Test bank for accounting information systems 14th edition romney

Accounting Information Systems, 14e (Romney/Steinbart)

Chapter 8 Controls for Information Security

1 Explain how security and the other four principles in the Trust Services Framework affect systems reliability.

1) The Trust Services Framework reliability principle that states that users must be able to enter, update, and retrieve data during agreed-upon times is known as

A) availability.

B) security.

C) maintainability.

D) integrity.

Answer: A

Concept: The trust services framework

Objective: Learning Objective 1

Difficulty: Easy

AACSB: Analytical Thinking

2) According to the Trust Services Framework, the reliability principle of integrity is achieved when the system produces data that

A) is available for operation and use at times set forth by agreement.

B) is protected against unauthorized physical and logical access.

C) can be maintained as required without affecting system availability, security, and integrity.

D) is complete, accurate, and valid.

Answer: D

Concept: The trust services framework

Objective: Learning Objective 1

Difficulty: Easy

AACSB: Analytical Thinking

3) According to the Trust Services Framework, the reliability principle of availability is achieved when the system produces data that

A) is available for operation and use at times set forth by agreement.

B) is protected against unauthorized physical and logical access.

C) can be maintained as required without affecting system availability, security, and integrity.

D) is complete, accurate, and valid.

Answer: A

Concept: The trust services framework

Objective: Learning Objective 1

Difficulty: Easy

AACSB: Analytical Thinking

1 Copyright © 2018 Pearson Education, Inc.

4) According to the Trust Services Framework, the confidentiality principle of integrity is achieved when the system produces data that

A) is available for operation and use at times set forth by agreement.

B) is protected against unauthorized physical and logical access.

C) can be maintained as required without affecting system availability, security, and integrity.

D) is complete, accurate, and valid.

Answer: B

Concept: The trust services framework

Objective: Learning Objective 1

Difficulty: Easy

AACSB: Analytical Thinking

5) Kuzman Jovan called a meeting of the top management at Jovan Capital Management. Number one on the agenda was computer system security. "The risk of security breach incidents has become unacceptable," he said, and turned to the Chief Information Officer. "What do you intend to do?" Which of the following is the best answer?

A) Evaluate and modify the system using COBOL.

B) Evaluate and modify the system using the CTC checklist.

C) Evaluate and modify the system using the Trust Services Framework.

D) Evaluate and modify the system using the COSO Internal Control Framework.

Answer: C

Concept: The trust services framework

Objective: Learning Objective 1

Difficulty: Moderate

AACSB: Analytical Thinking

6) Which of the following is not one of the essential criteria for successfully implementing each of the principles that contribute to systems reliability, as discussed in the Trust Services Framework?

A) Developing and documenting policies.

B) Effectively communicating policies to all outsiders.

C) Designing and employing appropriate control procedures to implement policies.

D) Monitoring the system and taking corrective action to maintain compliance with policies.

Answer: B

Concept: The trust services framework

Objective: Learning Objective 1

Difficulty: Easy

AACSB: Analytical Thinking


7) Identify a party below who was involved with developing the Trust Services Framework.

A) FASB

B) COSO

C) AICPA

D) PCAOB

Answer: C

Concept: The trust services framework

Objective: Learning Objective 1

Difficulty: Moderate

AACSB: Analytical Thinking

8) Information security procedures protect information integrity by

A) preventing fictitious transactions.

B) reducing the system cost.

C) making the system more efficient.

D) making it impossible for unauthorized users to access the system.

Answer: A

Concept: The trust services framework

Objective: Learning Objective 1

Difficulty: Moderate

AACSB: Analytical Thinking

9) The Trust Services Framework reliability principle that states sensitive information be protected from unauthorized disclosure is known as

A) availability.

B) security.

C) confidentiality.

D) integrity.

Answer: C

Concept: The trust services framework

Objective: Learning Objective 1

Difficulty: Moderate

AACSB: Analytical Thinking

10) The Trust Services Framework reliability principle that states personal information should be protected from unauthorized disclosure is known as

A) availability.

B) security.

C) privacy.

D) integrity.

Answer: C

Concept: The trust services framework

Objective: Learning Objective 1

Difficulty: Moderate

AACSB: Analytical Thinking


11) The Trust Services Framework reliability principle that states access to the system and its data should be controlled and restricted to legitimate users is known as

A) availability.

B) security.

C) privacy.

D) integrity.

Answer: B

Concept: The trust services framework

Objective: Learning Objective 1

Difficulty: Moderate

AACSB: Analytical Thinking

12) The Trust Services Framework reliability principle that states access to the system and its data should be accessible to meet operational and contractual obligations to legitimate users is known as

A) availability.

B) security.

C) privacy.

D) integrity.

Answer: A

Concept: The trust services framework

Objective: Learning Objective 1

Difficulty: Moderate

AACSB: Analytical Thinking

13) Describe the five principles of the Trust Services Framework. Select one of the principles and discuss why it is important to an organization.

