Deck 12: Information Security and Computer Fraud
1
Encryption is a preventive control ensuring data confidentiality and privacy during transmission and for storage.
True
2
Encryption and hashing are similar processes to maintain data confidentiality.
False
3
Disaster recovery planning and business continuity management are preventive controls.
False
4
Which of the following statements presents an example of a general control for a computerized system?
A. Limiting entry of sales transactions to only valid credit customers.
B. Creating hash totals from social security number for the weekly payroll
C. Restricting entry of accounts payable transactions to only authorized users.
D. Restricting access to the computer center by use of biometric devices.
5
Spam is a self-replicating program that runs and spreads by modifying other programs or files.
6
The goal of information security management is to enhance the confidence, integrity and authority (CIA) of a firm's information.
7
One type of fault tolerance is using redundant units to provide a system the ability to continue functioning when part of the system fails.
8
Information security is a critical factor in maintaining systems integrity.
9
Key distribution and key management are problematic under symmetric-key encryption.
10
Asymmetric-key encryption is suitable for encrypting large data sets or messages.
11
A virus is a self-replicating, self-propagating, self-contained program that uses networking mechanisms to spread itself.
12
In a large multinational organization, which of the following job responsibilities should be assigned to the network administrator?
A. Managing remote access.
B. Developing application programs.
C. Reviewing security policy.
D. Installing operating system upgrades.
13
An entity doing business on the internet most likely could use any of the following methods to prevent unauthorized intruders from accessing proprietary information except:
A. Password management.
B. Data encryption
C. Digital certificates.
D. Batch processing.
14
Integrity of information means the information is:
A. Accurate
B. Complete
C. Accessible
D. A and B are correct.
15
The fraud triangle includes incentive, opportunity and an attitude to rationalize the fraud.
16
The symmetric-key encryption method is used to authenticate users.
17
A Certificate Authority (CA) issues digital certificates to bond the subscriber with a public key and a private key.
18
Which of the following outcomes is a likely benefit of information technology used for internal control?
A. Processing of unusual or nonrecurring transactions.
B. Enhanced timeliness of information.
C. Potential loss of data.
D. Recording of unauthorized transactions.
19
Which of the following statements is incorrect about digital signatures?
A. A digital signature can ensure data integrity.
B. A digital signature also authenticates the document creator.
C. A digital signature is an encrypted message digest.
D. A digital signature is a message digest encrypted using the document creator's public key.
20
The goal of information security management is to maintain confidentiality, integrity and availability of a firm's information.
21
An information technology director collected the names and locations of key vendors, current hardware configuration, names of team members, and an alternative processing location. What is the director most likely preparing?
A. Data restoration plan.
B. Disaster recovery plan.
C. System security policy.
D. System hardware policy.
22
Why does a Certificate Authority (CA) play an important role in a company's information security management?
A. Using a CA is required by SOX in managing information security.
B. Most companies use CA to manage their employees' public keys.
C. CA creates and maintains both the public and private keys for a company's employees.
D. None of the above is correct.
23
When computer programs or files can be accessed from terminals, users should be required to enter a(n)
A. Parity check.
B. Password as a personal identification code.
C. Check digit.
D. Echo check.
24
Encryption is a control that changes plain text into which of the following?
A. Cyberspace.
B. Cryptext.
C. Mnemonic code.
D. Cyphertext.
25
Which of the following security controls would best prevent unauthorized access to a firm's internal network?
A. Use of a screen saver with a password.
B. Use of a firewall.
C. Encryption of data files.
D. Automatic log-off of inactive users.
26
Asymmetric-key encryption uses which of the following techniques to allow users to communicate securely?
A. A message digest.
B. A 16-bit encryption key.
C. A public key and a private key.
D. A digital signature.
27
Which of the following would most likely be used for a secure initial logon process?
A. Symmetric-key encryption.
B. Asymmetric-key encryption.
C. Dual-handshake encryption.
D. 56-bit encryption.
28
A Public Key Infrastructure (PKI) provides the ability to do which of the following?
A. Encrypt messages using a private key.
B. Enable debit and credit card transactions.
C. Read plaintext.
D. Issue, maintain, and revoke digital certificates.
29
Which of the following does not represent a viable data backup method?
A. Disaster recovery plan
B. Redundant arrays of independent drives
C. Virtualization
D. Cloud computing
30
Which of the following statements regarding authentication in conducting e-business is incorrect?
A. It is a process that establishes the origin of information or determines the identity of a user, process, or device.
B. One key is used for encryption and decryption purposes in the authentication process.
C. Successful authentication can prevent repudiation in electronic transactions.
D. We need to use asymmetric-key encryption to authenticate the sender of a document or data set.
31
Bacchus, Inc. is a large multinational corporation with various business units around the world. After a fire destroyed the corporation headquarters and largest manufacturing site, plans for which of the following would help Bacchus ensure a timely recovery?
