Which of the following functions is performed by a virtual
private network (VPN)?
A. Hiding information from sniffers on the net
B. Enforcing security policies
C. Detecting misuse or mistakes
D. Regulating access
During the review of an organization's disaster recovery and
business continuity plan, the IS auditor found that a paper
test was performed to verify the existence of all necessary
procedures and actions within the recovery plan. This is a:
A. preparedness test.
B. module test.
C. full test.
D. walk-through test.
Which of the following BEST describes the objectives of
following a standard system development methodology?
A. To ensure that appropriate staffing is assigned and to
provide a method of controlling costs and schedules
B. To provide a method of controlling costs and schedules
and to ensure communication among users, IS auditors,
management and IS personnel
C. To provide a method of controlling costs and schedules
and an effective means of auditing project development
D. To ensure communication among users, IS auditors,
management and personnel and to ensure that appropriate
staffing is assigned
Which of the following will help detect changes made by an
intruder to the system log of a server?
A. Mirroring of the system log on another server
B. Simultaneously duplicating the system log on a write-once
C. Write-protecting the directory containing the system log
D. Storing the backup of the system log offsite
Java applets and ActiveX controls are distributed executable
programs that execute in the background of a web browser
client. This practice is considered reasonable when:
A. a firewall exists.
B. a secure web connection is used.
C. the source of the executable is certain.
D. the host website is part of your organization.
An organization is developing a new business system. Which
of the following will provide the MOST assurance that the
system provides the required functionality?
A. Unit testing
B. Regression testing
C. Acceptance testing
D. Integration testing
Access rules normally are included in which of the following?
A. Technical reference documentation
B. User manuals
C. Functional design specifications
D. System development methodology documents
An IS auditor reviewing operating system access discovers
that the system is not secured properly. In this situation,
the IS auditor is LEAST likely to be concerned that the user
A. create new users.
B. delete database and log files.
C. access the system utility tools.
D. access the system writeable directories.
An internal audit department that organizationally reports
exclusively to the chief financial officer (CFO) rather than
to an audit committee is MOST likely to:
A. have its audit independence questioned.
B. report more business-oriented and relevant findings.
C. enhance the implementation of the auditor's recommendations.
D. result in more effective action being taken on the
Which of the following is the MOST critical and contributes
the MOST to the quality of data in a data warehouse?
A. Accuracy of the source data
B. Credibility of the data source
C. Accuracy of the extraction process
D. Accuracy of the data transformation
A company has recently upgraded its purchase system to
incorporate EDI transmissions. Which of the following
controls should be implemented in the EDI interface in order
to provide for efficient data mapping?
A. Key verification
B. One-for-one checking
C. Manual recalculations
D. Functional acknowledgements
An IS auditor performing a review of the backup processing
facilities should be MOST concerned that:
A. adequate fire insurance exists.
B. regular hardware maintenance is performed.
C. offsite storage of transaction and master files exists.
D. backup processing facilities are tested fully.
A single digitally signed instruction was given to a
financial institution to credit a customer's account. The
financial institution received the instruction three times
and credited the account three times. Which of the following
would be the MOST appropriate control against such multiple
A. Encrypting the hash of the payment instruction with the
public key of the financial institution.
B. Affixing a time stamp to the instruction and using it to
check for duplicate payments.
C. Encrypting the hash of the payment instruction with the
private key of the instructor.
D. Affixing a time stamp to the hash of the instruction
before being digitally signed by the instructor.
Which of the following physical access controls would
provide the highest degree of security over unauthorized access?
A. Bolting door lock
B. Cipher lock
C. Electronic door lock
D. Fingerprint scanner