a. The concept of defense-in-depth reflects the fact that security involves the use of a few sophisticated technical controls. (Incorrect. The concept of defense-in-depth is based on the idea that, given enough time and resources, any single control, no matter how sophisticated, can be overcome—therefore, the use of redundant, overlapping controls maximizes security.)
b. Information security is necessary for protecting confidentiality, privacy, integrity of processing, and availability of information resources. (Correct. As Figure 8-2 shows, security is the foundation for achieving the other four components of system reliability.)
c. The time-based model of security can be expressed in the following formula: P < D + C (Incorrect. The formula is P > D + C.)
d. Information security is primarily an IT issue, not a managerial concern. (Incorrect. Security is primarily a managerial issue because only management can choose the most appropriate risk response to protect the organization’s information resources.)
2. Which of the following is a preventive control?
a. training (Correct. Training is designed to prevent employees from falling victim to social engineering attacks and unsafe practices such as clicking on links embedded in e-mail from unknown sources.)
b. log analysis (Incorrect. Log analysis involves examining a record of events to discover anomalies. Thus, it is a detective control.)
c. CIRT (Incorrect. The purpose of a computer incident response team is to respond to and remediate problems and incidents. Thus, it is a corrective control.)
d. virtualization (Incorrect. Virtualization involves using one physical computer to run multiple virtual machines. It is primarily a cost-control measure, not an information security control procedure.)
3. The control procedure designed to restrict what portions of an information system an employee can access and what actions he or she can perform is called ______.
a. authentication (Incorrect. Authentication is the process of verifying a user’s identity to decide whether or not to grant that person access.)
b. authorization (Correct. Authorization is the process of controlling what actions—read, write, delete, etc.—a user is permitted to perform.)
c. intrusion prevention (Incorrect. Intrusion prevention systems monitor patterns in network traffic to identify and stop attacks.)
d. intrusion detection (Incorrect. Intrusion detection is a detective control that identifies when an attack has occurred.)
4. A weakness that an attacker can take advantage of to either disable or take control of a system is called a(n)_____.
a. exploit (Incorrect. An exploit is the software code used to take advantage of a weakness.)
b. patch (Incorrect. A patch is code designed to fix a weakness.)
c. vulnerability (Correct. A vulnerability is any weakness that can be used to disable or take control of a system.)
d. attack (Incorrect. An attack is the action taken against a system. To succeed, it exploits a vulnerability.)
5. Which of the following is a corrective control designed to fix vulnerabilities?
a. virtualization (Incorrect. Virtualization involves using one physical computer to run multiple virtual machines. It is primarily a cost-control measure, not an information security control procedure.)
b. patch management (Correct. Patch management involves replacing flawed code that represents a vulnerability with corrected code, called a patch.)
c. penetration testing (Incorrect. Penetration testing is a detective control.)
d. authorization (Incorrect. Authorization is a preventive control used to restrict what users can do.)
6. Which of the following is a detective control?
a. Endpoint hardening (Incorrect. Hardening is a preventive control that seeks to eliminate vulnerabilities by reconfiguring devices and software.)
b. Physical access controls (Incorrect. Physical access controls are a preventive control designed to restrict access to a system.)
c. Penetration testing (Correct. Penetration testing is a detective control designed to identify how long it takes to exploit a vulnerability.)
d. Patch management (Incorrect. Patch management is a corrective control that fixes vulnerabilities.)
7. A firewall that implements perimeter defense by examining only information in the packet header of a single IP packet in isolation is using a technique referred to as _______.
a. deep packet inspection (Incorrect. Deep packet inspection examines the contents of the data in the body of the IP packet, not just the information in the packet header.)
b. static packet filtering (Correct. Static packet filtering examines the headers of individual IP packets.)
c. stateful packet filtering (Incorrect. Stateful packet filtering examines not only the headers of individual IP packets but also a state table to determine whether incoming packets are part of an already established connection.)
d. single packet inspection (Incorrect. There is no such thing.)
8. Which of the following techniques is the most effective way to protect the perimeter?
a. deep packet inspection (Correct. Deep packet inspection examines the contents of the data in the body of the IP packet, not just the information in the packet header. This is the best way to catch malicious code.)
b. static packet filtering (Incorrect. Static packet filtering examines the headers of individual IP packets. It can be fooled by attacks that pretend to be sending a response to earlier outbound messages.)
c. stateful packet filtering (Incorrect. Stateful packet filtering maintains information about “state” or connections initiated by the organization, but it examines only the information in the packet header. Therefore, it cannot detect malware in the payload of a message.)
d. All of the above are equally effective (Incorrect. Choices b and c are less effective than choice a.)
