Last Updated on December 13, 2021 by Admin 3

 CISA : Certified Information Systems Auditor : Part 160

  1. The PRIMARY objective of a logical access control review is to:

    • review access controls provided through software.
    • ensure access is granted per the organization’s authorities.
    • walk through and assess the access provided in the IT environment.
    • provide assurance that computer hardware is adequately protected against abuse.

    The scope of a logical access control review is primarily to determine whether or not access is granted per the organization’s authorizations. Choices A and C relate to procedures of a logical access control review, rather than objectives. Choice D is relevant to a physical access control review.

  2. Naming conventions for system resources are important for access control because they:

    • ensure that resource names are not ambiguous.
    • reduce the number of rules required to adequately protect resources.
    • ensure that user access to resources is clearly and uniquely identified.
    • ensure that internationally recognized names are used to protect resources.
    Naming conventions for system resources are important for the efficient administration of security controls. The conventions can be structured, so resources beginning with the same high-level qualifier can be governed by one or more generic rules. This reduces the number of rules required to adequately protect resources, which in turn facilitates security administration and maintenance efforts. Reducing the number of rules required to protect resources allows for the grouping of resources and files by application, which makes it easier to provide access. Ensuring that resource names are not ambiguous cannot be achieved through the use of naming conventions. Ensuring the clear and unique identification of user access to resources is handled by access control rules, not naming conventions. Internationally recognized names are not required to control access to resources. Naming conventions tend to be based on how each organization wants to identify its resources.

  3. Which of the following exposures could be caused by a line grabbing technique?

    • Unauthorized data access
    • Excessive CPU cycle usage
    • Lockout of terminal polling
    • Multiplexor control dysfunction
    Line grabbing will enable eavesdropping, thus allowing unauthorized data access; it will not necessarily cause multiplexor dysfunction, excessive CPU usage or lockout of terminal polling.

  4. Electromagnetic emissions from a terminal represent an exposure because they:

    • affect noise pollution.
    • disrupt processor functions.
    • produce dangerous levels of electric current.
    • can be detected and displayed.
    Emissions can be detected by sophisticated equipment and displayed, thus giving an unauthorized person access to data. They should not cause disruption of CPUs or affect noise pollution.

  5. Security administration procedures require read-only access to:

    • access control tables.
    • security log files.
    • logging options.
    • user profiles.
    Security administration procedures require read-only access to security log files to ensure that, once generated, the logs are not modified. Logs provide evidence and track suspicious transactions and activities. Security administration procedures require write access to access control tables to manage and update the privileges according to authorized business requirements. Logging options require write access to allow the administrator to update the way the transactions and user activities are monitored, captured, stored, processed and reported.

  6. With the help of a security officer, granting access to data is the responsibility of:

    • data owners.
    • programmers.
    • system analysts.
    • librarians.
    Data owners are responsible for the use of data. Written authorization for users to gain access to computerized information should be provided by the data owners. Security administration with the owners’ approval sets up access rules stipulating which users or group of users are authorized to access data or files and the level of authorized access (e.g., read or update).

  7. The FIRST step in data classification is to:

    • establish ownership.
    • perform a criticality analysis.
    • define access rules.
    • create a data dictionary.
    Data classification is necessary to define access rules based on a need-to-do and need-to-know basis. The data owner is responsible for defining the access rules; therefore, establishing ownership is the first step in data classification. The other choices are incorrect. A criticality analysis is required for protection of data, which takes input from data classification. Access definition is complete after data classification and input for a data dictionary is prepared from the data classification process.

  8. Which of the following provides the framework for designing and developing logical access controls?

    • Information systems security policy
    • Access control lists
    • Password management
    • System configuration files
    The information systems security policy developed and approved by an organization’s top management is the basis upon which logical access control is designed and developed. Access control lists, password management and systems configuration files are tools for implementing the access controls.

  9. A hacker could obtain passwords without the use of computer tools or programs through the technique of:

    • social engineering.
    • sniffers.
    • back doors.
    • Trojan horses.
    Social engineering is based on the divulgence of private information through dialogues, interviews, inquiries, etc., in which a user may be indiscreet regarding their or someone else’s personal data. A sniffer is a computer tool to monitor the traffic in networks. Back doors are computer programs left by hackers to exploit vulnerabilities. Trojan horses are computer programs that pretend to supplant a real program; thus, the functionality of the program is not authorized and is usually malicious in nature.

  10. The reliability of an application system’s audit trail may be questionable if:

    • user IDs are recorded in the audit trail.
    • the security administrator has read-only rights to the audit file.
    • date and time stamps are recorded when an action occurs.
    • users can amend audit trail records when correcting system errors.
    An audit trail is not effective if the details in it can be amended.

  11. Which of the following user profiles should be of MOST concern to an IS auditor when performing an audit of an EFT system?

    • Three users with the ability to capture and verify their own messages
    • Five users with the ability to capture and send their own messages
    • Five users with the ability to verify other users and to send their own messages
    • Three users with the ability to capture and verify the messages of other users and to send their own messages
    The ability of one individual to capture and verify messages represents an inadequate segregation, since messages can be taken as correct and as if they had already been verified.