A. Daily backup.
B. Network security.
C. Business continuity.
D. Backup power.
32
Which of the following describes the primary goals of the CIA approach to information security management?
A. Controls, Innovation, Analysis.
B. Confidentiality, Integrity, Availability.
C. Convenience, Integrity, Awareness.
D. Confidentiality, Innovation, Availability.
33
Which of the following controls would most likely assure that a company can reconstruct its financial records?
A. Security controls such as firewalls
B. Backup data are tested and stored safely
C. Personnel understand the data very well
D. Paper records
34
Which of the following best illustrates the use of multifactor authentication?
A. Requiring password changes every 30, 60, or 90 days.
B. Requiring the use of a smart card and a password.
C. Requiring the use of upper case, lower case, numeric, and special characters for a password.
D. The use of a fingerprint scanner for access to a device.
35
Why would companies want to use digital signatures when conducting e-business?
A. They are cheap.
B. They are always the same so they can be verified easily.
C. They are more convenient than requiring a real signature.
D. They can authenticate the document sender and maintain data integrity.
36
A disaster recovery approach should include which of the following elements?
A. Encryption.
B. Firewalls.
C. Regular backups.
D. Surge protectors.
37
Which of the following passwords would be most difficult to crack?
A. Go2Ca!ifornia4fun
B. language
C. jennyjenny
D. pass56word
38
Which of the following statements is incorrect?
A. A fraud prevention program starts with a fraud risk assessment across the entire firm
B. The audit committee typically has an oversight role in risk assessment process
C. Communicating a firm's policy file to employees is one of the most important responsibilities of management
D. A fraud prevention program should include an evaluation on the efficiency of business processes.
39
To prevent invalid data input, a bank added an extra number at the end of each account number and subjected the new number to an algorithm. This technique is known as:
A. A validation check.
B. Check digit verification.
C. A dependency check.
D. A format check.
40
Which of the following statements about asymmetric-key encryption is correct?
A. When using asymmetric-key encryption method, a total of two keys are necessary in electronic communication between two parties.
B. Employees in the same company share the same public key.
C. Most companies would like to manage the private keys for their employees.
D. Most companies would like to use a Certificate Authority to manage the public keys of their employees.
E. Two of the above are correct.
41
Which of the following statements is most accurate with regard to business continuity management (BCM) and disaster recovery planning (DRP)?
A. DRP is an important component of BCM.
B. BCM and DRP should be considered independently of each other.
C. BCM is an important component of DRP.
D. DRP should be considered as optional, while BCM should be considered as necessary.
42
Which of the following statements is true regarding risk management and vulnerability management?
A. They both have the objective of reducing the likelihood that detrimental events occur.
B. Risk management is often conducted using an IT asset-based approach.
C. Vulnerability management is more complex and strategic.
D. Both approaches involve processes that typically take many months or years to complete.
43
Which of the following describes the recommended prerequisites for managing vulnerabilities?
A. Implement the COSO ERM framework, and identify key vulnerabilities.
B. Determine the main objective of vulnerability management, and assign roles and responsibilities.
C. Identify the key vulnerabilities, and implement appropriate controls to minimize the vulnerabilities.
D. Implement suitable controls, and assess those controls for potential vulnerabilities.
44
What is included in disaster recovery planning and business continuity management? Are these concepts related?
45
Describe the framework for vulnerability assessment and vulnerability management.
46
Which of the following groups is responsible for conducting fraud risk assessment for an organization?
A. The External Auditor.
B. The Audit Committee.
C. The Internal Audit group.
D. Management.
47
What are the two prerequisites for vulnerability management?
48
A magnetic tape used to store data backups was lost while it was being transported to an offsite storage location. The data on the tape includes customers' credit card and personal information. Which preventive control(s) should have been used to minimize the potential loss?
49
Both ISACA and the GTAG define vulnerability. Which of the following does not represent one of these definitions?
A. The nature of IT resources that can be exploited by a threat to cause damage.
B. An intruder's attempts to exploit weaknesses in IT resources.
C. Weaknesses or exposures in IT assets that may lead to business, compliance, or security risk.
D. All of the other items represent the definitions of vulnerability stated by ISACA and the GTAG.
50
A RAID array implemented in a data center is an example of which of the following?
A. Virtualization.
B. Uninterruptible power supply.
C. Fault tolerance.
D. SOC 3.
51
What is a digital signature? How could a digital signature ensure data integrity when conducting e-business?
52
Which of the following is not one of the main components of vulnerability management and assessment?
A. Identification.
B. Remediation.
C. Internalization.
D. Maintenance.