CISA PRACTICE QUESTION ALL

2009 CISA PRACTICE QUESTION ALL(800) QUESTIONS: 1、Which of the following antispam filtering techniques would BEST prevent a valid, variable-length e-mail message containing a heavily weighted spam keyword from being labeled as spam? A、Heuristic (rule-based) B、Signature-based C、Pattern matching D、Bayesian (statistical) ANSWER:D NOTE:Bayesian filtering applies statistical modeling to messages, by performing a frequency analysis on each word within the message and then evaluating the message as a whole. Therefore, it can ignore a suspicious keyword if the entire message is within normal bounds. Heuristic filtering is less effective, since new exception rules may need to be defined when a valid message is labeled as spam. Signature-based filtering is useless against variable-length messages, because the calculated MD5 hash changes all the time. Finally, pattern matching is actually a degraded rule-based technique, where the rules operate at the word level using wildcards, and not at higher levels. 2、An offsite information processing facility with electrical wiring, air conditioning and flooring, but no computer or communications equipment, is a: A、cold site. B、warm site. C、dial-up site. D、duplicate processing facility. ANSWER:A NOTE:A cold site is ready to receive equipment but does not offer any components at the site in advance of the need. A warm site is an offsite backup facility that is partially configured with network connections and selected peripheral equipmentsuch as disk and tape units, controllers and CPUsto operate an information processing facility. A duplicate information processing facility is a dedicated, self-developed recovery site that can back up critical applications. 3、Which of the following is MOST directly affected by network performance monitoring tools? A、Integrity B、Availability C、Completeness D、Confidentiality ANSWER:B NOTE:In case of a disruption in service, one of the key functions of network performance monitoring tools is to ensure that the information has remained unaltered. It is a function of security monitoring to assure confidentiality by using such tools as encryption. However, the most important aspect of network performance is assuring the ongoing dependence on connectivity to run the business. Therefore, the characteristic that benefits the most from network monitoring is availability. 4、An IS auditor invited to a development project meeting notes that no project risks have been documented. When the IS auditor raises this issue, the project manager responds that it is too early to identify risks and that, if risks do start impacting the project, a risk manager will be hired. The appropriate response of the IS auditor would be to: A、stress the importance of spending time at this point in the project to consider and document risks, and to develop contingency plans. B、accept the project managers position as the project manager is accountable for the outcome of the project. C、offer to work with the risk manager when one is appointed. D、inform the project manager that the IS auditor will conduct a review of the risks at the completion of the requirements definition phase of the project. ANSWER:A NOTE:The majority of project risks can typically be identified before a project begins, allowing mitigation/avoidance plans to be put in place to deal with these risks. A project should have a clear link back to corporate strategy and tactical plans to support this strategy. The process of setting corporate strategy, setting objectives and developing tactical plans should include the consideration of risks. Appointing a risk manager is a good practice but waiting until the project has been impacted by risks is misguided. Risk management needs to be forward looking; allowing risks to evolve into issues that adversely impact the project represents a failure of risk management. With or without a risk manager, persons within and outside of the project team need to be consulted and encouraged to comment when they believe new risks have emerged or risk priorities have changed. The IS auditor has an obligation to the project sponsor and the organization to advise on appropriate project management practices. Waiting for the possible appointment of a risk manager represents an unnecessary and dangerous delay to implementing risk management. 5、In a public key infrastructure, a registration authority: A、verifies information supplied by the subject requesting a certificate. B、issues the certificate after the required attributes are verified and the keys are generated. C、digitally signs a message to achieve nonrepudiation of the signed message. D、registers signed messages to protect them from future repudiation. ANSWER:A NOTE:A registration authority is responsible for verifying information supplied by the subject requesting a certificate, and verifies the requestors right to request certificate attributes and that the requestor actually possesses the private key corresponding to the public key being sent. Certification authorities, not registration authorities, actually issue certificates once verification of the information has been completed; because of this, choice B is incorrect. On the other hand, the sender who has control of their private key signs the message, not the registration authority. Registering signed messages is not a task performed by registration authorities. 