Accounting Information Systems, 12e (Romney/Steinbart)
Chapter 8: Information Systems Controls for System Reliability, Part 1: Information Security
1) The Trust Services Framework reliability principle that states that users must be able to enter, update, and retrieve data during agreed-upon times is known as
A) availability.
B) security.
C) maintainability.
D) integrity.
Page Ref: 221

2) Which of the following is not a useful control procedure to control access to system outputs?
A) Allowing visitors to move through the building without supervision
B) Coding reports to reflect their importance
C) Requiring employees to log out of applications when leaving their desk
D) Restricting access to rooms with printers
Page Ref: 229

3) According to the Trust Services Framework, the reliability principle of integrity is achieved when the system produces data that
A) is available for operation and use at times set forth by agreement.
B) is protected against unauthorized physical and logical access.
C) can be maintained as required without affecting system availability, security, and integrity.
D) is complete, accurate, and valid.
Page Ref: 221

4) Which of the following is not one of the three fundamental information security concepts?
A) Information security is a technology issue based on prevention.
B) Security is a management issue, not a technology issue.
C) The idea of defense-in-depth employs multiple layers of controls.
D) The time-based model of security focuses on the relationship between preventive, detective and corrective controls.
Page Ref: 222-224
5) Which of the following is not one of the essential criteria for successfully implementing each of the principles that contribute to systems reliability, as discussed in the Trust Services Framework?
A) Developing and documenting policies
B) Effectively communicating policies to all outsiders
C) Designing and employing appropriate control procedures to implement policies
D) Monitoring the system and taking corrective action to maintain compliance with policies
Page Ref: 223

6) If the time an attacker takes to break through the organization's preventive controls is greater than the sum of the time required to detect the attack and the time required to respond to the attack, then security is
A) effective.
B) ineffective.
C) overdone.
D) undermanaged.

7) Verifying the identity of the person or device attempting to access the system is
A) authentication.
B) authorization.
C) identification.
D) threat monitoring.
Page Ref: 226

8) Restricting users' access to specific portions of the system, as well as to specific tasks, is
A) authentication.
B) authorization.
C) identification.
D) threat monitoring.
9) Which of the following is an example of a preventive control?
A) Encryption
B) Log analysis
C) Intrusion detection
D) Emergency response teams

10) Which of the following is an example of a detective control?
A) Physical access controls
B) Encryption
C) Log analysis
D) Emergency response teams
Page Ref: 237

11) Which of the following is an example of a corrective control?
A) Physical access controls
B) Encryption
C) Intrusion detection
D) Incident response teams
Page Ref: 239

12) Which of the following is not a requirement of effective passwords?
A) Passwords should be changed at regular intervals.
B) Passwords should be no more than 8 characters in length.
C) Passwords should contain a mixture of upper and lowercase letters, numbers and characters.
D) Passwords should not be words found in dictionaries.
Page Ref: 227

13) Multi-factor authentication
A) involves the use of two or more basic authentication methods.
B) is a table specifying which portions of the systems users are permitted to access.
C) provides weaker authentication than the use of effective passwords.
D) requires the use of more than one effective password.
14) An access control matrix
A) does not have to be updated.
B) is a table specifying which portions of the system users are permitted to access.
C) is used to implement authentication controls.
D) matches the user's authentication credentials to his authorization.

15) Perimeter defense is an example of which of the following preventive controls that are necessary to provide adequate security?
A) Training
B) Controlling physical access
C) Controlling remote access
D) Host and application hardening
Page Ref: 230

16) Which of the following preventive controls is necessary to provide adequate security against social engineering threats?
A) Controlling remote access
B) Encryption
C) Host and application hardening
D) Awareness training
Page Ref: 226

17) A special purpose hardware device or software running on a general purpose computer, which filters information that is allowed to enter and leave the organization's information system, is known as a(n)
A) demilitarized zone.
B) intrusion detection system.
C) intrusion prevention system.
D) firewall.
Page Ref: 230

18) This protocol specifies the procedures for dividing files and documents into packets to be sent over the Internet.
A) Access control list
B) Internet protocol
C) Packet switching protocol
D) Transmission control protocol
Page Ref: 231
19) This protocol specifies the structure of packets sent over the Internet and the route to get them to the proper destination.
A) Access control list
B) Internet protocol
C) Packet switching protocol
D) Transmission control protocol
Page Ref: 231

20) This network access control determines which IP packets are allowed entry to a network and which are dropped.
A) Access control list
B) Deep packet inspection
C) Stateful packet filtering
D) Static packet filtering
Page Ref: 233

21) Compatibility tests utilize a(n) ________, which is a list of authorized users, programs, and data files the users are authorized to access or manipulate.
A) validity test
B) biometric matrix
C) logical control matrix
D) access control matrix

22) The process that screens individual IP packets based solely on the contents of the source and/or destination fields in the packet header is known as
A) access control list.
B) deep packet inspection.
C) stateful packet filtering.
D) static packet filtering.
Page Ref: 233

