CISA Practice Questions With Correct
Solutions!!
In a public key infrastructure (PKI), which of the following may be relied upon to
prove that an online transaction was authorized by a specific customer?
Correct A. Nonrepudiation
B. Encryption
C. Authentication
D. Integrity
. - ANSWERYou are correct, the answer is A.
A. Nonrepudiation, achieved through the use of digital signatures, prevents the
senders from later denying that they generated and sent the message.
B. Encryption may protect the data transmitted over the Internet, but may not prove
that the transactions were made.
C. Authentication is necessary to establish the identification of all parties to a
communication.
D. Integrity ensures that transactions are accurate but does not provide the
identification of the customer
Which of the following BEST ensures the integrity of a server's operating system
(OS)?
A. Protecting the server in a secure location
B. Setting a boot password
Correct C. Hardening the server configuration
D. Implementing activity logging - ANSWERYou are correct, the answer is C.
A. Protecting the server in a secure location is a good practice, but does not ensure
that a user will not try to exploit logical vulnerabilities and compromise the operating
system (OS).
B. Setting a boot password is a good practice, but does not ensure that a user will
not try to exploit logical vulnerabilities and compromise the OS.
,C. Hardening a system means to configure it in the most secure manner (install
latest security patches, properly define access authorization for users and
administrators, disable insecure options and uninstall unused services) to prevent
nonprivileged users from gaining the right to execute privileged instructions and,
thus, take control of the entire machine, jeopardizing the integrity of the OS.
D. Activity logging has two weaknesses in this scenario—it is a detective control (not
a preventive one), and the attacker who already gained privileged access can modify
logs or disable them.
A. Digital signatures are used for authentication and nonrepudiation, and are not
commonly used in databases. As a result, this is not an area in which the IS auditor
should investigate.
B. A nonce is defined as a "parameter that changes over time" and is similar to a
number generated to authenticate one specific user session. Nonces are not related
to database security (they are commonly used in encryption schemes).
C. A media access control (MAC) address is the hardware address of a network
interface. MAC address authentication is sometimes used with wireless local area
network (WLAN) technology, but is not related to database security.
D. When a database is opened, many of its configuration options are governed by
initialization parameters. These parameters are usually governed by a file ("init.ora"
in the case of Oracle DBMS), which contains many settings. The system initialization
parameters address many "global" database settings, including authentication,
remote access and other critical security areas. To effectively audit a database
implementation, the IS auditor must examine the database initialization parameters.
Which of the following processes will be MOST effective in reducing the risk that
unauthorized software on a backup server is distributed to the production server?
A. Manually copy files to accomplish replication.
B. Review changes in the software version control system.
Incorrect C. Ensure that developers do not have access to the backup server.
D. Review the access control log of the backup server. - ANSWERYou answered C.
The correct answer is B.
The IS auditor is reviewing an organization's human resources (HR) database
implementation. The IS auditor discovers that the database servers are clustered for
high availability, all default database accounts have been removed and database
audit logs are kept and reviewed on a weekly basis. What other area should the IS
auditor check to ensure that the databases are appropriately secured?
A. Database digital signatures
,Incorrect B. Database encryption nonces and other variables
C. Database media access control (MAC) address authentication
D. Database initialization parameters - ANSWERYou answered B. The correct
answer is D.
A. Even if replication is be conducted manually with due care, there still remains a
risk to copying unauthorized software from one server to another.
B. It is common practice for software changes to be tracked and controlled using
version control software. An IS auditor should review reports or logs from this system
to identify the software that is promoted to production. Only moving the versions on
the version control system (VCS) program will prevent the transfer of development or
earlier versions.
C. If unauthorized code was introduced onto the backup server by developers,
controls on the production server and the software version control system should
mitigate this risk.
D. Review of the access log will identify staff access or the operations performed;
however, it may not provide enough information to detect the release of unauthorized
software.
A consulting firm has created a File Transfer Protocol (FTP) site for the purpose of
receiving financial data and has communicated the site's address, user ID and
password to the financial services company in separate email messages. The
company is to transmit its data to the FTP site after manually encrypting the data.
