Which of the following security controls would best prevent unauthorized access to sensitive data through an unattended data terminal directly connected to a mainframe?

“Cybersecurity” refers to the technologies, processes, and practices designed to protect an organization’s computers, networks, programs, and data that are collectively referred to as:
- Technology resources.
- Cyber stuff.
- Information assets.
- Technology infrastructure.

Which control, when implemented, would best assist in meeting the control objective that requires a system to have the capability to hold users accountable for functions performed?


1. A ____ uniquely identifies the sender of an electronic message.
2. A valid digital signature does not verify the identity of the private key's owner. It only proves that the message was sent by the owner of the private key. T/F
3. Employees are often identified by something they possess, such as an ID card. T/F
4. Their disadvantage: they can be lost, stolen, or given away. T/F
5. Since no single authentication method is foolproof, multi-factor authentication, such as requiring a smart card and a password, provides much stronger authentication than either method alone. T/F

Answers: 1. digital signature; 2. True; 3. True; 4. True; 5. True

1. Biometric devices would not be able to adapt to slight personal changes, such as bloodshot eyes. T/F
2. They may allow access to unauthorized people. T/F
3. The biometric templates (the digital representation of an individual's fingerprints or voice) must be stored. Any compromise would not create an issue. T/F

Answers: 1. False - yes, they can; 2. True - malfunctions happen; 3. False - any compromise of those templates would cause serious problems for people.

Which of the following security controls would best prevent unauthorized access to sensitive data via an unattended data terminal directly connected to a mainframe?
- Use of a screen saver with a password
- Prevention of booting from a diskette by removing the diskette drive
- Encryption of data files
- Automatic log-off of inactive users

Answer: Automatic log-off of inactive users. Automatic log-off of inactive data terminals may prevent the viewing of sensitive data on an unattended data terminal. Screen savers do not prevent the viewing of data on an unattended data terminal. Data terminals do not have diskette drives. Encryption of data files will not prevent the viewing of data on an unattended data terminal.

In traditional information systems, computer operators are generally responsible for backing up software and data files on a regular basis. In distributed or cooperative systems, ensuring that adequate backups are taken is the responsibility of PROGRAMMERS. T/F

False - it is user management

___ means providing the ability for a firm to engage in continuous operation. A ____ plan would incorporate more than a disaster recovery plan, which only deals with recovery (and continuity) of the computer processing capability of the organization.

Business continuity

Backup files can be transported to the remote site in two ways:
1. Physically (mail, etc.)
2. Electronic vaulting. Two ways to do this:
   a. ___ approach - the company electronically sends the items to be backed up.
   b. ___ pull approach - the electronic vault service installs its software on the company's computers and automatically backs up the data.

To protect data privacy, all data should be ___ before being transmitted.

Batch processing files are backed up using the ___. When a master file is updated, a new master file is created. A destroyed master file can be recreated using prior generations of the master file and the appropriate transaction file. For example, if Wednesday's master file is destroyed, it could be recreated using Tuesday's master file and Wednesday's transaction file. If Tuesday's master file was also destroyed, it could be recreated using Monday's master file and Tuesday's transaction file.

grandfather-father-son concept

Online databases are also backed up.
1. A ___ is created when a copy of the database at a point in time is made.
2. The checkpoint data is stored on a separate storage medium. T/F
3. A database is re-created from the last checkpoint. T/F

A critical aspect of a disaster recovery plan is to be able to regain operational capability as soon as possible. In order to accomplish this, an organization can have an arrangement with its computer hardware vendor to have a fully operational facility available that is configured to the user's specific needs. This is best known as a cold site. T/F

False - a hot site. A hot site is a completely operational data processing facility configured to meet the user's requirements that can be made available to a disaster-stricken organization on short notice. A cold site is a location that provides everything necessary to quickly install computer equipment in the event of a disaster striking an organization.

A ____ site is a location that provides everything necessary to quickly install computer equipment in the event of a disaster striking an organization.

A ___ site is a completely operational data processing facility configured to meet the user's requirements that can be made available to a disaster-stricken organization on short notice.

Which of the following statements does not describe how routers control the flow of information on the internet?
- Data is divided into packets and transmitted to recreate the original message or data.
- Every internet protocol packet contains two parts: a header and a body.
- The router reads the destination address in the IP body to determine where it is to be sent.
- A border router connects the information system to the internet.

Answer: The router reads the destination address in the IP body to determine where it is to be sent. A router reads the destination address in the header (not the body) to determine where the information is to be sent.

A company's management is aware that it cannot foresee every contingency even with the best planning. Management believes, however, that a more thorough recovery plan increases the ability to resume operations quickly after an interruption and thus to:
- maintain the same level of employment.
- minimize the cost of facility repair.
- fulfill its obligations to customers.
- receive the maximum benefit from planning.

Answer: fulfill its obligations to customers. The better the recovery plans, the more likely the company would be to resume operations quickly and fulfill its obligations to customers. Thorough planning may or may not minimize the cost of facility repair, i.e., the best approach may be to undergo more expensive repair sooner in order to resume operations sooner.

Which of the following risks is more likely to be encountered in an end-user computing (EUC) environment as compared to a mainframe computer system?
- Inability to afford adequate uninterruptible power supply systems
- User input screens without a graphical user interface (GUI)
- Applications that are difficult to integrate with other information systems
- Lack of adequate utility programs

Answer: Applications that are difficult to integrate with other information systems. Applications that are difficult to integrate with other information systems are a risk that is considered unique to end-user computing (EUC) system development.

Which of the following describes the primary purpose of a disaster recovery plan?
- To document how data will be backed up to expedite recovery
- To document the location of off-site replacement facilities
- To test how well prepared the company is to recover data
- To specify the steps required to resume operations

Answer: To specify the steps required to resume operations. The primary purpose of a disaster recovery plan is to specify the steps required to efficiently and effectively restore/resume data processing operations when there is a disaster.

PC hard drives can be backed up on CDs, diskettes, and tape files. T/F

The company should periodically practice restoring a system from the backup data so employees know how to quickly restart the system if a failure occurs. T/F

The performance audit report of an information technology department indicated that the department lacked a disaster recovery plan. Which of the following steps should management take first to correct this condition?
- Bulletproof the information security architecture
- Designate a hot site
- Designate a cold site
- Prepare a statement of responsibilities for tasks included in a disaster recovery plan

Answer: Prepare a statement of responsibilities for tasks included in a disaster recovery plan

Disaster recovery plans include:
1. Setting ___ priorities
2. Providing the necessary ___
3. Providing for backup computer and telecommunications facilities T/F
4. Having procedures for periodic ___ and ___
5. Complete ___ of the process

Answers: 1. recovery; 2. insurance; 3. true; 4. testing and revision; 5. documentation

Greater reliance of management on information systems increases the exposure to:
- unauthorized third-party access to systems.
- systematic programming errors.
- inadequate knowledge bases.
- business interruption.

Answer: business interruption. Greater reliance of management on information systems increases the exposure to business interruption. As management relies more on information systems for crucial functions, system failures have the potential to interrupt business.

A company has a significant e-commerce presence and self-hosts its website. To assure continuity in the event of a natural disaster, the firm should adopt which of the following strategies?
- Back up the server database daily
- Store records off-site
- Purchase and implement RAID technology
- Establish an off-site mirrored web server

Answer: Establish an off-site mirrored web server. A natural disaster could destroy the onsite web server as well as any backup server at the same location. A disaster could also destroy communications channels to that site. A second identical server (a mirror) with separate communications channels located remotely would facilitate continuity in a disaster.

A new accounts receivable clerk, working for a wholesaler, noticed that a customer had apparently changed addresses. The clerk had accessed the customer's computer file and revised all addresses. One week later the customer complained that goods were being sent to the wrong address. The primary control to prevent this occurrence is TRAINING ON DATA ENTRY. T/F

False - it is database security. The primary control to prevent someone from accessing the customer's computer file and revising all addresses is database security. Proper security would prevent changes by an accounts receivable clerk.

All of the following are classifications of controls used to make systems more secure except:
- nonphysical access controls.
- segregation of system duties.
- logical access controls.
- internet and telecommunications controls.

Answer: nonphysical access controls. Nonphysical access controls are not one of the five classifications of controls used to make systems more secure. The five classifications are: segregation of duties, physical access controls, logical access controls, personal computers and client/server network protection, and internet and telecommunications controls.

During the process of electronically transmitting data, which of the following IT controls would provide the most assurance that unauthorized disclosure of sensitive information would be prevented?
- Encryption
- Restricted access
- A strongly worded confidentiality warning
- Separate transmission of the data file and its password

Answer: Encryption. Encryption provides the most assurance that unauthorized disclosure of sensitive information is prevented. Encryption is transforming data, called plaintext, into unreadable gibberish, called ciphertext. Decryption reverses this process, transforming ciphertext back into plaintext.

A digital signature is used primarily to determine that a message is:
- unaltered in transmission.
- not intercepted en route.
- received by the intended recipient.
- sent to the correct address.

Answer: unaltered in transmission. A digital signature allows the creator of a message to digitally “sign” the data and provides proof of authorization. Because a digital signature cannot be altered, it allows the recipient to determine that a message has been unaltered in transmission.

SOC 2: Report on Controls at a Service Organization Relevant to: CAPS (mnemonic: CAPS SOC)

Confidentiality, Availability, Processing Integrity, Security

SOC REPORTS

In a ____ report, the service auditor provides an opinion as to whether the service organization’s description “fairly presents” the system that was designed and implemented, and whether the controls were suitably designed to meet the criteria as of a specified date.

In a ____ report, the service auditor provides an opinion on whether the service organization’s description “fairly presents” the system that was designed and implemented; the controls were suitably designed to meet the criteria; the controls operated effectively during the specified period of time; and the service organization is in compliance with the commitments in its statement of privacy practices, if the report covers the privacy principle.

Which of the following is an objective of logical security controls for information systems?
- To ensure complete and accurate recording of data
- To ensure complete and accurate processing of data
- To restrict access to specific data and resources
- To provide an audit trail of the results of processing

Answer: To restrict access to specific data and resources. Logical security controls for information systems are used to restrict access to specific data and resources. Input controls ensure complete and accurate recording of data. Processing controls ensure complete and accurate processing of data. Output controls provide an audit trail of results of processing.

LOGICAL CONTROLS

Several levels of logical access are needed:
1. ____, which ensures that unauthorized users and devices are not allowed to access any part of the system.
2. ___, which makes sure the system can recognize authorized users, but restricts their access to: a) data they're not allowed to use; b) the functions they're authorized to perform.

Answers: 1. Authentication; 2. Authorization

Unauthorized alteration of online records can be prevented by employing:
- key verification.
- computer sequence checks.
- computer matching.
- database access controls.

Answer: database access controls. Users can gain access to databases from terminals only through established recognition and authorization procedures; thus, unauthorized access is prevented.

In spite of management's insistence on following procedures, there have been occasions, usually associated with emergencies, in which a program in the test library was used for the company's operations. A risk of using test library programs in emergency situations is that:
- the personnel preparing the programs may not be authorized to write or modify them.
- the programs may not be further tested before being placed into production permanently.
- the integrity of the production library is threatened under such circumstances.
- operational personnel may not be fully satisfied with the output of the programs.

Answer: the programs may not be further tested before being placed into production permanently. A risk associated with such programs is that the programs may not be tested further before being placed into production permanently. The temptation is to place the test library program into production if it appeared to run satisfactorily.

A controller is developing a disaster recovery plan for a corporation's computer systems. In the event of a disaster that makes the company's facilities unusable, the controller has arranged for the use of an alternate location and the delivery of duplicate computer hardware to this alternate location. Which of the following recovery plans would best describe this arrangement?

A checkpoint/restart procedure is primarily designed to recover from:
- programming errors.
- data input errors.
- computer operator errors.
- hardware failures.

The term “____” refers to the periodic copying of the results of a program prior to its actual completion. The copy is written to secondary storage for use in restarting a program, should there be an interruption in the operation of the hardware devices. Restart is initiated from the most current (recent) checkpoint, rather than at the beginning of the program.

checkpoint-restart procedure

Which of the following statements presents an example of a general control for a computerized system?
- Limiting entry of sales transactions to only valid credit customers
- Creating hash totals from Social Security numbers for the weekly payroll
- Restricting entry of accounts payable transactions to only authorized users
- Restricting access to the computer center by use of biometric devices

Answer: Restricting access to the computer center by use of biometric devices

____ controls apply to all applications processed by the computerized system.

Many organizations are critically dependent on information systems to support daily business operations. Consequently, an organization may incur significant loss of revenues or incur significant expenses if a disaster such as a hurricane or power outage causes information systems processing to be delayed or interrupted. A bank, for example, may incur significant penalties as a result of missed payments. Which of the following management activities is essential to ensure continuity of operations in the event a disaster or catastrophe impairs information systems processing?
- Review of insurance coverage
- Electronic vaulting
- Change control procedures
- Contingency planning

Answer: Contingency planning. Contingency planning is a management activity which is essential to ensure continuity of operations in the event a disaster impairs information systems processing.

____ is a management activity which is essential to ensure continuity of operations in the event a disaster impairs information systems processing.

Which of the following risks can be minimized by requiring all employees accessing the information system to use passwords?
- Collusion
- Data entry errors
- Failure of server duplicating function
- Firewall vulnerability

Answer: Firewall vulnerability. Passwords are used to prevent unauthorized access to an information system. If passwords are required, it minimizes the chance of an intruder accessing sensitive data since the firewall will prevent such access.

1. A ____ prevents outsiders and employees from gaining unauthorized access to a system.
2. It only consists of software. T/F
3. Firewalls also unify internal networks to protect sensitive data from unauthorized internal use. T/F
4. Firewalls often use ___ hardware, software, and other information technology to reduce outages and failures.
5. Firewalls act as filters and only permit packets that meet specific conditions to pass. T/F

Answers: 1. firewall; 2. False - both software and hardware; 3. False - it separates internal networks; 4. redundant; 5. True

Firewalls can be penetrated or bypassed, so:
1. All communication network links should be periodically monitored to determine whether a firewall was bypassed by wireless communications links. T/F
2. __ and ___ systems should be used to detect any penetrations.

Answers: 1. False - continuously; 2. intrusion detection and prevention

Which of the following classifications of security controls includes smoke detectors, generators, security guards, and ID badges?
- Technical
- Physical
- Administrative
- Logical

A routine part of an organization's disaster recovery plan should require the ongoing preparation of backup files ... t/f

Company A has numerous personal computers (PCs) with full processing capabilities linked into an integrated local area network with a file server which in turn is fully connected to the central mainframe computer. Data entry, comprehensive processing, and inquiry routines are possible at all nodes in the network. A control feature designed to negate the use of utility programs to read files which contain all authorized access user codes for the network is LOG-ON PASSWORDS. T/F

FALSE - internally encrypted passwords. Internally encrypted passwords are a form of access control designed to prevent unauthorized access by use of a utility program to identify passwords.

Encryption protection is least likely to be used in which of the following situations?
- When transactions are transmitted over local area networks
- When wire transfers are made between banks
- When confidential data are sent by satellite transmission
- When financial data are sent over dedicated, leased lines

Answer: When transactions are transmitted over local area networks. Encryption protection is least likely to be used when transactions are transmitted over local area networks. Such protection makes it difficult for intercepted transmissions to be understood or modified. Encoding is important when confidential data are transmitted between geographically separated locations that can be electronically monitored. Encryption is often used when wire transfers are made between banks, confidential data are sent by satellite transmission, and financial data are sent over dedicated leased lines.

A company's web server has been overwhelmed with a sudden surge of false requests that caused the server to crash. The company has most likely been the target of:

Which of the following would normally be the functions of security software?
- Authenticates user identification and controls access to information resources
- Logs the activity of the computer system including the time each program is started and when each file is accessed
- Displays the data typed into a terminal keyboard
- Records and monitors changes to program source code and object code files

Answer: Authenticates user identification and controls access to information resources. Authentication and subsequent access to computer resources are the primary functions of security software.

Authentication and subsequent access to computer resources are the primary functions of ___.

An entity doing business on the Internet most likely could use any of the following methods to prevent unauthorized intruders from accessing proprietary information except:
- password management.
- data encryption.
- digital certificates.
- batch processing.

Answer: batch processing. In batch processing, items to be processed are collected in groups to permit fast and convenient processing (processed as a group). Batch processing does not prevent unauthorized intruders from accessing information on the Internet. The other answer choices are incorrect because passwords, encryption, and digital certificates are all methods commonly used to restrict unauthorized access to data.

What is a major disadvantage to using a private key to encrypt data?
- Both sender and receiver must have the private key before this encryption method will work.
- The private key cannot be broken into fragments and distributed to the receiver.
- The private key is used by the sender for encryption but not by the receiver for decryption.
- The private key is used by the receiver for decryption but not by the sender for encryption.

Answer: Both sender and receiver must have the private key before this encryption method will work. A major disadvantage of private key encryption is that both the sender and receiver must have the same (private) key, and this must be securely transmitted to avoid interception and decryption of the message by others.

A SOC 1 reports on the:
- controls at a service organization relevant to policies and procedures, communications, and monitoring.
- controls at a service organization relevant to user entities’ internal control over financial reporting (ICFR).
- controls at a service organization relevant to security, availability, processing integrity, confidentiality, or privacy.
- controls at a service organization relevant to access controls, system operations, change management, and risk mitigation.

Answer: controls at a service organization relevant to user entities’ internal control over financial reporting (ICFR). A Service Organization Control (SOC) 1 report is on the controls at a service organization relevant to user entities’ internal control over financial reporting (ICFR). SOC 1 reports are based on Statement on Standards for Attestation Engagements (SSAE) 16. SOC 2 and SOC 3 reports are on the controls at a service organization relevant to security, availability, processing integrity, confidentiality, or privacy.

In general, mainframe computer production programs and data are adequately protected against unauthorized access. Certain utility software may, however, have privileged access to software and data. To compensate for the risk of unauthorized use of privileged software, Information Systems (IS) management can RESTRICT THE PRIVILEGED ACCESS.

False - it can only limit the access

Engaging in traditional electronic data interchange (EDI) provides which of the following benefits?
- Enhanced audit trails
- Guaranteed payments from customers
- Added flexibility to entice new partners
- Reduced likelihood of stockout costs

Answer: Reduced likelihood of stockout costs

Which of the following networks provides the least secure means of data transmission?
- Value-added
- Public-switched
- Local area
- Private

Answer: Public-switched. Public-switched networks are open to the general public and offer the lowest level of security.

Which of the following information technology (IT) terms is not matched with its appropriate definition?
- Hadoop: a free, open-source software framework that stores large amounts of data
- Predictive analytics technology: uses data, statistical algorithms, and machine-learning techniques to identify the likelihood of future outcomes based on historical data
- Big data: a term that describes the large volume of diverse and complex data available to businesses on a day-to-day basis
- Data-mining technology: enables entities to analyze text data from the web, comment fields, books, and other text-based sources to uncover insights not previously identified

Answer: Data-mining technology: enables entities to analyze text data from the web, comment fields, books, and other text-based sources to uncover insights not previously identified. Text-mining technology (not data mining) enables entities to analyze text data from the web, comment fields, books, and other text-based sources to uncover insights not previously identified. Text mining uses machine learning or natural language processing technology to comb through documents such as emails, blogs, and Twitter feeds to analyze large amounts of information and discover new topics and term relationships.

With ____ technology, entities can analyze text data from the web, comment fields, books, and other text-based sources to uncover insights not previously identified.

The internal auditor is reviewing a new policy on electronic mail. Appropriate elements of such a policy would include all of the following, except:
- erasing all employees' electronic mail immediately upon employment termination.
- encrypting electronic mail messages when transmitted over phone lines.
- limiting the number of electronic mail packages adopted by the organization.
- directing that personnel do not send highly sensitive or confidential messages using electronic mail.

Answer: erasing all employees' electronic mail immediately upon employment termination. The company should have access to the business-related e-mail that is left behind. Access to e-mail can also be critical in business or possible criminal investigations. The privacy concerns of the individual case must be mitigated by competing business interests: the need to follow up on business e-mail and to assist in investigations.

Which of the following statements best characterizes the function of a physical access control?
- Protects systems from the transmission of Trojan horses
- Provides authentication of users attempting to log into the system
- Separates unauthorized individuals from computer resources
- Minimizes the risk of incurring a power or hardware failure

Answer: Separates unauthorized individuals from computer resources

The best evidence that contingency planning is effective is to have:
- no processing interruptions during the past year.
- comprehensive documentation of the plan.
- sign-off on the plan by the internal audit department.
- successful testing of the plan.

Answer: successful testing of the plan. The only way to know whether contingency planning has been effective is to test the plan, by simulating an interruption or by conducting a paper test with a walk-through of recovery procedures.

Which of the following passwords would be most difficult to crack?
- OrCa!FlSi
- language12
- HOUSE 24
- pass56word

Passwords containing nonalphanumeric characters are the most difficult to crack because, when compared to simply alphanumeric password combinations, the number of possible combinations increases exponentially when nonalphanumeric characters are used.

Many organizations are critically dependent on information systems to support daily business operations. Consequently, an organization may incur significant loss of revenues or incur significant expenses if a disaster such as a hurricane or power outage causes information systems processing to be delayed or interrupted. Which of the following activities is necessary to determine what would constitute a disaster for an organization?
- Risk analysis
- File and equipment backup requirements analysis
- Vendor supply agreement analysis
- Contingent facility contract analysis

Answer: Risk analysis. Risk analysis is necessary to determine an organization's definition of a disaster and evaluate the effect of that disaster. System backup analysis, vendor supply agreement analysis, and contingent facility contract analysis are all contingency planning strategies to react to a disaster.

Mainframe computer systems include several advanced processing procedures. Two of the most common processing procedures are multiprocessing and multiprogramming. Which of the following statements about these processing procedures is false?
- Multiprocessing usually involves two or more computers functioning simultaneously.
- Multiprogramming allows multiple programs to be executed at exactly the same time.
- Multiprogramming switches back and forth between programs during processing.
- Multiprocessing allows the sharing of a central memory during processing.

Answer: Multiprogramming allows multiple programs to be executed at exactly the same time. Multiprocessing involves the simultaneous execution of two or more tasks, usually by using two or more processing units that are part of the same system (with a single central memory). Multiprogramming is the appearance of simultaneous execution of two programs as a single processing unit switches back and forth between the programs.

1. ____ involves the simultaneous execution of two or more tasks, usually by using two or more processing units that are part of the same system (with a single central memory).
2. ____ is the appearance of simultaneous execution of two programs as a single processing unit switches back and forth between the programs.

Answers: 1. Multiprocessing; 2. Multiprogramming

Because of the sensitivity of its data, an online system for developing estimates and generating proposals was implemented with several layers of access control. Control over users' initial log-in is a function of the:
- integrated test facility.
- operating system.
- subschema authorizations.
- application software.

Answer: operating system. Initial log-in to a system is a function of the operating system–level access control software. An integrated test facility is an audit approach to validating processing. Database subschema authorizations control access to specific views of fields in a database. Access to applications and their data is a function of application-level software.

1. When users request access to data or programs or try to operate the system, a ____ can determine if the user is authorized to perform the desired action.
2. Compatibility tests use an ___.

Answers: 1. compatibility test; 2. access control matrix

Which of the following is not one of the more common types of cybersecurity threats?
Ransomware
Blockchain
Malware

Social engineering

Blockchain
A blockchain is a digitized, decentralized, public ledger of all cryptocurrency transactions; it is not an example of a cybersecurity threat.

Social engineering is a tactic designed to trick an individual or entity into revealing sensitive information.

Some of the more common types of cybersecurity threats include the following:
____: a type of malicious software designed to extort money by blocking access to files or the computer system until the ransom is paid.
____: a tactic designed to trick an individual or entity into revealing sensitive information.
____: a type of software designed to gain unauthorized access to, or cause damage to, a computer.
____: the practice of sending fraudulent emails that resemble emails from reputable sources.
____: an attack that bombards the receiving server with so much information that it shuts down.

Ransomware
Social engineering
Malware
Phishing
Denial of service (DoS)

Online access controls are absolutely essential in controlling access to and operation of modern computer systems. These controls include:
authorized user code numbers and passwords,
a list of all files and programs, and
a record of the type of access each user has for each file/program.

Which of the following is a network node that is set up as a boundary that prevents traffic from one segment from crossing over to another?
Router
Gateway
Firewall

Heuristic

Firewall

A firewall isolates the company's computers behind a device that acts as a gatekeeper; the gatekeeper prevents traffic from one segment from crossing over to another unless a rule explicitly permits it.
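To make the "gatekeeper between segments" idea concrete, here is a toy stateless packet filter. It is an added example, not code from the original page: the internal and DMZ address ranges, the port, and the rules are constructed, and it evaluates rules in order with a default deny, which is how real firewall rule sets behave.

```python
"""Toy stateless packet filter showing how a firewall isolates one network
segment from another: an ordered rule list evaluated first-match-wins, with
anything unmatched dropped (default deny). Added example, not code from the
original page. Segment addresses, ports and rules are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    src: str              # source CIDR the packet must come from
    dst: str              # destination CIDR the packet must go to
    dport: Optional[int]  # destination port; None matches any port
    action: str           # "allow" or "deny"

    def matches(self, src_ip: str, dst_ip: str, dport: int) -> bool:
        return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst)
                and (self.dport is None or self.dport == dport))


# Constructed policy for a boundary between an internal segment
# (10.0.0.0/24) and a DMZ (192.168.100.0/24): internal hosts may reach the
# DMZ web server on 443 only; the DMZ may never initiate traffic inward.
RULES = [
    Rule("10.0.0.0/24", "192.168.100.10/32", 443, "allow"),
    Rule("192.168.100.0/24", "10.0.0.0/24", None, "deny"),
]


def filter_packet(src_ip: str, dst_ip: str, dport: int, rules=RULES) -> str:
    """Return the action of the first matching rule, or "deny" if none match.
    Rule order matters: a broad allow placed above a narrow deny defeats it."""
    for rule in rules:
        if rule.matches(src_ip, dst_ip, dport):
            return rule.action
    return "deny"


if __name__ == "__main__":
    # Constructed sample flows, one per line.
    for src, dst, port in [("10.0.0.5", "192.168.100.10", 443),
                           ("10.0.0.5", "192.168.100.10", 22),
                           ("192.168.100.10", "10.0.0.5", 445)]:
        print(f"{src} -> {dst}:{port}  {filter_packet(src, dst, port)}")
```

The explicit DMZ-to-internal deny is redundant with the default deny; it is there to document intent, which is the usual practice so that a later allow rule added below it cannot silently open the boundary.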

Which of the following best describes a hot site?
Location within the company that is most vulnerable to a disaster
Location where a company can install data processing equipment on short notice
Location that is equipped with a redundant hardware and software configuration

Location that is considered too close to a potential disaster area

Location that is equipped with a redundant hardware and software configuration

A _____ site is a completely operational data processing facility, configured to meet the user's requirements, that can be made available to a disaster-stricken organization on short notice. It is a location with a redundant hardware and software configuration.

A ____ site is a location that provides everything necessary (power, air conditioning, support systems) to quickly install computer equipment in the event of a disaster striking an organization.

Who are the intended users of a Service Organization Control (SOC) 2 report?
Management of the service organization, user entities, and user auditors
Anyone (no restrictions)
Parties that are knowledgeable about the nature of the service provided by the service organization

User auditors

Parties that are knowledgeable about the nature of the service provided by the service organization

SOC 2 reports are restricted and are only for parties that are knowledgeable about the nature of the service provided by the service organization. SOC 1 reports are for management of the service organization, user entities, and user auditors. SOC 3 reports have no restrictions and can be distributed to anyone.

Who are these reports intended for?
SOC 1
SOC 2
SOC 3

SOC 1: management of the service organization, user entities, and user auditors
SOC 2: parties that are knowledgeable about the nature of the service provided by the service organization
SOC 3: anybody

To encrypt a document:
the data to be encrypted is divided into ___ the same length as the ___;
the formula is applied to each block of data, producing a ___ version of the data that is the same size as the original.
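The block model above (split into fixed-size blocks, transform each, output the same size) is shown below with a deliberately toy block function standing in for a real cipher such as AES. This is an added example, not code from the original page; the 8-byte block size, key and message are constructed. It also shows the caveat the card leaves out: applying the formula to each block independently (ECB mode) produces identical ciphertext blocks for identical plaintext blocks, which chaining (CBC mode) avoids.

```python
"""Block-by-block encryption with a toy XOR-and-rotate block function standing
in for a real cipher. Added example, not from the original page; block size,
key, IV and sample message are constructed. Shows PKCS#7-style padding, that
ciphertext is the same size as the padded plaintext, and that independent
per-block encryption (ECB) leaks repeated plaintext blocks."""

BLOCK = 8  # toy block length in bytes; AES uses 16

KEY = b"k3y-8byt"      # constructed 8-byte key, same length as a block
IV = b"\x00" * BLOCK   # constructed IV; real systems use a random one per message
SAMPLE = b"ATTACKATDAWN" * 4  # constructed message with repeating content


def pad(data: bytes) -> bytes:
    """PKCS#7 padding: always add 1..BLOCK bytes, each equal to the pad length."""
    n = BLOCK - (len(data) % BLOCK)
    return data + bytes([n]) * n


def unpad(data: bytes) -> bytes:
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def block_xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def toy_block_encrypt(block: bytes, key: bytes) -> bytes:
    """Stand-in for a block cipher: XOR with the key, then rotate left one byte.
    Insecure by design; only the block structure is being illustrated."""
    x = block_xor(block, key)
    return x[1:] + x[:1]


def toy_block_decrypt(block: bytes, key: bytes) -> bytes:
    x = block[-1:] + block[:-1]          # undo the rotation
    return block_xor(x, key)             # undo the XOR


def blocks(data: bytes):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def encrypt_ecb(plaintext: bytes, key: bytes) -> bytes:
    """Each block transformed independently: equal plaintext blocks give equal ciphertext blocks."""
    return b"".join(toy_block_encrypt(b, key) for b in blocks(pad(plaintext)))


def decrypt_ecb(ciphertext: bytes, key: bytes) -> bytes:
    return unpad(b"".join(toy_block_decrypt(b, key) for b in blocks(ciphertext)))


def encrypt_cbc(plaintext: bytes, key: bytes, iv: bytes) -> bytes:
    """Each block is XORed with the previous ciphertext block before encryption."""
    out, prev = [], iv
    for b in blocks(pad(plaintext)):
        prev = toy_block_encrypt(block_xor(b, prev), key)
        out.append(prev)
    return b"".join(out)


def decrypt_cbc(ciphertext: bytes, key: bytes, iv: bytes) -> bytes:
    out, prev = [], iv
    for c in blocks(ciphertext):
        out.append(block_xor(toy_block_decrypt(c, key), prev))
        prev = c
    return unpad(b"".join(out))


def repeated_blocks(ciphertext: bytes) -> int:
    """How many ciphertext blocks duplicate an earlier one (the ECB pattern leak)."""
    bs = blocks(ciphertext)
    return len(bs) - len(set(bs))


if __name__ == "__main__":
    ecb = encrypt_ecb(SAMPLE, KEY)
    cbc = encrypt_cbc(SAMPLE, KEY, IV)
    print(len(SAMPLE), "plaintext bytes ->", len(ecb), "ciphertext bytes")
    print("repeated blocks: ECB", repeated_blocks(ecb), " CBC", repeated_blocks(cbc))
```

The 48-byte sample pads to 56 bytes (seven blocks), and three of the ECB ciphertext blocks are exact repeats of earlier ones, so an attacker who cannot decrypt can still see which parts of the document are identical.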

A large property insurance company has regional centers that customers call to report claims. Although the regional centers are not located in areas known to be prone to natural disasters, the company needs a disaster recovery plan that would restore call answering capacity in the event of a disaster or other extended loss of service. The best plan for restoring capacity in the event of a disaster would be to reroute call traffic to a third-party service center. T/F

False: reroute call traffic to a non-affected regional center.

Which of the following is not an area that should be included in an entity's cybersecurity risk assessment?
Identity management
End-user education
Malware protection

Disaster recovery/business continuity planning

Malware Protection

Malware protection, along with next-generation firewalls, DNS (domain name system) filtering, antivirus software, and email security solutions, is an example of technology used to protect against the risk of cyber attacks.

CYBERSECURITY RISK ASSESSMENT
From a business perspective, multiple areas of risk need to be addressed, including:
security over networks, applications, data and databases, infrastructure, endpoint devices (computers, smart devices, and routers), mobile devices, and cloud storage;
identity management;
disaster recovery/business continuity planning; and
end-user education.

An online database management system for sales and receivables was recently expanded to include credit approval transactions. An evaluation of controls was not performed prior to implementation. To prevent unauthorized access to specific data elements, the database management system should contain which of the following controls?
Sign-on verification security at the physical terminals
Password specifications for each data file or element
Periodic tests of the system using production databases

Terminal security used in lieu of passwords for each data element or file

Password specifications for each data file or element

Which of the following types of business planning focuses on how a company can most effectively restore business operations following a disaster?
Capacity planning
Budget planning
Strategy planning

Continuity planning

continuity planning

A continuity plan explains how a business would recover its operations or move operations to another location after damage by events like natural disasters, theft, or flooding.

The National Cyber Security Alliance (NCSA) guidelines for conducting cyber-risk assessment focus on several key areas. Which of the following is not a risk assessment area?
Identify an organization's most valuable information requiring protection
Identify the threats and risks facing the organization's valuable information
Identify the damage an organization would incur should its valuable data be lost or wrongfully exposed

Develop and implement a plan to mitigate cyber risk

Develop and implement a plan to mitigate cyber risk

Developing and implementing a plan to mitigate cyber risk is a key step in providing cybersecurity; however, it is not part of the risk assessment stage.

NCSA's guidelines for conducting cyber-risk assessments focus on three key areas: identifying an organization's most ___ requiring protection, identifying the ___ and ___ facing that information, and outlining the ___ an organization would incur should that data be lost or wrongfully exposed.

valuable information
threats and risks
damage

Notebook computers provide automation outside of the normal office location. Which of the following would provide the least security for sensitive data stored on a notebook computer?
Encryption of data files on the notebook computer
Setting up a password for the screensaver program on the notebook computer
Using a notebook computer with a removable hard disk drive
Using a locking device that can secure the notebook computer to an immovable object

Setting up a password for the screensaver program on the notebook computer

Laptops, cell phones, and PDA devices require special attention to prevent their theft and the loss of the data they contain.
Employees should always lock their laptops to an ___.
Store sensitive data on ___ media, rather than the hard drive, in an encrypted format and lock it up at night.
Install software on laptops so that if a laptop is stolen it will automatically ___ to reveal its current location when the thief attempts to use it to connect to the Internet.

immovable object
removable
dial a toll-free number or use Wi-Fi positioning

An organization uses electronic mail extensively over the Internet. All users have an established password to get into their account. Which of the following statements is correct regarding such security?
All messages on the Internet are encrypted, thereby providing enhanced security.
Passwords are effective in ensuring that someone attempting to log on under a user's name is prevented from casually accessing the user's data.
If someone gains supervisory level access to the file server containing electronic messages, they could still not gain access to the file containing electronic mail messages unless they first decrypted the security control log.

All of these statements are correct.

Passwords are effective in ensuring that someone attempting to log on under a user's name is prevented from casually accessing the user's data.
Passwords are effective against the casual intruder. Messages on the Internet are not encrypted by default; it is the sender's and receiver's responsibility to encrypt confidential information.

If someone gains access to the server, he or she can download the file of messages and gain access to the messages without working with any security log.

The use of message encryption software:
guarantees the secrecy of data.
requires manual distribution of keys.
increases system overhead.
reduces the need for periodic password changes.

increases system overhead.

The machine instructions necessary to encrypt and decrypt data constitute system overhead, which means that processing may be slowed down.

Good planning will help an organization restore computer operations after a processing outage. Good recovery planning should ensure that:
backup/restart procedures have been built into job streams and programs.
change control procedures cannot be bypassed by operating personnel.
planned changes in equipment capacities are compatible with projected workloads.

service level agreements with owners of applications are documented.

backup/restart procedures have been built into job streams and programs.
An essential component of a disaster recovery plan is that the need for backup/restart has been anticipated and provided for in the application systems.

Each day, after all processing is finished, a bank performs a backup of its online deposit files and retains it for seven days. Copies of each day's transaction files are not retained. This approach is:
valid, in that having a week's worth of backups permits recovery even if one backup is unreadable.
risky, in that restoring from the most recent backup file would omit subsequent transactions.
valid, in that it minimizes the complexity of backup/recovery procedures if the online file has to be restored.

risky, in that no checkpoint/restart information is kept with the backup files.

risky, in that restoring from the most recent backup file would omit subsequent transactions.

The practice is risky in that restoring from the most recent backup file would omit transactions occurring since the backup was taken.

Managers at a consumer products company purchased personal computer (PC) software only from recognized vendors and prohibited employees from installing non-authorized software on their PCs. To minimize the likelihood of computer viruses infecting any of its systems, the company should also:
restore infected systems with authorized versions.
recompile infected programs from source code backups.
institute program change control procedures.

test all new software on a stand-alone PC.

test all new software on a stand-alone PC

The best way for the company to minimize the likelihood of computer viruses infecting its systems would be to test all new software on a stand-alone PC before installing it on networked computers in the system.

Which of the following situations would most likely provide the best way to secure data integrity for a personal computer environment?
Provision of personal computers to all users
Trained, proficient user group
All computers linked to a local area network (LAN)

Adequate program documentation

All computers linked to a local area network (LAN)

Data integrity relates to using data for its intended purpose. A local area network would promote data integrity by making data available only to those users having a legitimate reason for access. Centralized access controls would help promote data integrity.

Which of the following is a computer program that appears to be legitimate but performs an illicit activity when it is run?
Redundant verification
Parallel count
Web crawler

Trojan horse

An information technology director collected the names and locations of key vendors, current hardware configuration, names of team members, and an alternative processing location. What is the director most likely preparing?

A disaster recovery alternate site configured to meet user data processing requirements, including the appropriate hardware, is called a:
cold site.
remote processing site.
reciprocal site.

hot site.

Hot site

A hot site is one that contains all essential hardware to restore the system in a minimal amount of time. A hot site is more costly than a cold site, which includes only appropriate power, air conditioning, and support systems, but no hardware.

Which of the following is an electronic device that separates or isolates a network segment from the main network while maintaining the connection between networks?

Computer program libraries can best be kept secure by:
restricting physical and logical access.
denying access from remote terminals.
monitoring physical access to program library media.
installing a logging system for program access.

restricting physical and logical access.

Restricting physical and logical access secures program libraries from unauthorized use, in person and remotely via terminals.

All host devices (PCs and servers where programs reside) and applications (software on those hosts) should be ____.

Hardening is the process of modifying the configuration of hosts and application software and deleting, or turning off, unused and unnecessary programs that represent potential security threats.

The primary objective of security software is to:
control access to information system resources.
restrict access to prevent installation of unauthorized utility software.
detect the presence of viruses.

monitor the separation of duties within applications.

control access to info sys. resources

Tunneling is used to create a virtual private network. All of the following statements describe tunneling except:
packets are encrypted and sent over the internet.
the network is protected by a single firewall.
data is split into small internet protocol (IP) packets.

at the destination the packets are decrypted.

the network is protected by a single firewall.

Tunneling is used to create a virtual private network and can also be used to safeguard internal networks. The networks are connected firewall to firewall via the internet (the tunnel runs between them), so more than one firewall is involved.

The duties properly assigned to an information security officer could include all of the following, except:
developing an information security policy for the organization.
maintaining and updating the list of user passwords.
commenting on security controls in new applications.

monitoring and investigating unsuccessful access attempts.

maintaining and updating the list of user passwords.

T/F regarding digital signatures:
A valid digital signature does not identify the owner of the private key.
It uniquely identifies the sender.
It is not legally binding as a signature.
It is created by encrypting the sender's message (or its hash) with the sender's private key, and can only be decoded with the corresponding public key.

True
True
False (it is legally binding as a signature)
True

A digital signature is considered to be legally binding.

In one company, the application systems must be in service 24 hours a day. The company's senior management and information systems management have worked hard to ensure that the information systems recovery plan supports the business disaster recovery plan. A crucial aspect of recovery planning for the company is ensuring that:organizational and operational changes are reflected in the recovery plans.

changes to systems are tested thoroughly before being placed into production.

organizational and operational changes are reflected in the recovery plans.

An auditor is planning an audit of a customer information system which uses a local area network (LAN) with personal computers (PCs). Increased risks associated with the company's use of a LAN and PCs, as opposed to use of a mainframe, could include all of the following, except:
lack of documentation of procedures to ensure the complete capture of data.
poor security of data residing on the PCs.
problems with failures of the hardware used for processing data.

incomplete data communications.

problems with failures of the hardware used for processing data.

Problems with failures of the hardware used for processing data are not considered a major risk, as PCs have hardware components similar to mainframe computers. The integrity of the hardware is quite high.

Data access security related to applications may be enforced through all the following, except:
user identification and authentication functions incorporated in the application.
utility software functions.
user identification and authentication functions in access control software.
security functions provided by a database management system.

utility software functions.
Data access security related to applications cannot be enforced through utility software functions.

Utility programs are one of the more serious “holes” in data access security since some of them can actually bypass normal access controls.

Utility programs are one of the more serious “holes” in data access security since some of them can actually bypass normal access controls. T/F

An access control matrix consists of:
a list of all authorized user ___ and ___,
a list of all ___ and ___ maintained on the system, and
a record of the type of ___ to which each user is entitled.

code numbers and passwords
files and programs
access

Compatibility tests are sometimes employed to determine whether an acceptable user is allowed to proceed. In order to perform compatibility tests, the system must maintain an access control matrix. The one item that is not part of an access control matrix is a:

limit on the number of transaction inquiries that can be made by each user in a specified time period.
A limit on transaction totals and frequency is not part of the access control matrix. An access control matrix consists of:
a list of all authorized user code numbers and passwords,
a list of all files and programs maintained on the system, and
a record of the type of access to which each user is entitled.

Disaster plans must include all of the following factors:
A backup for programs and data
An alternative processing site
Off-site storage of backups
Identification of critical applications

A method for testing the plan

With respect to backup procedures for master files on magnetic tape as opposed to master files on magnetic disk:
a separate backup run is required for both tape and disk.
a separate backup run is required only for the tape.
a separate backup run is required for disk, while the prior master on magnetic tape serves as a backup.

the grandfather cycle is required in either filing situation.

a separate backup run is required for disk while the prior master on magnetic tape serves as a backup.

Disk-oriented systems typically employ destructive updating (new, updated master records are written over the old master records, thereby destroying them). Consequently, disk-oriented systems require separate backup procedures. Tape-oriented systems, by contrast, generate a new master file tape as an output of the updating run, leaving the old master file tape and the transaction file tape available as backup.

Magnetic tape is a secondary storage medium. T/F
A master file is used in electronic data processing and contains relatively permanent information used for reference and updated periodically. T/F
A transaction file is a relatively temporary data file containing transaction data that is typically used to update a master file. T/F

True
True (it is like a permanent file)
True (this is like the transactions each month on a bank statement that produce the ending balance)

Contingency planning alternatives can vary by computer processing environment. A company is least likely to use a reciprocal processing agreement for:
small systems.
large batch operations.
online teleprocessing facilities.
small batch operations.

online teleprocessing facilities.
Online teleprocessing would generally not involve a reciprocal processing agreement. Reciprocal processing agreements are often used for small systems, large batch operations, and small batch operations.

Reciprocal processing agreements are often used for ___ systems, ___ batch operations, and ___ batch operations.

Backup computer and telecommunications facilities, which can be arranged by:
Establishing ___ agreements
Signing a contract for a ___ fee
___: distributing processing capacity in a multilocation organization so that other locations can take over if one fails
Investing in duplicate ___

Reciprocal
Contingent
Fail-soft
software/hardware/data storage devices

Most organizations are concerned about the potential compromise of passwords. Which of the following procedures would be the most effective in controlling against a perpetrator obtaining someone else's password?
Allow only the users to change their passwords and encourage them to change passwords frequently.
Implement a computer program that tests to see that the password is not easily guessed.
Implement the use of "see-through" authentication techniques whereby the user uses a card to generate a password and verifies both the key and the generated password to the system.

Limit password authorization to time of day and location.

Implement the use of “see-through” authentication techniques whereby the user uses a card to generate a password and verifies both the key and the generated password to the system.

“See-through” authentication techniques, such as the one described, require the user to have two important elements to identify one's self to the system, i.e., something they possess (the card used to generate the password) and something they know (the key or password to generate the new password).

____ authentication techniques, such as the one described, require the user to have two important elements to identify one's self to the system, i.e., something they possess (the card used to generate the password) and something they know (the key or password to generate the new password).

Risk assessments, recovery plans for data systems, and implementation of safeguards are all components of:

T/F: Personal computers and networks are more vulnerable than mainframes for all of the following reasons except:
it is sometimes difficult to segregate duties in a PC environment.
PC users are usually not as safety- and control-conscious as mainframe users.
networks can only be accessed from work computers.
PCs and laptops are portable and subject to theft.

True, True, False, True
The exception is "networks can only be accessed from work computers." Networks can be remotely accessed from almost anywhere using phone lines and the internet.

It is difficult to segregate duties in a PC and network environment, and one person may be responsible for both developing and operating a PC system. PC users are usually not as security- and control-conscious as mainframe users. PC laptops are portable and subject to theft.

Objectives of disaster recovery do not include which of the following?
Minimize disruption, damage, and loss from disaster.
Establish a short-term data processing alternative so the company can quickly resume normal operations.
Perform regular preventive maintenance on key system components.

Train and familiarize personnel with emergency procedures.

Perform regular preventive maintenance on key system components.

____is the process of electronically transmitting and storing backups of programs and data at a remote data storage facility.

A data and program backup procedure in which files are electronically transferred to a remote location is called a REMOTE BACKUP FACILITY. T/F

False: it is called electronic vaulting.

A business continuity plan (often called a disaster recovery plan) is used to smoothly and quickly restore data processing capacity when there is a disaster. Its five steps, in the order they should happen, are:
Conduct a business impact ___
Design recovery ___
Develop a recovery ___
Test, accept, and implement the plan (T/F)
Conduct ___ maintenance

analysis
strategy
plan
True
periodic

After reviewing the end-user computing (EUC) policy of an organization, an internal auditor audits the actuarial function and notices that some minimum control requirements are missing. Which of the following is a risk of using potentially incorrect end-user developed files?
Management places the same degree of reliance on the files as they do on files generated from mainframe systems.
Management receives limited information for decision making due to a lack of flexibility in EUC files.
Management is unable to respond to competitive pressures quickly.
Management continues to incur additional cost because it takes more hours to do the tasks using EUC.

Management places the same degree of reliance on the files as they do on files generated from mainframe systems.

End-user computing (EUC) allows users to develop their own information systems, but such systems often do not have the same level of general and application controls applied to the company's mainframe system. Thus, there is an increased risk that data produced by such systems will be inaccurate.

____allows users to develop their own information systems

To prevent interruptions in information systems operation, which of the following controls are typically included in an organization's disaster recovery plan?
Backup and data transmission controls
Data input and downtime controls
Backup and downtime controls

Disaster recovery and data processing controls

Backup and downtime controls

Three categories of controls are used to ensure information system availability: (1) minimizing system downtime, (2) disaster recovery plan, and (3) data and program file backups

Three categories of controls are used to ensure information system availability and prevent interruptions in I/S operation. These controls are included in an organization's disaster recovery plan:
(1) minimizing system ___
(2) disaster recovery ___
(3) data and program file ___

A company switches all processing to an alternate site, and staff members report to the alternate site to verify that they are able to connect to all major systems and perform all core business processes from the alternate site. Which of the following best identifies the activities performed by the staff?
Closed loop verification
Disaster recovery planning
Authentication validation

Segregation control testing

Disaster recovery planning
Having an alternate processing site is an example of disaster recovery planning, since it allows processing to continue at the alternate site if something should happen to the main processing system. A disaster recovery plan is used to smoothly and quickly restore data processing capacity when there is a disaster.

Authentication validation is a process of ensuring that proper parties are allowed to access the system. It is not related to disaster recovery.

Bacchus, Inc., is a large multinational corporation with various business units around the world. After a fire destroyed the corporate headquarters and largest manufacturing site, plans for which of the following would help Bacchus ensure a timely recovery?
Daily backup
Network security
Business continuity

Backup power

Business continuity

Business continuity means providing the ability for a firm to engage in continuous operation. A business continuity plan would incorporate more than a disaster recovery plan, which only deals with recovery (and continuity) of the computer processing capability of the organization.

Some companies have been the target of terrorist attacks in recent years. The best approach to avoid having a data center be selected as a terrorist's target is to:
ensure that the disaster recovery plans are fully tested.
harden the electrical and communications systems against attack.
maintain as low a profile as possible for the data center.
monitor the locations and activities of known terrorists.

maintain as low a profile as possible for the data center.

The best approach to avoid having the data center identified as a terrorist's target is to establish as low a profile as possible for the data center, e.g., by refraining from (1) identifying the building on the outside as a data center, (2) showcasing the data center through glass windows, or (3) advertising the important role the data center plays in operations.

A company employing an online computer system has CRT terminals located in all operating departments for inquiry and updating purposes. Many of the company's employees have access to and are required to use the CRT terminals. A control the company would incorporate to prevent an employee from making an unauthorized change to computer records unrelated to that employee's job would be to:
restrict the physical access to terminals.
establish user codes and passwords.
use validity checks.

apply a compatibility test to transactions or inquiries entered by the user.

Use of a compatibility test for users would assure that an employee used a CRT only for purposes related to that employee's job description. For example, an accounts receivable clerk would not be allowed access to inventory or fixed asset records since those records would not be compatible with the duties of an accounts receivable clerk.

None of the control measures mentioned in the other answers would specifically prevent an employee from making an unauthorized change in computer records unrelated to that employee's job.
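The three cards on online access controls, the access control matrix, and the compatibility test above all describe the same structure. The block below puts it into working code: an added example, not from the original page, with constructed users, files and rights taken from the accounts-receivable scenario just described. One deliberate deviation from the card's wording is labeled in the code: passwords are stored as salted PBKDF2 hashes rather than as the plaintext "list of passwords" the card mentions, because a matrix that holds cleartext passwords is itself the most valuable target on the system.

```python
"""Access control matrix with authentication and a compatibility test.
Added example, not from the original page; users, resources, rights and
passwords are constructed. Passwords are stored as salted PBKDF2 hashes
(a deliberate change from the card, which says the matrix holds passwords)."""
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 100_000  # assumed value; tune upward for real deployments


def hash_password(password: str, salt: bytes = None) -> tuple:
    """Return (salt, PBKDF2-HMAC-SHA256 digest); a fresh salt if none is given."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


class AccessControlMatrix:
    """(1) authorized user codes with their credential hashes,
       (2) the files and programs maintained on the system,
       (3) the type of access each user is entitled to on each of them."""

    def __init__(self):
        self.users = {}        # user code -> (salt, digest)
        self.resources = set()  # file / program names
        self.rights = {}       # (user code, resource) -> set of allowed actions
        self.denied = []       # audit trail of refused attempts

    def add_user(self, code: str, password: str) -> None:
        self.users[code] = hash_password(password)

    def add_resource(self, name: str) -> None:
        self.resources.add(name)

    def grant(self, code: str, resource: str, *actions: str) -> None:
        if code not in self.users or resource not in self.resources:
            raise KeyError("unknown user code or resource")
        self.rights.setdefault((code, resource), set()).update(actions)

    def authenticate(self, code: str, password: str) -> bool:
        """Is this the holder of the user code? Constant-time digest compare."""
        record = self.users.get(code)
        if record is None:
            return False
        salt, stored = record
        _, candidate = hash_password(password, salt)
        return hmac.compare_digest(stored, candidate)

    def compatibility_test(self, code: str, resource: str, action: str) -> bool:
        """Is the requested action on this file/program compatible with the
        user's authorized duties? Deny by default and log every refusal."""
        allowed = action in self.rights.get((code, resource), set())
        if not allowed:
            self.denied.append((code, resource, action))
        return allowed


def build_demo() -> AccessControlMatrix:
    """Constructed scenario from the CRT-terminal card: an A/R clerk may read
    and update receivables but holds no rights on inventory or fixed assets."""
    acm = AccessControlMatrix()
    acm.add_user("ar-clerk-17", "correct horse battery")
    acm.add_user("inv-super-03", "staple")
    for resource in ("AR_MASTER", "INVENTORY", "FIXED_ASSETS"):
        acm.add_resource(resource)
    acm.grant("ar-clerk-17", "AR_MASTER", "read", "update")
    acm.grant("inv-super-03", "INVENTORY", "read", "update")
    acm.grant("inv-super-03", "AR_MASTER", "read")
    return acm


if __name__ == "__main__":
    acm = build_demo()
    print("login ok:", acm.authenticate("ar-clerk-17", "correct horse battery"))
    print("AR clerk update AR_MASTER:", acm.compatibility_test("ar-clerk-17", "AR_MASTER", "update"))
    print("AR clerk update INVENTORY:", acm.compatibility_test("ar-clerk-17", "INVENTORY", "update"))
    print("denied attempts logged:", acm.denied)
```

The refused attempts are recorded so the information security officer can perform the "monitoring and investigating unsuccessful access attempts" duty listed earlier on this page.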

An automobile and personal property insurer has decentralized its information processing to the extent that headquarters had less processing capacity than any of its regional processing centers. These centers are responsible for initiating policies, communicating with policyholders, and adjusting claims. The company uses leased lines from a national telecommunications company. Initially, the company thought there would be little need for inter-region communication, but that has not been the case. The company underestimated the number of customers that would move between regions and the number of customers with claims arising from accidents outside their regions. The company has a regional center in an earthquake-prone area and is planning how to continue processing if that center, or any other single center, were unable to perform its processing.

Unfortunately, the company has not revised its contingency plan since the time when its data processing was mostly centralized at headquarters. The existing plan is likely to be out of date because of:

changes in equipment, data, and software.

because the company has not revised its contingency plan since the decentralization, the existing plan will probably be out of date because of changes in equipment, data, and software.