Last Updated on December 13, 2021 by Admin 3

CISA : Certified Information Systems Auditor : Part 115

  1. During an IS audit, one of your auditor has observed that some of the critical servers in your organization can be accessed ONLY by using shared/common user name and password. What should be the auditor’s PRIMARY concern be with this approach?

    • Password sharing
    • Accountability
    • Shared account management
    • Difficulty in auditing shared account


    The keyword PRIMARY is used in the question. Accountability should be the primary concern if critical servers can be accessed only by using shared user id and password. It would be very difficult to track the changes done by employee on critical server.

    For your exam you should know the information below:

    Ultimately one of the drivers behind strong identification, authentication, auditing and session management is accountability. Accountability is fundamentally about being able to determine who or what is responsible for an action and can be held responsible. A closely related information assurance topic is non-repudiation. Repudiation is the ability to deny an action, event, impact or result. Non-repudiation is the process of ensuring a user may not deny an action. Accountability relies heavily on non-repudiation to ensure users, processes and actions
    may be held responsible for impacts.

    The following contribute to ensuring accountability of actions:
    Strong identification
    Strong authentication
    User training and awareness
    Comprehensive, timely and thorough monitoring
    Accurate and consistent audit logs
    Independent audits
    Policies enforcing accountability
    Organizational behavior supporting accountability

    The following answers are incorrect:

    The other options are also valid concern. But the primary concern should be accountability.

    CISA review manual 2014 Page number 328 and 329
    Official ISC2 guide to CISSP CBK 3rd Edition Page number 114

  2. Which of the following protocol is PRIMARILY used to provide confidentiality in a web based application thus protecting data sent across a client machine and a server?

    • SSL
    • FTP
    • SSH
    • S/MIME

    The Secure Socket Layer (SSL) Protocol is primarily used to provide confidentiality to the information sent across clients and servers.

    For your exam you should know the information below:

    The Secure Sockets Layer (SSL) is a commonly-used protocol for managing the security of a message transmitted over a public network such as the Internet.

    SSL has recently been succeeded by Transport Layer Security (TLS), which is based on SSL.SSL uses a program layer located between the Internet’s Hypertext Transfer Protocol (HTTP) and Transport Control Protocol (TCP) layers.

    SSL is included as part of both the Microsoft and Netscape browsers and most Web server products.

    Developed by Netscape, SSL also gained the support of Microsoft and other Internet client/server developers as well and became the de facto standard until evolving into Transport Layer Security. The “sockets” part of the term refers to the sockets method of passing data back and forth between a client and a server program in a network or between program layers in the same computer. SSL uses the public-and-private key encryption system from RSA, which also includes the use of a digital certificate. Later on SSL uses a Session Key along a Symmetric Cipher for the bulk of the data.

    TLS and SSL are an integral part of most Web browsers (clients) and Web servers. If a Web site is on a server that supports SSL, SSL can be enabled and specific Web pages can be identified as requiring SSL access. Any Web server can be enabled by using Netscape’s SSLRef program library which can be downloaded for noncommercial use or licensed for commercial use.

    TLS and SSL are not interoperable. However, a message sent with TLS can be handled by a client that handles SSL but not TLS.

    The SSL handshake
    A HTTP-based SSL connection is always initiated by the client using a URL starting with https:// instead of with http://. At the beginning of an SSL session, an SSL handshake is performed. This handshake produces the cryptographic parameters of the session. A simplified overview of how the SSL handshake is processed is shown in the diagram below.

    SSL Handshake

    CISA Certified Information Systems Auditor Part 115 Q02 215
    CISA Certified Information Systems Auditor Part 115 Q02 215

    The client sends a client “hello” message that lists the cryptographic capabilities of the client (sorted in client preference order), such as the version of SSL, the cipher suites supported by the client, and the data compression methods supported by the client. The message also contains a 28-byte random number.

