CA Foundation Business Economics Questions 2023 - Part 32
Fri, 03 Mar 2023
1. In an online banking application, which of the following would BEST protect against identity theft?
A) Encryption of personal password
B) Restricting the user to a specific terminal
C) Two-factor authentication
D) Periodic review of access logs
2. Which of the following is the BEST method for preventing the leakage of confidential information in a laptop computer?
A) Encrypt the hard disk with the owner's public key.
B) Enable the boot password (hardware-based password).
C) Use a biometric authentication device.
D) Use two-factor authentication to logon to the notebook.
3. The responsibility for authorizing access to application data should be with the:
A) data custodian.
B) database administrator (DBA).
C) data owner.
D) security administrator.
4. During an audit of the logical access control of an ERP financial system an IS auditor found some user accounts shared by multiple individuals. The user IDs were based on roles rather than individual identities. These accounts allow access to financial transactions on the ERP. What should the IS auditor do next?
A) Look for compensating controls.
B) Review financial transactions logs.
C) Review the scope of the audit.
D) Ask the administrator to disable these accounts.
5. Minimum password length and password complexity verification are examples of:
A) detection controls.
B) control objectives.
C) audit objectives.
D) control procedures.
A) Encryption of personal password
B) Restricting the user to a specific terminal
C) Two-factor authentication
D) Periodic review of access logs
2. Which of the following is the BEST method for preventing the leakage of confidential information in a laptop computer?
A) Encrypt the hard disk with the owner's public key.
B) Enable the boot password (hardware-based password).
C) Use a biometric authentication device.
D) Use two-factor authentication to logon to the notebook.
3. The responsibility for authorizing access to application data should be with the:
A) data custodian.
B) database administrator (DBA).
C) data owner.
D) security administrator.
4. During an audit of the logical access control of an ERP financial system an IS auditor found some user accounts shared by multiple individuals. The user IDs were based on roles rather than individual identities. These accounts allow access to financial transactions on the ERP. What should the IS auditor do next?
A) Look for compensating controls.
B) Review financial transactions logs.
C) Review the scope of the audit.
D) Ask the administrator to disable these accounts.
5. Minimum password length and password complexity verification are examples of:
A) detection controls.
B) control objectives.
C) audit objectives.
D) control procedures.
1. Right Answer: C
Explanation: Two-factor authentication requires two independent methods for establishing identity and privileges. Factors include something you know, such as a password; something you have, such as a token; and something you are, which is biometric. Requiring two of these factors makes identity theft more difficult. A password could be guessed or broken. Restricting the user to a specific terminal is not a practical alternative for an online application. Periodic review of access logs is a detective control and does not protect against identity theft.
2. Right Answer: A
Explanation: Only encryption of the data with a secure key will prevent the loss of confidential information. In such a case, confidential information can be accessed only with knowledge of the owner's private key, which should never be shared. Choices B, C and D deal with authentication and not with confidentiality of information. An individual can remove the hard drive from the secured laptop and install it on an unsecured computer, gaining access to the data.
3. Right Answer: C
Explanation: Data owners should have the authority and responsibility for granting access to the data and applications for which they are responsible. Data custodians are responsible only for storing and safeguarding the data. The database administrator (DBA) is responsible for managing the database and the security administrator is responsible for implementing and maintaining IS security. The ultimate responsibility for data resides with the data owner.
4. Right Answer: A
Explanation: The best logical access control practice is to create user IDs for each individual to define accountability. This is possible only by establishing a one-to-one relationship between IDs and individuals. However, if the user IDs are created based on role designations, an IS auditor should first understand the reasons and then evaluate the effectiveness and efficiency of compensating controls. Reviewing transactions logs is not relevant to an audit of logical access control nor is reviewing the scope of the audit relevant. Asking the administrator to disable the shared accounts should not be recommended by an IS auditor before understanding the reasons and evaluating the compensating controls. It is not an IS auditor's responsibility to ask for disabling accounts during an audit.
5. Right Answer: D
Explanation: Control procedures are practices established by management to achieve specific control objectives. Password controls are preventive controls, not detective controls. Control objectives are declarations of expected results from implementing controls and audit objectives are the specific goals of an audit.
Explanation: Two-factor authentication requires two independent methods for establishing identity and privileges. Factors include something you know, such as a password; something you have, such as a token; and something you are, which is biometric. Requiring two of these factors makes identity theft more difficult. A password could be guessed or broken. Restricting the user to a specific terminal is not a practical alternative for an online application. Periodic review of access logs is a detective control and does not protect against identity theft.
2. Right Answer: A
Explanation: Only encryption of the data with a secure key will prevent the loss of confidential information. In such a case, confidential information can be accessed only with knowledge of the owner's private key, which should never be shared. Choices B, C and D deal with authentication and not with confidentiality of information. An individual can remove the hard drive from the secured laptop and install it on an unsecured computer, gaining access to the data.
3. Right Answer: C
Explanation: Data owners should have the authority and responsibility for granting access to the data and applications for which they are responsible. Data custodians are responsible only for storing and safeguarding the data. The database administrator (DBA) is responsible for managing the database and the security administrator is responsible for implementing and maintaining IS security. The ultimate responsibility for data resides with the data owner.
4. Right Answer: A
Explanation: The best logical access control practice is to create user IDs for each individual to define accountability. This is possible only by establishing a one-to-one relationship between IDs and individuals. However, if the user IDs are created based on role designations, an IS auditor should first understand the reasons and then evaluate the effectiveness and efficiency of compensating controls. Reviewing transactions logs is not relevant to an audit of logical access control nor is reviewing the scope of the audit relevant. Asking the administrator to disable the shared accounts should not be recommended by an IS auditor before understanding the reasons and evaluating the compensating controls. It is not an IS auditor's responsibility to ask for disabling accounts during an audit.
5. Right Answer: D
Explanation: Control procedures are practices established by management to achieve specific control objectives. Password controls are preventive controls, not detective controls. Control objectives are declarations of expected results from implementing controls and audit objectives are the specific goals of an audit.
0 Comments
Leave a comment
Categories
Recent posts
CA Foundation Business Economics Questions 2023 - Part 31
Fri, 03 Mar 2023
CA Foundation Business Economics Questions 2023 - Part 30
Fri, 03 Mar 2023