6、Which of the following should be of MOST concern to an IS auditor reviewing the BCP? A、The disaster levels are based on scopes of damaged functions, but not on duration. B、The difference between low-level disaster and software incidents is not clear. C、The overall BCP is documented, but detailed recovery steps are not specified. D、The responsibility for declaring a disaster is not identified. ANSWER:D NOTE:If nobody declares the disaster, the response and recovery plan would not be invoked, making all other concerns mute. Although failure to consider duration could be a problem, it is not as significant as scope, and neither is as critical as the need to have someone invoke the plan. The difference between incidents and low-level disasters is always unclear and frequently revolves around the amount of time required to correct the damage. The lack of detailed steps should be documented, but their absence does not mean a lack of recovery, if in fact someone has invoked the plan. 7、Which of the following is the key benefit of control self-assessment (CSA)? A、Management ownership of the internal controls supporting business objectives is reinforced. B、Audit expenses are reduced when the assessment results are an input to external audit work. C、Improved fraud detection since internal business staff are engaged in testing controls D、Internal auditors can shift to a consultative approach by using the results of the assessment. ANSWER:A NOTE:The objective of control self-assessment is to have business management become more aware of the importance of internal control and their responsibility in terms of corporate governance. Reducing audit expenses is not a key benefit of control self-assessment (CSA). Improved fraud detection is important, but not as important as ownership, and is not a principal objective of CSA. CSA may give more insights to internal auditors, allowing them to take a more consultative role; however, this is an additional benefit, not the key benefit. 8、An IS auditor evaluating logical access controls should FIRST: A、document the controls applied to the potential access paths to the system. B、test controls over the access paths to determine if they are functional. C、evaluate the security environment in relation to written policies and practices. D、obtain an understanding of the security risks to information processing. ANSWER:D NOTE:When evaluating logical access controls, an IS auditor should first obtain an understanding of the security risks facing information processing by reviewing relevant documentation, by inquiries, and by conducting a risk assessment. Documentation and evaluation is the second step in assessing the adequacy, efficiency and effectiveness, thus identifying deficiencies or redundancy in controls. The third step is to test the access pathsto determine if the controls are functioning. Lastly, the IS auditor evaluates the security environment to assess its adequacy by reviewing the written policies, observing practices and comparing them to appropriate security best practices. 9、The logical exposure associated with the use of a checkpoint restart procedure is: A、denial of service. B、an asynchronous attack. C、wire tapping. D、computer shutdown. ANSWER:B NOTE:Asynchronous attacks are operating system-based attacks. A checkpoint restart is a feature that stops a program at specified intermediate points for later restart in an orderly manner without losing data at the checkpoint. The operating system saves a copy of the computer programs and data in their current state as well as several system parameters describing the mode and security level of the program at the time of stoppage. An asynchronous attack occurs when an individual with access to this information is able to gain access to the checkpoint restart copy of the system parameters and change those parameters such that upon restart the program would function at a higher-priority security level. 10、Many organizations require an employee to take a mandatory vacation (holiday) of a week or more to: A、ensure the employee maintains a good quality of life, which will lead to greater productivity. B、reduce the opportunity for an employee to commit an improper or illegal act. C、provide proper cross-training for another employee. D、eliminate the potential disruption caused when an employee takes vacation one day at a time. ANSWER:B NOTE:Required vacations/holidays of a week or more in duration in which someone other than the regular employee performs the job function is often mandatory for sensitive positions, as this reduces the opportunity to commit improper or illegal acts. During this time it may be possible to discover any fraudulent activity that was taking place. Choices A, C and D could all be organizational benefits from a mandatory vacation policy, but they are not the reason why the policy is established. 11、To determine how data are accessed across different platforms in a heterogeneous environment, an IS auditor should FIRST review: A、business software. B、infrastructure platform tools. C、application services. D、system development tools. ANSWER:C NOTE:Projects should identify the complexities of the IT Infrastructure that can be simplified or isolated by the development of application services. Application services isolate system developers from the complexities of the IT infrastructure and offer common functionalities that are shared by many applications. Application services take the form of interfaces, middleware, etc. Business software focuses on business processes, whereas application services bridge the gap between applications and the IT Infrastructure components. Infrastructure platform tools are related to core hardware and software components required for development of the IT infrastructure. Systems development tools represent development components of the IT infrastructure development. 