following could be caused by the length of the cable?
1) Electromagnetic interference (EMI)
2) Cross-talk
3) Dispersion
4) Attenuation
Right Answer is: 4

48. Which of the following is a feature of Wi-Fi Protected Access (WPA) in wireless networks?
1) Session keys are dynamic
2) Private symmetric keys are used
3) Keys are static and shared
4) Source addresses are not encrypted or authenticated
Right Answer is: 1

49. Which of the following methods of suppressing a fire in a data center is the MOST effective and environmentally friendly?
1) Halon gas
2) Wet-pipe sprinklers
3) Dry-pipe sprinklers
4) Carbon dioxide gas
Right Answer is: 1

50. The optimum business continuity strategy for an entity is determined by the:
1) lowest downtime cost and highest recovery cost
2) lowest sum of downtime cost and recovery cost
3) lowest recovery cost and highest downtime cost
4) average of the combined downtime and recovery cost
Right Answer is: 2

51. The PRIMARY objective of a logical access control review is to:
1) review access controls provided through software
2) ensure access is granted per the organization's authorities
3) walk through and assess the access provided in the IT environment
4) provide assurance that computer hardware is adequately protected against abuse
Right Answer is: 2

52. An Internet-based attack using password sniffing can:
1) enable one party to act as if they are another party
2) cause modification to the contents of certain transactions
3) be used to gain access to systems containing proprietary information
4) result in major problems with billing systems and transaction processing agreements
Right Answer is: 3

53. Which of the following controls would provide the GREATEST assurance of database integrity?
1) Audit log procedures
2) Table link/reference checks
3) Query/table access time checks
4) Rollback and rollforward database features
Right Answer is: 2

54. Which of the following is an example of a passive attack initiated through the Internet?
1) Traffic analysis
2) Masquerading
3) Denial of service
4) E-mail spoofing
Right Answer is: 1

55. When planning an audit of a network setup, an IS auditor should give highest priority to obtaining which of the following network documentation?
1) Wiring and schematic diagram
2) Users' lists and responsibilities
3) Application lists and their details
4) Backup and recovery procedures
Right Answer is: 1

56. When an employee is terminated from service, the MOST important action is to:
1) hand over all of the employee's files to another designated employee
2) complete a backup of the employee's work
3) notify other employees of the termination
4) disable the employee's logical access
Right Answer is: 4

57. To ensure compliance with a security policy requiring that passwords be a combination of letters and numbers, an IS auditor should recommend that:
1) the company policy be changed
2) passwords are periodically changed
3) an automated password management tool be used
4) security awareness training is delivered
Right Answer is: 3

58. To detect attack attempts that the firewall is unable to recognize, an IS auditor should recommend placing a network intrusion detection system (IDS) between the:
1) firewall and the organization's network
2) Internet and the firewall
3) Internet and the web server
4) web server and the firewall
Right Answer is: 1

59. In an online banking application, which of the following would BEST protect against identity theft?
1) Encryption of personal password
2) Restricting the user to a specific terminal
3) Two-factor authentication (requires two independent methods for establishing identity and privileges)
4) Periodic review of access logs
Right Answer is: 3

60. During a logical access controls review, an IS auditor observes that user accounts are shared. The GREATEST risk resulting from this situation is that:
1) an unauthorized user may use the ID to gain access
2) user access management is time consuming
3) passwords are easily guessed
4) user accountability may not be established
Right Answer is: 4

61. The MAIN purpose of a transaction audit trail is to:
1) reduce the use of storage media
2) determine accountability and responsibility for processed transactions
3) help an IS auditor trace transactions
4) provide useful information for capacity planning
Right Answer is: 2

62. The security level of a private key system depends on the number of:
1) encryption key bits
2) messages sent
3) keys
4) channels used
Right Answer is: 1

63. Which of the following is a feature of an intrusion detection system (IDS)?
1) Gathering evidence on attack attempts
2) Identifying weaknesses in the policy definition
3) Blocking access to particular sites on the Internet
4) Preventing certain users from accessing specific servers
Right Answer is: 1

64. An IS auditor interviewing a payroll clerk finds that the answers do not support job descriptions and documented procedures. Under these circumstances, the IS auditor should:
1) conclude that the controls are inadequate
2) expand the scope to include substantive testing
3) place greater reliance on previous audits
4) suspend the audit
Right Answer is: 2