9. Which of the following combinations of credentials is an example of multifactor authentication?
a. voice recognition and a fingerprint reader (Incorrect. This is a combination of two biometric credentials and is an example of multimodal authentication.)
b. a PIN and an ATM card (Correct. The PIN is something a person knows; the ATM card is something the person has.)
c. password and a user ID (Incorrect. These are both things a person knows and thus represent an example of multimodal authentication.)
d. all of the above (Incorrect. Only choice b is correct.)
10. Modifying default configurations to turn off unnecessary programs and features to improve security is called ______.
a. user account management (Incorrect. User account management is a preventive control that limits what a user can do.)
b. defense-in-depth (Incorrect. Defense-in-depth is the general security principle of using multiple overlapping controls to protect a system.)
c. vulnerability scanning (Incorrect. Vulnerability scanning is a detective control designed to identify weaknesses.)
d. hardening (Correct. This is the definition of hardening.)
1. Which of the following statements is true?
a. Encryption is sufficient to protect confidentiality and privacy. (Incorrect. Encryption is not sufficient, because sensitive information cannot be encrypted at all times—it must be decrypted during processing, when displayed on a monitor, or included in a printed report.)
b. Cookies are text files that only store information. They cannot perform any actions. (Correct. Cookies are text files, not executable programs. They can, however, store sensitive information, so they should be protected.)
c. The controls for protecting confidentiality are not effective for protecting privacy. (Incorrect. The same set of controls—encryption, access controls, and training—can be used to protect both confidentiality and privacy.)
d. All of the above are true. (Incorrect. Statements a and c are false.)
2. A digital signature is ____________.
a. created by hashing a document and then encrypting the hash with the signer’s private key (Correct. Creating a hash provides a way to verify the integrity of a document, and encrypting it with the signer’s private key provides a way to prove that the sender created the document.)
b. created by hashing a document and then encrypting the hash with the signer’s public key (Incorrect. Anyone could encrypt something with the signer’s public key. Therefore, this process cannot be used to prove who created a document.)
c. created by hashing a document and then encrypting the hash with the signer’s symmetric key (Incorrect. A symmetric key is possessed by more than one party, so encrypting something with it does not provide a means to prove who created a document.)
d. none of the above (Incorrect. Only choices b and c are incorrect; choice a is correct.)
3. Able wants to send a file to Baker over the Internet and protect the file so that only Baker can read it and can verify that it came from Able. What should Able do?
a. Encrypt the file using Able’s public key, and then encrypt it again using Baker’s private key. (Incorrect. Able does not know Baker’s private key.)
b. Encrypt the file using Able’s private key, and then encrypt it again using Baker’s private key. (Incorrect. Able does not know Baker’s private key.)
c. Encrypt the file using Able’s public key, and then encrypt it again using Baker’s public key. (Incorrect. Baker does not know Able’s private key and therefore cannot decrypt the file encrypted with Able’s public key.)
d. Encrypt the file using Able’s private key, and then encrypt it again using Baker’s public key. (Correct. Encrypting it with Baker’s public key means that only Baker can decrypt it. Then, Baker can use Able’s public key to decrypt the file—if the result is understandable, it had to have been created by Able and encrypted with Able’s private key.)
4. Which of the following statements is true?
a. Encryption and hashing are both reversible (can be decoded). (Incorrect. Hashing is irreversible.)
b. Encryption is reversible, but hashing is not. (Correct. Encryption can be reversed to decrypt the ciphertext, but hashing cannot be reversed.)
c. Hashing is reversible, but encryption is not. (Incorrect. Hashing is irreversible, but encryption is reversible.)
d. Neither hashing nor encryption is reversible. (Incorrect. Encryption is reversible, a process called decryption.)
5. Confidentiality focuses on protecting ____________.
a. personal information collected from customers (Incorrect. Protecting customers’ personal information relates to the principle of privacy.)
b. a company’s annual report stored on its Web site (Incorrect. A company’s annual report is meant to be available to the public.)
c. merger and acquisition plans (Correct. Merger and acquisition plans are sensitive information that should not be made public until the deal is consummated.)
d. all of the above (Incorrect. Statements a and b are false.)
6. Which of the following statements about obtaining consent to collect and use a customer’s personal information is true?
a. The default policy in Europe is opt-out, but in the United States the default is opt-in. (Incorrect. The default policy in Europe is opt-in, and in the United States it is opt-out.)
b. The default policy in Europe is opt-in, but in the United States the default is opt-out. (Correct.)
c. The default policy in both Europe and the United States is opt-in. (Incorrect. The default policy in Europe is opt-in, and in the United States it is opt-out.)
d. The default policy in both Europe and the United States is opt-out. (Incorrect. The default policy in Europe is opt-in and in the U.S. it is opt-out.)