The IS auditor's GREATEST concern with this process is that:
Correct A. the users may not remember to manually encrypt the data before
transmission.
B. the site credentials were sent to the financial services company via email.
C. personnel at the consulting firm may obtain access to sensitive data.
D. the use of a shared user ID to the FTP site does not allow for user accountability.
- ANSWERYou are correct, the answer is A.
A. If the data is not encrypted, an unauthorized external party may download
sensitive company data.
B. Even though the possibility exists that the logon information was captured from
the emails, data should be encrypted, so the theft of the data would not allow the
attacker to read it.
, C. Some of the employees at the consulting firm will have access to the sensitive
data and the consulting firm must have procedures in place to protect the data.
D. Tracing accountability is of minimal concern compared to the compromise of
sensitive data.
In the course of performing a risk analysis, an IS auditor has identified threats and
potential impacts. Next, the IS auditor should:
A. identify and assess the risk assessment process used by management.
B. identify information assets and the underlying systems.
C. disclose the threats and impacts to management.
Correct D. identify and evaluate the existing controls. - ANSWERYou are correct, the
answer is D.
A. The review of the risk assessment process should be done at the start of the risk
analysis. Because the threats and impact have already been determined, there must
already be a risk assessment process in place.
B. It would be impossible to determine impact without first having identified the
assets affected; therefore, this must already have been completed.
C. Upon completion of a risk assessment, an IS auditor should describe and discuss
with management the threats and potential impacts on the assets as well as
recommendations for addressing the risk. However, this cannot be done until the
controls have been identified and the likelihood of the threat has been calculated.
D. It is important for an IS auditor to identify and evaluate the existence and
effectiveness of existing and planned controls so that the risk level can be calculated
after the potential threats and possible impacts are identified.
The PRIMARY purpose of an IT forensic audit is:
A. to participate in investigations related to corporate fraud.
B. the systematic collection and analysis of evidence after a system irregularity.
C. to assess the correctness of an organization's financial statements.
Incorrect D. to preserve evidence of criminal activity. - ANSWERYou answered D.
The correct answer is B.
A. Forensic audits are not limited to corporate fraud.
Solutions!!
In a public key infrastructure (PKI), which of the following may be relied upon to
prove that an online transaction was authorized by a specific customer?
Correct A. Nonrepudiation
B. Encryption
C. Authentication
D. Integrity
. - ANSWERYou are correct, the answer is A.
A. Nonrepudiation, achieved through the use of digital signatures, prevents the
senders from later denying that they generated and sent the message.
B. Encryption may protect the data transmitted over the Internet, but may not prove
that the transactions were made.
C. Authentication is necessary to establish the identification of all parties to a
communication.
D. Integrity ensures that transactions are accurate but does not provide the
identification of the customer
Which of the following BEST ensures the integrity of a server's operating system
(OS)?
A. Protecting the server in a secure location
B. Setting a boot password
Correct C. Hardening the server configuration
D. Implementing activity logging - ANSWERYou are correct, the answer is C.
A. Protecting the server in a secure location is a good practice, but does not ensure
that a user will not try to exploit logical vulnerabilities and compromise the operating
system (OS).
B. Setting a boot password is a good practice, but does not ensure that a user will
not try to exploit logical vulnerabilities and compromise the OS.
,C. Hardening a system means to configure it in the most secure manner (install
latest security patches, properly define access authorization for users and
administrators, disable insecure options and uninstall unused services) to prevent
nonprivileged users from gaining the right to execute privileged instructions and,
thus, take control of the entire machine, jeopardizing the integrity of the OS.
D. Activity logging has two weaknesses in this scenario—it is a detective control (not
a preventive one), and the attacker who already gained privileged access can modify
logs or disable them.
A. Digital signatures are used for authentication and nonrepudiation, and are not
commonly used in databases. As a result, this is not an area in which the IS auditor
should investigate.
B. A nonce is defined as a "parameter that changes over time" and is similar to a
number generated to authenticate one specific user session. Nonces are not related
to database security (they are commonly used in encryption schemes).
C. A media access control (MAC) address is the hardware address of a network
interface. MAC address authentication is sometimes used with wireless local area
network (WLAN) technology, but is not related to database security.
