CISAβCertified Information Systems Auditor - Part 272
1. An organization is using an enterprise resource management (ERP) application. Which of the following would be an effective access control?
A) User-level permissions
B) Role-based
C) Fine-grained
D) Discretionary
2. What should be the GREATEST concern to an IS auditor when employees use portable media (MP3 players, flash drives)?
A) The copying of sensitive data on them
B) The copying of songs and videos on them
C) The cost of these devices multiplied by all the employees could be high
D) They facilitate the spread of malicious code through the corporate network
3. An IS auditor should expect the responsibility for authorizing access rights to production data and systems to be entrusted to the:
A) process owners.
B) system administrators.
C) security administrator.
D) data owners.
4. An IS auditor has completed a network audit. Which of the following is the MOST significant logical security finding?
A) Network workstations are not disabled automatically after a period of inactivity.
B) Wiring closets are left unlocked
C) Network operating manuals and documentation are not properly secured.
D) Network components are not equipped with an uninterruptible power supply.
5. Which of the following would MOST effectively enhance the security of a challenge- response based authentication system?
A) Selecting a more robust algorithm to generate challenge strings
B) implementing measures to prevent session hijacking attacks
C) increasing the frequency of associated password changes
D) increasing the length of authentication strings
A) User-level permissions
B) Role-based
C) Fine-grained
D) Discretionary
2. What should be the GREATEST concern to an IS auditor when employees use portable media (MP3 players, flash drives)?
A) The copying of sensitive data on them
B) The copying of songs and videos on them
C) The cost of these devices multiplied by all the employees could be high
D) They facilitate the spread of malicious code through the corporate network
3. An IS auditor should expect the responsibility for authorizing access rights to production data and systems to be entrusted to the:
A) process owners.
B) system administrators.
C) security administrator.
D) data owners.
4. An IS auditor has completed a network audit. Which of the following is the MOST significant logical security finding?
A) Network workstations are not disabled automatically after a period of inactivity.
B) Wiring closets are left unlocked
C) Network operating manuals and documentation are not properly secured.
D) Network components are not equipped with an uninterruptible power supply.
5. Which of the following would MOST effectively enhance the security of a challenge- response based authentication system?
A) Selecting a more robust algorithm to generate challenge strings
B) implementing measures to prevent session hijacking attacks
C) increasing the frequency of associated password changes
D) increasing the length of authentication strings
1. Right Answer: B
Explanation: Role-based access controls the system access by defining roles for a group of users. Users are assigned to the various roles and the access is granted based on the user's role. User-level permissions for an ERP system would create a larger administrative overhead. Fine-grained access control is very difficult to implement and maintain in the context of a large enterprise.Discretionary access control may be configured or modified by the users or data owners, and therefore may create inconsistencies in the access control management.
2. Right Answer: A
Explanation: The MAIN concern with MP3 players and flash drives is data leakage, especially sensitive information. This could occur if the devices were lost or stolen. The risk when copying songs and videos is copyright infringement, but this is normally a less important risk than information leakage. Choice C is hardly an issue because employees normally buy the portable media with their own funds. Choice D is a possible risk, but not as important as information leakage and can be reduced by other controls.
3. Right Answer: D
Explanation: Data owners are primarily responsible for safeguarding the data and authorizing access to production data on a need-to-know basis.
4. Right Answer: A
Explanation: Choice A is the only logical security finding. Network logical security controls should be in place to restrict, identify, and report authorized and unauthorized users of the network. Disabling inactive workstations restricts users of the network. Choice D is an environmental issue and choices B and C are physical security issues. Choices B, C and D should be reported to the appropriate entity.
5. Right Answer: B
Explanation: Challenge response-based authentication is prone to session hijacking or man-in-the- middle attacks. Security management should be aware of this and engage in risk assessment and control design when they employ this technology. Selecting a more robust algorithm will enhance the security; however, this may not be as important in terms of risk when compared to man-in- the-middle attacks. Choices C and D are good security practices; however, they are not as effective a preventive measure. Frequently changing passwords is a good security practice; however, the exposures lurking in communication pathways may pose a greater risk.
Explanation: Role-based access controls the system access by defining roles for a group of users. Users are assigned to the various roles and the access is granted based on the user's role. User-level permissions for an ERP system would create a larger administrative overhead. Fine-grained access control is very difficult to implement and maintain in the context of a large enterprise.Discretionary access control may be configured or modified by the users or data owners, and therefore may create inconsistencies in the access control management.
2. Right Answer: A
Explanation: The MAIN concern with MP3 players and flash drives is data leakage, especially sensitive information. This could occur if the devices were lost or stolen. The risk when copying songs and videos is copyright infringement, but this is normally a less important risk than information leakage. Choice C is hardly an issue because employees normally buy the portable media with their own funds. Choice D is a possible risk, but not as important as information leakage and can be reduced by other controls.
3. Right Answer: D
Explanation: Data owners are primarily responsible for safeguarding the data and authorizing access to production data on a need-to-know basis.
4. Right Answer: A
Explanation: Choice A is the only logical security finding. Network logical security controls should be in place to restrict, identify, and report authorized and unauthorized users of the network. Disabling inactive workstations restricts users of the network. Choice D is an environmental issue and choices B and C are physical security issues. Choices B, C and D should be reported to the appropriate entity.
5. Right Answer: B
Explanation: Challenge response-based authentication is prone to session hijacking or man-in-the- middle attacks. Security management should be aware of this and engage in risk assessment and control design when they employ this technology. Selecting a more robust algorithm will enhance the security; however, this may not be as important in terms of risk when compared to man-in- the-middle attacks. Choices C and D are good security practices; however, they are not as effective a preventive measure. Frequently changing passwords is a good security practice; however, the exposures lurking in communication pathways may pose a greater risk.
Comments
0
CA Foundation Business Economics Questions 2023 - Part 32
03 Mar 2023
CA Foundation Business Economics Questions 2023 - Part 31
03 Mar 2023
CA Foundation Business Economics Questions 2023 - Part 30
03 Mar 2023
CA Foundation Business Economics Questions 2023 - Part 29
03 Mar 2023
CA Foundation Business Economics Questions 2023 - Part 28
03 Mar 2023
