Welcome to your IS Audit Advanced Course Exam

1 / 25
Spoofing is one type of online activity used to launch malicious attacks. Spoofing is:
- Identity misrepresentation in cyberspace
- Eavesdropping on information sent by a user to the host computer of a website
- Trying large numbers of letter and number combinations to access a network
- Accessing packets flowing through a network

2 / 25
Which of the following statements is false with respect to information security?
- The chief audit executive should determine that the internal audit activity possesses, or has access to, competent auditing resources to evaluate information security and associated risk exposures
- Internal auditors should determine that senior management and the board, audit committee, or other governing body have a clear understanding that information reliability and integrity is the responsibility of the internal audit activity
- Internal auditors should assess the effectiveness of preventive, detective, and mitigative measures against past attacks, as deemed appropriate, and future attempts or incidents deemed likely to occur
- Internal auditors should periodically assess the organization's information security practices and recommend, as appropriate, enhancements to, or implementation of, new controls and safeguards

3 / 25
Which of the following passwords would be most difficult to crack?
- Language
- O?Ca!FlSi
- pass56word
- 12HOUSE24

4 / 25
A client is concerned that a power outage or disaster could impair the computer hardware's ability to function as designed. The client desires off-site backup hardware facilities that are fully configured and ready to operate within several hours. The client most likely should consider a:
- Cold site
- Cool site
- Warm site
- Hot site

5 / 25
What is a major disadvantage to using a private key to encrypt data?
- The private key cannot be broken into fragments and distributed to the receiver
- Both sender and receiver must have the private key before this encryption method will work
- The private key is used by the receiver for decryption but not by the sender for encryption
- The private key is used by the sender for encryption but not by the receiver for decryption

6 / 25
A digital signature is used primarily to determine that a message is:
- Sent to the correct address
- Unaltered in transmission
- Received by the intended recipient
- Not intercepted en route

7 / 25
Which of the following does not present any risk for an entity under public-key encryption?
- The security of the information after encryption
- The complexity of the private key
- The complexity of the public key
- The transmission of the private keys between the parties

8 / 25
Passwords for personal computer software programs are designed to prevent:
- Unauthorized access to the computer
- Unauthorized use of the software
- Inaccurate processing of data
- Incomplete updating of data files

9 / 25
Assigning passwords to computer users is a control to prevent unauthorized access. Because a password does not conclusively identify a specific individual, it must be safeguarded from theft. A method used to protect passwords is to:
- Set maximum character lengths
- Eliminate all records of old passwords
- Require passwords to be changed periodically
- Require that they be displayed on computer screens but not printed on hard copy output

10 / 25
Which of the following procedures should be included in the disaster recovery plan for an Information Technology department?
- Identification of critical applications
- Replacement of personal computers for user departments
- Physical security of warehouse facilities
- Cross-training of operating personnel

11 / 25
Which of the following statements best characterizes the function of physical access control?
- Provides authentication of users attempting to log into the system
- Protects systems from the transmission of Trojan horses
- Separates unauthorized individuals from computer resources
- Minimizes the risk of incurring a power or hardware failure

12 / 25
Computer program libraries should be kept secure by:
- Installing a logging system for program access
- Monitoring physical access to program library media
- Restricting physical and logical access
- Denying remote access via terminals

13 / 25
Before implementing IT controls (general and application) and policies, an organization should:
- Design the information system infrastructure
- Hire and train necessary personnel
- Develop an audit policy
- Define how it will manage data internally and share it with external partners

14 / 25
Which of the following would not be appropriate to consider in the physical design of a data center?
- Design of authorization tables for operating system access
- Use of biometric access systems
- Inclusion of an uninterruptible power supply system and surge protection
- Evaluation of potential risks from railroad lines and highways

15 / 25
Authentication is the process by which the:
- System verifies the identity of the user
- System verifies that the user is entitled to enter the transaction requested
- User indicates to the system that the transaction was processed correctly
- User identifies himself or herself to the system

16 / 25
The use of message encryption software:
- Increases system overhead
- Requires manual distribution of keys
- Reduces the need for periodic password changes
- Guarantees the secrecy of data

17 / 25
To ensure privacy in a public-key encryption system, knowledge of which of the following keys would be required to decode the received message?
1. Private
2. Public
- Neither 1 nor 2
- 2
- Both 1 and 2
- 1

18 / 25
An organization creates an audit trail of when employees enter the building by having them use a key card to release a magnetic lock. A database records who enters when. Which of the following reduces the risk that the audit trail is incomplete?
- Having the back door operate via a physical key lock and providing the key only to certain employees
- Installing the key card matching database server near the door
- Installing a redundant character check for card verification
- A policy prohibiting employees from allowing other employees to enter without using their own key card

19 / 25
The basis of effective information security and cybersecurity is:
- De facto standards
- Policies
- Procedures
- De jure standards

20 / 25
Select the cyberattack which is best associated with extorting an individual or an organization.
- Phishing
- Ransomware
- Software piracy
- Hacking

21 / 25
Which implemented control would best assist in meeting the control objective that a system has the capability to hold users accountable for functions performed?
- Activity logging
- Redundant hardware
- Programmed cutoff
- Transaction error logging

22 / 25
An Internet firewall is designed to provide adequate protection against which of the following?
- A Trojan horse application
- A computer virus
- Unauthenticated logins from outside users
- Insider leaking of confidential information

23 / 25
The best preventive measure against a computer virus is to:
- Compare software in use with authorized versions of the software
- Allow only authorized software from known sources to be used on the system
- Prepare and test a plan for recovering from the incidence of a virus
- Execute virus exterminator programs periodically on the system

24 / 25
Which of the following IT developments poses the least risk to organizational security?
- Adoption of wireless technology
- Use of public-key encryption
- Enterprise-wide integration of functions
- Outsourcing of the IT infrastructure

25 / 25
When a user enters a certain entity's system, a series of questions is asked of the user, including a name and mother's birth date. These questions are primarily intended to provide:
- Authentication of the user
- Authorization for processing
- Access control to computer hardware
- Data integrity control