23) The process that maintains a table listing all established connections between the organization's computers and the Internet, in order to determine whether an incoming packet is part of an ongoing communication initiated by an internal computer, is known as
A) access control list.
B) deep packet inspection.
C) stateful packet filtering.
D) static packet filtering.
Page Ref: 233
24) The process that allows a firewall to be more effective by examining the data in the body of an IP packet, instead of just the header, is known as
A) deep packet inspection.
B) stateful packet filtering.
C) static packet filtering.
D) an intrusion prevention system.
Page Ref: 233

25) The security technology that evaluates IP packet traffic patterns in order to identify attacks against a system is known as
A) an intrusion prevention system.
B) stateful packet filtering.
C) static packet filtering.
D) deep packet inspection.
Page Ref: 234

26) This is used to identify rogue modems (or by hackers to identify targets).
A) War chalking
B) War dialing
C) War driving
D) None of the above
Page Ref: 235

27) The process of turning off unnecessary features in the system is known as
A) deep packet inspection.
B) hardening.
C) intrusion detection.
D) war dialing.
Page Ref: 236

28) The most common input-related vulnerability is
A) buffer overflow attack.
B) hardening.
C) war dialing.
D) encryption.
Page Ref: 237
29) This creates logs of network traffic that was permitted to pass the firewall.
A) Intrusion detection system
B) Log analysis
C) Penetration test
D) Vulnerability scan
Page Ref: 238

30) The process that uses automated tools to identify whether a system possesses any well-known security problems is known as a(n)
A) intrusion detection system.
B) log analysis.
C) penetration test.
D) vulnerability scan.
Page Ref: 236

31) This is an authorized attempt by an internal audit team or an external security consultant to break into the organization's information system.
A) Intrusion detection system
B) Log analysis
C) Penetration test
D) Vulnerability scan
Page Ref: 238

32) A well-known hacker started his own computer security consulting business shortly after being released from prison. Many companies pay him to attempt to gain unauthorized access to their network. If he is successful, he offers advice as to how to design and implement better controls. What is the name of the testing for which the hacker is being paid?
A) Penetration test
B) Vulnerability scan
C) Deep packet inspection
D) Buffer overflow test
Page Ref: 238
33) The ________ disseminates information about fraud, errors, breaches and other improper system uses and their consequences.
A) chief information officer
B) chief operations officer
C) chief security officer
D) computer emergency response team
Page Ref: 240

34) In 2007, a major U.S. financial institution hired a security firm to attempt to compromise its computer network. A week later, the firm reported that it had successfully entered the system without apparent detection and presented an analysis of the vulnerabilities that had been found. This is an example of a
A) preventive control.
B) detective control.
C) corrective control.
D) standard control.
Page Ref: 238

35) It was 9:08 A.M. when Jiao Jan, the Network Administrator for Folding Squid Technologies, was informed that the intrusion detection system had identified an ongoing attempt to breach network security. By the time that Jiao had identified and blocked the attack, the hacker had accessed and downloaded several files from the company's server. Using the notation for the time-based model of security, in this case
A) P > D
B) D > P
C) C > P
D) P > C

36) Which of the following is commonly true of the default settings for most commercially available wireless access points?
A) The security level is set at the factory and cannot be changed.
B) Wireless access points present little danger of vulnerability, so security is not a concern.
C) Security is set to the lowest level that the device is capable of.
D) Security is set to the highest level that the device is capable of.
Page Ref: 235
37) In recent years, many of the attacks carried out by hackers have relied on this type of vulnerability in computer software.
A) Code mastication
B) Boot sector corruption
C) Weak authentication
D) Buffer overflow
Page Ref: 236

38) Meaningful Discussions is a social networking site that boasts over a million registered users and a quarterly membership growth rate in the double digits. As a consequence, the size of the information technology department has been growing very rapidly, with many new hires. Each employee is provided with a name badge with a photo and an embedded computer chip that is used to gain entry to the facility. This is an example of a(an)
A) authentication control.
B) biometric device.
C) remote access control.
D) authorization control.
Page Ref: 226

39) When new employees are hired by Folding Squid Technologies, they are assigned user names and appropriate permissions are entered into the information system's access control matrix. This is an example of a(an)
A) authentication control.
B) biometric device.
C) remote access control.
D) authorization control.