Answer: The Trust Services Framework organizes IT-related controls into five principles that jointly contribute to systems reliability. (1) Security: access (both physical and logical) to the system and its data is controlled and restricted to legitimate users. (2) Confidentiality: sensitive organizational information (e.g., marketing plans, trade secrets) is protected from unauthorized disclosure. (3) Privacy: personal information about customers, employees, suppliers, or business partners is collected, used, disclosed, and maintained only in compliance with internal policies and external regulatory requirements and is protected from unauthorized disclosure. (4) Processing Integrity: data are processed accurately, completely, in a timely manner, and only with proper authorization. (5) Availability: the system and its information are available to meet operational and contractual obligations. Students' answers may vary depending on which principle they select to discuss in more detail.

Concept: The trust services framework

Objective: Learning Objective 1

Difficulty: Moderate

AACSB: Reflective Thinking


2 Explain two fundamental concepts: why information security is a management issue, and the time-based model of information security.

1) Which of the following is not one of the three fundamental information security concepts?

A) Information security is a technology issue based on prevention.

B) Security is a management issue, not a technology issue.

C) The idea of defense-in-depth employs multiple layers of controls.

D) The time-based model of security focuses on the relationship between preventive, detective and corrective controls.

Answer: A

Concept: Information security concepts

Objective: Learning Objective 2

Difficulty: Easy

AACSB: Analytical Thinking

2) If the time an attacker takes to break through the organization's preventive controls is greater than the sum of the time required to detect the attack and the time required to respond to the attack, then security is

A) effective.

B) ineffective.

C) overdone.

D) undermanaged.

Answer: A

Concept: Information security concepts

Objective: Learning Objective 2

Difficulty: Moderate

AACSB: Analytical Thinking

3) It was 8:03 A.M. when Jiao Jan, the Network Administrator for South Asian Technologies, was informed that the intrusion detection system had identified an ongoing attempt to breach network security. By the time that Jiao had identified and blocked the attack, the hacker had accessed and downloaded several files from the company's server. Using the notation for the time-based model of security, in this case

A) D > P

B) P > D

C) P > C

D) C > P

Answer: A

Concept: Information security concepts

Objective: Learning Objective 2

Difficulty: Challenging

AACSB: Reflective Thinking


4) There are "white hat" hackers and "black hat" hackers. Cowboy451 was one of the "black hat" hackers. He had researched an exploit and determined that he could penetrate the target system, download a file containing valuable data, and cover his tracks in eight minutes. Six minutes into the attack he was locked out of the system. Using the notation of the time-based model of security, which of the following must be true?

A) P < 6

B) D = 6

C) P = 6

D) P > 6

Answer: D

Concept: Information security concepts

Objective: Learning Objective 2

Difficulty: Challenging

AACSB: Reflective Thinking

5) Security is a technology issue and not just a management issue.

Answer: FALSE

Concept: Information security concepts

Objective: Learning Objective 2

Difficulty: Easy

AACSB: Analytical Thinking

6) In the time-based model of information security, P represents

A) the time it takes to respond to and stop the attack.

B) the time it takes for the organization to detect that an attack is in progress.

C) the time it takes an attacker to break through the various controls that protect the organization's information assets.

D) the time it takes to assess threats and select risk response.

Answer: C

Concept: Information security concepts

Objective: Learning Objective 2

Difficulty: Moderate

AACSB: Analytical Thinking

7) In the time-based model of information security, D represents

A) the time it takes to respond to and stop the attack.

B) the time it takes for the organization to detect that an attack is in progress.

C) the time it takes an attacker to break through the various controls that protect the organization's information assets.

D) the time it takes to assess threats and select risk response.

Answer: B

Concept: Information security concepts

Objective: Learning Objective 2

Difficulty: Moderate

AACSB: Analytical Thinking


8) In the time-based model of information security, R represents

A) the time it takes to respond to and stop the attack.

B) the time it takes for the organization to detect that an attack is in progress.

C) the time it takes an attacker to break through the various controls that protect the organization's information assets.

D) the time it takes to assess threats and select risk response.

Answer: A

Concept: Information security concepts

Objective: Learning Objective 2

Difficulty: Moderate

AACSB: Analytical Thinking

9) Describe the steps in the security life cycle.

Answer: There are four steps in the security life cycle. The first step in the security life cycle is to assess the information security-related threats that the organization faces and select an appropriate response. The second step involves developing information security policies and communicating them to all employees. The third step involves the acquisition or building of specific technological tools. The final step in the security life cycle entails regular monitoring of performance to evaluate the effectiveness of the organization's information security program.

Concept: Information security concepts

Objective: Learning Objective 2

Difficulty: Moderate

AACSB: Analytical Thinking

3 Discuss the steps criminals follow to execute a targeted attack against an organization's information system.

1) The steps that criminals take to study their target's physical layout to learn about the controls it has in place is called

A) scanning and mapping the target.

B) social engineering.

C) research.

D) reconnaissance.