    The server responds with a server “hello” message that contains the cryptographic method (cipher suite) and the data compression method selected by the server, the session ID, and another random number.

    The client and the server must support at least one common cipher suite, or else the handshake fails. The server generally chooses the strongest common cipher suite.

    The server sends its digital certificate. (In this example, the server uses X.509 V3 digital certificates with SSL.)

    If the server uses SSL V3, and if the server application (for example, the Web server) requires a digital certificate for client authentication, the server sends a “digital certificate request” message. In the “digital certificate request” message, the server sends a list of the types of digital certificates supported and the distinguished names of acceptable certificate authorities.

    The server sends a server “hello done” message and waits for a client response. Upon receipt of the server “hello done” message, the client (the Web browser) verifies the validity of the server’s digital certificate and checks that the server’s “hello” parameters are acceptable.

    If the server requested a client digital certificate, the client sends a digital certificate, or if no suitable digital certificate is available, the client sends a “no digital certificate” alert. This alert is only a warning, but the server application can fail the session if client authentication is mandatory.

    The client sends a “client key exchange” message. This message contains the pre-master secret, a 46-byte random number used in the generation of the symmetric encryption keys and the message authentication code (MAC) keys, encrypted with the public key of the server.

    If the client sent a digital certificate to the server, the client sends a “digital certificate verify” message signed with the client’s private key. By verifying the signature of this message, the server can explicitly verify the ownership of the client digital certificate.

    An additional process to verify the server digital certificate is not necessary. If the server does not have the private key that belongs to the digital certificate, it cannot decrypt the pre-master secret and create the correct keys for the symmetric encryption algorithm, and the handshake fails.

    The client uses a series of cryptographic operations to convert the pre-master secret into a master secret, from which all key material required for encryption and message authentication is derived. Then the client sends a “change cipher spec” message to make the server switch to the newly negotiated cipher suite. The next message sent by the client (the “finished” message) is the first message encrypted with this cipher method and keys.

    The server responds with a “change cipher spec” and a “finished” message of its own.
    The SSL handshake ends, and encrypted application data can be sent.

    The following answers are incorrect:

    FTP – File Transfer Protocol (FTP) is a standard Internet protocol for transmitting files between computers on the Internet. Like the Hypertext Transfer Protocol (HTTP), which transfers displayable Web pages and related files, and the Simple Mail Transfer Protocol (SMTP), which transfers e-mail, FTP is an application protocol that uses the Internet’s TCP/IP protocols. FTP is commonly used to transfer Web page files from their creator to the computer that acts as their server for everyone on the Internet. It’s also commonly used to download programs and other files to your computer from other servers.

    SSH – Secure Shell (SSH) is a cryptographic network protocol for secure data communication, remote command-line login, remote command execution, and other secure network services between two networked computers. It connects, via a secure channel over an insecure network, a server and a client running SSH server and SSH client programs, respectively.

    S/MIME – S/MIME (Secure Multi-Purpose Internet Mail Extensions) is a secure method of sending e-mail that uses the Rivets-Shamir-Adelman encryption system. S/MIME is included in the latest versions of the Web browsers from Microsoft and Netscape and has also been endorsed by other vendors that make messaging products. RSA has proposed S/MIME as a standard to the Internet Engineering Task Force (IETF).

    CISA review manual 2014 Page number 352
    Official ISC2 guide to CISSP CBK 3rd Edition Page number 256

  3. Which of the following method is recommended by security professional to PERMANENTLY erase sensitive data on magnetic media?

    • Degaussing
    • Overwrite every sector of magnetic media with pattern of 1’s and 0’s
    • Format magnetic media
    • Delete File allocation table

    PERMANENTLY is the keyword used in the question. You need to find out data removal method which remove data permanently from magnetic media.

    Degaussing is the most effective method out of all provided choices to erase sensitive data on magnetic media provided magnetic media is not requiring to be reuse. Some degausses can destroy drives. The security professional should exercise caution when recommending or using degausses on media for reuse.

