| Question |
When implementing an application software package, which of
the following presents the GREATEST risk?
A. Uncontrolled multiple software versions
B. Source programs that are not synchronized with object code
C. Incorrectly set parameters
D. Programming errors |
Question Submitted By :: Guest |
© ALL Interview .com |
| Answer | Answer: C
Parameters that are not set correctly would be the greatest
concern when implementing an application software package.
The other choices, though important, are a concern of the
provider, not the organization that is implementing the
software itself.  |
| Guest |
| |
| |
| Question |
The act that describes a computer intruder capturing a
stream of data packets and inserting these packets into the
network as if it were another genuine message stream is called:
A. eavesdropping.
B. message modification.
C. a brute-force attack.
D. packet replay. |
| Answer | Answer: D
Packet replay is a combination of passive and active modes
of attack. This form of attack is particularly effective
when the receiving end of the communication channel is
automated and acts on the receipt and interpretation of
information packets without human intervention.  |
| Guest |
| |
| |
| Question |
A probable advantage to an organization that has outsourced
its data processing services is that:
A. needed IS expertise can be obtained from the outside.
B. greater control can be exercised over processing.
C. processing priorities can be established and enforced
internally.
D. greater user involvement is required to communicate user
needs. |
| Answer | Answer: A
Outsourcing is a contractual arrangement whereby the
organization relinquishes control over part or all of the
information processing to an external party. This is
frequently done to acquire additional resources or expertise
that is not obtainable from inside the organization.  |
| Guest |
| |
| |
| Question |
Which of the following imaging technologies captures
handwriting from a preprinted form and converts it into an
electronic format?
A. Magnetic ink character recognition (MICR)
B. Intelligent voice recognition (IVR)
C. Bar code recognition (BCR)
D. Optical character recognition (OCR) |
| Answer | Answer: D
Optical character recognition (choice D) is used for
capturing handwritten data from forms and converting the
data to an electronic format. MICR is a specialized ink used
on checks (cheques) for the identification of the
instrument, and it is used in reader sorter units present in
bank clearinghouses. Intelligent voice recognition is not an
imaging technology and bar code readers read the bar codes
which identify a specific item (product).  |
| Guest |
| |
| |
| Question |
Which of the following procedures would BEST determine
whether adequate recovery/restart procedures exist?
A. Reviewing program code
B. Reviewing operations documentation
C. Turning off the UPS, then the power
D. Reviewing program documentation |
| Answer | Answer: B
Operations documentation should contain recovery/restart
procedures, so operations can return to normal processing in
a timely manner. Turning off the UPS and then turning off
the power might create a situation for recovery and restart,
but the negative effect on operations would prove this
method to be undesirable. The review of program code and
documentation generally does not provide evidence regarding
recovery/restart procedures.  |
| Guest |
| |
| |
| Question |
Which of the following development methods uses a prototype
that can be updated continually to meet changing user or
business requirements?
A. Data-oriented development (DOD)
B. Object-oriented development (OOD)
C. Business process reengineering (BPR)
D. Rapid application development (RAD) |
| Answer | Answer: D
Only RAD uses prototyping as its core development tool. OOD
and DOD use continuously developing models, and BPR attempts
to convert an existing business process rather than make
dynamic changes.  |
| Guest |
| |
| |
| Question |
Which of the following reports is a measure of
telecommunication transmissions and determines whether
transmissions are completed accurately?
A. Online monitor reports
B. Downtime reports
C. Help desk reports
D. Response time reports |
| Answer | Answer: A
"Online monitors measure telecommunication transmissions and
determine whether transmissions are completed accurately.
Downtime reports track the availability of telecommunication
lines and circuits; help desk reports handle problems
occurring in the normal course of operations; and response
time reports identify the time it takes for a command entered
at a terminal to be answered by the computer."  |
| Guest |
| |
| |
| Question |
Which of the following would be of MOST concern to an IS
auditor reviewing a VPN implementation? Computers on the
network that are located:
A. on the enterprise's facilities.
B. at the backup site.
C. in employees' homes.
D. at the enterprise's remote offices. |
| Answer | Answer: C
One risk of a VPN implementation is the chance of allowing
high-risk computers onto the enterprise's network. All
machines that are allowed onto the virtual network should be
subject to the same security policy. Home computers are
least subject to the corporate security policies and hence
are high-risk computers. Once a computer is hacked and
"owned", any network that trusts that computer is at risk.