7. One of the ten Generally Accepted Privacy Principles concerns security. According to GAPP, what is the nature of the relationship between security and privacy?
a. Privacy is a necessary, but not sufficient, precondition to effective security. (Incorrect. Security is one of the ten criteria in GAPP because you need security in order to have privacy. Security alone, however, is not enough—that is why there are nine other criteria in GAPP.)
b. Privacy is both necessary and sufficient to effective security. (Incorrect. Security is one of the ten criteria in GAPP because you need security in order to have privacy. Security alone, however, is not enough—that is why there are nine other criteria in GAPP.)
c. Security is a necessary, but not sufficient, precondition to protect privacy. (Correct.)
d. Security is both necessary and sufficient to protect privacy. (Incorrect. Security is one of the ten criteria in GAPP because you need security in order to have privacy. Security alone, however, is not enough—that is why there are nine other criteria in GAPP.)
8. Which of the following statements is true?
a. Symmetric encryption is faster than asymmetric encryption and can be used to provide nonrepudiation of contracts. (Incorrect. Symmetric encryption cannot be used for nonrepudiation because both parties share the key, so there is no way to prove who created and encrypted a document.)
b. Symmetric encryption is faster than asymmetric encryption but cannot be used to provide nonrepudiation of contracts. (Correct. Symmetric encryption is faster than asymmetric encryption, but it cannot be used for nonrepudiation; the key is shared by both parties, so there is no way to prove who created and encrypted a document.)
c. Asymmetric encryption is faster than symmetric encryption and can be used to provide nonrepudiation of contracts. (Incorrect. Symmetric encryption is faster than asymmetric encryption.)
d. Asymmetric encryption is faster than symmetric encryption but cannot be used to provide nonrepudiation of contracts. (Incorrect. Symmetric encryption is faster than asymmetric encryption. Also, asymmetric encryption can be used to provide nonrepudiation, because encrypting a contract with the creator’s private key proves that the encrypter did indeed create the contract.)
9. Which of the following statements is true?
a. VPNs protect the confidentiality of information while it is in transit over the Internet. (Incorrect. This statement is true, but so are the others.)
b. Encryption limits firewalls’ ability to filter traffic. (Incorrect. This statement is true—firewalls cannot apply their rules to encrypted packets—but so are the others.)
c. A digital certificate contains that entity’s public key. (Incorrect. This statement is true, but so are the others.)
d. All of the above are true. (Correct. All three statements are true.)
10. Which of the following can organizations use to protect the privacy of a customer’s personal information when giving programmers a realistic data set with which to test a new application?
a. digital signature (Incorrect. A digital signature is used for nonrepudiation. However, because it is an encrypted hash, it cannot be used to test programming logic.)
b. digital watermark (Incorrect. A digital watermark is used to identify proprietary data, but it does not protect privacy.)
c. data loss prevention (Incorrect. Data loss prevention is designed to protect confidentiality by filtering outgoing messages to prevent sensitive data from leaving the company.)
d. data masking (Correct. Masking replaces actual values with fake ones, but the result is still the same type of data, which can then be used to test program logic.)
1. Which of the following is a characteristic of auditing?
a. Auditing is a systematic, step-by-step process. (Incorrect. While this is true, it is not the only correct answer.)
b. Auditing involves the collection and review of evidence. (Incorrect. While this is true, it is not the only correct answer.)
c. Auditing involves the use of established criteria to evaluate evidence. (Incorrect. While this is true, it is not the only correct answer.)
d. All of the above are characteristics of auditing. (Correct. Auditing is a systematic, step-by-step process that involves the collection and review of evidence and uses established criteria to evaluate evidence.)
2. Which of the following is NOT a reason an internal auditor should participate in internal control reviews during the design of new systems?
a. It is more economical to design controls during the design stage than to do so later. (Incorrect. Internal audit should participate in internal control reviews because it is far less expensive to design controls during systems design than to try to implement controls after the system has been designed.)
b. It eliminates the need for testing controls during regular audits. (Correct. Even if the auditor participates in internal control reviews, the auditor will still have to test controls to determine whether they are in place and working as intended.)
c. It minimizes the need for expensive modifications after the system is implemented. (Incorrect. Internal auditors should participate in internal control reviews because it reduces the likelihood of post-system-implementation modifications.)
d. It permits the design of audit trails while they are economical. (Incorrect. Internal auditors should participate in internal control reviews because their participation in systems design does facilitate the design of effective audit trails.)
