CA Foundation Business Economics Questions 2023 - Part 32
Fri, 03 Mar 2023
1. The purpose of code signing is to provide assurance that:
A) the software has not been subsequently modified.
B) the application can safely interface with another signed application.
C) the signer of the application is trusted.
D) the private key of the signer has not been compromised.
2. An IS auditor should recommend the use of library control software to provide reasonable assurance that:
A) program changes have been authorized.
B) only thoroughly tested programs are released.
C) modified programs are automatically moved to production.
D) source and executable code integrity is maintained.
3. An organization has recently installed a security patch, which crashed the production server. To minimize the probability of this occurring again, an IS auditor should:
A) apply the patch according to the patch's release notes.
B) ensure that a good change management process is in place.
C) thoroughly test the patch before sending it to production.
D) approve the patch after doing a risk assessment.
4. When reviewing procedures for emergency changes to programs, the IS auditor should verify that the procedures:
A) allow changes, which will be completed using after-the-fact follow-up.
B) allow undocumented changes directly to the production library.
C) do not allow any emergency changes.
D) allow programmers permanent access to production programs.
5. To determine if unauthorized changes have been made to production code the BEST audit procedure is to:
A) examine the change control system records and trace them forward to object code files.
B) review access control permissions operating within the production program libraries.
C) examine object code to find instances of changes and trace them back to change control records.
D) review change approved designations established within the change control system.
A) the software has not been subsequently modified.
B) the application can safely interface with another signed application.
C) the signer of the application is trusted.
D) the private key of the signer has not been compromised.
2. An IS auditor should recommend the use of library control software to provide reasonable assurance that:
A) program changes have been authorized.
B) only thoroughly tested programs are released.
C) modified programs are automatically moved to production.
D) source and executable code integrity is maintained.
3. An organization has recently installed a security patch, which crashed the production server. To minimize the probability of this occurring again, an IS auditor should:
A) apply the patch according to the patch's release notes.
B) ensure that a good change management process is in place.
C) thoroughly test the patch before sending it to production.
D) approve the patch after doing a risk assessment.
4. When reviewing procedures for emergency changes to programs, the IS auditor should verify that the procedures:
A) allow changes, which will be completed using after-the-fact follow-up.
B) allow undocumented changes directly to the production library.
C) do not allow any emergency changes.
D) allow programmers permanent access to production programs.
5. To determine if unauthorized changes have been made to production code the BEST audit procedure is to:
A) examine the change control system records and trace them forward to object code files.
B) review access control permissions operating within the production program libraries.
C) examine object code to find instances of changes and trace them back to change control records.
D) review change approved designations established within the change control system.
1. Right Answer: A
Explanation: Code signing can only ensure that the executable code has not been modified after being signed. The other choices are incorrect and actually represent potential and exploitable weaknesses of code signing.
2. Right Answer: A
Explanation: Library control software should be used to separate test from production libraries in mainframe and/or client server environments. The main objective of library control software is to provide assurance that program changes have been authorized. Library control software is concerned with authorized program changes and would not automatically move modified programs into production and cannot determine whether programs have been thoroughly tested. Library control software provides reasonable assurance that the source code and executable code are matched at the time a source code is moved to production. However, subsequent events such as a hardware failure can result in a lack of consistency between source and executable code.
3. Right Answer: B
Explanation: An IS auditor must review the change management process, including patch management procedures, and verify that the process has adequate controls and make suggestions accordingly. The other choices are part of a good change management process but are not an IS auditor's responsibility.
4. Right Answer: A
Explanation: There may be situations where emergency fixes are required to resolve system problems. This involves the use of special logon IDs that grant programmers temporary access to production programs during emergency situations. Emergency changes should be completed using after-the- fact follow-up procedures, which ensure that normal procedures are retroactively applied; otherwise, production may be impacted. Changes made in this fashion should be held in an emergency library from where they can be moved to the production library, following the normal change management process. Programmers should not directly alter the production library nor should they be allowed permanent access to production programs.
5. Right Answer: C
Explanation: The procedure of examining object code files to establish instances of code changes and tracing these back to change control system records is a substantive test that directly addresses the risk of unauthorized code changes. The other choices are valid procedures to apply in a change control audit but they do not directly address the risk of unauthorized code changes.
Explanation: Code signing can only ensure that the executable code has not been modified after being signed. The other choices are incorrect and actually represent potential and exploitable weaknesses of code signing.
2. Right Answer: A
Explanation: Library control software should be used to separate test from production libraries in mainframe and/or client server environments. The main objective of library control software is to provide assurance that program changes have been authorized. Library control software is concerned with authorized program changes and would not automatically move modified programs into production and cannot determine whether programs have been thoroughly tested. Library control software provides reasonable assurance that the source code and executable code are matched at the time a source code is moved to production. However, subsequent events such as a hardware failure can result in a lack of consistency between source and executable code.
3. Right Answer: B
Explanation: An IS auditor must review the change management process, including patch management procedures, and verify that the process has adequate controls and make suggestions accordingly. The other choices are part of a good change management process but are not an IS auditor's responsibility.
4. Right Answer: A
Explanation: There may be situations where emergency fixes are required to resolve system problems. This involves the use of special logon IDs that grant programmers temporary access to production programs during emergency situations. Emergency changes should be completed using after-the- fact follow-up procedures, which ensure that normal procedures are retroactively applied; otherwise, production may be impacted. Changes made in this fashion should be held in an emergency library from where they can be moved to the production library, following the normal change management process. Programmers should not directly alter the production library nor should they be allowed permanent access to production programs.
5. Right Answer: C
Explanation: The procedure of examining object code files to establish instances of code changes and tracing these back to change control system records is a substantive test that directly addresses the risk of unauthorized code changes. The other choices are valid procedures to apply in a change control audit but they do not directly address the risk of unauthorized code changes.
0 Comments
Leave a comment
Categories
Recent posts
CA Foundation Business Economics Questions 2023 - Part 31
Fri, 03 Mar 2023
CA Foundation Business Economics Questions 2023 - Part 30
Fri, 03 Mar 2023