    A device that performs degaussing generates a coercive magnetic force that reduces the magnetic flux density of the storage media to zero. This magnetic force is what properly erases data from media. Data are stored on magnetic media by the representation of the polarization of the atoms. Degaussing changes this polarization (magnetic alignment) by using a type of large magnet to bring it back to its original flux (magnetic alignment).

    For your exam you should know the information below:

    When media is to be reassigned (a form of object reuse), it is important that all residual data is carefully removed.

    Simply deleting files or formatting the media does not actually remove the information. File deletion and media formatting often simply remove the pointers to the information. Providing assurance for object reuse requires specialized tools and techniques according to the type of media on which the data resides.

    Specialized hardware devices known as degausses can be used to erase data saved to magnetic media. The measure of the amount of energy needed to reduce the magnetic field on the media to zero is known as coercivity. It is important to make sure that the coercivity of the degasser is of sufficient strength to meet object reuse requirements when erasing data. If a degasser is used with insufficient coercivity, then a remanence of the data will exist.

    Remanence is the measure of the existing magnetic field on the media; it is the residue that remains after an object is degaussed or written over. Data is still recoverable even when the remanence is small. While data remanence exists, there is no assurance of safe object reuse. Some degausses can destroy drives. The security professional should exercise caution when recommending or using degausses on media for reuse.

    Software tools also exist that can provide object reuse assurance. These tools overwrite every sector of magnetic media with a random or predetermined bit pattern. Overwrite methods are effective for all forms of electronic media with the exception of read-only optical media. There is a drawback to using overwrite software. During normal write operations with magnetic media, the head of the drive moves back-and-forth across the media as data is written. The track of the head does not usually follow the exact path each time. The result is a miniscule amount of data remanence with each pass. With specialized equipment, it is possible to read data that has been overwritten.

    To provide higher assurance in this case, it is necessary to overwrite each sector multiple times. Security practitioners should keep in mind that a one-time pass may be acceptable for noncritical information, but sensitive data should be overwritten with multiple passes. Overwrite software can also be used to clear the sectors within solid-state media such as USB thumb drives. It is suggested that physical destruction methods such as incineration or secure recycling should be considered for solid-state media that is no longer used.

    The last form of preventing unauthorized access to sensitive data is media destruction. Shredding, burning, grinding, and pulverizing are common methods of physically destroying media. Degaussing can also be a form of media destruction. High-power degausses are so strong in some cases that they can literally bend and warp the platters in a hard drive.

    Shredding and burning are effective destruction methods for non-rigid magnetic media. Indeed, some shredders are capable of shredding some rigid media such as an optical disk. This may be an effective alternative for any optical media containing nonsensitive information due to the residue size remaining after feeding the disk into the machine.

    However, the residue size might be too large for media containing sensitive information. Alternatively, grinding and pulverizing are acceptable choices for rigid and solid-state media. Specialized devices are available for grinding the face of optical media that either sufficiently scratches the surface to render the media unreadable or actually grinds off the data layer of the disk. Several services also exist which will collect drives, destroy them on site if requested and provide certification of completion. It will be the responsibility of the security professional to help, select, and maintain the most appropriate solutions for media cleansing and disposal.

    The following answers are incorrect:

    Overwrite every sector of magnetic media with pattern of 1’s and 0’s-Less effective than degaussing provided magnetic media is not requiring to be reuse.
    Format magnetic media – Formatting magnetic media does not erase all data. Data can be recoverable after formatting using software tools.
    Delete File allocation table-It will not erase all data. Data can be recoverable using software tools.

    CISA review manual 2014 Page number 338
    Official ISC2 guide to CISSP CBK 3rd Edition Page number 720.

  4. IS management has decided to rewrite a legacy customer relations system using fourth generation languages (4GLs). Which of the following risks is MOST often associated with system development using 4GLs?