Implementation and adherence to corporate security policy is
easier when all computers on the network are on the
enterprise's campus. Internally to an enterprise's physical
network, there should be security policies in place to
detect and halt an outside attack that uses an internal
machine as a staging platform. Computers at the backup site
are subject to the corporate security policy and hence are not
high-risk computers. Computers on the network that are at
the enterprise's remote offices, perhaps with different IS
and security employees who have different ideas about
security are more risky than choices A and B, but obviously
less risky than home computers.  |
| Guest |
| |
| |
| Question |
A disaster recovery plan (DRP) for an organization should:
A. reduce the length of the recovery time and the cost of
recovery.
B. increase the length of the recovery time and the cost of
recovery.
C. reduce the duration of the recovery time and increase the
cost of recovery.
D. not affect the recovery time nor the cost of recovery. |
| Answer | Answer: A
One of the objectives of a DRP is to reduce both the
duration and cost of recovering from a disaster. DRP would
increase the cost of operations before and after the
disaster occurs, but should reduce the time to return to
normal operations and the cost that could result from a
disaster.  |
| Guest |
| |
| |
| Question |
The use of object-oriented design and development techniques
would MOST likely:
A. facilitate the ability to reuse modules.
B. improve system performance.
C. enhance control effectiveness.
D. speed up the system development life cycle. |
| Answer | Answer: A
One of the major benefits of object-oriented design and
development is the ability to reuse modules. The other
options do not normally benefit from the object-oriented
technique.  |
| Guest |
| |
| |
| Question |
Which of the following is the FIRST step in a business
process reengineering (BPR) project?
A. Defining the areas to be reviewed
B. Developing a project plan
C. Understanding the process under review
D. Reengineering and streamlining the process under review |
| Answer | Answer: A
On the basis of the evaluation of the entire business
process, correctly defining the areas to be reviewed is the
first step in a BPR project. On the basis of the definition
of the areas to be reviewed, the project plan is developed.
Understanding the process under review is important, but the
subject of the review must be defined first. Thereafter, the
process can be reengineered, streamlined, implemented and
monitored for continuous improvement.  |
| Guest |
| |
| |
| Question |
An existing system is being extensively enhanced by
extracting and reusing design and program components. This
is an example of:
A. reverse engineering.
B. prototyping.
C. software reuse.
D. reengineering. |
| Answer | Answer: D
Old (legacy) systems that have been corrected, adapted and
enhanced extensively require reengineering to continue to be
maintainable. Reengineering is a rebuilding activity to
incorporate new technologies into existing systems. Using
program language statements, reverse engineering involves
reversing a program's machine code into the source code in
which it was written to identify malicious content in a
program such as a virus, or to adapt a program written for
use with one processor for use with a differently designed
processor. Prototyping is development of a system through
controlled trial and error. Software reuse is the process of
planning, analyzing and using previously developed software
components. The reusable components are integrated into the
current software product systematically.  |
| Guest |
| |
| |
| Question |
An IS auditor reviewing an outsourcing contract of IT
facilities would expect it to define the:
A. hardware configuration.
B. access control software.
C. ownership of intellectual property.
D. application development methodology. |
| Answer | Answer: C
Of the choices, the hardware and access control software
generally is irrelevant as long as the functionality,
availability and security can be affected, which would be a
specific contractual obligation. Similarly, the development
methodology should be of no real concern. The contract must,
however, specify who owns the intellectual property (i.e.,
information being processed, application programs).
Ownership of intellectual property will have a significant
cost and is a key aspect to be defined in an outsourcing
contract.  |
| Guest |
| |
| |
| Question |
Which of the following is MOST important to have provided
for in a disaster recovery plan?
A. Backup of compiled object programs
B. Reciprocal processing agreement
C. Phone contact list
D. Supply of special forms |
| Answer | Answer: A
Of the choices, a backup of compiled object programs is the
most important in a successful recovery. A reciprocal
processing agreement is not as important, because
alternative equipment can be found after a disaster occurs.
A phone contact list may aid in the immediate aftermath, as
would an accessible supply of special forms, but neither is
as important as having access to required programs.  |
| Guest |
| |
| |
| Question |
Which of the following audit techniques would an IS auditor
place the MOST reliance on when determining whether an
employee practices good preventive and detective security
measures?
A. Observation
B. Detail testing
C. Compliance testing
D. Risk assessment |
| Answer | Answer: A
Observation is considered to be the best test to ensure that
an employee understands and practices good preventive and
detective security.  |
| Guest |
| |
| |