CISA—Certified Information Systems Auditor - Part 263

Mary Smith

Fri, 17 Apr 2026

1. To prevent unauthorized entry to the data maintained in a dial-up, fast response system, an IS auditor should recommend:

A) online terminals are placed in restricted areas.
B) online terminals are equipped with key locks.
C) ID cards are required to gain access to online terminals.
D) online access is terminated after a specified number of unsuccessful attempts.



2. An IS auditor conducting an access control review in a client-server environment discovers that all printing options are accessible by all users. In this situation, the IS auditor is MOST likely to conclude that:

A) exposure is greater, since information is available to unauthorized users.
B) operating efficiency is enhanced, since anyone can print any report at any time.
C) operating procedures are more effective, since information is easily available.
D) user friendliness and flexibility is facilitated, since there is a smooth flow of information among users.



3. Sign-on procedures include the creation of a unique user ID and password. However, an IS auditor discovers that in many cases the username and password are the same. The BEST control to mitigate this risk is to:

A) change the company's security policy.
B) educate users about the risk of weak passwords.
C) build in validations to prevent this during user creation and password change.
D) require a periodic review of matching user ID and passwords for detection and correction.



4. The PRIMARY objective of a logical access control review is to:

A) review access controls provided through software.
B) ensure access is granted per the organization's authorities.
C) walk through and assess the access provided in the IT environment.
D) provide assurance that computer hardware is adequately protected against abuse.



5. Naming conventions for system resources are important for access control because they:

A) ensure that resource names are not ambiguous.
B) reduce the number of rules required to adequately protect resources.
C) ensure that user access to resources is clearly and uniquely identified.
D) ensure that internationally recognized names are used to protect resources.



1. Right Answer: D
Explanation: The most appropriate control to prevent unauthorized entry is to terminate connection after a specified number of attempts. This will deter access through the guessing of IDs and passwords. The other choices are physical controls, which are not effective in deterring unauthorized accesses via telephone lines.
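The control recommended in answer D, as an added example (not part of the original question set): a sign-on gate that counts failed attempts per user ID and refuses further attempts once the threshold is reached. The threshold, the lock duration, the in-memory credential store and the class name are assumptions made for the demonstration.

```python
"""Lockout after a set number of failed sign-on attempts.

Added example, not from the page. MAX_ATTEMPTS, LOCKOUT_SECONDS and the
in-memory credential store are assumptions for the demonstration.
"""
import hashlib
import hmac
from typing import Dict, Tuple

MAX_ATTEMPTS = 3        # assumed policy value
LOCKOUT_SECONDS = 900   # assumed policy value: 15 minutes


def _derive(password: str, salt: bytes) -> bytes:
    # Passwords are never kept in clear; PBKDF2 stands in for the real store here.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 50_000)


class SignOnGate:
    def __init__(self, users: Dict[str, str]) -> None:
        # Constructed sample store: user ID -> (salt, derived key).
        self._creds: Dict[str, Tuple[bytes, bytes]] = {}
        for uid, pw in users.items():
            salt = hashlib.sha256(uid.encode("utf-8")).digest()[:16]  # fixed per user for the demo
            self._creds[uid] = (salt, _derive(pw, salt))
        self._failures: Dict[str, int] = {}
        self._locked_until: Dict[str, float] = {}

    def attempt(self, uid: str, password: str, now: float) -> str:
        """Return 'ok', 'denied' or 'locked' for one sign-on attempt made at time `now`."""
        if now < self._locked_until.get(uid, 0.0):
            return "locked"   # inside the lock window: the password is not even checked
        # Unknown IDs get a dummy comparison so response timing does not reveal which IDs exist.
        salt, expected = self._creds.get(uid, (b"\x00" * 16, b"\x00" * 32))
        good = uid in self._creds and hmac.compare_digest(_derive(password, salt), expected)
        if good:
            self._failures.pop(uid, None)   # a successful sign-on resets the counter
            return "ok"
        n = self._failures.get(uid, 0) + 1
        self._failures[uid] = n
        if n >= MAX_ATTEMPTS:
            self._locked_until[uid] = now + LOCKOUT_SECONDS
            self._failures.pop(uid, None)   # the count starts again once the lock expires
            return "locked"
        return "denied"

    def is_locked(self, uid: str, now: float) -> bool:
        return now < self._locked_until.get(uid, 0.0)
```

The lock is time-limited on purpose: a permanent lock would let anyone who knows a valid user ID deny that user service by deliberately failing sign-on, so the window should be long enough to make guessing impractical but not indefinite.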

2. Right Answer: A
Explanation: Information in all its forms needs to be protected from unauthorized access. Unrestricted access to the report option results in an exposure. Efficiency and effectiveness are not relevant factors in this situation. Greater control over reports will not be accomplished since reports need not be in a printed form only. Information could be transmitted outside as electronic files, because print options allow for printing in an electronic form as well.

3. Right Answer: C
Explanation: The compromise of the password is the highest risk. The best control is a preventive control through validation at the time the password is created or changed. Changing the company's security policy and educating users about the risks of weak passwords only provides information to users, but does little to enforce this control. Requiring a periodic review of matching user ID and passwords for detection and ensuring correction is a detective control.
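The preventive control in answer C, as an added example (not part of the original question set): one validation routine that rejects a password equal to the user ID, and the same routine wired into both the user-creation and the password-change paths so neither can bypass it. It goes slightly beyond the question by also catching the ID embedded in, reversed in, or hidden by separators inside the password. The hypothetical UserDirectory class and the minimum length are assumptions.

```python
"""Reject passwords that equal or contain the user ID, at both user
creation and password change.

Added example, not from the page; the hypothetical UserDirectory class
and MIN_LENGTH are assumptions.
"""
import re
from typing import Dict, List

MIN_LENGTH = 12  # assumed policy value


def _letters_only(s: str) -> str:
    return re.sub(r"[^a-z]", "", s.lower())


def password_violations(user_id: str, new_password: str) -> List[str]:
    """Return every policy violation found; an empty list means the password is acceptable."""
    problems: List[str] = []
    uid = user_id.strip().lower()
    pw = new_password.lower()
    if pw == uid:
        problems.append("password is identical to the user ID")
    elif uid and (uid in pw or uid[::-1] in pw):
        problems.append("password contains the user ID or its reverse")
    elif len(_letters_only(uid)) >= 4 and _letters_only(uid) in _letters_only(pw):
        # catches evasions such as user ID j.smith with password jsmith-rocks-2026
        problems.append("password contains the user ID once separators are removed")
    if len(new_password) < MIN_LENGTH:
        problems.append("password is shorter than %d characters" % MIN_LENGTH)
    return problems


class UserDirectory:
    """Hypothetical directory; the same validation runs on both code paths."""

    def __init__(self) -> None:
        self._users: Dict[str, str] = {}

    def _validate(self, user_id: str, password: str) -> None:
        problems = password_violations(user_id, password)
        if problems:
            raise ValueError("; ".join(problems))

    def create_user(self, user_id: str, password: str) -> None:
        self._validate(user_id, password)
        self._users[user_id] = password   # a real system stores a salted hash, never the password

    def change_password(self, user_id: str, new_password: str) -> None:
        if user_id not in self._users:
            raise KeyError(user_id)
        self._validate(user_id, new_password)
        self._users[user_id] = new_password

    def has_user(self, user_id: str) -> bool:
        return user_id in self._users
```

Because both paths call the same `_validate`, an administrator creating an account and a user changing a password are held to the same rule, which is what makes this preventive rather than something a later review has to catch.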

4. Right Answer: B
Explanation: The scope of a logical access control review is primarily to determine whether or not access is granted per the organization's authorizations. Choices A and C relate to procedures of a logical access control review, rather than objectives. Choice D is relevant to a physical access control review.

5. Right Answer: B
Explanation: Naming conventions for system resources are important for the efficient administration of security controls. The conventions can be structured so that resources beginning with the same high-level qualifier can be governed by one or more generic rules. This reduces the number of rules required to adequately protect resources, which in turn facilitates security administration and maintenance efforts. Reducing the number of rules required to protect resources allows for the grouping of resources and files by application, which makes it easier to provide access. Ensuring that resource names are not ambiguous cannot be achieved through the use of naming conventions. Ensuring the clear and unique identification of user access to resources is handled by access control rules, not naming conventions. Internationally recognized names are not required to control access to resources. Naming conventions tend to be based on how each organization wants to identify its resources.
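The mechanism behind answer B, as an added example (not part of the original question set): resources named under an <APP>.<ENV>.<OBJECT> convention, a handful of generic rules keyed on the high-level qualifiers, a default-deny check against them, and a count showing how many rules the same grants would take one resource at a time. The convention, resource names, groups and rules are all constructed for the demonstration; the pattern syntax is that of Python's fnmatch, not any particular product.

```python
"""Generic access rules keyed on a resource naming convention.

Added example, not from the page. The <APP>.<ENV>.<OBJECT> convention,
the resource names, the groups and the rules are all constructed.
"""
from fnmatch import fnmatchcase
from typing import Iterable, List, Set, Tuple

# Constructed sample: every data set is named <APP>.<ENV>.<OBJECT>.
RESOURCES: List[str] = [
    "PAY.PROD.MASTER", "PAY.PROD.HISTORY", "PAY.TEST.MASTER",
    "GL.PROD.LEDGER", "GL.PROD.JOURNAL", "GL.TEST.LEDGER",
]

# (name pattern, group, permitted actions). One rule on a high-level
# qualifier covers every resource that follows the convention.
Rule = Tuple[str, str, Set[str]]
GENERIC_RULES: List[Rule] = [
    ("PAY.PROD.*", "PAYROLL_OPS", {"READ", "UPDATE"}),
    ("PAY.TEST.*", "PAYROLL_DEV", {"READ", "UPDATE"}),
    ("GL.PROD.*",  "GL_CLERKS",   {"READ", "UPDATE"}),
    ("GL.TEST.*",  "GL_DEV",      {"READ", "UPDATE"}),
    ("*.PROD.*",   "AUDITORS",    {"READ"}),
]


def authorize(groups: Iterable[str], resource: str, action: str,
              rules: List[Rule] = GENERIC_RULES) -> bool:
    """Default deny: allow only if some rule matches the name, the group and the action."""
    groups = set(groups)
    for pattern, group, actions in rules:
        if group in groups and fnmatchcase(resource, pattern) and action in actions:
            return True
    return False


def uncovered(resources: Iterable[str], rules: List[Rule] = GENERIC_RULES) -> Set[str]:
    """Resources matched by no rule at all: usually names that break the convention."""
    return {r for r in resources
            if not any(fnmatchcase(r, pattern) for pattern, _, _ in rules)}


def per_resource_rule_count(resources: Iterable[str],
                            rules: List[Rule] = GENERIC_RULES) -> int:
    """How many rules it would take to express the same grants one resource at a time."""
    return sum(1 for r in resources
               for pattern, _, _ in rules if fnmatchcase(r, pattern))
```

The `uncovered` check is the audit step that goes with the convention: a data set created outside it (for example `PAYMASTER2`) is matched by no generic rule, so under default deny nobody can reach it until it is either renamed or given a one-off rule, and either outcome should show up in a review.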
