An organization provides information to its supply-chain
partners and customers through an extranet infrastructure.
Which of the following should be the GREATEST concern to an
IS auditor reviewing the firewall security architecture?
A. A secure socket layer (SSL) has been implemented for user
authentication and remote administration of the firewall.
B. On the basis of changing requirements, firewall policies
are updated.
C. Inbound traffic is blocked unless the traffic type and
connections have been specifically permitted.
D. The firewall is placed on top of the commercial operating
system with all installation options.
- 1 Answers
- 6923 Views
- I also Faced
- E-Mail Answers
Answer / guest
Answer: D
The greatest concern when implementing firewalls on top of
commercial operating systems is the potential presence of
vulnerabilities that could undermine the security posture of
the firewall platform itself. In most circumstances when
commercial firewalls are breached, that breach is
facilitated by vulnerabilities in the underlying operating
system. Keeping all installation options available on the
system further increases the risks of vulnerabilities and
exploits. Using SSL for firewall administration (choice A)
is important, changes in user and supply chain partners'
roles and profiles will be dynamic and it is appropriate to
maintain the firewall policies daily (choice B), and it is a
prudent policy to block all inbound traffic unless permitted
(choice C).
| Is This Answer Correct ? | 2 Yes | 0 No |
A referential integrity constraint consists of: A. ensuring the integrity of transaction processing. B. ensuring that data are updated through triggers. C. ensuring controlled user updates to database. D. rules for designing tables and queries.
To reduce the possibility of losing data during processing, the FIRST point at which control totals should be implemented is: A. during data preparation. B. in transit to the computer. C. between related computer runs. D. during the return of the data to the user department.
Which of the following controls would BEST detect intrusion? A. User ids and user privileges are granted through authorized procedures. B. Automatic logoff is used when a workstation is inactive for a particular period of time. C. Automatic logoff of the system after a specified number of unsuccessful attempts. D. Unsuccessful logon attempts are monitored by the security administrator.
A B-to-C e-commerce web site as part of its information security program wants to monitor, detect and prevent hacking activities and alert the system administrator when suspicious activities occur. Which of the following infrastructure components could be used for this purpose? A. Intrusion detection systems B. Firewalls C. Routers D. Asymmetric encryption
During the course of an audit, the IS auditor discovers that the human resources (HR) department uses a cloud-based application to manage employee records. The HR department engaged in a contract outside of the normal vendor management process and manages the application on its own. Which of the following choices is of MOST concern? A. Maximum acceptable downtime metrics have not been defined in the contract. B. The IT department does not manage the relationship with the cloud vendor. C. The help desk call center is in a different country, with different privacy requirements. D. Company-defined security policies are not applied to the cloud application.
Which of the following would MOST likely ensure that a system development project meets business objectives? A. Maintenance of program change logs B. Development of a project plan identifying all development activities C. Release of application changes at specific times of the year D. User involvement in system specification and acceptance
Once an organization has finished the business process reengineering (BPR) of all its critical operations, the IS auditor would MOST likely focus on a review of: A. pre-BPR process flowcharts. B. post-BPR process flowcharts. C. BPR project plans. D. continuous improvement and monitoring plans.
Which of the following is the MOST likely reason why e-mail systems have become a useful source of evidence for litigation? A. Multiple cycles of backup files remain available. B. Access controls establish accountability for e-mail activity. C. Data classification regulates what information should be communicated via e-mail. D. Within the enterprise, a clear policy for using e-mail ensures that evidence is available.
The difference between whitebox testing and blackbox testing is that whitebox testing: A. involves the IS auditor. B. is performed by an independent programmer team. C. examines a program's internal logical structure. D. uses the bottom-up approach.
The review of router access control lists should be conducted during a/an: A. environmental review. B. network security review. C. business continuity review. D. data integrity review.
In planning an audit, the MOST critical step is the identification of the:
Which of the following would be included in an IS strategic plan? A. Specifications for planned hardware purchases B. Analysis of future business objectives C. Target dates for development projects D. Annual budgetary targets for the IS department
Cisco Certifications 
