1、The extent to which data will be collected during an IS audit should be determined based on the:
A、availability of critical and required information.
B、auditor's familiarity with the circumstances.
C、auditee's ability to find relevant evidence.
D、purpose and scope of the audit being done.
ANSWER: D
NOTE: The extent to which data will be collected during an IS audit should be related directly to the scope and purpose of the audit. An audit with a narrow purpose and scope would most likely result in less data collection than an audit with a wider purpose and scope. The scope of an IS audit should not be constrained by the ease of obtaining the information or by the auditor's familiarity with the area being audited. Collecting all the required evidence is a required element of an IS audit, and the scope of the audit should not be limited by the auditee's ability to find relevant evidence.
2、Which of the following ensures a sender's authenticity and an e-mail's confidentiality?
A、Encrypting the hash of the message with the sender's private key and thereafter encrypting the hash of the message with the receiver's public key
B、The sender digitally signing the message and thereafter encrypting the hash of the message with the sender's private key
C、Encrypting the hash of the message with the sender's private key and thereafter encrypting the message with the receiver's public key
D、Encrypting the message with the sender's private key and encrypting the message hash with the receiver's public key
ANSWER: C
NOTE: To ensure authenticity and confidentiality, a message must be encrypted twice: first with the sender's private key, and then with the receiver's public key. The receiver can decrypt the message, thus ensuring confidentiality of the message. Thereafter, the decrypted message can be decrypted with the public key of the sender, ensuring authenticity of the message. Encrypting the message with the sender's private key alone enables anyone to decrypt it.
3、Which of the following is the GREATEST advantage of elliptic curve encryption over RSA encryption?
A、Computation speed
B、Ability to support digital signatures
C、Simpler key distribution
D、Greater strength for a given key length
ANSWER: A
NOTE: The main advantage of elliptic curve encryption over RSA encryption is its computation speed. This method was first independently suggested by Neal Koblitz and Victor S. Miller. Both encryption methods support digital signatures and are used for public key encryption and distribution. However, a stronger key per se does not necessarily guarantee better performance; performance depends on the actual algorithm employed.
4、Which of the following controls would provide the GREATEST assurance of database integrity?
A、Audit log procedures
B、Table link/reference checks
C、Query/table access time checks
D、Rollback and rollforward database features
ANSWER: B
NOTE: Performing table link/reference checks serves to detect table linking errors (such as completeness and accuracy of the contents of the database), and thus provides the greatest assurance of database integrity. Audit log procedures enable recording of all events that have been identified and help in tracing the events. However, they only point to the event and do not ensure completeness or accuracy of the database's contents. Querying/monitoring table access time checks helps designers improve database performance, but not integrity. Rollback and rollforward database features ensure recovery from an abnormal disruption. They assure the integrity of the transaction that was being processed at the time of disruption, but do not provide assurance on the integrity of the contents of the database.
5、A benefit of open system architecture is that it:
A、facilitates interoperability.
B、facilitates the integration of proprietary components.
C、will be a basis for volume discounts from equipment vendors.
D、allows for the achievement of more economies of scale for equipment.
ANSWER: A
NOTE: Open systems are those for which suppliers provide components whose interfaces are defined by public standards, thus facilitating interoperability between systems made by different vendors. In contrast, closed system components are built to proprietary standards so that other suppliers' systems cannot or will not interface with existing systems.
6、An IS auditor discovers that developers have operator access to the command line of a production environment operating system. Which of the following controls would BEST mitigate the risk of undetected and unauthorized program changes to the production environment?
A、Commands typed on the command line are logged
B、Hash keys are calculated periodically for programs and matched against hash keys calculated for the most recent authorized versions of the programs
C、Access to the operating system command line is granted through an access restriction tool with preapproved rights
D、Software development tools and compilers have been removed from the production environment
ANSWER: B
NOTE: The matching of hash keys over time would allow detection of changes to files. Choice A is incorrect because having a log is not a control, reviewing the log is a control. Choice C is incorrect because the access was already granted—it does not matter how. Choice D is wrong because files can be copied to and from the production environment.
7、Which of the following BEST ensures the integrity of a server's operating system?
A、Protecting the server in a secure location
B、Setting a boot password
C、Hardening the server configuration
D、Implementing activity logging
ANSWER: C
NOTE: Hardening a system means to configure it in the most secure manner (install latest security patches, properly define the access authorization for users and administrators, disable insecure options and uninstall unused services) to prevent nonprivileged users from gaining the right to execute privileged instructions and thus take control of the entire machine, jeopardizing the OS's integrity. Protecting the server in a secure location and setting a boot password are good practices, but do not ensure that a user will not try to exploit logical vulnerabilities and compromise the OS. Activity logging has two weaknesses in this scenario—it is a detective control (not a preventive one), and the attacker who already gained privileged access can modify logs or disable them.