  12. An IS auditor performing an independent classification of systems should consider a situation where functions could be performed manually at a tolerable cost for an extended period of time as:

    • critical.
    • vital.
    • sensitive.
    • noncritical.
    Sensitive functions are best described as those that can be performed manually at a tolerable cost for an extended period of time. Critical functions are those that cannot be performed unless they are replaced by identical capabilities and cannot be replaced by manual methods. Vital functions refer to those that can be performed manually but only for a brief period of time; this is associated with lower costs of disruption than critical functions. Noncritical functions may be interrupted for an extended period of time at little or no cost to the company, and require little time or cost to restore.

  13. The implementation of access controls FIRST requires:

    • a classification of IS resources.
    • the labeling of IS resources.
    • the creation of an access control list.
    • an inventory of IS resources.

  14. Which of the following is an example of the defense in-depth security principle?

    • Using two firewalls of different vendors to consecutively check the incoming network traffic
    • Using a firewall as well as logical access controls on the hosts to control incoming network traffic
    • Having no physical signs on the outside of a computer center building
    • Using two firewalls in parallel to check different types of incoming traffic
    Defense in-depth means using different security mechanisms that back each other up. When network traffic passes the firewall unintentionally, the logical access controls form a second line of defense. Using two firewalls of different vendors to consecutively check the incoming network traffic is an example of diversity in defense. The firewalls are the same security mechanisms. By using two different products the probability of both products having the same vulnerabilities is diminished. Having no physical signs on the outside of a computer center building is a single security measure. Using two firewalls in parallel to check different types of incoming traffic is a single security mechanism and therefore no different than having a single firewall checking all traffic.

  15. Which of the following would be the BEST access control procedure?

    • The data owner formally authorizes access and an administrator implements the user authorization tables.
    • Authorized staff implements the user authorization tables and the data owner sanctions them.
    • The data owner and an IS manager jointly create and update the user authorization tables.
    • The data owner creates and updates the user authorization tables.
    The data owner holds the privilege and responsibility for formally establishing the access rights. An IS administrator should then implement or update user authorization tables. Choice B alters the desirable order. Choice C is not a formal procedure for authorizing access.

  16. Which of the following would MOST effectively reduce social engineering incidents?

    • Security awareness training
    • Increased physical security measures
    • E-mail monitoring policy
    • Intrusion detection systems
    Social engineering exploits human nature and weaknesses to obtain information and access privileges. By increasing employee awareness of security issues, it is possible to reduce the number of successful social engineering incidents. In most cases, social engineering incidents do not require the physical presence of the intruder. Therefore, increased physical security measures would not prevent the intrusion. An e-mail monitoring policy informs users that all e-mail in the organization is subject to monitoring; it does not protect the users from potential security incidents and intruders. Intrusion detection systems are used to detect irregular or abnormal traffic patterns.

  17. An information security policy stating that ‘the display of passwords must be masked or suppressed’ addresses which of the following attack methods?

    • Piggybacking
    • Dumpster diving
    • Shoulder surfing
    • Impersonation
    If a password is displayed on a monitor, any person nearby could look over the shoulder of the user to obtain the password. Piggybacking refers to unauthorized persons following, either physically or virtually, authorized persons into restricted areas. Masking the display of passwords would not prevent someone from tailgating an authorized person. This policy only refers to ‘the display of passwords.’ If the policy referred to ‘the display and printing of passwords’ then it would address shoulder surfing and dumpster diving (looking through an organization’s trash for valuable information). Impersonation refers to someone acting as an employee in an attempt to retrieve desired information.

  18. To ensure compliance with a security policy requiring that passwords be a combination of letters and numbers, an IS auditor should recommend that:

    • the company policy be changed.
    • passwords are periodically changed.
    • an automated password management tool be used.
    • security awareness training is delivered.
    The use of an automated password management tool is a preventive control measure. The software would prevent repetition (semantic) and would enforce syntactic rules, thus making the passwords robust. It would also provide a method for ensuring frequent changes and would prevent the same user from reusing their old password for a designated period of time. Choices A, B and D do not enforce compliance.

  19. An IS auditor has identified the lack of an authorization process for users of an application. The IS auditor’s main concern should be that:

    • more than one individual can claim to be a specific user.
    • there is no way to limit the functions assigned to users.
    • user accounts can be shared.
    • users have a need-to-know privilege.
    Without an appropriate authorization process, it will be impossible to establish functional limits and accountability. The risk that more than one individual can claim to be a specific user is associated with the authentication processes, rather than with authorization. The risk that user accounts can be shared is associated with identification processes, rather than with authorization. The need-to-know basis is the best approach to assigning privileges during the authorization process.

  20. An IS auditor reviewing digital rights management (DRM) applications should expect to find an extensive use for which of the following technologies?

    • Digitalized signatures
    • Hashing
    • Parsing
    • Steganography
    Steganography is a technique for concealing the existence of messages or information. An increasingly important steganographic technique is digital watermarking, which hides data within data, e.g., by encoding rights information in a picture or music file without altering the picture or music’s perceivable aesthetic qualities. Digitalized signatures are not related to digital rights management. Hashing creates a message hash or digest, which is used to ensure the integrity of the message; it is usually considered a part of cryptography. Parsing is the process of splitting up a continuous stream of characters for analytical purposes, and is widely applied in the design of programming languages or in data entry editing.