3. Which type of audit involves a review of general and application controls, with a focus on determining if there is compliance with policies and adequate safeguarding of assets?
a. information systems audit (Correct. An information systems audit reviews general and application controls, with a focus on determining whether there is compliance with policies and adequate safeguarding of assets.)
b. financial audit (Incorrect. A financial audit examines the reliability of accounting records.)
c. operational audit (Incorrect. An operational audit is concerned with the efficient use of resources and the accomplishment of entity objectives.)
d. compliance audit (Incorrect. A compliance audit is concerned with reviewing whether an entity is meeting prescribed policies, rules, and laws.)
4. At what step in the audit process do the concepts of reasonable assurance and materiality enter into the auditor’s decision process?
a. planning (Incorrect. Although materiality and reasonable assurance enter into the auditor’s decision process during planning, they are also important in other steps in the audit process.)
b. evidence collection (Incorrect. Although materiality and reasonable assurance enter into the auditor’s decision process during evidence collection, they are also important in other steps in the audit process.)
c. evidence evaluation (Incorrect. Although materiality and reasonable assurance enter into the auditor’s decision process during evidence evaluation, they are also important in other steps in the audit process.)
d. They are important in all three steps. (Correct. Materiality and reasonable assurance are important when the auditor plans an audit and when the auditor collects and evaluates evidence.)
5. What is the four-step approach to internal control evaluation that provides a logical framework for carrying out an audit?
a. inherent risk analysis (Incorrect. Inherent risk is the susceptibility to material risk in the absence of controls.)
b. systems review (Incorrect. Systems review involves reviewing system documentation and interviewing appropriate personnel to determine whether the necessary procedures are in place.)
c. tests of controls (Incorrect. Tests of controls are conducted to determine whether control policies and procedures are satisfactorily followed.)
d. risk-based approach to auditing (Correct. The risk-based audit approach is a four-step approach to carrying out an audit. The four steps are determining threats, identifying control procedures, evaluating control procedures, and evaluating weaknesses.)
6. Which of the following procedures is NOT used to detect unauthorized program changes?
a. source code comparison (Incorrect. Source code comparison is used to detect unauthorized program changes by thoroughly testing a newly developed program and keeping a copy of its source code.)
b. parallel simulation (Incorrect. To use parallel simulation to detect unauthorized program changes, an auditor writes a version of the program, reprocesses the company’s data, compares the results to the company’s results, and investigates any differences.)
c. reprocessing (Incorrect. To use reprocessing to detect unauthorized program changes, the auditor verifies the integrity of an application program, saves it, and on a surprise basis uses the program to reprocess data and compare that output with the company’s output.)
d. reprogramming code (Correct. Reprogramming code is not used to test for unauthorized program changes.)
7. Which of the following is a concurrent audit technique that monitors all transactions and collects data on those that meet certain characteristics specified by the auditor?
a. integrated test facility (Incorrect. An integrated test facility inserts a dummy company or division into a computer system to test transaction data without affecting real data.)
b. snapshot techniques (Incorrect. The snapshot technique records the content of both a transaction record and a related master file record before each processing step.)
c. SCARF (Correct. System control audit review file is a concurrent audit technique that embeds audit modules into application software to monitor continuously all transaction activity.)
d. audit hooks (Incorrect. An audit hook is a concurrent audit technique that embeds audit routines into application software to flag certain kinds of transactions that might be indicative of fraud.)
8. Which of the following is a computer technique that assists an auditor in understanding program logic by identifying all occurrences of specific variables?
a. mapping program (Incorrect. Mapping programs are activated during regular processing and provide information about portions of the application program that were not executed.)
b. program tracing (Incorrect. Program tracing is a technique used to determine application program logic in order to test program controls.)
c. automated flowcharting (Incorrect. Automated flowcharting interprets source code and generates a flowchart of that program.)
d. scanning routine (Correct. Scanning routine software programs search for particular variable names or specific characters.)
9. Which of the following is a computer program written especially for audit use?
a. GAS (Correct. Generalized audit software is a software program written especially for audit uses, such as testing data files. Examples are ACL and IDEA.)
b. CATAS (Incorrect. CATAS has no meaning in information systems auditing. Computer-assisted audit techniques (CAATS) is the name given to all computer-assisted techniques used to audit computers.)
c. ITF (Incorrect. An integrated test facility places a small set of fictitious records in master files. Transactions are processed for these records, and the actual and expected results are compared.)
d. CIS (Incorrect. Continuous and intermittent simulation embeds an audit module in a DBMS that examines all transactions that update the database.)
10. The focus of an operational audit is on which of the following?
a. reliability and integrity of financial information (Incorrect. A financial audit examines the reliability and integrity of financial information.)
b. all aspects of information systems management (Correct. An operational audit is concerned with all aspects of information systems management.)
c. internal controls (Incorrect. The focus of an operational audit is much broader than just internal controls.)
d. safeguarding assets (Incorrect. The focus of an operational audit is much broader than just the safeguarding of assets.)