8、An investment advisor e-mails periodic newsletters to clients and wants reasonable assurance that no one has modified the newsletter. This objective can be achieved by:
A、encrypting the hash of the newsletter using the advisor's private key.
B、encrypting the hash of the newsletter using the advisor's public key.
C、digitally signing the document using the advisor's private key.
D、encrypting the newsletter using the advisor's private key.
ANSWER: A
NOTE: There is no attempt on the part of the investment advisor to prove their identity or to keep the newsletter confidential. The objective is to assure the receivers that it came to them without any modification, i.e., it has message integrity. Choice A is correct because the hash is encrypted using the advisor's private key. The recipients can open the newsletter, recompute the hash and decrypt the received hash using the advisor's public key. If the two hashes are equal, the newsletter was not modified in transit. Choice B is not feasible, for no one other than the investment advisor can open it. Choice C addresses sender authentication but not message integrity. Choice D addresses confidentiality, but not message integrity, because anyone can obtain the investment advisor's public key, decrypt the newsletter, modify it and send it to others. The interceptor will not be able to use the advisor's private key, because they do not have it. Anything encrypted using the interceptor's private key can be decrypted by the receiver only by using the interceptor's public key.
9、In reviewing the IS short-range (tactical) plan, an IS auditor should determine whether:
A、there is an integration of IS and business staffs within projects.
B、there is a clear definition of the IS mission and vision.
C、a strategic information technology planning methodology is in place.
D、the plan correlates business objectives to IS goals and objectives.
ANSWER: A
NOTE: The integration of IS and business staff in projects is an operational issue and should be considered while reviewing the short-range plan. A strategic plan would provide a framework for the IS short-range plan. Choices B, C and D are areas covered by a strategic plan.
10、An IS auditor is performing an audit of a network operating system. Which of the following is a user feature the IS auditor should review?
A、Availability of online network documentation
B、Support of terminal access to remote hosts
C、Handling file transfer between hosts and interuser communications
D、Performance management, audit and control
ANSWER: A
NOTE: Network operating system user features include online availability of network documentation. Other features would be user access to various resources of network hosts, user authorization to access particular resources, and the network and host computers used without special user actions or commands. Choices B, C and D are examples of network operating systems functions.
11、An installed Ethernet cable run in an unshielded twisted pair (UTP) network is more than 100 meters long. Which of the following could be caused by the length of the cable?
A、Electromagnetic interference (EMI)
B、Cross-talk
C、Dispersion
D、Attenuation
ANSWER: D
NOTE: Attenuation is the weakening of signals during transmission. When the signal becomes weak, the receiver begins to read a 1 for a 0, and the user may experience communication problems. UTP faces attenuation at around 100 meters. Electromagnetic interference (EMI) is caused by outside electromagnetic waves affecting the desired signals, which is not the case here. Cross-talk has nothing to do with the length of the UTP cable.
12、Which of the following encrypt/decrypt steps provides the GREATEST assurance of achieving confidentiality, message integrity and nonrepudiation by either sender or recipient?
A、The recipient uses their private key to decrypt the secret key.
B、The encrypted prehash code and the message are encrypted using a secret key.
C、The encrypted prehash code is derived mathematically from the message to be sent.
D、The recipient uses the sender's public key, verified with a certificate authority, to decrypt the prehash code.
ANSWER: D
NOTE: Most encrypted transactions use a combination of private keys, public keys, secret keys, hash functions and digital certificates to achieve confidentiality, message integrity and nonrepudiation by either sender or recipient. The recipient uses the sender's public key to decrypt the prehash code into a posthash code, which, when it equals the prehash code, verifies the identity of the sender and that the message has not been changed en route; this would provide the greatest assurance. Each sender and recipient has a private key known only to themselves and a public key, which can be known by anyone. Each encryption/decryption process requires at least one public key and one private key, and both must be from the same party. A single, secret key is used to encrypt the message, because secret key encryption requires less processing power than using public and private keys. A digital certificate, signed by a certificate authority, validates senders' and recipients' public keys.
13、To determine how data are accessed across different platforms in a heterogeneous environment, an IS auditor should FIRST review:
A、business software.
B、infrastructure platform tools.
C、application services.
D、system development tools.
ANSWER: C
NOTE: Projects should identify the complexities of the IT infrastructure that can be simplified or isolated by the development of application services. Application services isolate system developers from the complexities of the IT infrastructure and offer common functionalities that are shared by many applications. Application services take the form of interfaces, middleware, etc. Business software focuses on business processes, whereas application services bridge the gap between applications and the IT infrastructure components. Infrastructure platform tools are related to core hardware and software components required for development of the IT infrastructure. Systems development tools represent development components of the IT infrastructure development.
14、The MOST significant security concern when using flash memory (e.g., USB removable disk) is that the:
A、contents are highly volatile.
B、data cannot be backed up.
C、data can be copied.