Answer: D

Concept: Understanding targeted attacks

Objective: Learning Objective 3

Difficulty: Moderate

AACSB: Analytical Thinking


2) The steps that criminals take to trick an unsuspecting employee into granting them access is called

A) scanning and mapping the target.

B) social engineering.

C) research.

D) reconnaissance.

Answer: B

Concept: Understanding targeted attacks

Objective: Learning Objective 3

Difficulty: Easy

AACSB: Analytical Thinking

3) The steps that criminals take to identify potential points of remote entry is called

A) scanning and mapping the target.

B) social engineering.

C) research.

D) reconnaissance.

Answer: A

Concept: Understanding targeted attacks

Objective: Learning Objective 3

Difficulty: Moderate

AACSB: Analytical Thinking

4) The steps that criminals take to find known vulnerabilities and learn how to take advantage of those vulnerabilities is called

A) scanning and mapping the target.

B) social engineering.

C) research.

D) reconnaissance.

Answer: C

Concept: Understanding targeted attacks

Objective: Learning Objective 3

Difficulty: Moderate

AACSB: Analytical Thinking

5) Organizations are infrequently the target of deliberate attacks.

Answer: FALSE

Concept: Understanding targeted attacks

Objective: Learning Objective 3

Difficulty: Easy

AACSB: Analytical Thinking


6) Social engineering attacks often take place over the Internet.

Answer: FALSE

Concept: Understanding targeted attacks

Objective: Learning Objective 3

Difficulty: Easy

AACSB: Analytical Thinking

7) Describe the basic steps criminals use to attack an organization's information system. Select one of the steps and find a news story that relates to the step that you have chosen.

Answer: The basic steps criminals use to attack an organization's information system include: (1) conduct reconnaissance, (2) attempt social engineering, (3) scan and map the target, (4) research, (5) execute the attack, and (6) cover tracks. Students' answers may vary depending on which step they choose to discuss.

Concept: Understanding targeted attacks

Objective: Learning Objective 3

Difficulty: Challenging

AACSB: Reflective Thinking

4 Describe the preventive, detective, and corrective controls that can be used to protect an organization's information.

1) Identify the statement below which is not a useful control procedure regarding access to system outputs.

A) Restricting access to rooms with printers.

B) Coding reports to reflect their importance.

C) Allowing visitors to move through the building without supervision.

D) Requiring employees to log out of applications when leaving their desk.

Answer: C

Concept: Protecting information resources

Objective: Learning Objective 4

Difficulty: Easy

AACSB: Analytical Thinking

2) Verifying the identity of the person or device attempting to access the system is an example of

A) authentication.

B) authorization.

C) identification.

D) threat monitoring.

Answer: A

Concept: Protecting information resources

Objective: Learning Objective 4

Difficulty: Easy

AACSB: Analytical Thinking


3) Restricting access of users to specific portions of the system as well as to specific tasks is an example of

A) authentication.

B) authorization.

C) identification.

D) threat monitoring.

Answer: B

Concept: Protecting information resources

Objective: Learning Objective 4

Difficulty: Easy

AACSB: Analytical Thinking

4) ________ is/are an example of a preventive control.

A) Emergency response teams

B) Encryption

C) Log analysis

D) Intrusion detection

Answer: B

Concept: Protecting information resources

Objective: Learning Objective 4

Difficulty: Easy

AACSB: Analytical Thinking

5) ________ is/are an example of a detective control.

A) Physical access controls

B) Encryption

C) Emergency response teams

D) Log analysis

Answer: D

Concept: Protecting information resources

Objective: Learning Objective 4

Difficulty: Easy

AACSB: Analytical Thinking

6) ________ is/are an example of a preventive control.

A) Continuous monitoring

B) Encryption

C) Emergency response teams

D) Log analysis

Answer: B

Concept: Protecting information resources

Objective: Learning Objective 4

Difficulty: Easy

AACSB: Analytical Thinking


7) Which of the following is an example of a corrective control?

A) Physical access controls.

B) Encryption.

C) Intrusion detection.

D) Incident response teams.

Answer: D

Concept: Protecting information resources

Objective: Learning Objective 4

Difficulty: Easy

AACSB: Analytical Thinking

8) Which of the following is an example of a detective control?

A) Physical access controls.

B) Encryption.

C) Continuous monitoring.

D) Incident response teams.

Answer: C

Concept: Protecting information resources

Objective: Learning Objective 4

Difficulty: Easy

AACSB: Analytical Thinking

9) Which of the following is an example of a preventive control?

A) The creation of a "security-aware" culture.

B) The creation of a "Log user friendly" culture.

C) The creation of a "continuous monitoring" culture.

D) The creation of a chief information security officer position.

Answer: A

Concept: Protecting information resources

Objective: Learning Objective 4

Difficulty: Moderate

AACSB: Analytical Thinking

10) Which of the following is not a requirement of effective passwords?

A) Passwords should be changed at regular intervals.