    • Inadequate screen/report design facilities
    • Complex programming language subsets
    • Lack of portability across operating systems
    • Inability to perform data intensive operations
    4GLs are usually not suitable for data intensive operations. Instead, they are used mainly for graphic user interface (GUI) design or as simple query/report generators.
  5. Which of the following would be the BEST method for ensuring that critical fields in a master record have been updated properly?

    • Field checks
    • Control totals
    • Reasonableness checks
    • A before-and-after maintenance report
    A before-and-after maintenance report is the best answer because a visual review would provide the most positive verification that updating was proper.
  6. Which of the following is a dynamic analysis tool for the purpose of testing software modules?

    • Blackbox test
    • Desk checking
    • Structured walk-through
    • Design and code
    A blackbox test is a dynamic analysis tool for testing software modules. During the testing of software modules, a blackbox test works first in a cohesive manner as one single unit/entity, consisting of numerous modules and second, with the user data that flows across software modules. In some cases, this even drives the software behavior. In choices B, C and D, the software (design or code) remains static and someone closely examines it by applying their mind, without actually activating the software. Therefore, these cannot be referred to as dynamic analysis tools.
  7. Which of the following is MOST likely to result from a business process reengineering (BPR)


    • An increased number of people using technology
    • Significant cost saving, through a reduction the complexity of information technology
    • A weaker organizational structures and less accountability
    • Increased information protection (IP) risk will increase
    A BPR project more often leads to an increased number of people using technology, and this would be a cause for concern. Incorrect answers:
    B. As BPR is often technology oriented, and this technology is usually more complex and volatile than in the past, cost savings do not often materialize in this area.
    D. There is no reason for IP to conflict with a BPR project, unless the project is not run properly.
  8. Which of the following devices extends the network and has the capacity to store frames and act as a storage and forward device?

    • Router
    • Bridge
    • Repeater
    • Gateway
    A bridge connects two separate networks to form a logical network (e.g., joining an Ethernet and token network) and has the storage capacity to store frames and act as a storage and forward device. Bridges operate at the OSI data link layer by examining the media access control header of a data packet.
  9. Which of the following is a benefit of using callback devices?

    • Provide an audit trail
    • Can be used in a switchboard environment
    • Permit unlimited user mobility
    • Allow call forwarding
    A callback feature hooks into the access control software and logs all authorized and unauthorized access attempts, permitting the follow-up and further review of potential breaches. Call forwarding (choice D) is a means of potentially bypassing callback control. By dialing through an authorized phone number from an unauthorized phone number, a perpetrator can gain computer access. This vulnerability can be controlled through callback systems that are available.
  10. A call-back system requires that a user with an id and password call a remote server through a dial-up line, then the server disconnects and:

    • dials back to the user machine based on the user id and password using a telephone number from its database.
    • dials back to the user machine based on the user id and password using a telephone number provided by the user during this connection.
    • waits for a redial back from the user machine for reconfirmation and then verifies the user id and password using its database.
    • waits for a redial back from the user machine for reconfirmation and then verifies the user id and password using the sender’s database.
    A call-back system in a net centric environment would mean that a user with an id and password calls a remote server through a dial-up line first, and then the server disconnects and dials back to the user machine based on the user id and password using a telephone number from its database. Although the server can depend upon its own database, it cannot know the authenticity of the dialer when the user dials again. The server cannot depend upon the sender’s database to dial back as the same could be manipulated.
  11. Structured programming is BEST described as a technique that:

    • provides knowledge of program functions to other programmers via peer reviews.
    • reduces the maintenance time of programs by the use of small-scale program modules.
    • makes the readable coding reflect as closely as possible the dynamic execution of the program.
    • controls the coding and testing of the high-level functions of the program in the development process.
    A characteristic of structured programming is smaller, workable units. Structured programming has evolved because smaller, workable units are easier to maintain. Structured programming is a style of programming which restricts the kinds of control structures. This limitation is not crippling. Any program can be written with allowed control structures. Structured programming is sometimes referred to as go-to-less programming, since a go-to statement is not allowed. This is perhaps the most well-known restriction of the style, since go-to statements were common at the time structured programming was becoming more popular. Statement labels also become unnecessary, except in languages where subroutines are identified by labels.
  12. Which of the following data validation edits is effective in detecting transposition and transcription errors?

