
Day 4

Total points 10/10

(31) Read Only option is always recommended for:

1/1
A. access control matrix/rule.
B. log files for suspected transactions.
C. logging rules.
D. user profiles.
Feedback

The correct answer is: B. log files for suspected transactions.

Explanation:
Security administration procedures require read-only access to security log files to ensure that, once generated, the logs are not modified. Logs provide evidence and track suspicious transactions and activities. The other options may legitimately require modification, so write access can also be provided for them.

(32) Best method to remove confidential data from computer storage is:

1/1
A. hard disk should be demagnetized.
B. hard disk should be formatted.
C. data on the hard disk should be deleted.
D. data on the hard disk should be defragmented.
Feedback

The correct answer is: A. hard disk should be demagnetized.

Explanation:
The hard disk should be demagnetized, since this will cause all of the bits to be set to zero, eliminating any chance of retrieving information that was previously stored on the disk. The other options are not as effective.

(33) The major risk for lack of an authorization process for users of an application would be:

1/1
A. many users can claim to be a specific user.
B. there is no way to limit role based access.
C. sharing of user accounts.
D. principle of least privilege can be assured.
Feedback

The correct answer is: B. there is no way to limit role based access.

Explanation:
(1) The risk that many users can claim to be a specific user is better addressed by a proper authentication process rather than by authorization.
(2) Without an appropriate authorization process, it will be impossible to establish functional limits and accountability.
(3) The authorization process does not directly impact sharing of user accounts. Other controls are required to prevent sharing of user accounts.
(4) In the absence of a proper authorization process, the principle of least privilege cannot be assured.

(34) An IS auditor has been asked to recommend effective control for providing temporary access rights to outsourced vendors. Which of the following is the MOST effective control?

1/1
A. Penalty clause in service level agreement (SLA).
B. User accounts are created as per defined role (least privilege) with expiration dates.
C. Full access is provided for a limited period.
D. Vendor Management to be given right to delete IDs when work is completed.
Feedback

The correct answer is: B. User accounts are created as per defined role (least privilege) with expiration dates.

Explanation:
(1) Creation of need-based user IDs and automated revocation of IDs as per expiration date will serve as the most effective control under the given scenario and options.
(2) A penalty clause in the SLA may act as a deterrent control, but automated revocation of IDs is a more effective method of control.
(3) Providing full access is a risky affair.
(4) A control in terms of giving vendor management the right to delete IDs may not be reliable.

(35) For effective access control, proper naming conventions for system resources are essential because they:

1/1
A. ensure that resource names are as per their utility.
B. access rules can be structured and better managed.
C. ensure that user access to resources is clearly identified.
D. ensure that international standard for naming is maintained.
Feedback

The correct answer is: B. access rules can be structured and better managed.

Explanation:
(1) Naming conventions help in efficient management of access rules and in defining structured access rules. The conventions can be structured so that resources beginning with the same high-level qualifier can be governed by one or more generic rules. This reduces the number of rules required to adequately protect resources, which in turn facilitates security administration and maintenance efforts.
(2) Though, as a general rule, naming conventions ensure that names represent the utility of the resource, this will not impact access controls.
(3) Naming conventions in themselves do not ensure that user access to resources is clearly identified. Ensuring the clear and unique identification of user access to resources is handled by access control rules and not by naming conventions.
(4) Each organisation has its own standard for naming conventions. Internationally recognized names are not required to control access to resources.

(36) Which among the below is the First step in implementation of access control list:

1/1
A. a categorization of IS resources.
B. the grouping of IS resources.
C. implementation of access control rules.
D. creating inventory of available IS resources.

Feedback

Explanation:
In any given scenario, the following are the steps for implementing logical access controls:

(a) Inventory of IS resources.
(b) Classification of IS resources.
(c) Grouping/labelling of IS resources.
(d) Creation of an access control list.

Thus the first step in implementing access controls is an inventory of IS resources, which is the basis for classification. Grouping of resources cannot be done without first determining the resources' classifications.

(37) To improve the IS alignment with business, which of the following is the best practice:

1/1
A. Outsourcing risks are managed.
B. Use of latest technology to operate business.
C. Structured way of sharing of business information.
D. Involvement of top management to mediate between business and information system.

Feedback

The correct answer is: D. Involvement of top management to mediate between business and information system.

Explanation:
(1) Strategic alignment can be best assured by involvement of top management. Top management, who are very well aware of business objectives, can derive maximum benefit from the information system by way of structured alignment.
(2) Management of outsourcing risk is a good practice; however, it does not necessarily ensure IS alignment with business.
(3) Use of the latest technology and a structured way of information sharing may not be effective in the absence of a mandate from top management.

(38) An IS auditor is reviewing the software development process. Which of the following is the best way to ensure that business requirements are met during software development?

1/1
A. Proper training to developer.
B. Programmers with good business knowledge.
C. Adequate documentation.
D. user engagement in development process.

Feedback

The correct answer is: D. user engagement in development process.

Explanation:
Though the other factors are important to ensure that all requirements have been considered, the best way is to ensure that users are frequently engaged from an early stage of software development. End users anchor the value stream. Most software requirements techniques start by asking users what they want or need the system to do.

(39) Which of the following situations is MOST suitable for implementation of a hot site as a recovery strategy?

1/1
A. disaster tolerance is high.
B. recovery point objective (RPO) is high.
C. recovery time objective (RTO) is high.
D. disaster tolerance is low.

Feedback

The correct answer is: D. disaster tolerance is low.

Explanation:
Low disaster tolerance indicates that the systems are critical and have to be resumed at the earliest. RTO is low for such systems. Hot sites are used for critical systems where disaster tolerance is low. If disaster tolerance is high (i.e. RTO/RPO are high), a hot site may not be required and arrangements can be made through a cold/warm site.

(40) Which of the following is the BEST logical control mechanism to ensure that users have access to only those functions needed to perform their duties?

1/1
A. Application level access control
B. Data encryption
C. HTTPS protocol
D. Network monitoring device
Feedback

The correct answer is: A. Application level access control

Explanation:
The use of application-level access control programs is a management control that restricts access by limiting users to only those functions needed to perform their duties.
