Question
The difference between a vulnerability assessment and a
penetration test is that a vulnerability assessment:
A. searches and checks the infrastructure to detect
vulnerabilities, whereas penetration testing intends to
exploit the vulnerabilities to probe the damage that could
result from the vulnerabilities.
B. and penetration tests are different names for the same
activity.
C. is executed by automated tools, whereas penetration
testing is a totally manual process.
D. is executed by commercial tools, whereas penetration
testing is executed by public processes.
Question Submitted By :: Guest
© ALL Interview .com
Answer: A
"The objective of a vulnerability assessment is to find the
security holes in the computers and elements analyzed and
its intent is not to damage the infrastructure. The intent
of penetration testing is to imitate a hacker's activities
and determine how far they could go into the network. They
are not the same; they have different approaches. Vulnerability assessments
and penetration testing can be executed both by automated or
manual tools or processes and can be executed by commercial
or free tools."
Answer posted by: Guest

Question
Which of the ISO/OSI model layers provides for routing
packets between nodes?
A. Data link
B. Network
C. Transport
D. Session
Question Submitted By :: Guest
This Interview Question Asked @ Network
Answer: B
The network layer switches and routes information (network
layer header). Node-to-node data link services are extended
across a network by this layer. The network layer provides
service for routing packets (units of information at the
network layer) between nodes connected through an arbitrary
network. The data link layer transmits information as
groups-of-bits (logical units called a frame) to adjacent
computer systems (node-to-node). The bits in a frame are
divided into an address field (media access control (MAC)
48-bit hardware address), control field, data field and error
control field. The transport layer provides end-to-end data
integrity. To ensure reliable delivery, the transport layer
builds on the error control mechanisms provided by lower
layers. If lower layers do not do an adequate job, the
transport layer is the last chance for error recovery. The
session layer provides the control structure for
communications between applications. It establishes, manages
and terminates connections (sessions) between cooperating
applications and performs access security checking.
Answer posted by: Guest

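The division of labour the answer above describes, as an added example that is not part of the original post: a Layer 2 frame is stripped of its Ethernet header, the Layer 3 (IPv4) header is checked, the destination is looked up in a routing table by longest prefix match, and the packet is rewritten (TTL decremented, checksum recomputed) for the next hop. Everything is standard library; the MAC addresses, IP addresses and routing table are constructed for illustration, not taken from any real network.

```python
import ipaddress
import struct

# Added example, not from the page: the Layer 3 forwarding decision the answer
# describes, built from the standard library only. The MAC addresses, IP
# addresses and routing table are constructed for illustration.

ETHERTYPE_IPV4 = b"\x08\x00"


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum over the header. Over a header whose
    checksum field is already filled in, a valid header sums to 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(src_mac: bytes, dst_mac: bytes, src_ip: str, dst_ip: str,
                ttl: int = 64, payload: bytes = b"") -> bytes:
    """Layer 2 (Ethernet II) frame carrying a minimal Layer 3 (IPv4) header."""
    hdr = struct.pack("!BBHHHBBH4s4s",
                      (4 << 4) | 5,            # version 4, IHL 5 (20-byte header)
                      0, 20 + len(payload),    # TOS, total length
                      0x1234, 0x4000,          # identification, DF flag set
                      ttl, 6, 0,               # TTL, protocol (TCP), checksum placeholder
                      ipaddress.IPv4Address(src_ip).packed,
                      ipaddress.IPv4Address(dst_ip).packed)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return dst_mac + src_mac + ETHERTYPE_IPV4 + hdr + payload


# Constructed routing table: (prefix, next hop, egress interface).
ROUTES = [
    (ipaddress.ip_network("0.0.0.0/0"), "192.0.2.1", "eth0"),
    (ipaddress.ip_network("10.0.0.0/8"), "10.1.0.1", "eth1"),
    (ipaddress.ip_network("10.2.0.0/16"), "10.2.0.254", "eth2"),
]


def longest_prefix_match(dst: ipaddress.IPv4Address, routes=ROUTES):
    """Network-layer lookup: the most specific prefix containing dst wins."""
    best = None
    for net, next_hop, iface in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop, iface)
    return best


def route_frame(frame: bytes, routes=ROUTES):
    """Strip the Layer 2 header, make the Layer 3 forwarding decision and
    return (next_hop, interface, rewritten_packet). The rewritten packet has
    its TTL decremented and checksum recomputed; choosing the next hop's MAC
    and building a new frame is the egress link's (Layer 2) job."""
    if frame[12:14] != ETHERTYPE_IPV4:
        raise ValueError("not an IPv4 packet")
    packet = frame[14:]
    ihl = (packet[0] & 0x0F) * 4
    hdr = packet[:ihl]
    if ipv4_checksum(hdr) != 0:
        raise ValueError("bad IPv4 header checksum")
    ttl = hdr[8]
    if ttl <= 1:
        raise ValueError("TTL expired")   # a real router replies ICMP Time Exceeded
    match = longest_prefix_match(ipaddress.IPv4Address(hdr[16:20]), routes)
    if match is None:
        raise ValueError("no route to host")
    new_hdr = hdr[:8] + bytes([ttl - 1]) + hdr[9:10] + b"\x00\x00" + hdr[12:]
    new_hdr = new_hdr[:10] + struct.pack("!H", ipv4_checksum(new_hdr)) + new_hdr[12:]
    return match[1], match[2], new_hdr + packet[ihl:]
```

The point to take from it: the routing decision is made purely on the Layer 3 header (destination address, TTL, header checksum); the Layer 2 addresses are consumed on ingress and regenerated on egress, and the transport-layer payload passes through untouched.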
Question
Which of the following is the MOST secure and economical
method for connecting a private network over the Internet in
a small- to medium-sized organization?
A. Virtual private network
B. Dedicated line
C. Leased line
D. Integrated services digital network
Question Submitted By :: Guest
Answer: A
The most secure way would be a virtual private network (VPN)
using encryption, authentication and tunneling to allow data
to travel securely from a private network to the Internet.
Choices B, C and D are network connectivity options, which
are normally too expensive to be practical for small- to
medium-sized organizations.
Answer posted by: Guest

Question
Which of the following audit procedures would MOST likely be
used in an audit of a systems development project?
A. Develop test transactions
B. Use code comparison utilities
C. Develop audit software programs
D. Review functional requirements documentation
Question Submitted By :: Guest
Answer: D
"The most likely audit procedure in systems development is
the review of the functional requirements, since this will
indicate what the new system is supposed to provide and how.
Based on this documentation other testing may be performed
to confirm that the necessary controls and functionality are
in place. The development of test transactions also may be
performed if necessary; however, this would be to assist functional requirements
testing. The use of code comparison utilities compares two
copies of the source code to identify differences and would
normally be used for system maintenance. Audit software
programs are normally used to integrate production data,
thus it would not be appropriate for a system under
development."
Answer posted by: Guest

Question
When reviewing a system development project an IS auditor
would be PRIMARILY concerned with whether:
A. business objectives are achieved.
B. security and control procedures are adequate.
C. the system utilizes the strategic technical infrastructure.
D. development will comply with the approved quality
management processes.
Question Submitted By :: Guest
Answer: A
The most important issue in reviewing system development
processes is to ensure that business objectives are achieved. A
software development project should meet its objectives.
Security and control procedures are to be considered as a
subset of business objectives, because a well-controlled
system that does not meet business needs is of little
benefit to the organization.
Answer posted by: Guest

Question
Which of the following tests performed by an IS auditor
would be the MOST effective in determining compliance with
an organization's change control procedures?
A. Review software migration records and verify approvals.
B. Identify changes that have occurred and verify approvals.
C. Review change control documentation and verify approvals.
D. Ensure that only appropriate staff can migrate changes
into production.
Question Submitted By :: Guest
Answer: B
The most effective method is to determine through code
comparisons what changes have been made and then verify that
they have been approved. Change control records and software
migration records may not have all changes listed. Ensuring
that only appropriate staff can migrate changes into
production is a key control process, but in itself does not
verify compliance.
Answer posted by: Guest

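The test the answer describes, as an added example that is not part of the original post: fingerprint an approved baseline and what is actually in production, derive the set of changes from the comparison rather than from the change log, and then check every change against the approval register. It runs on the standard library alone; the baseline, production snapshot and register below are constructed sample data (in a real audit the baseline comes from the release build or configuration management system and the register from the change-management tool).

```python
import hashlib
from pathlib import Path

# Added example, not from the page: find what actually changed by comparing an
# approved baseline with what is running, then match every difference against
# the change register. Stdlib only. The baseline, production snapshot and
# approval register below are constructed sample data.


def fingerprint(files):
    """files: {relative path: bytes}. Returns {path: sha256 hex digest}."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def fingerprint_dir(root):
    """Same thing over a real directory tree, for comparing live systems."""
    root = Path(root)
    return fingerprint({p.relative_to(root).as_posix(): p.read_bytes()
                        for p in root.rglob("*") if p.is_file()})


def detect_changes(baseline, production):
    """Compare two fingerprint maps; returns {path: 'added'|'modified'|'deleted'}.
    Because this works from the code itself, a change that was never logged
    still shows up, which is what distinguishes this test from reviewing records."""
    changes = {}
    for path in set(baseline) | set(production):
        before, after = baseline.get(path), production.get(path)
        if before == after:
            continue
        changes[path] = ("added" if before is None else
                         "deleted" if after is None else "modified")
    return changes


def verify_approvals(changes, register):
    """register: {path: {'ticket': str, 'status': str, 'approved_by': str}}.
    Every detected change must trace to an approved ticket with an approver;
    returns the exceptions as (path, kind, reason)."""
    findings = []
    for path, kind in sorted(changes.items()):
        rec = register.get(path)
        if rec is None:
            findings.append((path, kind, "no change record"))
        elif rec["status"] != "approved":
            findings.append((path, kind, f"ticket {rec['ticket']} not approved"))
        elif not rec.get("approved_by"):
            findings.append((path, kind, f"ticket {rec['ticket']} lacks an approver"))
    return findings


# Constructed sample data (assumptions for illustration, not a real system).
BASELINE = fingerprint({
    "app/login.py": b"def login(u, p):\n    return check(u, p)\n",
    "app/report.py": b"def report():\n    return rows()\n",
    "config/db.ini": b"[db]\nhost=db.internal\n",
})
PRODUCTION = fingerprint({
    "app/login.py": b"def login(u, p):\n    audit(u)\n    return check(u, p)\n",  # approved change
    "app/report.py": b"def report():\n    return rows()\n",                        # unchanged
    "app/hotfix.py": b"def bypass():\n    return True\n",                        # no record at all
    "config/db.ini": b"[db]\nhost=db-new.internal\n",                            # ticket still pending
})
REGISTER = {
    "app/login.py": {"ticket": "CHG-1041", "status": "approved", "approved_by": "cab"},
    "config/db.ini": {"ticket": "CHG-1044", "status": "pending", "approved_by": ""},
}


def audit(baseline=BASELINE, production=PRODUCTION, register=REGISTER):
    """Run the whole test and return the list of unapproved changes."""
    return verify_approvals(detect_changes(baseline, production), register)
```

Reading the output the other way round is also useful: an approved ticket whose file shows no difference may mean the change was never deployed, which is a separate finding about the migration process rather than about authorisation.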
Question
In planning a software development project, which of the
following is the MOST difficult to determine?
A. Project slack times
B. The project's critical path
C. Time and resource requirements for individual tasks
D. Relationships that preclude the start of an activity
before others are complete
Question Submitted By :: Guest
Answer: C
"The most difficult problem is effectively estimating a
project's slack time and/or resource requirements for
individual tasks or development activities. This commonly is
done through direct software measures (size-oriented: SLOC,
source lines of code; KLOC, thousand lines of code) or
indirect software measures (function points: values for
number of user inputs, outputs, inquiries, number of files
and interfaces). The other choices are
project management methods and techniques employed that are
dependent on the effectiveness of methods used in deriving
accurate and reliable software development productivity and
performance measures."
Answer posted by: Guest

Question
Which of the following controls would be the MOST
comprehensive in a remote access network with multiple and
diverse subsystems?
A. Proxy server
B. Firewall installation
C. Network administrator
D. Password implementation and administration
Question Submitted By :: Guest
Answer: D
The most comprehensive control in this situation is password
implementation and administration. While firewall
installations are the primary line of defense, they cannot
protect all access and, therefore, an element of risk
remains. A proxy server is a type of firewall installation
and thus the same rules apply. The network administrator may
serve as a control, but typically this would not be
comprehensive enough to serve on multiple and diverse systems.
Answer posted by: Guest

Question
To prevent unauthorized entry to the data maintained in a
dial-up fast response system, an IS auditor should recommend:
A. online terminals be placed in restricted areas.
B. online terminals be equipped with key locks.
C. ID cards be required to gain access to online terminals.
D. online access be terminated after three unsuccessful
attempts.
Question Submitted By :: Guest
Answer: D
The most appropriate control to prevent unauthorized entry
is to terminate connection after a specified number of
attempts. This will deter access through the guessing of IDs
and passwords. The other choices are physical controls,
which are not effective in deterring unauthorized access
via the telephone lines.
Answer posted by: Guest

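The control the answer recommends, as an added example that is not part of the original post: a login guard that counts consecutive failures per account and, once the third failure is reached, refuses further attempts for a lockout period without even checking the password. Standard library only; the user store, password, hashing parameters and clock are constructed for illustration and are not a recommendation for any particular product.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict

# Added example, not from the page: lock an account out after three consecutive
# failed attempts, the dial-up-era "terminate the connection" control in its
# modern form. Stdlib only. The user store, password and clock are constructed
# for illustration; the PBKDF2 parameters are illustrative, not a recommendation.

MAX_FAILURES = 3
LOCKOUT_SECONDS = 15 * 60
PBKDF2_ROUNDS = 100_000


def make_record(password, salt=None):
    """Salted, slow password hash; returns (salt, hash)."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


USERS = {"alice": make_record("correct horse battery staple")}   # constructed sample user


class LoginGuard:
    """Tracks consecutive failures per account; after max_failures the account
    is locked and further attempts are refused until the lockout expires."""

    def __init__(self, users, max_failures=MAX_FAILURES,
                 lockout_seconds=LOCKOUT_SECONDS, clock=time.monotonic):
        self.users = users
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.clock = clock                   # injectable so the behaviour is testable
        self.failures = defaultdict(int)
        self.locked_until = {}

    def _password_ok(self, user, password):
        record = self.users.get(user)
        if record is None:
            # Unknown user: do the same amount of work so response time does
            # not reveal which usernames exist, then fail.
            make_record(password, b"\x00" * 16)
            return False
        salt, expected = record
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        return hmac.compare_digest(candidate, expected)

    def attempt(self, user, password):
        """Returns 'ok', 'denied' or 'locked'."""
        now = self.clock()
        until = self.locked_until.get(user)
        if until is not None:
            if now < until:
                return "locked"              # refuse without checking the password
            del self.locked_until[user]      # lockout expired; counter starts again
        if self._password_ok(user, password):
            self.failures.pop(user, None)    # success resets the failure count
            return "ok"
        self.failures[user] += 1
        if self.failures[user] >= self.max_failures:
            self.failures.pop(user, None)
            self.locked_until[user] = now + self.lockout_seconds
            return "locked"
        return "denied"
```

Two caveats a practitioner should add around this. Locking on the username alone hands an attacker a denial-of-service lever (three wrong guesses against any account name locks out its legitimate owner), so the counter is usually paired with per-source rate limiting and an alert rather than used on its own; and the "locked" response should not be returned more readily for existing accounts than for unknown ones, or it becomes a username enumeration oracle.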
Question
Large-scale systems development efforts:
A. are not affected by the use of prototyping tools.
B. can be carried out independent of other organizational
practices.
C. require that business requirements be defined before the
project begins.
D. require that project phases and deliverables be defined
during the duration of the project.
Question Submitted By :: Guest
Answer: C
The methodology used should provide for business
requirements to be clearly defined before approval of any
development, implementation or modification project. The
phases and deliverables should be decided during the early
planning stages of the project and not throughout its
duration. The phases necessary to complete the project
depend on its size and the type of tools being used by the
project team (e.g., prototyping tools). In addition, the
selected methodology must fit a particular organization's
practices and size.
Answer posted by: Guest

Question
Facilitating telecommunications continuity by providing
redundant combinations of local carrier T-1 lines,
microwaves and/or coaxial cables to access the local
communication loop is:
A. last mile circuit protection.
B. long haul network diversity.
C. diverse routing.
D. alternative routing.
Question Submitted By :: Guest
Answer: A
The method of providing telecommunication continuity through
the use of many recovery facilities providing redundant
combinations of local carrier T-1s, microwave and/or coaxial
cable to access the local communication loop in the event of
a disaster is called last mile circuit protection. Providing
diverse long-distance network availability utilizing T-1
circuits among major long-distance carriers is called long
haul network diversity. This ensures long-distance access
should any one carrier experience a network failure. The
method of routing traffic through split cable facilities or
duplicate cable facilities is called diverse routing.
Alternative routing is the method of routing information via
an alternative medium, such as copper cable or fiber optics.
Answer posted by: Guest

Question
A digital signature contains a message digest to:
A. show if the message has been altered after transmission.
B. define the encryption algorithm.
C. confirm the identity of the originator.
D. enable message transmission in a digital format.
Question Submitted By :: Guest
Answer: A
The message digest is calculated and included in a digital
signature to prove that the message has not been altered. It
should be the same value as a recalculation performed upon
receipt. It does not define the algorithm or enable the
transmission in digital format and has no effect on the
identity of the user, being there to ensure integrity rather
than identity.
Answer posted by: Guest

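The digest/signature relationship the answer describes, as an added example that is not part of the original post. It uses Lamport's one-time signature scheme because that scheme is built from nothing but a hash function, so it runs on the standard library alone and makes the digest's role visible: the signature commits to every bit of SHA-256(message), the verifier recalculates the digest on receipt, and a single altered bit in the message selects different public-key entries and fails verification. The scheme is chosen for illustration, not because the question implies any particular algorithm; the message is constructed.

```python
import hashlib
import hmac
import os

# Added example, not from the page: a complete digital signature built from
# a message digest alone (Lamport one-time signatures). Chosen for illustration
# because it needs only the standard library; it is not the scheme of any
# particular product. The message in the usage is constructed.

DIGEST_BITS = 256


def digest_bits(message: bytes):
    """SHA-256 of the message as a list of 256 bits, most significant first."""
    d = hashlib.sha256(message).digest()
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(DIGEST_BITS)]


class LamportKey:
    def __init__(self, rand=os.urandom):
        # Private key: one pair of random 32-byte preimages per digest bit.
        self._sk = [(rand(32), rand(32)) for _ in range(DIGEST_BITS)]
        # Public key: the hash of every preimage, in the same positions.
        self.pk = [(hashlib.sha256(a).digest(), hashlib.sha256(b).digest())
                   for a, b in self._sk]
        self._used = False

    def sign(self, message: bytes):
        """For each digest bit, reveal the preimage for that bit's value.
        The digest is what gets signed; the message itself never is."""
        if self._used:
            raise RuntimeError("one-time key: signing twice reveals enough preimages to forge")
        self._used = True
        return [self._sk[i][bit] for i, bit in enumerate(digest_bits(message))]


def verify(pk, message: bytes, signature) -> bool:
    """Recalculate the digest on receipt; each revealed preimage must hash to
    the public-key entry selected by the recalculated digest bit."""
    if len(signature) != DIGEST_BITS:
        return False
    ok = True
    for i, bit in enumerate(digest_bits(message)):
        ok &= hmac.compare_digest(hashlib.sha256(signature[i]).digest(), pk[i][bit])
    return ok
```

The test with a second key pair is the part that matches the answer's last sentence: the digest alone says nothing about who signed; what ties the signature to an originator is the verifier's knowledge that a particular public key belongs to that party (a certificate or other out-of-band binding), while the digest only shows whether the bytes that arrived are the bytes that were signed.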
Question
An IS auditor performing an application maintenance audit
would review the log of program changes for the:
A. authorization for program changes.
B. creation date of a current object module.
C. number of program changes actually made.
D. creation date of a current source program.
Question Submitted By :: Guest
Answer: A
The manual log will most likely contain information on
authorized changes to a program. Deliberate, unauthorized
changes will not be documented by the responsible party. An
automated log, found usually in library management products,
and not a change log, would most likely contain date
information for the source and executable modules.
Answer posted by: Guest

Question
Of the following, the MAIN purpose for periodically testing
offsite backup facilities is to:
A. ensure the integrity of the data in the database.
B. eliminate the need to develop detailed contingency plans.
C. ensure the continued compatibility of the contingency
facilities.
D. ensure that program and system documentation remains current.
Question Submitted By :: Guest
Answer: C
The main purpose of offsite hardware testing is to ensure
the continued compatibility of the contingency facilities.
Specific software tools are available to ensure the ongoing
integrity of the database. Contingency plans should not be
eliminated and program and system documentation should be
reviewed continuously for currency.
Answer posted by: Guest

Question
Which of the following provisions in a contract for external
information systems services would an IS auditor consider to
be LEAST significant?
A. Ownership of program and files
B. Statement of due care and confidentiality
C. Continued service of outsourcer in the event of a disaster
D. Detailed description of computer hardware used by the vendor
Question Submitted By :: Guest
Answer: D
The least significant would be the description of computer
hardware. The organization would need to have compatible and
sufficient hardware to be considered a viable service
provider before contract provisions are reviewed.
Answer posted by: Guest