
CISA—Certified Information Systems Auditor - Part 261

Mary Smith

Fri, 17 Apr 2026

1. Accountability for the maintenance of appropriate security measures over information assets resides with the:

A) security administrator.
B) systems administrator.
C) data and systems owners.
D) systems operations group.



2. The GREATEST risk when end users have access to a database at its system level, instead of through the application, is that the users can:

A) make unauthorized changes to the database directly, without an audit trail.
B) make use of a system query language (SQL) to access information.
C) remotely access the database.
D) update data without authentication.



3. To determine who has been given permission to use a particular system resource, an IS auditor should review:

A) activity lists.
B) access control lists.
C) logon ID lists.
D) password lists.



4. Which of the following is the MOST effective control when granting temporary access to vendors?

A) Vendor access corresponds to the service level agreement (SLA).
B) User accounts are created with expiration dates and are based on services provided.
C) Administrator access is provided for a limited period.
D) User IDs are deleted when the work is completed.



5. During a logical access controls review, an IS auditor observes that user accounts are shared. The GREATEST risk resulting from this situation is that:

A) an unauthorized user may use the ID to gain access.
B) user access management is time consuming.
C) passwords are easily guessed.
D) user accountability may not be established.



1. Right Answer: C
Explanation: Management should ensure that all information assets (data and systems) have an appointed owner who makes decisions about classification and access rights. System owners typically delegate day-to-day custodianship to the systems delivery/operations group and security responsibilities to a security administrator. Owners, however, remain accountable for the maintenance of appropriate security measures.

2. Right Answer: A
Explanation: Having access to the database could provide access to database utilities, which can update the database without an audit trail and without using the application. Using SQL only provides read access to information, and in a networked environment, accessing the database remotely does not make a difference. What is critical is what is possible or completed through this access. To access a database, it is necessary that a user is authenticated using a user ID.

3. Right Answer: B
Explanation: Access control lists are the authorization tables that document the users who have been given permission to use a particular system resource and the types of access they have been granted. The other choices would not document who has been given permission to use (access) specific system resources.

4. Right Answer: B
Explanation: The most effective control is to ensure that the granting of temporary access is based on the services to be provided and that there is an expiration date (ideally enforced automatically) associated with each ID. The SLA may have a provision for providing access, but this is not a control; it would merely define the need for access. Vendors require access for a limited period during the time of service. However, it is important to ensure that the access during this period is monitored. Deleting these user IDs after the work is completed is necessary, but if not automated, the deletion could be overlooked.

5. Right Answer: D
Explanation: The use of a single user ID by more than one individual precludes knowing who in fact used that ID to access a system; therefore, it is literally impossible to hold anyone accountable. All user IDs, not just shared IDs, can be used by unauthorized individuals. Access management would not be any different with shared IDs, and shared user IDs do not necessarily have easily guessed passwords.