12、An integrated test facility is considered a useful audit tool because it: A、is a cost-efficient approach to auditing application controls. B、enables the financial and IS auditors to integrate their audit tests. C、compares processing output with independently calculated data. D、provides the IS auditor with a tool to analyze a large range of information. ANSWER:C NOTE:An integrated test facility is considered a useful audit tool because it uses the same programs to compare processing using independently calculated data. This involves setting up dummy entities on an application system and processing test or production data against the entity as a means of verifying processing accuracy. 13、An IS auditor evaluates the test results of a modification to a system that deals with payment computation. The auditor finds that 50 percent of the calculations do not match predetermined totals. Which of the following would MOST likely be the next step in the audit? A、Design further tests of the calculations that are in error. B、Identify variables that may have caused the test results to be inaccurate. C、Examine some of the test cases to confirm the results. D、Document the results and prepare a report of findings, conclusions and recommendations. ANSWER:C NOTE:An IS auditor should next examine cases where incorrect calculations occurred and confirm the results. After the calculations have been confirmed, further tests can be conducted and reviewed. Report preparation, findings and recommendations would not be made until all results are confirmed. 14、The PRIMARY objective of performing a postincident review is that it presents an opportunity to: A、improve internal control procedures. B、harden the network to industry best practices. C、highlight the importance of incident response management to management. D、improve employee awareness of the incident response process. ANSWER:A NOTE:A postincident review examines both the cause and response to an incident. The lessons learned from the review can be used to improve internal controls. Understanding the purpose and structure of postincident reviews and follow-up procedures enables the information security manager to continuously improve the security program. Improving the incident response plan based on the incident review is an internal (corrective) control. The network may already be hardened to industry best practices. Additionally, the network may not be the source of the incident. The primary objective is to improve internal control procedures, not to highlight the importance of incident response management (IRM), and an incident response (IR) review does not improve employee awareness. 15、When conducting a penetration test of an organizations internal network, which of the following approaches would BEST enable the conductor of the test to remain undetected on the network? A、Use the IP address of an existing file server or domain controller. B、Pause the scanning every few minutes to allow thresholds to reset. C、Conduct the scans during evening hours when no one is logged-in. D、Use multiple scanning tools since each tool has different characteristics. ANSWER:B NOTE:Pausing the scanning every few minutes avoids overtaxing the network as well as exceeding thresholds that may trigger alert messages to the network administrator. Using the IP address of a server would result in an address contention that would attract attention. Conducting scans after hours would increase the chance of detection, since there would be less traffic to conceal ones activities. Using different tools could increase the likelihood that one of them would be detected by an intrusion detection system. 16、An organization has implemented a disaster recovery plan. Which of the following steps should be carried out next? A、Obtain senior management sponsorship. B、Identify business needs. C、Conduct a paper test. D、Perform a system restore test. ANSWER:C NOTE:A best practice would be to conduct a paper test. Senior management sponsorship and business needs identification should have been obtained prior to implementing the plan. A paper test should be conducted first, followed by system or full testing. 17、This question refers to the following diagram. E-mail traffic from the Internet is routed via firewall-1 to the mail gateway. Mail is routed from the mail gateway, via firewall-2, to the mail recipients in the internal network. Other traffic is not allowed. For example, the firewalls do not allow direct traffic from the Internet to the internal network. The intrusion detection system (IDS) detects traffic for the internal network that did not originate from the mail gateway. The FIRST action triggered by the IDS should be to: A、alert the appropriate staff. B、create an entry in the log. C、close firewall-2. D、close firewall-1. ANSWER:C NOTE:Traffic for the internal network that did not originate from the mail gateway is a sign that firewall-1 is not functioning properly. This may have been be caused by an attack from a hacker. Closing firewall-2 is the first thing that should be done, thus preventing damage to the internal network. After closing firewall-2, the malfunctioning of firewall-1 can be investigated. The IDS should trigger the closing of firewall-2 either automatically or by manual intervention. Between the detection by the IDS and a response from the system administrator valuable time can be lost, in which a hacker could also compromise firewall-2. An entry in the log is valuable for later analysis, but before that, the IDS should close firewall-2. If firewall-1 has already been compromised by a hacker, it might not be possible for the IDS to close it. 18、What is the MOST prevalent security risk when an organization implements remote virtual private network (VPN) access to its network? A、Malicious code could be spread across the network B、VPN logon could be spoofed C、Traffic could be sniffed and decrypted D、VPN gateway could be compr