B) Passwords should be no more than 8 characters in length.

C) Passwords should contain a mixture of upper and lowercase letters, numbers and characters.

D) Passwords should not be words found in dictionaries.

Answer: B

Concept: Protecting information resources

Objective: Learning Objective 4

Difficulty: Easy

AACSB: Analytical Thinking


11) Multi-factor authentication

A) involves the use of two or more basic authentication methods.

B) is a table specifying which portions of the systems users are permitted to access.

C) provides weaker authentication than the use of effective passwords.

D) requires the use of more than one effective password.

Answer: A

Concept: Protecting information resources

Objective: Learning Objective 2

Difficulty: Moderate

AACSB: Analytical Thinking

12) An access control matrix

A) is the process of restricting access of authenticated users to specific portions of the system and limiting what actions they are permitted to perform.

B) is used to implement authentication controls.

C) matches the user's authentication credentials to his authorization.

D) is a table specifying which portions of the system users are permitted to access.

Answer: D

Concept: Protecting information resources

Objective: Learning Objective 4

Difficulty: Easy

AACSB: Analytical Thinking

13) Perimeter defense is an example of which of the following preventive controls that are necessary to provide adequate security?

A) Training.

B) Controlling physical access.

C) Controlling remote access.

D) Host and application hardening.

Answer: C

Concept: Protecting information resources

Objective: Learning Objective 4

Difficulty: Easy

AACSB: Analytical Thinking

14) Which of the following preventive controls are necessary to provide adequate security for social engineering threats?

A) Controlling physical access.

B) Encryption.

C) Profiling.

D) Awareness training.

Answer: D

Concept: Protecting information resources

Objective: Learning Objective 4

Difficulty: Easy

AACSB: Analytical Thinking


15) A special purpose hardware device or software running on a general purpose computer, which filters information that is allowed to enter and leave the organization's information system, is known as a(n)

A) demilitarized zone.

B) intrusion detection system.

C) intrusion prevention system.

D) firewall.

Answer: D

Concept: Protecting information resources

Objective: Learning Objective 4

Difficulty: Easy

AACSB: Analytical Thinking

16) A separate network located outside the organization's internal information system that permits controlled access from the Internet to selected resources is known as a(n)

A) demilitarized zone.

B) intrusion detection system.

C) intrusion prevention system.

D) firewall.

Answer: A

Concept: Protecting information resources

Objective: Learning Objective 4

Difficulty: Easy

AACSB: Analytical Thinking

17) This protocol specifies the procedures for dividing files and documents into packets to be sent over the Internet.

A) access control list

B) Internet protocol

C) packet switching protocol

D) transmission control protocol

Answer: D

Concept: Protecting information resources

Objective: Learning Objective 4

Difficulty: Easy

AACSB: Analytical Thinking


18) This protocol specifies the structure of packets sent over the internet and the route to get them to the proper destination.

A) access control list

B) Internet protocol

C) packet switching protocol

D) transmission control protocol

Answer: B

Concept: Protecting information resources

Objective: Learning Objective 4

Difficulty: Easy

AACSB: Analytical Thinking

19) This network access control determines which IP packets are allowed entry to a network and which are dropped.

A) access control list

B) deep packet inspection

C) stateful packet filtering

D) static packet filtering

Answer: A

Concept: Protecting information resources

Objective: Learning Objective 4

Difficulty: Moderate

AACSB: Analytical Thinking

20) Compatibility tests utilize a(n) ________, which is a list of authorized users, programs, and data files the users are authorized to access or manipulate.

A) validity test

B) biometric matrix

C) logical control matrix

D) access control matrix

Answer: D

Concept: Protecting information resources

Objective: Learning Objective 4

Difficulty: Easy

AACSB: Analytical Thinking

21) The process that screens individual IP packets based solely on the contents of the source and/or destination fields in the packet header is known as

A) access control list.

B) deep packet inspection.

C) intrusion filtering.

D) packet filtering.

Answer: D

Concept: Protecting information resources

Objective: Learning Objective 4

Difficulty: Moderate

AACSB: Analytical Thinking


22) The process of maintaining a table listing all established connections between the organization's computers and the internet to determine whether an incoming packet is part of an ongoing communication initiated by an internal computer is known as

A) packet filtering.

B) deep packet inspection.

C) access control list.

D) access control matrix.

Answer: A

Concept: Protecting information resources

Objective: Learning Objective 4

Difficulty: Moderate

AACSB: Analytical Thinking

23) The process that allows a firewall to be more effective by examining the data in the body of an IP packet, instead of just the header, is known as

A) deep packet inspection.

B) stateful packet filtering.

C) static packet filtering.

D) an intrusion prevention system.

Answer: A

Concept: Protecting information resources

Objective: Learning Objective 4

Difficulty: Moderate

AACSB: Analytical Thinking

24) The security technology that evaluates IP packet traffic patterns in order to identify attacks against a system is known as

A) an intrusion prevention system.

B) stateful packet filtering.

