Chapter 14 Test Bank version 1 PDF

Title Chapter 14 Test Bank version 1
Author amir shirazi
Course Management Accounting
Institution George Brown College
Pages 27


Student name:__________

ESSAY. Write your answer in the space provided or on a separate sheet of paper.

1) Describe the process of using asymmetric-key encryption to authenticate the trading partner involved in e-business.

2) What are the two prerequisites for vulnerability management?

3) Describe the framework for vulnerability assessment and vulnerability management.

Version 1

1

4) What are included in disaster recovery planning and business continuity management? Are these concepts related?

5) What is a digital signature? How could a digital signature ensure data integrity when conducting e-business?

MULTIPLE CHOICE - Choose the one alternative that best completes the statement or answers the question.

6) In general, the goal of information security management is to protect all of the following except:

A) Confidentiality. B) Integrity. C) Availability. D) Redundancy.

7) Which of the following statements is incorrect about digital signatures?

A) A digital signature can ensure data integrity. B) A digital signature also authenticates the document creator. C) A digital signature is an encrypted message digest. D) A digital signature is a message digest encrypted using the document creator's public key.

8) What is the primary objective of data security controls?

A) To establish a framework for controlling the design, security, and use of computer programs throughout an organization. B) To ensure that data storage media are subject to authorization prior to access, change, or destruction. C) To formalize standards, rules, and procedures to ensure the organization's controls are properly executed. D) To monitor the use of system software to prevent unauthorized access to system software and computer programs.

9) An entity doing business on the internet most likely could use any of the following methods to prevent unauthorized intruders from accessing proprietary information except:

A) Password management. B) Data encryption. C) Digital certificates. D) Batch processing.

10) When a client's accounts payable computer system was relocated, the administrator provided support through a dial-up connection to the server. Subsequently, the administrator left the company. No changes were made to the accounts payable system at that time. Which of the following situations represents the greatest security risk?

A) User passwords are not required to be in alphanumeric format. B) Management procedures for user accounts are not documented. C) User accounts are not removed upon termination of employees. D) Security logs are not periodically reviewed for violations.

11) An information technology director collected the names and locations of key vendors, current hardware configuration, names of team members, and an alternative processing location. What is the director most likely preparing?

A) Data restoration plan. B) Disaster recovery plan. C) System security policy. D) System hardware policy.

12) Bacchus, Inc. is a large multinational corporation with various business units around the world. After a fire destroyed the corporation headquarters and largest manufacturing site, plans for which of the following would help Bacchus ensure a timely recovery?

A) Daily backup. B) Network security. C) Business continuity. D) Backup power.

13) Which of the following statements regarding authentication in conducting e-business is incorrect?


A) It is a process that establishes the origin of information or determines the identity of a user, process, or device. B) Only one key is used for encryption and decryption purposes in the authentication process. C) Successful authentication can prevent repudiation in electronic transactions. D) We need to use asymmetric-key encryption to authenticate the sender of a document or data set.

14) Which of the following is not included in the remediation phase for vulnerability management?

A) Risk Response Plan. B) Policy and procedures for remediation. C) Vulnerability Prioritization. D) Control Implementation.

15) Which of the following does not represent a viable data backup method?

A) Disaster recovery plan. B) Redundant arrays of independent drives. C) Virtualization. D) Cloud computing.

16) Which of the following statements about asymmetric-key encryption is correct?

A) When using the asymmetric-key encryption method, a total of two keys are necessary in electronic communication between two parties. B) Employees in the same company share the same public key. C) Most companies would like to manage the private keys for their employees. D) Most companies would like to use a Certificate Authority to manage the public keys of their employees. E) Two of the above are correct.

17) Which of the following statements is incorrect?

A) A fraud prevention program starts with a fraud risk assessment across the entire firm. B) The audit committee typically has an oversight role in the risk assessment process. C) Communicating a firm's policy file to employees is one of the most important responsibilities of management. D) A fraud prevention program should include an evaluation on the efficiency of business processes.

18) A disaster recovery approach should include which of the following elements?

A) Encryption. B) Firewalls. C) Regular backups. D) Surge protectors.

19) Which of the following is a password security weakness?

A) Users are assigned passwords when accounts are created, but do not change them. B) Users have accounts on several systems with different passwords. C) Users write down their passwords on a note paper, and carry it with them. D) Users select passwords that are not part of an online password dictionary.

20) To prevent invalid data input, a bank added an extra number at the end of each account number and subjected the new number to an algorithm. This technique is known as:

A) A validation check. B) Check digit verification. C) A dependency check. D) A format check.
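The control in question 20 is check digit verification. The test bank does not say which algorithm the bank used; the Go program below is an added example, not part of the test bank, and assumes the Luhn algorithm, the one commonly applied to account and card numbers. It computes the check digit for a constructed sample account number and shows which keying errors the digit catches.

```go
package main

import (
	"fmt"
	"strings"
)

// luhnSum walks the digits right to left, doubling every second digit
// (the rightmost one first when doubleRightmost is true) and summing the
// digits of each product. It returns ok=false on any non-digit character.
func luhnSum(digits string, doubleRightmost bool) (sum int, ok bool) {
	double := doubleRightmost
	for i := len(digits) - 1; i >= 0; i-- {
		c := digits[i]
		if c < '0' || c > '9' {
			return 0, false
		}
		d := int(c - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9 // same as adding the two digits of the product
			}
		}
		sum += d
		double = !double
	}
	return sum, true
}

// CheckDigit returns the digit to append to payload so that the complete
// number passes Valid. The payload's rightmost digit becomes the second
// digit from the right once the check digit is appended, so it is doubled.
func CheckDigit(payload string) (byte, bool) {
	if payload == "" {
		return 0, false
	}
	sum, ok := luhnSum(payload, true)
	if !ok {
		return 0, false
	}
	return byte('0' + (10-sum%10)%10), true
}

// Valid reports whether a complete number (payload plus check digit) is
// internally consistent. Spaces are ignored so "7992 7398 713" validates.
func Valid(number string) bool {
	number = strings.ReplaceAll(number, " ", "")
	if len(number) < 2 {
		return false
	}
	sum, ok := luhnSum(number, false)
	return ok && sum%10 == 0
}

func main() {
	payload := "7992739871" // constructed sample account number, check digit not yet added
	cd, _ := CheckDigit(payload)
	full := payload + string(cd)
	fmt.Printf("%s -> %s\n", payload, full)
	// The genuine number, a single wrong digit, and two adjacent digits swapped.
	for _, entered := range []string{full, "79927398714", "79927398731"} {
		fmt.Printf("%s valid: %v\n", entered, Valid(entered))
	}
}
```

A check digit is an input-validation control, not a security control: it detects every single-digit keying error and every adjacent transposition except 09 and 90, but anyone can compute a valid digit, so it proves nothing about who entered the number or whether they are entitled to the account.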

21) Why does a Certificate Authority (CA) play an important role in a company's information security management?

A) Using a CA is required by SOX in managing information security. B) A CA is responsible for generating session keys for encryption purposes. C) Most companies use a CA to manage their employees' public keys. D) A CA creates and maintains both the public and private keys for a company's employees.

22) When computer programs or files can be accessed from terminals, users should be required to enter a(n):

A) Parity check. B) Password as a personal identification code. C) Check digit. D) Echo check.

23) Which of the following controls would most likely assure that a company can reconstruct its financial records?

A) Security controls such as firewalls. B) Backup data are tested and stored safely. C) Personnel understand the data very well. D) Paper records.

24) Why would companies want to use digital signatures when conducting e-business?

A) They are cheap. B) They are always the same so it can be verified easily. C) They are more convenient than requiring a real signature. D) They can authenticate the document sender and maintain data integrity.

25) Select a correct statement regarding encryption methods.

A) To use symmetric-key encryption, each user needs two different keys. B) Most companies prefer using symmetric-key encryption to the asymmetric-key encryption method. C) Both symmetric-key and asymmetric-key encryption methods require the involvement of a certificate authority. D) When conducting e-business, most companies use both symmetric-key and asymmetric-key encryption methods.

26) Select a correct statement regarding a hashing process.

A) It is reversible. B) The outcome is a message digest. C) It is not necessary to use a hashing process in creating a digital signature. D) It is used for authentication.

27) Which of the following IT controls would best prevent a developer from inappropriately accessing the system?

A) Forced password changes. B) Secondary code review. C) Symmetric encryption. D) Lack of authentication.

28) Which of the following IT controls would best prevent a currency trader from concealing his/her trading errors?

A) End user access to source code. B) Multifactor authentication. C) Symmetric encryption. D) Use of a private key.

29) Which of the following is not an example of a physical security vulnerability?

A) Unescorted visitors on the premises. B) Poor choice of passwords. C) Lack of a smoke detector in the room housing servers. D) Lack of a disaster recovery plan.

30) Which of the following is not an example of vulnerability within the process of IT operations?

A) Software not patched. B) Inappropriate data classification. C) Ineffective training. D) Poor firewall rules.

31) Which of the following is not an example of a vulnerability within an Information System?

A) Outdated intrusion detection/prevention system. B) Lack of a disaster recovery plan. C) Improper system configuration. D) Failure to audit and terminate unused accounts in a timely manner.

32) What could result from the failure to audit and terminate unused accounts in a timely manner?

A) A disgruntled employee may send out phishing emails. B) A SOC 1 report will be generated. C) Computer hardware may be taken off premises. D) A disgruntled employee may tamper with company applications.

33) Which of the following describes the primary goals of the CIA approach to information security management?

A) Controls, Innovation, Analysis. B) Confidentiality, Integrity, Availability. C) Convenience, Integrity, Awareness. D) Confidentiality, Innovation, Availability.

34) Which of the following is not one of the common techniques for information security risks and attacks?

A) Spam. B) Botnet. C) TraceRT. D) Social Engineering.

35)

Encryption is a control that changes plain text into which of the following?

A) Cyberspace. B) Cryptext. C) Mnemonic code. D) Cyphertext.

36) Asymmetric-key encryption uses which of the following techniques to allow users to communicate securely?

A) A message digest. B) A 16-bit encryption key. C) A public key and a private key. D) A digital signature.

37) A Public Key Infrastructure (PKI) provides the ability to do which of the following?

A) Encrypt messages using a private key. B) Enable debit and credit card transactions. C) Read plaintext. D) Issue, maintain, and revoke digital certificates.

38) Which of the following best illustrates the use of multifactor authentication?

A) Requiring password changes every 30, 60, or 90 days. B) Requiring the use of a smart card and a password. C) Requiring the use of upper case, lower case, numeric, and special characters for a password. D) The use of a fingerprint scanner for access to a device.

39) Both ISACA and the GTAG define vulnerability. Which of the following does not represent one of these definitions?

A) The nature of IT resources that can be exploited by a threat to cause damage. B) An organization's exposure to disaster. C) Weaknesses or exposures in IT assets that may lead to business, compliance, or security risk. D) All of the other items represent the definitions of vulnerability stated by ISACA and the GTAG.


40) Which of the following statements is true regarding risk management and vulnerability management?

A) They both have the objective of reducing the likelihood that detrimental events occur. B) Risk management is often conducted using an IT asset-based approach. C) Vulnerability management is more complex and strategic. D) Both approaches involve processes that typically take many months or years to complete.

41) Which of the following describes the recommended prerequisites for managing vulnerabilities?

A) Implement the COSO ERM framework, and identify key vulnerabilities. B) Determine the main objective of vulnerability management, and assign roles and responsibilities. C) Identify the key vulnerabilities, and implement appropriate controls to minimize the vulnerabilities. D) Implement suitable controls, and assess those controls for potential vulnerabilities.

42) Which of the following is not one of the main components of vulnerability management and assessment?

A) Identification. B) Remediation. C) Internalization. D) Maintenance.


43) For businesses considering a cloud computing solution, which of the following should they ask the cloud vendor to provide before entering into a contract for critical business operations?

A) FASB 51 Report. B) Audit Report. C) SAS 3 Report. D) SOC 2 Report.

44) Which of the following statements is most accurate with regard to business continuity management (BCM) and disaster recovery planning (DRP)?

A) DRP is an important component of BCM. B) BCM and DRP should be considered independently of each other. C) BCM is an important component of DRP. D) DRP should be considered as optional, while BCM should be considered as necessary.

45)

A RAID array implemented in a data center is an example of which of the following?

A) Virtualization. B) Uninterruptible power supply. C) Fault tolerance. D) SOC 3.

SHORT ANSWER. Write the word or phrase that best completes each statement or answers the question.

46) A magnetic tape used to store data backups was lost while it was being transported to an offsite storage location. The data on the tape includes customers' credit card and personal information. Which preventive control(s) should have been used to minimize the potential loss?

47) List the following steps regarding computer fraud risk assessments in sequence.
(a) Assessing the likelihood and business impact of a control failure and/or a fraud incident.
(b) Mapping existing controls to potential fraud schemes and identifying gaps.
(c) Identifying potential IT fraud schemes and prioritizing them based on likelihood and impact.
(d) Identifying relevant IT fraud risk factors.
(e) Testing operating effectiveness of fraud prevention and detection controls.

TRUE/FALSE - Write 'T' if the statement is true and 'F' if the statement is false.

48) The fraud triangle includes incentive, opportunity and an attitude to rationalize the fraud.

49) The goal of information security management is to maintain confidentiality, integrity and availability of a firm's information.

50) Encryption is a preventive control ensuring data confidentiality and privacy during transmission and for storage.

51) Asymmetric-key encryption is suitable for encrypting large data sets or messages.

52) Key distribution and key management are problematic under symmetric-key encryption.

53) The symmetric-key encryption method is used to authenticate users.

54) A Certificate Authority (CA) issues digital certificates to bind the subscriber with a public key and a private key.

55) A company's audit committee is solely responsible for fraud risk assessments.

56) One type of fault tolerance is using redundant units to provide a system the ability to continue functioning when part of the system fails.

57) Disaster recovery planning and business continuity management are unrelated.

58) Information security is a critical factor in maintaining systems integrity.

59) The goal of information security management is to enhance the confidence, integrity and authority (CIA) of a firm's information.

60) A Trojan Horse is a self-replicating, self-propagating, self-contained program that uses networking mechanisms to spread itself.

61) Spam is a self-replicating program that runs and spreads by modifying other programs or files.

62) Encryption and hashing are similar processes to maintain data confidentiality.

63) The hashing process can be reversed and it is used for maintaining data confidentiality.

64) When using an asymmetric encryption algorithm, for two trading parties to conduct e-business, they need to use two keys.

65) Symmetric-key encryption is rarely used today due to key distribution and key management issues.

66) Most companies use both symmetric-key and asymmetric-key encryption methods when conducting e-business.

67) The purpose of using a digital signature is for authentication.

Answer Key Test name: Chapter 14 Test Bank

1) To authenticate a trading partner (TP), the contact person (CP) of a company sends a challenge message to TP. TP uses her private key to encrypt the challenge message and sends it to CP. If CP is able to use TP's public key to decrypt and get the plaintext of the challenge message, CP has authenticated TP successfully. The challenge must be a fresh random value each time, so that a response captured earlier cannot be replayed, and CP must already hold an authentic copy of TP's public key, which is what a CA-issued certificate provides.

2) First, determine the main objectives of its vulnerability management. In some cases, the firm should determine which laws, regulations, and standards it should comply with. Second, a firm should assign roles and responsibilities for vulnerability management. The management may designate a team to be responsible for developing and implementing the vulnerability management program.

3) The components of vulnerability assessment include identification and risk assessment. Identification process: identifying all critical IT assets, threats and vulnerabilities. Risk assessment process: assessing vulnerabilities and prioritizing vulnerability issues. The components of vulnerability management include remediation and maintenance. Remediation process: making a risk response plan, preparing the policy and requirements for remediation, as well as control implementation. Maintenance: monitoring, ongoing assessment and continuous improvement.
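The exchange in answer key item 1, together with the digital-signature mechanics behind questions 5, 7, 26 and 67 (hash the document to a message digest, sign the digest with the private key, verify with the public key), as an added Go example that is not part of the test bank. What the answer key calls "encrypting with the private key" is the signing operation; the example uses RSA-PSS over a SHA-256 digest. Key pairs are generated in place rather than obtained from a CA certificate, which is an assumption of the example, and the sample document is constructed.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Signer holds one party's key pair. The private key never leaves the
// party; the public key is what its partners hold. Assumption of this
// example: the pair is generated here, not taken from a CA-issued certificate.
type Signer struct {
	priv *rsa.PrivateKey
}

func NewSigner() (*Signer, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Signer{priv: priv}, nil
}

// Public returns the key a partner uses to verify this party's signatures.
func (s *Signer) Public() *rsa.PublicKey { return &s.priv.PublicKey }

// Sign reduces the document to a fixed-size message digest with SHA-256 and
// signs that digest with the private key (RSA-PSS). The hash is one-way:
// the digest does not reveal the document, and no second document with the
// same digest can be found in practice.
func (s *Signer) Sign(doc []byte) ([]byte, error) {
	digest := sha256.Sum256(doc)
	return rsa.SignPSS(rand.Reader, s.priv, crypto.SHA256, digest[:], nil)
}

// Verify recomputes the digest of the document as received and checks the
// signature with the sender's public key. A single changed byte yields a
// different digest, so the check fails (integrity); only the holder of the
// matching private key could have produced a passing signature (origin).
func Verify(pub *rsa.PublicKey, doc, sig []byte) bool {
	digest := sha256.Sum256(doc)
	return rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, nil) == nil
}

// AuthenticatePartner is the challenge-response exchange from answer key
// item 1. CP (the verifier) sends a fresh random challenge, the partner
// signs it with its private key, and CP checks the response against the
// public key it already trusts for that partner. Because the nonce is fresh,
// a response captured from an earlier exchange cannot be replayed.
func AuthenticatePartner(partner *Signer, trustedPub *rsa.PublicKey) (bool, error) {
	challenge := make([]byte, 32)
	if _, err := rand.Read(challenge); err != nil {
		return false, err
	}
	response, err := partner.Sign(challenge) // the partner's side of the exchange
	if err != nil {
		return false, err
	}
	return Verify(trustedPub, challenge, response), nil // CP's side
}

func main() {
	tp, err := NewSigner()
	if err != nil {
		panic(err)
	}
	doc := []byte("PO 1042: 500 units at 12.50") // constructed sample document
	sig, err := tp.Sign(doc)
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine document verifies:", Verify(tp.Public(), doc, sig))
	altered := []byte("PO 1042: 500 units at 2.50") // one character changed in transit
	fmt.Println("altered document verifies:", Verify(tp.Public(), altered, sig))

	impostor, err := NewSigner()
	if err != nil {
		panic(err)
	}
	ok, _ := AuthenticatePartner(impostor, tp.Public())
	fmt.Println("impostor passes challenge:", ok)
	ok, _ = AuthenticatePartner(tp, tp.Public())
	fmt.Println("real partner passes challenge:", ok)
}
```

The second half of main is the point of questions 21 and 37: the exchange only proves anything if CP's copy of TP's public key is genuine, and binding a public key to an identity is what the CA-issued certificate in a PKI is for.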
