Ensurepass

QUESTION 641

Java applets and ActiveX controls are distributed executable programs that execute in the background of a web browser client. This practice is considered reasonable when:

A. a firewall exists.
B. a secure web connection is used.
C. the source of the executable file is certain.
D. the host web site is part of the organization.

 

Correct Answer: C

Explanation:

Acceptance of these mechanisms should be based on established trust. The control is provided only by knowing the source and then allowing the acceptance of the applets. Hostile applets can be received from anywhere. It is virtually impossible at this time to filter at this level. A secure web connection or firewall is considered an external defense. A firewall will find it more difficult to filter a specific file from a trusted source. A secure web connection provides confidentiality. Neither a secure web connection nor a firewall can identify an executable file as friendly. Hosting the web site as part of the organization is impractical. Enabling the acceptance of Java applets and/or ActiveX controls is an all-or-nothing proposition. The client will accept the program if the parameters are established to do so.

QUESTION 642

An IS auditor is performing a network security review of a telecom company that provides Internet connection services to shopping malls for their wireless customers. The company uses Wireless Transport Layer Security (WTLS) and Secure Sockets Layer (SSL) technology for protecting their customers' payment information. The IS auditor should be MOST concerned if a hacker:

A. compromises the Wireless Application Protocol (WAP) gateway.
B. installs a sniffing program in front of the server.
C. steals a customer's PDA.
D. listens to the wireless transmission.

 

Correct Answer: A

Explanation:

In a WAP gateway, the encrypted messages from customers must be decrypted to transmit over the Internet and vice versa. Therefore, if the gateway is compromised, all of the messages would be exposed. SSL protects the messages from sniffing on the Internet, limiting disclosure of the customer's information. WTLS provides authentication, privacy and integrity and protects messages from eavesdropping.

QUESTION 643

The objective of concurrency control in a database system is to:

A. restrict updating of the database to authorized users.
B. prevent integrity problems when two processes attempt to update the same data at the same time.
C. prevent inadvertent or unauthorized disclosure of data in the database.
D. ensure the accuracy, completeness and consistency of data.

 

Correct Answer: B

Explanation:

Concurrency controls prevent data integrity problems, which can arise when two update processes access the same data item at the same time. Access controls restrict updating of the database to authorized users, and controls such as passwords prevent the inadvertent or unauthorized disclosure of data from the database. Quality controls, such as edits, ensure the accuracy, completeness and consistency of data maintained in the database.

QUESTION 644

When reviewing system parameters, an IS auditor's PRIMARY concern should be that:

A. they are set to meet security and performance requirements.
B. changes are recorded in an audit trail and periodically reviewed.
C. changes are authorized and supported by appropriate documents.
D. access to parameters in the system is restricted.

 

Correct Answer: A

Explanation:

The primary concern is to find the balance between security and performance. Recording changes in an audit trail and periodically reviewing them is a detective control; however, if parameters are not set according to business rules, monitoring of changes may not be an effective control. Reviewing changes to ensure they are supported by appropriate documents is also a detective control; if parameters are set incorrectly, the related documentation and the fact that these are authorized does not reduce the impact. Restriction of access to parameters ensures that only authorized staff can access the parameters; however, if the parameters are set incorrectly, restricting access will still have an adverse impact.

QUESTION 645

To determine which users can gain access to the privileged supervisory state, which of the following should an IS auditor review?

A. System access log files
B. Enabled access control software parameters
C. Logs of access control violations
D. System configuration files for control options used

 

Correct Answer: D

Explanation:

A review of system configuration files for control options used would show which users have access to the privileged supervisory state. Both system access log files and logs of access violations are detective in nature. Access control software is run under the operating system.

QUESTION 646

During the audit of a database server, which of the following would be considered the GREATEST exposure?

A. The password does not expire on the administrator account
B. Default global security settings for the database remain unchanged
C. Old data have not been purged
D. Database activity is not fully logged

 

Correct Answer: B

Explanation:

Default security settings for the database could allow issues like blank user passwords or passwords that were the same as the username. Logging all database activity is not practical. Failure to purge old data may present a performance issue but is not an immediate security concern. Choice A is an exposure but not as serious as B.

QUESTION 647

In regard to moving an application program from the test environment to the production environment, the BEST control would be to have the:

A. application programmer copy the source program and compiled object module to the production libraries.
B. application programmer copy the source program to the production libraries and then have the production control group compile the program.
C. production control group compile the object module to the production libraries using the source program in the test environment.
D. production control group copy the source program to the production libraries and then compile the program.

 

Correct Answer: D

Explanation:

The best control would be provided by having the production control group copy the source program to the production libraries and then compile the program.

QUESTION 648

In a small organization, an employee performs computer operations and, when the situation demands, program modifications. Which of the following should the IS auditor recommend?

A. Automated logging of changes to development libraries
B. Additional staff to provide separation of duties
C. Procedures that verify that only approved program changes are implemented
D. Access controls to prevent the operator from making program modifications

 

Correct Answer: C

Explanation:

While it would be preferred that strict separation of duties be adhered to and that additional staff be recruited as suggested in choice B, this practice is not always possible in small organizations. An IS auditor must look at recommended alternative processes. Of the choices, C is the only practical one that has an impact. An IS auditor should recommend processes that detect changes to production source and object code, such as code comparisons, so the changes can be reviewed on a regular basis by a third party. This would be a compensating control process. Choice A, involving logging of changes to development libraries, would not detect changes to production libraries. Choice D is in effect requiring a third party to do the changes, which may not be practical in a small organization.

QUESTION 649

Which of the following would be considered an essential feature of a network management system?

A. A graphical interface to map the network topology
B. Capacity to interact with the Internet to solve the problems
C. Connectivity to a help desk for advice on difficult issues
D. An export facility for piping data to spreadsheets

 

Correct Answer: A

Explanation:

To trace the topology of the network, a graphical interface would be essential. It is not necessary that each network be on the Internet or connected to a help desk, while the ability to export to a spreadsheet is not an essential element.

QUESTION 650

While reviewing the IT infrastructure, an IS auditor notices that storage resources are continuously being added. The IS auditor should:

A. recommend the use of disk mirroring.
B. review the adequacy of offsite storage.
C. review the capacity management process.
D. recommend the use of a compression algorithm.

 

Correct Answer: C

Explanation:

Capacity management is the planning and monitoring of computer resources to ensure that available IT resources are used efficiently and effectively. Business criticality must be considered before recommending a disk mirroring solution, and offsite storage is unrelated to the problem. Though data compression may save disk space, it could affect system performance.

Free VCE & PDF File for Isaca CISA Real Exam