C) static packet filtering.

D) deep packet inspection.

Answer: A

Concept: Protecting information resources

Objective: Learning Objective 4

Difficulty: Moderate

AACSB: Analytical Thinking


25) The process of turning off unnecessary features in the system is known as

A) deep packet inspection.

B) hardening.

C) intrusion detection.

D) modaling.

Answer: B

Concept: Protecting information resources

Objective: Learning Objective 4

Difficulty: Easy

AACSB: Analytical Thinking

26) The most common input-related vulnerability is called the

A) softening attack.

B) hardening attack.

C) cross-site scripting attack.

D) buffering attack.

Answer: C

Concept: Protecting information resources

Objective: Learning Objective 4

Difficulty: Moderate

AACSB: Analytical Thinking

27) Which of the below keeps a record of the network traffic permitted to pass through a firewall?

A) Intrusion detection system.

B) Vulnerability scan.

C) Log analysis.

D) Penetration test.

Answer: A

Concept: Protecting information resources

Objective: Learning Objective 4

Difficulty: Moderate

AACSB: Analytical Thinking

28) The process that uses automated tools to identify whether a system possesses any well-known security problems is known as a(n)

A) intrusion detection system.

B) log analysis.

C) penetration test.

D) vulnerability scan.

Answer: D

Concept: Protecting information resources

Objective: Learning Objective 4

Difficulty: Moderate

AACSB: Analytical Thinking


29) ________ is an authorized attempt by an internal audit team or an external security consultant to attempt to break into the organization's information system.

A) Log analysis test

B) Intrusion test

C) Penetration test

D) Vulnerability test

Answer: C

Concept: Protecting information resources

Objective: Learning Objective 4

Difficulty: Moderate

AACSB: Analytical Thinking

30) A well-known hacker started her own computer security consulting business. Many companies pay her to attempt to gain unauthorized access to their network. If she is successful, she offers advice as to how to design and implement better controls. What is the name of the testing for which the hacker is being paid?

A) Penetration test.

B) Vulnerability scan.

C) Deep packet inspection.

D) Buffer overflow test.

Answer: A

Concept: Protecting information resources

Objective: Learning Objective 4

Difficulty: Moderate

AACSB: Reflective Thinking

31) Tools called ________ can be used to identify unused and, therefore, unnecessary programs that represent potential security threats.

A) router scanners

B) vulnerabilities scanners

C) deep inspection scanners

D) TCP scanners

Answer: B

Concept: Protecting information resources

Objective: Learning Objective 4

Difficulty: Moderate

AACSB: Analytical Thinking


32) The ________ disseminates information about fraud, errors, breaches and other improper system uses and their consequences.

A) chief information officer

B) chief operations officer

C) chief security officer

D) computer emergency response team

Answer: C

Concept: Protecting information resources

Objective: Learning Objective 4

Difficulty: Moderate

AACSB: Analytical Thinking

33) A major financial institution hired a renowned security firm to attempt to compromise its computer network. A few days later, the security firm reported that it had successfully entered the financial institution's computer system without being detected. The security firm presented an analysis of the vulnerabilities that had been found to the financial institution. This is an example of a

A) preventive control.

B) detective control.

C) corrective control.

D) security control.

Answer: B

Concept: Protecting information resources

Objective: Learning Objective 4

Difficulty: Easy

AACSB: Analytical Thinking

34) Which of the following is commonly true of the default settings for most commercially available wireless access points?

A) The security level is set at the factory and cannot be changed.

B) Security is set to an adjustable level that changes depending on the wireless network the device is connected to.

C) Security is set to the lowest level that the device is capable of handling.

D) Security is set to the highest level that the device is capable of handling.

Answer: C

Concept: Protecting information resources

Objective: Learning Objective 4

Difficulty: Moderate

AACSB: Analytical Thinking


35) In recent years, many of the attacks carried out by hackers have relied on this type of vulnerability in computer software.

A) Code mastication.

B) Boot sector corruption.

C) URL injection.

D) Buffer overflow.

Answer: D

Concept: Protecting information resources

Objective: Learning Objective 4

Difficulty: Easy

AACSB: Analytical Thinking

36) ShareIt is a social networking site that boasts over a million registered users and a quarterly membership growth rate in the double digits. As a consequence, the size of the information technology department has been growing very rapidly, with many new hires. Each employee is provided with a name badge with a photo and embedded computer chip that is used to gain entry to the facility. This is an example of a(n)

A) authentication control.

B) biometric device.

C) remote access control.

D) authorization control.

Answer: A

Concept: Protecting information resources

Objective: Learning Objective 4

Difficulty: Easy

AACSB: Reflective Thinking

37) New employees of Baker Technologies are assigned user names and appropriate permissions. Their credentials are then entered into the company's information system's access control matrix. This is an example of a(n)

A) authentication control.

B) biometric device.

C) remote access control.

D) authorization control.

