Last Updated on December 13, 2021 by Admin 3

CISA : Certified Information Systems Auditor : Part 113

  1. The drives of a file server are backed up at a hot site. Which of the following is the BEST way to duplicate the files stored on the server for forensic analysis?

    • Capture a bit-by-bit image of the file server’s drives.
    • Run forensic analysis software on the backup drive.
    • Create a logical copy of the file server’s drives.
    • Replicate the server’s volatile data to another drive.
    Explanation:

    A bit-by-bit (physical) image reproduces every sector of the drives, including unallocated space and file slack where deleted or hidden data may still remain, and its hash can be verified against the source. A logical copy, or the hot-site backup, reproduces only the files the file system currently lists, and volatile data alone is not a duplicate of the drives at all, so none of the other options gives a complete, verifiable copy for forensic analysis.
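    The difference between a logical copy and a bit-by-bit image, shown on a constructed in-memory "disk". This is an added example, not part of the original question or the CISA manual; the toy directory layout, sector size, file names and contents are all assumptions made for illustration. The deleted file and the residue in slack space survive only in the sector-level image, and the hash recorded at imaging time lets the copy be verified later.

```python
"""Added example: why a forensic duplicate must be a bit-by-bit image.

Everything here is constructed for illustration. The "disk" is a bytearray
with a toy directory table in sector 0: each entry is (name, start sector,
length). Two files are live, one was deleted (its directory entry cleared
but its sectors untouched), and one live file overwrote an older, longer
file, leaving residue in its slack space.
"""
import hashlib
import struct

SECTOR = 64          # toy sector size in bytes (real disks use 512 or 4096)
N_SECTORS = 16
DIR_ENTRIES = 4      # sector 0 holds the directory table
ENTRY = struct.Struct("<8sII")   # 8-byte name, start sector, length -> 16 bytes


def make_disk() -> bytearray:
    """Build the constructed disk used by the rest of the example."""
    disk = bytearray(N_SECTORS * SECTOR)
    # residue from an earlier, longer file that occupied sector 2
    old = b"old admin password: Winter2021!"
    disk[2 * SECTOR:2 * SECTOR + len(old)] = old
    live = [(b"notes", 2, b"quarterly numbers\n"),
            (b"memo", 4, b"meeting moved to 3pm\n")]
    deleted = (b"secret", 8, b"wire $50k to acct 9876 before audit\n")
    for _, start, data in live + [deleted]:
        disk[start * SECTOR:start * SECTOR + len(data)] = data
    # only the live files get a directory entry; the deleted one has none
    for i, (name, start, data) in enumerate(live):
        ENTRY.pack_into(disk, i * ENTRY.size, name, start, len(data))
    return disk


def list_directory(media):
    """Return (name, start_sector, length) for every non-empty entry."""
    entries = []
    for i in range(DIR_ENTRIES):
        name, start, length = ENTRY.unpack_from(media, i * ENTRY.size)
        if length:
            entries.append((name.rstrip(b"\0"), start, length))
    return entries


def logical_copy(disk):
    """File-level copy (what a backup or 'copy the files' produces):
    only the bytes the directory says belong to live files."""
    return {name: bytes(disk[s * SECTOR:s * SECTOR + n])
            for name, s, n in list_directory(disk)}


def bit_image(disk):
    """Sector-by-sector duplicate plus a hash of the source medium, the
    equivalent of imaging with dd and recording sha256sum of the device."""
    image = bytes(disk)
    return image, hashlib.sha256(disk).hexdigest()


def verify_image(image, source_hash):
    """Chain-of-custody check: the image hashes to the same value as the source."""
    return hashlib.sha256(image).hexdigest() == source_hash


def carve_unallocated(image):
    """Non-zero data in sectors that no directory entry claims (deleted files)."""
    used = {0}
    for _, s, n in list_directory(image):
        used.update(range(s, s + (n + SECTOR - 1) // SECTOR))
    found = []
    for sec in range(N_SECTORS):
        if sec in used:
            continue
        chunk = image[sec * SECTOR:(sec + 1) * SECTOR].rstrip(b"\0")
        if chunk:
            found.append((sec, chunk))
    return found


def file_slack(image):
    """Bytes between each live file's logical end and the end of its last sector."""
    slack = {}
    for name, s, n in list_directory(image):
        end = s * SECTOR + n
        sector_end = (s + (n + SECTOR - 1) // SECTOR) * SECTOR
        tail = image[end:sector_end].rstrip(b"\0")
        if tail:
            slack[name] = tail
    return slack


if __name__ == "__main__":
    disk = make_disk()
    image, source_hash = bit_image(disk)
    print("image verified:", verify_image(image, source_hash))
    print("logical copy sees:", sorted(logical_copy(disk)))
    print("unallocated residue:", carve_unallocated(image))
    print("slack residue:", file_slack(image))
```

    On a real drive the same two steps are an imaging tool such as dd (for example dd if=/dev/sdb of=evidence.dd bs=4M conv=noerror,sync, ideally through a hardware write blocker) followed by sha256sum of both the device and the image file; the logical copy in the example corresponds to what the hot-site backup holds.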
  2. Which of the following statements is NOT true about Voice-over IP (VoIP)?

    • VoIP uses circuit switching technology
    • Lower cost per call or even free calls, especially for long distance call
    • Lower infrastructure cost
    • VoIP is a technology where voice traffic is carried on top of existing data infrastructure

    Explanation:

    NOT is the keyword in the question: you need to find the statement about VoIP that is not valid. VoIP uses packet switching, not circuit switching.

    For your exam you should know the following about VoIP:

    Voice-over IP
    IP telephony, or Internet telephony, is the technology that makes it possible to have a voice conversation over the Internet or over any dedicated IP network instead of over dedicated transmission lines. The protocols used to carry the signal over the IP network are commonly referred to as Voice-over IP (VoIP). VoIP is a technology where voice traffic is carried on top of existing data infrastructure: sound is digitized into IP packets and transferred through the network before being decoded back into the original voice.

    VoIP eliminates circuit switching and its associated waste of bandwidth. Instead, packet switching is used: IP packets carrying voice data are sent over the network only when there is data to send.

    It has advantages over traditional telephony:

    Unlike traditional telephony, VoIP innovation progresses at market rates rather than at the pace of the multilateral committee process of the International Telecommunication Union (ITU).

    Lower cost per call, or even free calls, especially for long-distance calls.

    Lower infrastructure costs: once IP infrastructure is installed, little or no additional telephony infrastructure is needed.

    VoIP Security Issues
    With the introduction of VoIP the need for security becomes more important, because two assets now have to be protected: the data and the voice.

    Protecting the confidentiality of conversations is now vital. In VoIP, packets are sent over the network from the user’s computer or VoIP phone to similar equipment at the other end. The packets may pass through several intermediate systems that are not under the control of the user’s ISP, and the current Internet architecture does not provide the same physical-wire security as a phone line.

    A further concern with a VoIP solution is availability. With traditional telephones, if the data system is disrupted the organization’s sites can still be reached by telephone; with VoIP a data outage takes the telephones down as well. A backup communication facility should therefore be planned for if the availability of communication is vital to the organization.
    Another issue is that IP telephones and their supporting equipment require the same care and maintenance as computer systems do.
    To enhance the protection of the telephone system and of data traffic, the VoIP infrastructure should be segregated from the data network using virtual local area networks (VLANs).
    In many cases session border controllers (SBCs) are used to provide security features for VoIP traffic similar to those a firewall provides for data traffic.

    The following were incorrect answers:

    Lower cost per call or even free calls, especially for long distance call – This is a valid statement about VoIP; in fact it is an advantage of VoIP.

    Lower infrastructure cost – This is a valid statement and an advantage of VoIP compared with a traditional telephony system.

    VoIP is a technology where voice traffic is carried on top of existing data infrastructure – This is also a valid statement about VoIP.

    Reference:
    CISA review manual 2014 Page number 355

  3. A Private Branch Exchange (PBX) environment involves many security risks, presented by people both internal and external to an organization. Which of the following risks are NOT associated with a Private Branch Exchange?

    1. Theft of service
    2. Disclosure of information
    3. Data Modifications
    4. Denial of service
    5. Traffic Analysis

    • 3 and 4
    • 4 and 5
    • 1-4
    • They are ALL risks associated with PBX
    Explanation:

    NOT is the keyword in the question: you need to identify the risks that are NOT associated with a PBX. All of the risks listed in the options are associated with a PBX.

    The threats to a PBX telephone system are many, depending on the goals of the attacker, and include:

    Theft of service – Toll fraud, probably the most common motive for an attacker.

    Disclosure of information – Data disclosed without authorization, either by deliberate action or by accident. Examples include eavesdropping on conversations and unauthorized access to routing and address data.

    Data modification – Data altered in some meaningful way by recording, deleting or modifying it. For example, an intruder may change billing information or modify system tables to gain additional services.

    Unauthorized access – Actions that permit an unauthorized user to gain access to system resources or privileges.

    Denial of service – Actions that prevent the system from functioning in accordance with its intended purpose. A piece of equipment or an entity may be rendered inoperable or forced to operate in a degraded state; operations that depend on timeliness may be delayed.

    Traffic analysis – A form of passive attack in which an intruder observes information about calls and makes inferences, e.g. from the source and destination numbers or the frequency and length of calls. For example, an intruder observes a high volume of calls between a company’s legal department and the patent office and concludes that a patent is being filed.

    The following were incorrect answers:

    All of the risks presented in the options are associated with a PBX, so the other options are not valid.

    Reference:
    CISA review manual 2014 Page number 356

  4. Which of the following is a sophisticated computer based switch that can be thought of as essentially a small in-house phone company for the organization?

    • Private Branch Exchange
    • Virtual Local Area Network
    • Voice over IP
    • Dial-up connection
    Explanation:

    A Private Branch Exchange (PBX) is a sophisticated computer-based switch that can be thought of as essentially a small in-house phone company for the organization that operates it. Protection of the PBX is thus a high priority. Failure to secure the PBX can expose the organization to toll fraud, theft of proprietary or confidential information, loss of revenue or legal entanglements.
    A PBX environment involves many security risks, presented by people both internal and external to an organization. The threats to a PBX telephone system are many, depending on the goals of the attacker, and include:

    Theft of service – Toll fraud, probably the most common motive for an attacker.

    Disclosure of information – Data disclosed without authorization, either by deliberate action or by accident. Examples include eavesdropping on conversations and unauthorized access to routing and address data.

    Data modification – Data altered in some meaningful way by recording, deleting or modifying it. For example, an intruder may change billing information or modify system tables to gain additional services.

    Unauthorized access – Actions that permit an unauthorized user to gain access to system resources or privileges.

    Denial of service – Actions that prevent the system from functioning in accordance with its intended purpose. A piece of equipment or an entity may be rendered inoperable or forced to operate in a degraded state; operations that depend on timeliness may be delayed.

    Traffic analysis – A form of passive attack in which an intruder observes information about calls and makes inferences, e.g. from the source and destination numbers or the frequency and length of calls. For example, an intruder observes a high volume of calls between a company’s legal department and the patent office and concludes that a patent is being filed.

    The following were incorrect answers:

    Virtual Local Area Network – A virtual local area network (VLAN) is a logical group of workstations, servers and network devices that appear to be on the same LAN despite their geographical distribution. A VLAN allows a network of computers and users to communicate as if they were on a single LAN sharing a single broadcast and multicast domain. VLANs are implemented to achieve scalability, security and ease of network management, and can quickly adapt to changes in network requirements and to the relocation of workstations and server nodes.

    Voice over IP – VoIP is a technology where voice traffic is carried on top of existing data infrastructure. Sound is digitized into IP packets and transferred through the network before being decoded back into the original voice.

    Dial-up connection – Dial-up refers to an Internet connection that is established using a modem. The modem connects the computer to standard phone lines, which serve as the data transfer medium. When a user initiates a dial-up connection, the modem dials a phone number of an Internet Service Provider (ISP) that is designated to receive dial-up calls. The ISP then establishes the connection, which usually takes about ten seconds and is accompanied by several beeping and buzzing sounds.

    Reference:

    CISA review manual 2014 Page number 356

  5. Which of the following PBX features provides the possibility to break into a busy line to inform another user of an important message?

    • Account Codes
    • Access Codes
    • Override
    • Tenanting
    Explanation:

    The override (intrude) feature of a PBX provides the possibility to break into a busy line to inform another user of an important message.

    For the CISA exam you should know the PBX features and risks listed below:

    System feature / Description / Risk

    Automatic call distribution
    Description: Allows a PBX to be configured so that incoming calls are distributed to the next available agent or placed on hold until one becomes available.
    Risk: Tapping and control of traffic.

    Call forwarding
    Description: Allows an alternate number to be specified to which calls are forwarded under certain conditions.
    Risk: User tracking.

    Account codes
    Description: Used to track calls made by certain people or for certain projects for appropriate billing; for dial-in system access (a user dials in from outside and gains access to the normal features of the PBX); and for changing a user’s class of service so that the user can access a different set of features (e.g. the override feature).
    Risk: Fraud, user tracking, unauthorized features.

    Access codes
    Description: Keys for access to specific features by users with simple instruments, i.e. traditional analog phones.
    Risk: Unauthorized features.

    Silent monitoring
    Description: Silently monitors other calls.
    Risk: Eavesdropping.

    Conferencing
    Description: Allows for conversation among several users.
    Risk: Eavesdropping, by adding unwanted or unknown parties to a conference.

    Override (intrude)
    Description: Provides the possibility to break into a busy line to inform another user of an important message.
    Risk: Eavesdropping.

    Auto-answer
    Description: Allows an instrument to automatically go off-hook when called; usually gives an audible or visible warning, which can easily be turned off.
    Risk: Gaining information not normally available, for various purposes.

    Tenanting
    Description: Limits system user access to only those users who belong to the same tenant group; useful when one company leases out part of its building to other companies and the tenants share an attendant, trunk lines, etc.
    Risk: Illegal usage, fraud, eavesdropping.

    Voice mail
    Description: Stores messages centrally and, by using a password, allows for retrieval from inside or outside lines.
    Risk: Disclosure or destruction of all of a user’s messages when that user’s password is known or discovered by an intruder; disabling of the voice mail system, and even the entire switch, by lengthy messages or embedded codes; illegal access to external lines.

    Privacy release
    Description: Supports shared extensions among several devices, ensuring that only one device at a time can use an extension. Privacy release disables this protection by allowing devices to connect to an extension already in use.
    Risk: Eavesdropping.

    No busy extension
    Description: Allows calls to an in-use extension to be added to a conference when that extension is on a conference and already off-hook.
    Risk: Eavesdropping on a conference in progress.

    Diagnostics
    Description: Allows normal call restriction procedures to be bypassed. This kind of diagnostic is sometimes available from any connected device; it is a separate feature, in addition to the normal maintenance terminal or attendant diagnostics.
    Risk: Fraud and illegal usage.

    Camp-on or call waiting
    Description: When activated, sends a visual or audible warning to an off-hook instrument that is receiving another call. Another option of this feature is to conference with the camped-on or waiting call.
    Risk: Making the called individual a party to a conference without their knowing it.

    Dedicated connections
    Description: Connections made through the PBX without using the normal dialing sequences. Can be used to create hot lines between devices, i.e. one rings when the other goes off-hook; also used for data connections between devices and the central processing facility.
    Risk: Eavesdropping on a line.

    The following were incorrect answers:

    Account codes – Used to track calls made by certain people or for certain projects for appropriate billing; for dial-in system access (a user dials in from outside and gains access to the normal features of the PBX); and for changing a user’s class of service so that the user can access a different set of features (e.g. the override feature).

    Access codes – Keys for access to specific features by users with simple instruments, i.e. traditional analog phones.

    Tenanting – Limits system user access to only those users who belong to the same tenant group; useful when one company leases out part of its building to other companies and the tenants share an attendant, trunk lines, etc.

    Reference:

    CISA review manual 2014 Page number 358

  6. Which of the following PBX features allows a PBX to be configured so that incoming calls are distributed to the next available agent or placed on hold until one becomes available?

    • Automatic Call distribution
    • Call forwarding
    • Tenanting
    • Voice mail
    Explanation:

    Automatic call distribution allows a PBX to be configured so that incoming calls are distributed to the next available agent or placed on hold until one becomes available.

    For your exam you should know the PBX features and risks listed below:

    System feature / Description / Risk

    Automatic call distribution
    Description: Allows a PBX to be configured so that incoming calls are distributed to the next available agent or placed on hold until one becomes available.
    Risk: Tapping and control of traffic.

    Call forwarding
    Description: Allows an alternate number to be specified to which calls are forwarded under certain conditions.
    Risk: User tracking.

    Account codes
    Description: Used to track calls made by certain people or for certain projects for appropriate billing; for dial-in system access (a user dials in from outside and gains access to the normal features of the PBX); and for changing a user’s class of service so that the user can access a different set of features (e.g. the override feature).
    Risk: Fraud, user tracking, unauthorized features.

    Access codes
    Description: Keys for access to specific features by users with simple instruments, i.e. traditional analog phones.
    Risk: Unauthorized features.

    Silent monitoring
    Description: Silently monitors other calls.
    Risk: Eavesdropping.

    Conferencing
    Description: Allows for conversation among several users.
    Risk: Eavesdropping, by adding unwanted or unknown parties to a conference.

    Override (intrude)
    Description: Provides the possibility to break into a busy line to inform another user of an important message.
    Risk: Eavesdropping.

    Auto-answer
    Description: Allows an instrument to automatically go off-hook when called; usually gives an audible or visible warning, which can easily be turned off.
    Risk: Gaining information not normally available, for various purposes.

    Tenanting
    Description: Limits system user access to only those users who belong to the same tenant group; useful when one company leases out part of its building to other companies and the tenants share an attendant, trunk lines, etc.
    Risk: Illegal usage, fraud, eavesdropping.

    Voice mail
    Description: Stores messages centrally and, by using a password, allows for retrieval from inside or outside lines.
    Risk: Disclosure or destruction of all of a user’s messages when that user’s password is known or discovered by an intruder; disabling of the voice mail system, and even the entire switch, by lengthy messages or embedded codes; illegal access to external lines.

    Privacy release
    Description: Supports shared extensions among several devices, ensuring that only one device at a time can use an extension. Privacy release disables this protection by allowing devices to connect to an extension already in use.
    Risk: Eavesdropping.

    No busy extension
    Description: Allows calls to an in-use extension to be added to a conference when that extension is on a conference and already off-hook.
    Risk: Eavesdropping on a conference in progress.

    Diagnostics
    Description: Allows normal call restriction procedures to be bypassed. This kind of diagnostic is sometimes available from any connected device; it is a separate feature, in addition to the normal maintenance terminal or attendant diagnostics.
    Risk: Fraud and illegal usage.

    Camp-on or call waiting
    Description: When activated, sends a visual or audible warning to an off-hook instrument that is receiving another call. Another option of this feature is to conference with the camped-on or waiting call.
    Risk: Making the called individual a party to a conference without their knowing it.

    Dedicated connections
    Description: Connections made through the PBX without using the normal dialing sequences. Can be used to create hot lines between devices, i.e. one rings when the other goes off-hook; also used for data connections between devices and the central processing facility.
    Risk: Eavesdropping on a line.

    The following were incorrect answers:

    Call forwarding – Allows an alternate number to be specified to which calls are forwarded under certain conditions.

    Tenanting – Limits system user access to only those users who belong to the same tenant group; useful when one company leases out part of its building to other companies and the tenants share an attendant, trunk lines, etc.

    Voice mail – Stores messages centrally and, by using a password, allows for retrieval from inside or outside lines.

    Reference:
    CISA review manual 2014 Page number 358

  7. Which of the following PBX features supports shared extensions among several devices, ensuring that only one device at a time can use an extension?

    • Call forwarding
    • Privacy release
    • Tenanting
    • Voice mail
    Explanation:

    Privacy release supports shared extensions among several devices, ensuring that only one device at a time can use an extension (and, when released, lets another device join an extension already in use).

    For your exam you should know the PBX features and risks listed below:

    System feature / Description / Risk

    Automatic call distribution
    Description: Allows a PBX to be configured so that incoming calls are distributed to the next available agent or placed on hold until one becomes available.
    Risk: Tapping and control of traffic.

    Call forwarding
    Description: Allows an alternate number to be specified to which calls are forwarded under certain conditions.
    Risk: User tracking.

    Account codes
    Description: Used to track calls made by certain people or for certain projects for appropriate billing; for dial-in system access (a user dials in from outside and gains access to the normal features of the PBX); and for changing a user’s class of service so that the user can access a different set of features (e.g. the override feature).
    Risk: Fraud, user tracking, unauthorized features.

    Access codes
    Description: Keys for access to specific features by users with simple instruments, i.e. traditional analog phones.
    Risk: Unauthorized features.

    Silent monitoring
    Description: Silently monitors other calls.
    Risk: Eavesdropping.

    Conferencing
    Description: Allows for conversation among several users.
    Risk: Eavesdropping, by adding unwanted or unknown parties to a conference.

    Override (intrude)
    Description: Provides the possibility to break into a busy line to inform another user of an important message.
    Risk: Eavesdropping.

    Auto-answer
    Description: Allows an instrument to automatically go off-hook when called; usually gives an audible or visible warning, which can easily be turned off.
    Risk: Gaining information not normally available, for various purposes.

    Tenanting
    Description: Limits system user access to only those users who belong to the same tenant group; useful when one company leases out part of its building to other companies and the tenants share an attendant, trunk lines, etc.
    Risk: Illegal usage, fraud, eavesdropping.

    Voice mail
    Description: Stores messages centrally and, by using a password, allows for retrieval from inside or outside lines.
    Risk: Disclosure or destruction of all of a user’s messages when that user’s password is known or discovered by an intruder; disabling of the voice mail system, and even the entire switch, by lengthy messages or embedded codes; illegal access to external lines.

    Privacy release
    Description: Supports shared extensions among several devices, ensuring that only one device at a time can use an extension. Privacy release disables this protection by allowing devices to connect to an extension already in use.
    Risk: Eavesdropping.

    No busy extension
    Description: Allows calls to an in-use extension to be added to a conference when that extension is on a conference and already off-hook.
    Risk: Eavesdropping on a conference in progress.

    Diagnostics
    Description: Allows normal call restriction procedures to be bypassed. This kind of diagnostic is sometimes available from any connected device; it is a separate feature, in addition to the normal maintenance terminal or attendant diagnostics.
    Risk: Fraud and illegal usage.

    Camp-on or call waiting
    Description: When activated, sends a visual or audible warning to an off-hook instrument that is receiving another call. Another option of this feature is to conference with the camped-on or waiting call.
    Risk: Making the called individual a party to a conference without their knowing it.

    Dedicated connections
    Description: Connections made through the PBX without using the normal dialing sequences. Can be used to create hot lines between devices, i.e. one rings when the other goes off-hook; also used for data connections between devices and the central processing facility.
    Risk: Eavesdropping on a line.

    The following were incorrect answers:

    Call forwarding – Allows an alternate number to be specified to which calls are forwarded under certain conditions.

    Tenanting – Limits system user access to only those users who belong to the same tenant group; useful when one company leases out part of its building to other companies and the tenants share an attendant, trunk lines, etc.

    Voice mail – Stores messages centrally and, by using a password, allows for retrieval from inside or outside lines.

    Reference:

    CISA review manual 2014 Page number 358

  8. Which of the following options INCORRECTLY describes a PBX feature?

    • Voice mail – Stores messages centrally and, by using a password, allows for retrieval from inside or outside lines.
    • Tenanting – Provides the possibility to break into a busy line to inform another user of an important message.
    • Automatic call distribution – Allows a PBX to be configured so that incoming calls are distributed to the next available agent or placed on hold until one becomes available.
    • Diagnostics – Allows normal call restriction procedures to be bypassed.
    Explanation:

    INCORRECTLY is the keyword in the question: you need to find the incorrectly described PBX feature among the options. Tenanting is described incorrectly; the description given is that of the override (intrude) feature.

    Tenanting limits system user access to only those users who belong to the same tenant group; it is useful when one company leases out part of its building to other companies and the tenants share an attendant, trunk lines, etc.

    For your exam you should know the PBX features and risks listed below:

    System feature / Description / Risk

    Automatic call distribution
    Description: Allows a PBX to be configured so that incoming calls are distributed to the next available agent or placed on hold until one becomes available.
    Risk: Tapping and control of traffic.

    Call forwarding
    Description: Allows an alternate number to be specified to which calls are forwarded under certain conditions.
    Risk: User tracking.

    Account codes
    Description: Used to track calls made by certain people or for certain projects for appropriate billing; for dial-in system access (a user dials in from outside and gains access to the normal features of the PBX); and for changing a user’s class of service so that the user can access a different set of features (e.g. the override feature).
    Risk: Fraud, user tracking, unauthorized features.

    Access codes
    Description: Keys for access to specific features by users with simple instruments, i.e. traditional analog phones.
    Risk: Unauthorized features.

    Silent monitoring
    Description: Silently monitors other calls.
    Risk: Eavesdropping.

    Conferencing
    Description: Allows for conversation among several users.
    Risk: Eavesdropping, by adding unwanted or unknown parties to a conference.

    Override (intrude)
    Description: Provides the possibility to break into a busy line to inform another user of an important message.
    Risk: Eavesdropping.

    Auto-answer
    Description: Allows an instrument to automatically go off-hook when called; usually gives an audible or visible warning, which can easily be turned off.
    Risk: Gaining information not normally available, for various purposes.

    Tenanting
    Description: Limits system user access to only those users who belong to the same tenant group; useful when one company leases out part of its building to other companies and the tenants share an attendant, trunk lines, etc.
    Risk: Illegal usage, fraud, eavesdropping.

    Voice mail
    Description: Stores messages centrally and, by using a password, allows for retrieval from inside or outside lines.
    Risk: Disclosure or destruction of all of a user’s messages when that user’s password is known or discovered by an intruder; disabling of the voice mail system, and even the entire switch, by lengthy messages or embedded codes; illegal access to external lines.

    Privacy release
    Description: Supports shared extensions among several devices, ensuring that only one device at a time can use an extension. Privacy release disables this protection by allowing devices to connect to an extension already in use.
    Risk: Eavesdropping.

    No busy extension
    Description: Allows calls to an in-use extension to be added to a conference when that extension is on a conference and already off-hook.
    Risk: Eavesdropping on a conference in progress.

    Diagnostics
    Description: Allows normal call restriction procedures to be bypassed. This kind of diagnostic is sometimes available from any connected device; it is a separate feature, in addition to the normal maintenance terminal or attendant diagnostics.
    Risk: Fraud and illegal usage.

    Camp-on or call waiting
    Description: When activated, sends a visual or audible warning to an off-hook instrument that is receiving another call. Another option of this feature is to conference with the camped-on or waiting call.
    Risk: Making the called individual a party to a conference without their knowing it.

    Dedicated connections
    Description: Connections made through the PBX without using the normal dialing sequences. Can be used to create hot lines between devices, i.e. one rings when the other goes off-hook; also used for data connections between devices and the central processing facility.
    Risk: Eavesdropping on a line.

    The following were incorrect answers:
    The other options correctly describe PBX features and are thus not the right choice.

    Reference:
    CISA review manual 2014 Page number 358

  9. Which of the following techniques is NOT used by a phreaker against a Private Branch Exchange (PBX)?

    • Eavesdropping
    • Illegal call forwarding
    • Forwarding a user to an unused or disabled number
    • SYN Flood
    Explanation:

    NOT is the keyword in the question: you need to find the technique that a phreaker does not use to exploit a PBX.

    SYN flood – Sends a flood of TCP SYN packets with forged sender addresses, causing half-open connections that saturate the available connection capacity on the target machine. It is a TCP/IP denial-of-service technique against a network host, not one of the techniques used to abuse a PBX.

    For the CISA exam you should know the following techniques used by phreakers to abuse a PBX:

    Eavesdropping on a conversation without the other parties being aware of it
    Eavesdropping on a conference call
    Illegally forwarding calls from specific equipment to remote numbers
    Forwarding a user to an unused or disabled number, thereby making the user unreachable by external calls

    The following were incorrect answers:

    The other options correctly describe techniques used by phreakers to abuse a PBX.

    Reference:
    CISA review manual 2014 Page number 357
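    Detection logic for the PBX threats listed under questions 3 and 4 (theft of service, traffic analysis) and the phreaker techniques listed above (illegal call forwarding, forwarding a user to an unused or disabled number), run over a constructed log. This is an added example, not part of the original questions or of any PBX vendor’s software: the syslog-style CALL and CFG records, the extension directory, the home country code, the business hours and the alert thresholds are all assumptions made for the example. A real PBX emits vendor-specific call detail records (CDRs) and audit events, so the parser is the part that would need adapting; the checks themselves are the ones an auditor would ask for.

```python
"""Added example: detection logic over constructed PBX logs.

Sample records, extension directory, home country code and thresholds are
all assumptions made for this example; real PBXs emit vendor-specific CDR
and audit formats, so the parser is the part to adapt.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample: call detail records (CALL) and configuration audit
# events (CFG) in one syslog-style stream. Times are local; dur is seconds.
SAMPLE_LOG = """\
2021-12-10T09:02:11 CALL ext=2041 dest=2077 dur=240
2021-12-10T09:40:00 CALL ext=2041 dest=+18005551234 dur=600
2021-12-10T10:15:00 CALL ext=2110 dest=+12025550147 dur=1800
2021-12-10T11:30:00 CALL ext=2110 dest=+12025550147 dur=2400
2021-12-10T14:05:00 CALL ext=2110 dest=+12025550147 dur=3000
2021-12-11T02:10:00 CFG ext=2041 action=call_forward target=+2348012345678 by=2041
2021-12-11T02:14:07 CALL ext=2041 dest=+2348012345678 dur=1820
2021-12-11T02:48:30 CALL ext=2041 dest=+2348012345678 dur=2400
2021-12-11T03:20:10 CALL ext=2041 dest=+2348012345678 dur=2700
2021-12-11T09:15:00 CFG ext=2100 action=call_forward target=2999 by=2077
"""

ACTIVE_EXTENSIONS = {"2041", "2077", "2100", "2110"}   # assumed directory
DISABLED_EXTENSIONS = {"2999"}                          # assumed
BUSINESS_HOURS = range(8, 19)                           # 08:00 to 18:59, assumed
HOME_COUNTRY = "+1"                                     # assumed
INTL_MINUTES_ALERT = 60                                 # per extension per day, assumed

LINE = re.compile(r"^(\S+) (CALL|CFG) (.*)$")


def parse(log):
    """Turn the sample stream into a list of dicts with a parsed timestamp."""
    events = []
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts, kind, rest = m.groups()
        ev = dict(kv.split("=", 1) for kv in rest.split())
        ev["kind"] = kind
        ev["ts"] = datetime.fromisoformat(ts)
        events.append(ev)
    return events


def is_external(number):
    """Trunk egress: numbers in +E.164 form leave the PBX."""
    return number.startswith("+")


def is_international(number):
    return is_external(number) and not number.startswith(HOME_COUNTRY)


def toll_fraud_alerts(events):
    """Theft of service: international calls outside business hours, or more
    international minutes from one extension in a day than the threshold."""
    alerts = []
    minutes = Counter()
    for e in events:
        if e["kind"] != "CALL" or not is_international(e["dest"]):
            continue
        if e["ts"].hour not in BUSINESS_HOURS:
            alerts.append(("after_hours_international", e["ext"], e["dest"]))
        minutes[(e["ext"], e["ts"].date())] += int(e["dur"]) / 60
    for (ext, _day), mins in minutes.items():
        if mins > INTL_MINUTES_ALERT:
            alerts.append(("international_minutes", ext, round(mins)))
    return alerts


def forwarding_alerts(events):
    """Illegal call forwarding: a forward set on someone else's extension,
    a forward whose target leaves the PBX, or a forward that parks the user
    on an unused or disabled number so external callers cannot reach them."""
    alerts = []
    for e in events:
        if e["kind"] != "CFG" or e.get("action") != "call_forward":
            continue
        if e["by"] != e["ext"]:
            alerts.append(("forward_set_by_other", e["ext"], e["by"]))
        if is_external(e["target"]):
            alerts.append(("forward_to_external", e["ext"], e["target"]))
        elif e["target"] in DISABLED_EXTENSIONS or e["target"] not in ACTIVE_EXTENSIONS:
            alerts.append(("forward_to_unused_or_disabled", e["ext"], e["target"]))
    return alerts


def traffic_analysis(events):
    """What a passive observer infers from metadata alone: the busiest
    (extension, destination) pair and its total talk time in seconds. In the
    constructed sample, extension 2110 (standing in for the legal department)
    and +12025550147 (standing in for the patent office) dominate even though
    no call content is ever seen."""
    talk = defaultdict(int)
    for e in events:
        if e["kind"] == "CALL":
            talk[(e["ext"], e["dest"])] += int(e["dur"])
    pair, seconds = max(talk.items(), key=lambda kv: kv[1])
    return pair, seconds


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    for a in toll_fraud_alerts(evs) + forwarding_alerts(evs):
        print("ALERT", *a)
    print("busiest pair:", traffic_analysis(evs))
```

    The forwarding check is deliberately run on the configuration audit trail rather than on the calls: by the time the after-hours international calls from extension 2041 show up in the CDRs, the forward that enabled them has been in place for minutes, and a forward to a disabled number (extension 2100 to 2999) never produces a completed call at all. The traffic-analysis function is the attacker’s view, included to show that a CDR feed is itself sensitive data and needs the same access control as the switch.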

  10. Who is primarily responsible for storing and safeguarding the data?

    • Data Owner
    • Data User
    • Data Steward
    • Security Administrator
    Explanation:

    The data steward, or data custodian, is responsible for storing and safeguarding the data; this role includes IS personnel such as systems analysts and computer operators.

    For the CISA exam you should know the following roles in an organization:

    Data owners – Generally managers and directors responsible for using information to run and control the business. Their security responsibilities include authorizing access, ensuring that access rules are updated when personnel changes occur, and regularly reviewing the access rules for the data for which they are responsible.

    Data custodians or data stewards – Responsible for storing and safeguarding the data; this role includes IS personnel such as systems analysts and computer operators.

    Security administrator – Responsible for providing adequate physical and logical security for IS programs, data and equipment.

    Data users – The internal and external user community who are the actual users of computerized data. Their level of access to the computer should be authorized by the data owners, and restricted and monitored by the security administrator.

    The following were incorrect answers:

    Data owner – Generally managers and directors responsible for using information to run and control the business.

    Data users – The internal and external user community who are the actual users of computerized data.

    Security administrator – Responsible for providing adequate physical and logical security for IS programs, data and equipment.

    Reference:
    CISA review manual 2014 Page number 361

  11. Who is responsible for providing adequate physical and logical security for IS program, data and equipment?

    • Data Owner
    • Data User
    • Data Custodian
    • Security Administrator
    Explanation:

    The security administrator is responsible for providing adequate physical and logical security for IS programs, data and equipment.

    For the CISA exam you should know the following roles in an organization:

    Data owners – Generally managers and directors responsible for using information to run and control the business. Their security responsibilities include authorizing access, ensuring that access rules are updated when personnel changes occur, and regularly reviewing the access rules for the data for which they are responsible.

    Data custodians or data stewards – Responsible for storing and safeguarding the data; this role includes IS personnel such as systems analysts and computer operators.

    Security administrator – Responsible for providing adequate physical and logical security for IS programs, data and equipment.

    Data users – The internal and external user community who are the actual users of computerized data. Their level of access to the computer should be authorized by the data owners, and restricted and monitored by the security administrator.

    The following were incorrect answers:

    Data owner – Generally managers and directors responsible for using information to run and control the business.
    Data users – The internal and external user community who are the actual users of computerized data.
    Data custodian – Responsible for storing and safeguarding the data; this role includes IS personnel such as systems analysts and computer operators.

    Reference:
    CISA review manual 2014 Page number 361

  12. Who is responsible for restricting and monitoring access of a data user?

    • Data Owner
    • Data User
    • Data Custodian
    • Security Administrator
    Explanation:

    The security administrator restricts and monitors the access of data users, and is responsible for providing adequate physical and logical security for IS programs, data and equipment.

    For the CISA exam you should know the following roles in an organization:

    Data Owners – These people are generally managers and directors responsible for using information for running and controlling the business. Their security responsibilities include authorizing access, ensuring that access rules are updated when personnel changes occur, and regularly reviewing the access rules for the data for which they are responsible.

    Data Custodian or Data Steward – These people are responsible for storing and safeguarding the data, and include IS personnel such as systems analysts and computer operators.

    Security Administrator – The security administrator is responsible for providing adequate physical and logical security for IS programs, data and equipment.

    Data Users – Data users, including the internal and external user community, are the actual users of computerized data. Their level of access to the computer should be authorized by the data owners, and restricted and monitored by the security administrator.

    The following were incorrect answers:

    Data Owner – These people are generally managers and directors responsible for using information for running and controlling the business.

    Data Users – Data users, including the internal and external user community, are the actual users of computerized data.

    Data Custodian – The data custodian is responsible for storing and safeguarding the data; this role includes IS personnel such as systems analysts and computer operators.

    Reference:
    CISA review manual 2014 Page number 361

  13. Who is responsible for authorizing access level of a data user?

    • Data Owner
    • Data User
    • Data Custodian
    • Security Administrator
    Explanation:

    Data owners are responsible for authorizing the access level of a data user. They are generally managers and directors responsible for using information for running and controlling the business. Their security responsibilities include authorizing access, ensuring that access rules are updated when personnel changes occur, and regularly reviewing the access rules for the data for which they are responsible.

    For your exam you should know the following roles in an organization:

    Data Owners – Data owners are generally managers and directors responsible for using information for running and controlling the business. Their security responsibilities include authorizing access, ensuring that access rules are updated when personnel changes occur, and regularly reviewing the access rules for the data for which they are responsible.

    Data Custodian or Data Steward – These people are responsible for storing and safeguarding the data, and include IS personnel such as systems analysts and computer operators.

    Security Administrator – The security administrator is responsible for providing adequate physical and logical security for IS programs, data and equipment.

    Data Users – Data users, including the internal and external user community, are the actual users of computerized data. Their level of access to the computer should be authorized by the data owners, and restricted and monitored by the security administrator.

    The following were incorrect answers:

    Security Administrator – The security administrator is responsible for providing adequate physical and logical security for IS programs, data and equipment.

    Data Users – Data users, including the internal and external user community, are the actual users of computerized data.
    Data Custodian – The data custodian is responsible for storing and safeguarding the data; this role includes IS personnel such as systems analysts and computer operators.

    Reference:
    CISA review manual 2014 Page number 361

  14. During the involuntary termination of an employee, which of the following is the MOST important step to be considered?

    • Get a written NDA agreement from an employee
    • Terminate all physical and logical access
    • Provide compensation in lieu of notice period
    • Do not communicate to the respective employee about the termination
    Explanation:

    For the CISA exam you should know the following information about terminated employee access:

    Termination of employment can occur in the following circumstances:

    On the request of the employee (voluntary resignation from service)
    Scheduled (on retirement or completion of contract)
    Involuntary (forced by management in special circumstances)

    In the case of an involuntary termination of employment, the logical and physical access rights of the employee to the IT infrastructure should either be withdrawn completely or highly restricted as early as possible, before the employee becomes aware of the termination or its likelihood.

    This ensures that terminated employees cannot continue to access potentially confidential or damaging information from IT resources, or perform any action that would result in damage of any kind to the IT infrastructure, applications and data. A similar procedure should be in place to terminate access for third parties upon termination of their activities with the organization.

    When it is necessary for an employee to continue to have access, such access must be monitored carefully and continuously, and should take place with senior management’s knowledge and authorization.

    In the case of a voluntary or scheduled termination of employment, it is management’s prerogative to decide whether access is restricted or withdrawn. This depends on:

    The specific circumstances associated with each case
    The sensitivity of the employee’s access to the IT infrastructure and resources
    The requirements of the organization’s information security policies, standards and procedures

    The following were incorrect answers:
    The other options presented incorrectly describe involuntary termination.

    Reference:
    CISA review manual 2014 Page number 361 and 362

  15. While evaluating logical access control, the IS auditor should follow all of the steps mentioned below EXCEPT which one?

    1. Obtain a general understanding of the security risks facing information processing, through a review of relevant documentation, inquiry and observation, etc.
    2. Document and evaluate controls over potential access paths into the system to assess their adequacy, efficiency and effectiveness
    3. Test controls over access paths to determine whether they are functioning and effective by applying appropriate audit techniques
    4. Evaluate the access control environment to determine if the control objectives are achieved by analyzing test results and other audit evidence
    5. Evaluate the security environment to assess its adequacy by reviewing written policies, observing practices and procedures, and comparing them with appropriate security standards or the practices and procedures used by other organizations
    6. Evaluate and deploy technical controls to mitigate all identified risks during the audit

    • 2
    • 3
    • 1
    • 6
    Explanation:

    The word EXCEPT is the keyword in the question. You need to find the item an IS auditor should not perform while evaluating logical access control. It is not an IS auditor’s responsibility to evaluate and deploy technical controls to mitigate all identified risks during the audit.

    For the CISA exam you should know the following information about auditing logical access:

    Obtain a general understanding of the security risks facing information processing, through a review of relevant documentation, inquiry and observation, etc.
    Document and evaluate controls over potential access paths into the system to assess their adequacy, efficiency and effectiveness
    Test controls over access paths to determine whether they are functioning and effective by applying appropriate audit techniques
    Evaluate the access control environment to determine if the control objectives are achieved by analyzing test results and other audit evidence
    Evaluate the security environment to assess its adequacy by reviewing written policies, observing practices and procedures, and comparing them with appropriate security standards or the practices and procedures used by other organizations

    The following were incorrect answers:

    The other options presented are valid steps which an IS auditor needs to follow while evaluating logical access control.

    Reference:
    CISA review manual 2014 Page number 362

  16. Identify the correct sequence which needs to be followed as the chain of events in regard to evidence handling in computer forensics.

    • Identify, Analyze, Preserve and Present
    • Analyze, Identify, Preserve and Present
    • Preserve, Identify, Analyze and Present
    • Identify, Preserve, Analyze and Present
    Explanation:

    There are four major considerations in the chain of events in regard to evidence in computer forensics:

    Identify – Refers to the identification of information that is available and might form evidence of an incident

    Preserve – Refers to the practice of retrieving identified information and preserving it as evidence. The practice generally includes the imaging of original media in the presence of an independent third party. The process also requires being able to document the chain of custody so that it can be established in a court of law.

    Analyze – Involves extracting, processing and interpreting the evidence. Extracted data could be unintelligible binary data until it has been processed and converted into a human-readable format. Interpreting the data requires an in-depth knowledge of how different pieces of evidence may fit together. The analysis should be performed using an image of the media and not the original.

    Present – Involves presentation to the various audiences such as management, attorneys, the court, etc. Acceptance of the evidence depends upon the manner of presentation, the qualifications of the presenter, and the credibility of the process used to preserve and analyze the evidence.

    The following were incorrect answers:

    The other options presented are not the valid sequence to be followed in the chain of events in regard to evidence in computer forensics.

    Reference:
    CISA review manual 2014 Page number 367

  17. In computer forensics, which of the following is the process that produces a bit-for-bit copy of data to avoid damage to the original data or information when multiple analyses may be performed?

    • Imaging
    • Extraction
    • Data Protection
    • Data Acquisition
    Explanation:

    Imaging is the process that allows one to obtain a bit-for-bit copy of data to avoid damage to the original data or information when multiple analyses may be performed. The imaging process is used to obtain residual data, such as deleted files, fragments of deleted files and other information present on the disk, for analysis. This is possible because imaging duplicates the disk surface, sector by sector.

    For the CISA exam you should know the following key elements of computer forensics during audit planning.

    Data Protection – All measures must be in place to prevent sought-after information from being altered. It is important to establish a specific protocol to inform appropriate parties that electronic evidence will be sought and must not be destroyed by any means.

    Data Acquisition – All required information and data should be transferred to a controlled location; this includes all types of electronic media such as fixed disk drives and removable media. Each device must be checked to ensure that it is write protected. This may be achieved by using a device known as a write blocker.

    Imaging – Imaging is a process that allows one to obtain a bit-for-bit copy of data to avoid damage to the original data or information when multiple analyses may be performed. The imaging process is used to obtain residual data, such as deleted files, fragments of deleted files and other information present on the disk, for analysis. This is possible because imaging duplicates the disk surface, sector by sector.

    Extraction – This process consists of the identification and selection of data from the imaged data set. This process should include standards of quality, integrity and reliability. The extraction process includes recording the software used and the media from which the image was made. The extraction process could draw on different sources such as system logs, firewall logs, audit trails and network management information.

    Interrogation – Interrogation is used to obtain prior indicators or relationships, including telephone numbers, IP addresses and names of individuals, from the extracted data.

    Investigation/Normalization – This process converts the extracted information into a format that can be understood by the investigator. It includes the conversion of hexadecimal or binary data into readable characters or a format suitable for data analysis tools.

    Reporting – The information obtained from computer forensics has limited value when it is not collected and reported in the proper way. When an IS auditor writes the report, he/she must include why the system was reviewed, how the computer data were reviewed and what conclusions were drawn from the analysis. The report should achieve the following goals:

    Accurately describe the details of the incident
    Be understandable to decision makers
    Be able to withstand a barrage of legal scrutiny
    Be unambiguous and not open to misinterpretation
    Be easily referenced
    Contain all information required to explain the conclusions reached
    Offer valid conclusions, opinions or recommendations when needed
    Be created in a timely manner

    The following were incorrect answers:

    Extraction – This process consists of the identification and selection of data from the imaged data set. This process should include standards of quality, integrity and reliability.

    Data Protection – All measures must be in place to prevent sought-after information from being altered. It is important to establish a specific protocol to inform appropriate parties that electronic evidence will be sought and must not be destroyed by any means.

    Data Acquisition – All required information and data should be transferred to a controlled location; this includes all types of electronic media such as fixed disk drives and removable media. Each device must be checked to ensure that it is write protected. This may be achieved by using a device known as a write blocker.

    Reference:
    CISA review manual 2014 Page number 367 and 368
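The preserve step (imaging in the presence of a witness, documented chain of custody, analysis on the image only) and the imaging element above, as an added example rather than anything from the CISA review manual: a sector-by-sector copy of constructed sample media (a plain file standing in for a drive; the sector size, sector contents and allocation table are made up), hashed on both sides, written into a chain-of-custody entry, and searched for a deleted-file fragment that a logical copy of the live files would not carry.

```python
"""Forensic imaging walkthrough: bit-for-bit copy, hash verification, chain-of-custody
record, and recovery of residual (deleted) data. Added example, not code from the CISA
review manual; the media file, sector size, contents and allocation table are constructed."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

SECTOR_SIZE = 512  # assumption: classic 512-byte sectors
ALLOCATED = {1}    # constructed allocation table: only sector 1 holds a live file


def build_sample_media(path):
    """Constructed media: a live file plus a deleted-file fragment that
    lingers in an unallocated sector, as it would on a real disk surface."""
    sectors = [b"\x00" * SECTOR_SIZE for _ in range(8)]
    sectors[1] = b"LIVE: quarterly report v3".ljust(SECTOR_SIZE, b"\x00")
    sectors[5] = b"DELETED: draft memo, do not distribute".ljust(SECTOR_SIZE, b"\x00")
    with open(path, "wb") as fh:
        fh.write(b"".join(sectors))


def read_sectors(path):
    """Yield (sector_number, bytes) from a file opened read-only."""
    with open(path, "rb") as fh:
        for index, sector in enumerate(iter(lambda: fh.read(SECTOR_SIZE), b"")):
            yield index, sector


def image_media(source, image):
    """Bit-for-bit copy, sector by sector. The source is only ever read (what a write
    blocker enforces in hardware) and hashed as it is read; the finished image is re-read
    and hashed independently so the two digests can be compared before any analysis."""
    src_digest, sectors = hashlib.sha256(), 0
    with open(image, "wb") as dst:
        for _, sector in read_sectors(source):
            src_digest.update(sector)
            dst.write(sector)
            sectors += 1
    img_digest = hashlib.sha256()
    for _, sector in read_sectors(image):   # re-read the image from disk
        img_digest.update(sector)
    return {"sectors": sectors, "source_sha256": src_digest.hexdigest(),
            "image_sha256": img_digest.hexdigest()}


def logical_copy(source, dest):
    """What a file-level (logical) copy carries: allocated sectors only."""
    with open(dest, "wb") as dst:
        for index, sector in read_sectors(source):
            if index in ALLOCATED:
                dst.write(sector)


def custody_record(image_info, examiner, witness):
    """Chain-of-custody entry: who imaged, when, with whom present, and both hashes."""
    entry = dict(image_info, action="acquired bit-for-bit image",
                 examiner=examiner, witness=witness,
                 timestamp_utc=datetime.now(timezone.utc).isoformat(),
                 verified=image_info["source_sha256"] == image_info["image_sha256"])
    return json.dumps(entry, indent=2)


def find_residual(path, marker):
    """Sector numbers containing a marker; run against the image, never the original."""
    return [index for index, sector in read_sectors(path) if marker in sector]


def demo():
    """Image the constructed media, verify it, and contrast a logical copy."""
    workdir = tempfile.mkdtemp()
    original = os.path.join(workdir, "evidence.bin")
    image = os.path.join(workdir, "evidence.dd")
    logical = os.path.join(workdir, "evidence_logical.bin")
    build_sample_media(original)
    info = image_media(original, image)
    logical_copy(original, logical)
    return {
        "sectors": info["sectors"],
        "verified": info["source_sha256"] == info["image_sha256"],
        "residual_in_image": find_residual(image, b"DELETED:"),
        "residual_in_logical": find_residual(logical, b"DELETED:"),
        "custody": custody_record(info, "examiner (placeholder)", "witness (placeholder)"),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The deleted fragment turns up only in the sector-level image, which is why a bit-for-bit image, not a file copy, is what the preserve step calls for.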

  18. In computer forensics, which of the following describes the process that converts the extracted information into a format that can be understood by the investigator?

    • Investigation
    • Interrogation
    • Reporting
    • Extraction
    Explanation:

    Investigation is the process that converts the extracted information into a format that can be understood by the investigator. It includes the conversion of hexadecimal or binary data into readable characters or a format suitable for data analysis tools.

    For the CISA exam you should know the following key elements of computer forensics during audit planning.

    Data Protection – All measures must be in place to prevent sought-after information from being altered. It is important to establish a specific protocol to inform appropriate parties that electronic evidence will be sought and must not be destroyed by any means.

    Data Acquisition – All required information and data should be transferred to a controlled location; this includes all types of electronic media such as fixed disk drives and removable media. Each device must be checked to ensure that it is write protected. This may be achieved by using a device known as a write blocker.

    Imaging – Imaging is a process that allows one to obtain a bit-for-bit copy of data to avoid damage to the original data or information when multiple analyses may be performed. The imaging process is used to obtain residual data, such as deleted files, fragments of deleted files and other information present on the disk, for analysis. This is possible because imaging duplicates the disk surface, sector by sector.

    Extraction – This process consists of the identification and selection of data from the imaged data set. This process should include standards of quality, integrity and reliability. The extraction process includes recording the software used and the media from which the image was made. The extraction process could draw on different sources such as system logs, firewall logs, audit trails and network management information.

    Interrogation – Interrogation is used to obtain prior indicators or relationships, including telephone numbers, IP addresses and names of individuals, from the extracted data.

    Investigation/Normalization – This process converts the extracted information into a format that can be understood by the investigator. It includes the conversion of hexadecimal or binary data into readable characters or a format suitable for data analysis tools.

    Reporting – The information obtained from computer forensics has limited value when it is not collected and reported in the proper way. When an IS auditor writes the report, he/she must include why the system was reviewed, how the computer data were reviewed and what conclusions were drawn from the analysis. The report should achieve the following goals:

    Accurately describe the details of the incident
    Be understandable to decision makers
    Be able to withstand a barrage of legal scrutiny
    Be unambiguous and not open to misinterpretation
    Be easily referenced
    Contain all information required to explain the conclusions reached
    Offer valid conclusions, opinions or recommendations when needed
    Be created in a timely manner

    The following were incorrect answers:

    Interrogation – Interrogation is used to obtain prior indicators or relationships, including telephone numbers, IP addresses and names of individuals, from the extracted data.
    Extraction – This process consists of the identification and selection of data from the imaged data set. This process should include standards of quality, integrity and reliability.

    Reporting – The information obtained from computer forensics has limited value when it is not collected and reported in the proper way. When an IS auditor writes the report, he/she must include why the system was reviewed, how the computer data were reviewed and what conclusions were drawn from the analysis.

    Reference:
    CISA review manual 2014 Page number 367 and 368

  19. Which of the following processes consists of the identification and selection of data from the imaged data set in computer forensics?

    • Investigation
    • Interrogation
    • Reporting
    • Extraction
    Explanation:

    Extraction is the process of identifying and selecting data from the imaged data set. This process should include standards of quality, integrity and reliability. The extraction process includes recording the software used and the media from which the image was made. The extraction process could draw on different sources such as system logs, firewall logs, audit trails and network management information.

    For the CISA exam you should know the following key elements of computer forensics during audit planning.

    Data Protection – All measures must be in place to prevent sought-after information from being altered. It is important to establish a specific protocol to inform appropriate parties that electronic evidence will be sought and must not be destroyed by any means.

    Data Acquisition – All required information and data should be transferred to a controlled location; this includes all types of electronic media such as fixed disk drives and removable media. Each device must be checked to ensure that it is write protected. This may be achieved by using a device known as a write blocker.

    Imaging – Imaging is a process that allows one to obtain a bit-for-bit copy of data to avoid damage to the original data or information when multiple analyses may be performed. The imaging process is used to obtain residual data, such as deleted files, fragments of deleted files and other information present on the disk, for analysis. This is possible because imaging duplicates the disk surface, sector by sector.

    Extraction – This process consists of the identification and selection of data from the imaged data set. This process should include standards of quality, integrity and reliability. The extraction process includes recording the software used and the media from which the image was made. The extraction process could draw on different sources such as system logs, firewall logs, audit trails and network management information.

    Interrogation – Interrogation is used to obtain prior indicators or relationships, including telephone numbers, IP addresses and names of individuals, from the extracted data.

    Investigation/Normalization – This process converts the extracted information into a format that can be understood by the investigator. It includes the conversion of hexadecimal or binary data into readable characters or a format suitable for data analysis tools.

    Reporting – The information obtained from computer forensics has limited value when it is not collected and reported in the proper way. When an IS auditor writes the report, he/she must include why the system was reviewed, how the computer data were reviewed and what conclusions were drawn from the analysis. The report should achieve the following goals:

    Accurately describe the details of the incident
    Be understandable to decision makers
    Be able to withstand a barrage of legal scrutiny
    Be unambiguous and not open to misinterpretation
    Be easily referenced
    Contain all information required to explain the conclusions reached
    Offer valid conclusions, opinions or recommendations when needed
    Be created in a timely manner

    The following were incorrect answers:

    Investigation/Normalization – This process converts the extracted information into a format that can be understood by the investigator. It includes the conversion of hexadecimal or binary data into readable characters or a format suitable for data analysis tools.
    Interrogation – Interrogation is used to obtain prior indicators or relationships, including telephone numbers, IP addresses and names of individuals, from the extracted data.

    Reporting – The information obtained from computer forensics has limited value when it is not collected and reported in the proper way. When an IS auditor writes the report, he/she must include why the system was reviewed, how the computer data were reviewed and what conclusions were drawn from the analysis.

    Reference:
    CISA review manual 2014 Page number 367 and 368

  20. There are several types of penetration tests depending upon the scope, objective and nature of the test. Which of the following describes a penetration test in which the tester attacks and attempts to circumvent the controls of the targeted network from the outside, usually the Internet?

    • External Testing
    • Internal Testing
    • Blind Testing
    • Targeted Testing
    Explanation:

    External testing refers to attack and control circumvention attempts on a target’s network perimeter from outside the target’s systems, usually the Internet.

    For the CISA exam you should know the penetration test types listed below:

    External Testing – Refers to attack and control circumvention attempts on a target’s network perimeter from outside the target’s systems, usually the Internet

    Internal Testing – Refers to attack and control circumvention attempts on the target from within the perimeter. The objective is to identify what would occur if the external perimeter were successfully compromised and/or an authorized user from within the network wanted to compromise the security of a specific resource on the network.

    Blind Testing – Refers to testing in which the penetration tester is provided with limited or no knowledge of the target’s information systems. Such testing is expensive, since the penetration tester has to research the target and profile it based on publicly available information.

    Double Blind Testing – An extension of blind testing, in which the administrator and security staff at the target are also not aware of the test. Such testing can effectively evaluate the incident handling and response capability of the target and how well managed the environment is.

    Targeted Testing – Refers to attack and control circumvention attempts on the target while both the target’s IT team and the penetration tester are aware of the testing activities. Penetration testers are provided with information related to the target and network design. Additionally, they are also provided with a limited-privilege user account to be used as a starting point to identify privilege escalation possibilities in the system.

    The following were incorrect answers:

    Internal Testing – Refers to attack and control circumvention attempts on the target from within the perimeter. The objective is to identify what would occur if the external perimeter were successfully compromised and/or an authorized user from within the network wanted to compromise the security of a specific resource on the network.

    Blind Testing – Refers to testing in which the penetration tester is provided with limited or no knowledge of the target’s information systems. Such testing is expensive, since the penetration tester has to research the target and profile it based on publicly available information.

    Targeted Testing – Refers to attack and control circumvention attempts on the target while both the target’s IT team and the penetration tester are aware of the testing activities. Penetration testers are provided with information related to the target and network design. Additionally, they are also provided with a limited-privilege user account to be used as a starting point to identify privilege escalation possibilities in the system.

    Reference:
    CISA review manual 2014 Page number 369