40) When new employees are hired by Folding Squid Technologies, they are assigned user names and passwords and provided with laptop computers that have an integrated fingerprint reader. In order to log in, the user's fingerprint must be recognized by the reader. This is an example of a(an)
A) authorization control.
B) biometric device.
C) remote access control.
D) defense in depth.
Page Ref: 227
41) Information technology managers are often in a bind when a new exploit is discovered in the wild. They can respond by updating the affected software or hardware with new code provided by the manufacturer, which runs the risk that a flaw in the update will break the system. Or they can wait until the new code has been extensively tested, but that runs the risk that they will be compromised by the exploit during the testing period. Dealing with these issues is referred to as
A) change management.
B) hardening.
C) patch management.
D) defense in depth.
Page Ref: 240

42) Murray Snitzel called a meeting of the top management at Snitzel Capital Management. Number one on the agenda was computer system security. "The risk of security breach incidents has become unacceptable," he said, and turned to the Chief Information Officer. "This is your responsibility! What do you intend to do?" Which of the following is the best answer?
A) Evaluate and modify the system using the Trust Services framework.
B) Evaluate and modify the system using the COSO Internal Control Framework.
C) Evaluate and modify the system using the CTC checklist.
D) Evaluate and modify the system using COBOL.
Page Ref: 221

43) Which of the following is the most effective method of protecting against social engineering attacks on a computer system?
A) stateful packet filtering
B) employee awareness training
C) a firewall
D) a demilitarized zone
Page Ref: 226

44) The most effective way to protect network resources, like email servers, that are outside of the network and are exposed to the Internet is
A) stateful packet filtering.
B) employee training.
C) a firewall.
D) a demilitarized zone.
Page Ref: 230
45) All employees of E.C. Hoxy are required to pass through a gate and present their photo identification cards to the guard before they are admitted. Entry to secure areas, such as the Information Technology Department offices, requires further procedures. This is an example of a(an)
A) authentication control.
B) authorization control.
C) physical access control.
D) hardening procedure.
Page Ref: 229

46) On February 14, 2008, students enrolled in an economics course at Swingline College received an email stating that class would be cancelled. The email claimed to be from the professor, but it wasn't. Computer forensic experts determined that the email was sent from a computer in one of the campus labs at 9:14 A.M. They were then able to uniquely identify the computer that was used by means of its network interface card's ________ address. Security cameras revealed the identity of the student responsible for spoofing the class.
A) TCP/IP
B) MAC
C) DMZ
D) IDS

47) There are "white hat" hackers and "black hat" hackers. Cowboy451 was one of the "black hat" hackers. He had researched an exploit and determined that he could penetrate the target system, download a file containing valuable data, and cover his tracks in eight minutes. Six minutes into the attack he was locked out of the system. Using the notation of the time-based model of security, which of the following must be true?
A) P < 6
B) D = 6
C) P = 6
D) P > 6
48) Identify three ways users can be authenticated and give an example of each.
Users can be authenticated by verifying: 1. something they know (a password); 2. something they have (a smart card or ID badge); 3. something they are (biometric identification, such as a fingerprint).
Page Ref: 226

49) Describe four requirements of effective passwords.
1. Strong passwords should be at least 8 characters. 2. Passwords should use a mixture of upper and lowercase letters, numbers and characters. 3. Passwords should be random and not words found in dictionaries. 4. Passwords should be changed frequently.

50) Explain social engineering.
Social engineering attacks use deception to obtain unauthorized access to information resources, such as attackers who pose as a janitor or as a legitimate system user. Employees must be trained not to divulge passwords or other information about their accounts to anyone who contacts them and claims to be part of the organization's security team.
Page Ref: 226

51) Explain the value of penetration testing.
Penetration testing involves an authorized attempt by an internal audit team or an external security consultant to break into the organization's information system. This type of service is provided by risk management specialists in all the Big Four accounting firms. These specialists spend more than half of their time on security matters. The team attempts to compromise the system using every means possible. With a combination of systems technology skills and social engineering, these teams often find weaknesses in systems that were believed to be secure.
Page Ref: 238

52) Describe the function of a computer incident response team (CIRT) and the steps that a CIRT should perform following a security incident.
The CIRT is responsible for dealing with major security incidents and breaches. The team should include technical specialists and senior operations management. In response to a security incident, first the CIRT must recognize that a problem exists. Log analysis and intrusion detection systems can be used to detect problems and alert the CIRT. Second, the problem must be contained, perhaps by shutting down a server or curtailing traffic on the network. Third, the CIRT must focus on recovery. Corrupt programs may need to be reinstalled and data restored from backups. Finally, the CIRT must follow up to discover how the incident occurred and to design corrective controls to prevent similar incidents in the future.
Page Ref: 239

53) Identify six physical access controls.
Require visitors to sign in and receive a visitor badge before being escorted by an employee; require employees to wear photo ID badges that are checked by security guards; use physical locks and keys; store documents and electronic media in a fire-proof safe or cabinet; restrict or prohibit cell phones, iPods and other portable devices; set screen savers to start after a few minutes of inactivity; set computers to lock keyboards after a few minutes of inactivity; utilize screen protection devices; use biometric devices to authorize access to spaces and equipment; attach and lock laptops to immobile objects; utilize magnetic or chip cards to authorize access to spaces and equipment; limit or prohibit windows and glass walls in sensitive areas.