Answer: D

Concept: Protecting information resources

Objective: Learning Objective 4

Difficulty: Easy

AACSB: Reflective Thinking


38) New employees of Baker Technologies are assigned user names and appropriate permissions. Each of them was given a company-issued laptop that has an integrated fingerprint reader. In order to log in, the user's fingerprint must be recognized by the reader. This is an example of a(n)

A) authorization control.

B) biometric device.

C) remote access control.

D) defense in depth.

Answer: B

Concept: Protecting information resources

Objective: Learning Objective 4

Difficulty: Easy

AACSB: Reflective Thinking

39) Information technology managers are often in a bind when a new exploit is discovered in the wild. They can respond by updating the affected software or hardware with new code provided by the manufacturer, which runs the risk that a flaw in the update will break the system. Or they can wait until the new code has been extensively tested, but that runs the risk that they will be compromised by the exploit during the testing period. Dealing with these issues is referred to as

A) change management.

B) cloud computing.

C) patch management.

D) user account management.

Answer: C

Concept: Protecting information resources

Objective: Learning Objective 4

Difficulty: Moderate

AACSB: Analytical Thinking

40) The most effective method for protecting an organization from social engineering attacks is providing

A) a firewall.

B) stateful packet filtering.

C) a demilitarized zone.

D) employee awareness training.

Answer: D

Concept: Protecting information resources

Objective: Learning Objective 4

Difficulty: Easy

AACSB: Analytical Thinking

41) The most effective way to protect network resources that are exposed to the internet, yet reside outside of a network is

A) a firewall.

B) employee training.

C) a demilitarized zone.

D) stateful packet filtering.

Answer: C

Concept: Protecting information resources

Objective: Learning Objective 4

Difficulty: Easy

AACSB: Analytical Thinking

42) All employees of E.C. Hoxy are required to pass through a gate and present their photo identification cards to the guard before they are admitted. Entry to secure areas, such as the Information Technology Department offices, requires further procedures. This is an example of a(n)

A) authentication control.

B) authorization control.

C) physical access control.

D) hardening procedure.

Answer: C

Concept: Protecting information resources

Objective: Learning Objective 4

Difficulty: Easy

AACSB: Analytical Thinking

43) Residents in Berryhill received an e-mail stating that there is an armed robber on the loose. The e-mail claimed to be from the Berryhill police department, but it wasn't. Computer forensic experts later determined that the e-mail was sent from a computer lab in Berryhill's public library. The police were then able to uniquely identify the computer that was used by means of its network interface card's ________ address. Security cameras later helped the police reveal the identity of the individual responsible for the hoax.

A) IDS

B) TCP/IP

C) MAC

D) DMZ

Answer: C

Concept: Protecting information resources

Objective: Learning Objective 4

Difficulty: Challenging

AACSB: Analytical Thinking

44) Identify three ways users can be authenticated and give an example of each.

Answer: Users can be authenticated by verifying: 1. something they know (password); 2. something they have (smart card or ID badge); 3. something they are (biometric identification, such as a fingerprint).

Concept: Protecting information resources

Objective: Learning Objective 4

Difficulty: Moderate

AACSB: Analytical Thinking

45) Describe four requirements of effective passwords.

Answer: 1. Strong passwords should be long. 2. Passwords should use a mixture of upper and lowercase letters, numbers and characters. 3. Passwords should be random and not words found in dictionaries. 4. Passwords should be changed frequently.

Concept: Protecting information resources

Objective: Learning Objective 4

Difficulty: Easy

AACSB: Analytical Thinking

46) Explain social engineering.

Answer: Social engineering attacks use deception to obtain unauthorized access to information resources, such as attackers who pose as a janitor or as a legitimate system user. Employees must be trained not to divulge passwords or other information about their accounts to anyone who contacts them and claims to be part of the organization's security team.

Concept: Protecting information resources

Objective: Learning Objective 4

Difficulty: Moderate

AACSB: Analytical Thinking

47) Explain the value of penetration testing.

Answer: Penetration testing involves an authorized attempt by an internal audit team or an external security consultant to break into the organization's information system. This type of service is provided by risk management specialists in all the Big Four accounting firms. These specialists spend more than half of their time on security matters. The team attempts to compromise the system using every means possible. With a combination of systems technology skills and social engineering, these teams often find weaknesses in systems that were believed to be secure.

Concept: Protecting information resources

Objective: Learning Objective 4

Difficulty: Moderate

AACSB: Reflective Thinking

48) Identify six physical access controls.

Answer: Require visitors to sign in and receive a visitor badge before being escorted by an employee; require employees to wear photo ID badges that are checked by security guards; physical locks and keys; storing documents and electronic media in a fire-proof safe or cabinet; restrict or prohibit cell phones, iPods and other portable devices; set screen savers to start after a few minutes of inactivity; set computers to lock keyboards after a few minutes of inactivity; utilize screen protection devices; use biometric devices to authorize access to spaces and equipment; attach and lock laptops to immobile objects; utilize magnetic or chip cards to authorize access to spaces and equipment; limit or prohibit windows and glass walls in sensitive areas.