    • Range check
    • Check digit
    • Validity check
    • Duplicate check
    A check digit is a numeric value that is calculated mathematically and is appended to data to ensure that the original data have not been altered or an incorrect, but valid, value substituted. This control is effective in detecting transposition and transcription errors. A range check is checking data that matches a predetermined range of values. A validity check is programmed checking of the data validity in accordance with predetermined criteria. In a duplicate check, newer fresh transactions are matched to those previously entered to ensure that they are not already in the system.
  13. An offsite information processing facility having electrical wiring, air conditioning and flooring, but no computer or communications equipment is a:

    • cold site.
    • warm site.
    • dial-up site.
    • duplicate processing facility.
    A cold site is ready to receive equipment but does not offer any components at the site in advance of the need.
  14. A number of system failures are occurring when corrections to previously detected errors are resubmitted for acceptance testing. This would indicate that the maintenance team is probably not adequately performing which of the following types of testing?

    • Unit testing
    • Integration testing
    • Design walk-throughs
    • Configuration management
    A common system maintenance problem is that errors are often corrected quickly (especially when deadlines are tight), units are tested by the programmer, and then transferred to the acceptance test area. This often results in system problems that should have been detected during integration or system testing. Integration testing aims at ensuring that the major components of the system interface correctly.
  15. In an EDI process, the device which transmits and receives electronic documents is the:

    • communications handler.
    • EDI translator.
    • application interface.
    • EDI interface.
    A communications handler transmits and receives electronic documents between trading partners and/or wide area networks (WANs).
  16. The MOST significant level of effort for business continuity planning (BCP) generally is required during the:

    • testing stage.
    • evaluation stage.
    • maintenance stage.
    • early stages of planning.
    Explanation: in the early stages of a BCP will incur the most significant level of program development effort, which will level out as the BCP moves into maintenance, testing and evaluation stages. It is during the planning stage that an IS auditor will play an important role in obtaining senior management’s commitment to resources and assignment of BCP responsibilities.
  17. Which of the following network configuration options contains a direct link between any two host machines?

    • Bus
    • Ring
    • Star
    • Completely connected (mesh)
    A completely connected mesh configuration creates a direct link between any two host machines.
  18. Which of the following types of data validation editing checks is used to determine if a field contains data, and not zeros or blanks?

    • Check digit
    • Existence check
    • Completeness check
    • Reasonableness check
    A completeness check is used to determine if a field contains data and not zeros or blanks.
  19. Which of the following tests is an IS auditor performing when a sample of programs is selected to determine if the source and object versions are the same?

    • A substantive test of program library controls
    • A compliance test of program library controls
    • A compliance test of the program compiler controls
    • A substantive test of the program compiler controls
    A compliance test determines if controls are operating as designed and are being applied in a manner that complies with management policies and procedures. For example, if the IS auditor is concerned whether program library controls are working properly, the IS auditor might select a sample of programs to determine if the source and object versions are the same. In other words, the broad objective of any compliance test is to provide auditors with reasonable assurance that a particular control on which the auditor plans to rely is operating as the auditor perceived it in the preliminary evaluation.
  20. A data administrator is responsible for:

    • maintaining database system software.
    • defining data elements, data names and their relationship.
    • developing physical database structures.
    • developing data dictionary system software.
    A data administrator is responsible for defining data elements, data names and their relationship. Choices A, C and D are functions of a database administrator (DBA)