D. When a database is opened, many of its configuration options are governed by
initialization parameters. These parameters are usually governed by a file ("init.ora"
in the case of Oracle DBMS), which contains many settings. The system initialization
parameters address many "global" database settings, including authentication,
remote access and other critical security areas. To effectively audit a database
implementation, the IS auditor must examine the database initialization parameters.
Which of the following processes will be MOST effective in reducing the risk that
unauthorized software on a backup server is distributed to the production server?
A. Manually copy files to accomplish replication.
B. Review changes in the software version control system.
Incorrect C. Ensure that developers do not have access to the backup server.
D. Review the access control log of the backup server. - ANSWERYou answered C.
The correct answer is B.
The IS auditor is reviewing an organization's human resources (HR) database
implementation. The IS auditor discovers that the database servers are clustered for
high availability, all default database accounts have been removed and database
audit logs are kept and reviewed on a weekly basis. What other area should the IS
auditor check to ensure that the databases are appropriately secured?
A. Database digital signatures
,Incorrect B. Database encryption nonces and other variables
C. Database media access control (MAC) address authentication
D. Database initialization parameters - ANSWERYou answered B. The correct
answer is D.
A. Even if replication is be conducted manually with due care, there still remains a
risk to copying unauthorized software from one server to another.
B. It is common practice for software changes to be tracked and controlled using
version control software. An IS auditor should review reports or logs from this system
to identify the software that is promoted to production. Only moving the versions on
the version control system (VCS) program will prevent the transfer of development or
earlier versions.
C. If unauthorized code was introduced onto the backup server by developers,
controls on the production server and the software version control system should
mitigate this risk.
D. Review of the access log will identify staff access or the operations performed;
however, it may not provide enough information to detect the release of unauthorized
software.
A consulting firm has created a File Transfer Protocol (FTP) site for the purpose of
receiving financial data and has communicated the site's address, user ID and
password to the financial services company in separate email messages. The
company is to transmit its data to the FTP site after manually encrypting the data.
The IS auditor's GREATEST concern with this process is that:
Correct A. the users may not remember to manually encrypt the data before
transmission.
B. the site credentials were sent to the financial services company via email.
C. personnel at the consulting firm may obtain access to sensitive data.
D. the use of a shared user ID to the FTP site does not allow for user accountability.
- ANSWERYou are correct, the answer is A.
A. If the data is not encrypted, an unauthorized external party may download
sensitive company data.
B. Even though the possibility exists that the logon information was captured from
the emails, data should be encrypted, so the theft of the data would not allow the
attacker to read it.
, C. Some of the employees at the consulting firm will have access to the sensitive
data and the consulting firm must have procedures in place to protect the data.
D. Tracing accountability is of minimal concern compared to the compromise of
sensitive data.
In the course of performing a risk analysis, an IS auditor has identified threats and
potential impacts. Next, the IS auditor should:
A. identify and assess the risk assessment process used by management.
B. identify information assets and the underlying systems.
C. disclose the threats and impacts to management.
Correct D. identify and evaluate the existing controls. - ANSWERYou are correct, the
answer is D.
A. The review of the risk assessment process should be done at the start of the risk
analysis. Because the threats and impact have already been determined, there must
already be a risk assessment process in place.
B. It would be impossible to determine impact without first having identified the
assets affected; therefore, this must already have been completed.
C. Upon completion of a risk assessment, an IS auditor should describe and discuss
with management the threats and potential impacts on the assets as well as
recommendations for addressing the risk. However, this cannot be done until the
controls have been identified and the likelihood of the threat has been calculated.
D. It is important for an IS auditor to identify and evaluate the existence and
effectiveness of existing and planned controls so that the risk level can be calculated
after the potential threats and possible impacts are identified.
The PRIMARY purpose of an IT forensic audit is:
A. to participate in investigations related to corporate fraud.
B. the systematic collection and analysis of evidence after a system irregularity.
C. to assess the correctness of an organization's financial statements.
Incorrect D. to preserve evidence of criminal activity. - ANSWERYou answered D.
The correct answer is B.
A. Forensic audits are not limited to corporate fraud.