Concept: Protecting information resources

Objective: Learning Objective 4

Difficulty: Moderate

AACSB: Analytical Thinking

49) A border router

A) routes electronic communications within an organization.

B) connects an organization's information system to the Internet.

C) permits controlled access from the Internet to selected resources.

D) serves as the main firewall.

Answer: B

Concept: Protecting information resources

Objective: Learning Objective 4

Difficulty: Moderate

AACSB: Analytical Thinking

50) A demilitarized zone

A) routes electronic communications within an organization.

B) connects an organization's information system to the Internet.

C) permits controlled access from the Internet to selected resources.

D) serves as the main firewall.

Answer: C

Concept: Protecting information resources

Objective: Learning Objective 2

Difficulty: Moderate

AACSB: Analytical Thinking

51) Describe what information security process the term hardening refers to.

Answer: Hardening is the process of modifying the default configuration of a system to eliminate unnecessary settings and services.

Concept: Protecting information resources

Objective: Learning Objective 4

Difficulty: Moderate

AACSB: Analytical Thinking

52) Describe what a man-trap is and how it contributes to information security.

Answer: A man-trap is a specially designed room to trap unauthorized individuals. Typically, a man-trap room contains two doors. Entry through the first door requires the person to insert an ID card and enter a password. Successful authentication opens the first door, permitting the individual into the room. Once inside the room, the door closes and locks behind the individual. Then, the individual must successfully pass a second set of authentication controls that typically includes a biometric credential. Failure to pass results in the individual being trapped in the room.

Concept: Protecting information resources

Objective: Learning Objective 4

Difficulty: Challenging

AACSB: Reflective Thinking

53) Why does COBIT5 DSS-05.06 stress the importance of restricting physical access to network printers?

A) because hackers can use them to print out sensitive information

B) because hackers often hide inside large network printers until night

C) because document images are often stored on network printers

D) because network printers are easier to hack into than computers

Answer: C

Concept: Protecting information resources

Objective: Learning Objective 2

Difficulty: Moderate

AACSB: Analytical Thinking

54) The most important element of any preventive control is

A) the people.

B) the performance.

C) the procedure(s).

D) the penalty.

Answer: A

Concept: Protecting information resources

Objective: Learning Objective 4

Difficulty: Easy

AACSB: Analytical Thinking

5 Describe the controls that can be used to detect in a timely manner that an organization's information system is under attack.

1) Logs need to be analyzed regularly to detect problems in a timely manner.

Answer: TRUE

Concept: Detecting attacks

Objective: Learning Objective 5

Difficulty: Easy

AACSB: Analytical Thinking

2) A system that creates logs of all network traffic that was permitted to pass the firewall and then analyzes those logs for signs of attempted or successful intrusions is called

A) log analysis.

B) intrusion detection systems.

C) continuous monitoring.

D) defense in depth.

Answer: B

Concept: Detecting attacks

Objective: Learning Objective 5

Difficulty: Easy

AACSB: Analytical Thinking

3) COBIT 5 management practice APO01.08 stresses the importance of ________ of both employee compliance with the organization's information security policies and overall performance of business processes.

A) continuous improvement of

B) continuous reviewing

C) continuous monitoring

D) continuous auditing

Answer: C

Concept: Detecting attacks

Objective: Learning Objective 5

Difficulty: Easy

AACSB: Analytical Thinking

4) Describe the three types of detective controls that enable organizations to detect intrusions and problems in a timely manner.

Answer: The three types of detective controls that enable organizations to detect intrusions and problems in a timely manner are (1) Log analysis. This is the process of examining logs to identify evidence of possible attacks. (2) Network intrusion detection systems. These consist of a set of sensors and a central monitoring unit that create logs of network traffic that was permitted to pass the firewall and then analyze those logs for signs of attempted or successful intrusions. (3) Continuous monitoring. COBIT 5 management practice APO01.08 stresses the importance of continuously monitoring both employee compliance with the organization's information security policies and the overall performance of business processes. Such monitoring is an important detective control that can identify potential problems in a timely manner and identify opportunities to improve existing controls.

Concept: Detecting attacks

Objective: Learning Objective 5

Difficulty: Moderate

AACSB: Analytical Thinking

6 Discuss how organizations can respond in a timely manner to attacks against their information system.

1) Timely detection of problems is not enough to protect organizations' information resources.

Answer: TRUE

Concept: Responding to attacks

Objective: Learning Objective 6

Difficulty: Easy

AACSB: Analytical Thinking

2) Many corrective controls rely on human judgment.

Answer: TRUE

Concept: Responding to attacks

Objective: Learning Objective 6

Difficulty: Easy

AACSB: Analytical Thinking

3) Which of the following is not a step in an organization's incident response process?

A) Recognition.

B) Recovery.

C) Isolation.

D) Containment.

