Deck 14: Information Security and Computer Fraud

A)A digital signature can ensure data integrity.
B)A digital signature also authenticates the document creator.
C)A digital signature is an encrypted message digest.
D)A digital signature is a message digest encrypted using the document creator's public key.

A)Using a CA is required by SOX in managing information security.
B)A CA is responsible to generate session keys for encryption purposes.
C)Most companies use CA to manage their employees' public keys.
D)CA creates and maintains both the public and private keys for a company's employees.

A)Daily backup.
B)Network security.
C)Business continuity.
D)Backup power.

A)A fraud prevention program starts with a fraud risk assessment across the entire firm
B)The audit committee typically has an oversight role in risk assessment process
C)Communicating a firm's policy file to employees is one of the most important responsibilities of management
D)A fraud prevention program should include an evaluation on the efficiency of business processes.

A)User passwords are not required to the in alpha-numeric format.
B)Management procedures for user accounts are not documented.
C)User accounts are not removed upon termination of employees.
D)Security logs are not periodically reviewed for violations.

A)Encryption.
B)Firewalls.
C)Regular backups.
D)Surge protectors.

A)To use symmetric-key encryption,each user needs two different keys.
B)Most companies prefer using symmetric-key encryption than asymmetric-key encryption method.
C)Both symmetric-key and asymmetric-key encryption methods require the involvement of a certificate authority.
D)When conducting e-business,most companies use both symmetric-key and asymmetric-key encryption methods.

A)It is reversible.
B)The outcome is a message digest.
C)It is not necessary to use a hashing process in creating a digital signature.
D)It is used for authentication.

A)Security controls such as firewalls.
B)Backup data are tested and stored safely.
C)Personnel understand the data very well.
D)Paper records.

A)When using asymmetric-key encryption method,a total of two keys are necessary in electronic communication between two parties.
B)Employees in the same company share the same public key.
C)Most companies would like to manage the private keys for their employees.
D)Most companies would like to use a Certificate Authority to manage the public keys of their employees.
E)Two of the above are correct.

A)Forced password changes.
B)Secondary code review.
C)Symmetric encryption.
D)Lack of authentication.

A)Risk Response Plan.
B)Policy and procedures for remediation.
C)Vulnerability Prioritization.
D)Control Implementation.

A)To establish a framework for controlling the design,security,and use of computer programs throughout an organization.
B)To ensure that data storage media are subject to authorization prior to access,change,or destruction.
C)To formalize standard,rules,and procedures to ensure the organization's control are properly executed.
D)To monitor the use of system software to prevent unauthorized access to system software and computer programs.

A)Parity check.
B)Password as a personal identification code.
C)Check digit.
D)Echo check.

A)They are cheap.
B)They are always the same so it can be verified easily.
C)They are more convenient than requiring a real signature.
D)They can authenticate the document sender and maintain data integrity.

A)A validation check.
B)check digit verification.
C)A dependency check.
D)A format check.

A)Users are assigned passwords when accounts are created,but do not change them.
B)Users have accounts on several systems with different passwords.
C)Users write down their passwords on a note paper,and carry it with them.
D)Users select passwords that are not part of an online password dictionary.

A)Disaster recovery plan.
B)Redundant arrays of independent drives.
C)Virtualization.
D)Cloud computing.

A)Password management.
B)Data encryption.
C)Digital certificates.
D)Batch processing.

A)Data restoration plan.
B)Disaster recovery plan.
C)System security policy.
D)System hardware policy.

A)It is a process that establishes the origin of information or determines the identity of a user,process,or device.
B)Only one key is used for encryption and decryption purposes in the authentication process.
C)Successful authentication can prevent repudiation in electronic transactions.
D)We need to use asymmetric-key encryption to authenticate the sender of a document or data set.

A)Implement the COSO ERM framework,and identify key vulnerabilities.
B)Determine the main objective of vulnerability management,and assign roles and responsibilities.
C)Identify the key vulnerabilities,and implement appropriate controls to minimize the vulnerabilities.
D)Implement suitable controls,and assess those controls for potential vulnerabilities.

A)Identification.
B)Remediation.
C)Internalization.
D)Maintenance.

A)Outdated intrusion detection/prevention system.
B)Lack of a disaster recovery plan.
C)Improper system configuration.
D)Failure to audit and terminate unused accounts in a timely manner.

A)Controls,Innovation,Analysis.
B)Confidentiality,Integrity,Availability.
C)Convenience,Integrity,Awareness.
D)Confidentiality,Innovation,Availability.

A)FASB 51 Report.
B)Audit Report.
C)SAS 3 Report.
D)SOC 2 Report.

A)End user access to source code.
B)Multifactor authentication.
C)Symmetric encryption.
D)Use of a private key.

A)Software not patched.
B)Inappropriate data classification.
C)Ineffective training.
D)Poor firewall rules.

A)They both have the objective of reducing the likelihood that detrimental events occur.
B)Risk management is often conducted using an IT asset-based approach.
C)Vulnerability management is more complex and strategic.
D)Both approaches involve processes that typically take many months or years to complete.

A)A disgruntled employee may send out phishing emails.
B)A SOC 1 report will be generated.
C)Computer hardware may be taken off premises.
D)A disgruntled employee may tamper with company applications.

A)Cyberspace.
B)Cryptext.
C)Mnemonic code.
D)Cyphertext.

A)Virtualization.
B)Uninterruptible power supply.
C)Fault tolerance.
D)SOC 3.

A)Spam.
B)Botnet.
C)TraceRT.
D)Social Engineering.

A)The nature of IT resources that can be exploited by a threat to cause damage.
B)An organizations' exposure to disaster.
C)Weaknesses or exposures in IT assets that may lead to business,compliance,or security risk.
D)All of the other items represent the definitions of vulnerability stated by ISACA and the GTAG.

A)Encrypt messages using a private key.
B)Enable debit and credit card transactions.
C)Read plaintext.
D)Issue,maintain,and revoke digital certificates.

A)A message digest.
B)A 16-bit encryption key.
C)A public key and a private key.
D)A digital signature.

A)Unescorted visitors on the premises.
B)Poor choice of passwords.
C)Lack of a smoke detector in the room housing servers.
D)Lack of disaster recovery plan.

A)Requiring password changes every 30,60,or 90 days.
B)Requiring the use of a smart card and a password.
C)Requiring the use of upper case,lower case,numeric,and special characters for a password.
D)The use of a fingerprint scanner for access to a device.

A)DRP is an important component of BCM.
B)BCM and DRP should be considered independently of each other.
C)BCM is an important component of DRP.
D)DRP should be considered as optional,while BCM should be considered as necessary.