65. The difference between a vulnerability assessment and a penetration test is that a vulnerability assessment:
1) searches and checks the infrastructure to detect vulnerabilities, whereas penetration testing intends to exploit the vulnerabilities to probe the damage that could result from the vulnerabilities
2) and penetration tests are different names for the same activity
3) is executed by automated tools, whereas penetration testing is a totally manual process
4) is executed by commercial tools, whereas penetration testing is executed by public processes
Right Answer is: 1

66. An IS auditor has audited a business continuity plan (BCP). Which of the following findings is the MOST critical?
1) Nonavailability of an alternate private branch exchange (PBX) system
2) Absence of a backup for the network backbone
3) Lack of backup systems for the users' PCs
4) Failure of the access card system
Right Answer is: 2

67. Which of the following is the PRIMARY purpose for conducting parallel testing?
1) To determine if the system is cost-effective
2) To enable comprehensive unit and system testing
3) To highlight errors in the program interfaces with files
4) To ensure the new system meets user requirements
Right Answer is: 4

68. What is the MOST effective method of preventing unauthorized use of data files?
1) Automated file entry
2) Tape librarian
3) Access control software
4) Locked library
Right Answer is: 3

69. IT operations for a large organization have been outsourced. An IS auditor reviewing the outsourced operation should be MOST concerned about which of the following findings?
1) The outsourcing contract does not cover disaster recovery for the outsourced IT operations
2) The service provider does not have incident handling procedures
3) Recently a corrupted database could not be recovered because of library management problems
4) Incident logs are not being reviewed
Right Answer is: 1

70. An organization has implemented a disaster recovery plan. Which of the following steps should be carried out next?
1) Obtain senior management sponsorship
2) Identify business needs
3) Conduct a paper test
4) Perform a system restore test
Right Answer is: 3

71. Which of the following is MOST critical for the successful implementation and maintenance of a security policy?
1) Assimilation of the framework and intent of a written security policy by all appropriate parties
2) Management support and approval for the implementation and maintenance of a security policy
3) Enforcement of security rules by providing punitive actions for any violation of security rules
4) Stringent implementation, monitoring and enforcing of rules by the security officer through access control software
Right Answer is: 1

72. Compliance testing determines:
1) whether controls are applied in a manner that complies with the industry standards
2) whether controls are applied in a manner that complies with management policies and procedures
3) whether controls are applied in a manner that complies with industry best practices
4) None
Right Answer is: 2

73. Which of the following is the MOST reasonable option for recovering a noncritical system?
1) Warm site
2) Mobile site
3) Hot site
4) Cold site
Right Answer is: 4

74. Which of the following is widely accepted as one of the critical components in networking management?
1) Configuration management
2) Topological mappings
3) Application of monitoring tools
4) Proxy server troubleshooting
Right Answer is: 1

75. During the requirements definition phase of a software development project, the aspects of software testing that should be addressed are developing:
1) test data covering critical applications
2) detailed test plans
3) quality assurance test specifications
4) user acceptance testing specifications
Right Answer is: 4

76. Which of the following should be included in an organization's IS security policy?
1) A list of key IT resources to be secured
2) The basis for access authorization
3) Identity of sensitive security features
4) Relevant software security features
Right Answer is: 2

77. An IS auditor reviewing an organization that uses cross-training practices should assess the risk of:
1) dependency on a single person
2) inadequate succession planning
3) one person knowing all parts of a system
4) a disruption of operations
Right Answer is: 3

78. An IS auditor selects a server for a penetration test that will be carried out by a technical specialist. Which of the following is MOST important?
1) The tools used to conduct the test
2) Certifications held by the IS auditor
3) Permission from the data owner of the server
4) An intrusion detection system (IDS) is enabled
Right Answer is: 3

79. The use of residual biometric information to gain unauthorized access is an example of which of the following attacks?
1) Replay
2) Brute force
3) Cryptographic
4) Mimic
Right Answer is: 1

80. In the event of a disruption or disaster, which of the following technologies provides for continuous operations?
1) Load balancing
2) Fault-tolerant hardware
3) Distributed backups
4) High-availability computing
Right Answer is: 2