Answer: C

Concept: The trust services framework

Objective: Learning Objective 1

Difficulty: Easy

AACSB: Analytical Thinking

4) Who bears the responsibility for information security in an organization?

A) CIO.

B) CISO.

C) CFO.

D) COO.

Answer: B

Concept: Responding to attacks

Objective: Learning Objective 6

Difficulty: Moderate

AACSB: Analytical Thinking

5) Describe the function of a computer incident response team (CIRT) and the steps that a CIRT should perform following a security incident.

Answer: A CIRT is responsible for dealing with major security incidents and breaches. The team should include technical specialists and senior operations management. In response to a security incident, first the CIRT must recognize that a problem exists. Log analysis and intrusion detection systems can be used to detect problems and alert the CIRT. Second, the problem must be contained, perhaps by shutting down a server or curtailing traffic on the network. Third, the CIRT must focus on recovery. Corrupt programs may need to be reinstalled and data restored from backups. Finally, the CIRT must follow up to discover how the incident occurred and to design corrective controls to prevent similar incidents in the future.

Concept: Responding to attacks

Objective: Learning Objective 6

Difficulty: Moderate

AACSB: Analytical Thinking

7 Explain how virtualization, cloud computing, and the Internet of Things affect information security.

1) Identify one aspect of systems reliability that is not a source of concern with regard to a public cloud.

A) confidentiality

B) privacy

C) efficiency

D) availability

Answer: C

Concept: Virtualization, cloud computing, and the internet

Objective: Learning Objective 7

Difficulty: Moderate

AACSB: Analytical Thinking

2) Identify the primary means of protecting data stored in a cloud from unauthorized access.

A) authentication

B) authorization

C) virtualization

D) securitization

Answer: A

Concept: Virtualization, cloud computing, and the internet

Objective: Learning Objective 7

Difficulty: Moderate

AACSB: Analytical Thinking

3) Virtualization refers to the ability of

A) running multiple systems simultaneously on one physical computer.

B) eliminating the need for a physical computer.

C) using the Internet to perform all needed system functions.

D) using web-based security to protect an organization.

Answer: A

Concept: Virtualization, cloud computing, and the internet

Objective: Learning Objective 7

Difficulty: Moderate

AACSB: Analytical Thinking

4) Cloud computing can potentially generate significant cost savings for an organization.

Answer: TRUE

Concept: Virtualization, cloud computing, and the internet

Objective: Learning Objective 7

Difficulty: Easy

AACSB: Analytical Thinking

5) Cloud computing is generally more secure than traditional computing.

Answer: FALSE

Concept: Virtualization, cloud computing, and the internet

Objective: Learning Objective 7

Difficulty: Easy

AACSB: Analytical Thinking

6) Describe the differences between virtualization and cloud computing.

Answer: Virtualization takes advantage of the power and speed of modern computers to run multiple systems simultaneously on one physical computer. This cuts hardware costs, because fewer servers need to be purchased. Fewer machines mean lower maintenance costs. Data center costs also fall because less space needs to be rented, which also reduces utility costs. Cloud computing takes advantage of the high bandwidth of the modern global telecommunication network to enable employees to use a browser to remotely access software (software as a service), data storage devices (storage as a service), hardware (infrastructure as a service), and entire application environments (platform as a service).

Concept: Virtualization, cloud computing, and the internet

Objective: Learning Objective 7

Difficulty: Moderate

AACSB: Analytical Thinking

7) Describe the security risks associated with virtualization and cloud computing.

Answer: Virtualization and cloud computing alter the risk of some information security threats. For example, unsupervised physical access in a virtualization environment exposes not just one device but also the entire virtual network to the risk of theft or destruction and compromise. Similarly, compromising a cloud provider's system may provide unauthorized access to multiple systems. Moreover, because public clouds are, by definition, accessible via the Internet, the authentication process is the primary means of protecting your data stored in the cloud from unauthorized access. Public clouds also raise concerns about the other aspects of systems reliability (confidentiality, privacy, processing integrity, and availability) because the organization is outsourcing control of its data and computing resources to a third party.

Concept: Virtualization, cloud computing, and the internet

Objective: Learning Objective 7

Difficulty: Moderate

AACSB: Analytical Thinking

8) Describe the concept of Internet of Things (IoT) and its security implications.

Answer: The term Internet of Things (IoT) refers to the embedding of sensors in a multitude of devices (lights, heating and air conditioning, appliances, etc.) so that those devices can now connect to the Internet. The IoT has significant implications for information security. On the one hand, it makes the design of an effective set of controls much more complex. Traditionally, information security focused on controlling access to a limited number of endpoints: laptops, desktop computers, servers, printers, and mobile devices. The move to the IoT means that many other devices found in work settings now provide a potential means of accessing the corporate network and, therefore, must be secured. On the other hand, the IoT provides an opportunity to enhance physical access control.

Concept: Virtualization, cloud computing, and the internet

Objective: Learning Objective 7

Difficulty: Moderate

AACSB: Analytical Thinking