D、device may not be compatible with other peripherals.
ANSWER: C
NOTE: Unless properly controlled, flash memory provides an avenue for anyone to copy any content with ease. The contents stored in flash memory are not volatile. Backing up flash memory data is not a control concern, as the data are sometimes stored as a backup. Flash memory will be accessed through a PC rather than any other peripheral; therefore, compatibility is not an issue.
15、To ensure message integrity, confidentiality and nonrepudiation between two parties, the MOST effective method would be to create a message digest by applying a cryptographic hashing algorithm against:
A、the entire message, enciphering the message digest using the sender's private key, enciphering the message with a symmetric key and enciphering the key by using the receiver's public key.
B、any part of the message, enciphering the message digest using the sender's private key, enciphering the message with a symmetric key and enciphering the key using the receiver's public key.
C、the entire message, enciphering the message digest using the sender's private key, enciphering the message with a symmetric key and enciphering both the encrypted message and digest using the receiver's public key.
D、the entire message, enciphering the message digest using the sender's private key and enciphering the message using the receiver's public key.
ANSWER: A
NOTE: Applying a cryptographic hashing algorithm against the entire message addresses the message integrity issue. Enciphering the message digest using the sender's private key addresses nonrepudiation. Encrypting the message with a symmetric key, thereafter allowing the key to be enciphered using the receiver's public key, most efficiently addresses the confidentiality of the message as well as the receiver's nonrepudiation. The other choices would address only a portion of the requirements.
16、To ensure compliance with a security policy requiring that passwords be a combination of letters and numbers, an IS auditor should recommend that:
A、the company policy be changed.
B、passwords are periodically changed.
C、an automated password management tool be used.
D、security awareness training is delivered.
ANSWER: C
NOTE: The use of an automated password management tool is a preventive control measure. The software would prevent repetition (semantic) and would enforce syntactic rules, thus making the passwords robust. It would also provide a method for ensuring frequent changes and would prevent the same user from reusing their old password for a designated period of time. Choices A, B and D do not enforce compliance.
17、In the context of effective information security governance, the primary objective of value delivery is to:
A、optimize security investments in support of business objectives.
B、implement a standard set of security practices.
C、institute a standards-based solution.
D、implement a continuous improvement culture.
ANSWER: A
NOTE: In the context of effective information security governance, value delivery is implemented to ensure optimization of security investments in support of business objectives. The tools and techniques for implementing value delivery include implementation of a standard set of security practices, institutionalization and commoditization of standards-based solutions, and implementation of a continuous improvement culture considering security as a process, not an event.
18、In an organization where an IT security baseline has been defined, an IS auditor should FIRST ensure:
A、implementation.
B、compliance.
C、documentation.
D、sufficiency.
ANSWER: D
NOTE: An IS auditor should first evaluate the definition of the minimum baseline level by ensuring the sufficiency of controls. Documentation, implementation and compliance are further steps.
19、During an implementation review of a multiuser distributed application, an IS auditor finds minor weaknesses in three areas: the initial setting of parameters is improperly installed, weak passwords are being used and some vital reports are not being checked properly. While preparing the audit report, the IS auditor should:
A、record the observations separately with the impact of each of them marked against each respective finding.
B、advise the manager of probable risks without recording the observations, as the control weaknesses are minor ones.
C、record the observations and the risk arising from the collective weaknesses.
D、apprise the departmental heads concerned with each observation and properly document it in the report.
ANSWER: C
NOTE: Individually the weaknesses are minor; however, together they have the potential to substantially weaken the overall control structure. Choices A and D reflect a failure on the part of an IS auditor to recognize the combined effect of the control weaknesses. Advising the local manager without reporting the facts and observations would conceal the findings from other stakeholders.
20、During a review of a business continuity plan, an IS auditor noticed that the point at which a situation is declared to be a crisis has not been defined. The MAJOR risk associated with this is that:
A、assessment of the situation may be delayed.
B、execution of the disaster recovery plan could be impacted.
C、notification of the teams might not occur.
D、potential crisis recognition might be ineffective.
ANSWER: B
NOTE: Execution of the business continuity plan would be impacted if the organization does not know when to declare a crisis. Choices A, C and D are steps that must be performed to know whether to declare a crisis. Problem and severity assessment would provide information necessary in declaring a disaster. Once a potential crisis is recognized, the teams responsible for crisis management need to be notified. Delaying this step until a disaster has been declared would negate the effect of having response teams. Potential crisis recognition is the first step in responding to a disaster.
21、Which of the following tests performed by an IS auditor would be the MOST effective in determining compliance with an organization's change control procedures?
A、Review software migration records and verify approvals.
B、Identify changes that have occurred and verify approvals.
C、Review change control documentation and verify approvals.
D、Ensure that only appropriate staff can migrate changes into production.
ANSWER: B
NOTE: The most effective method is to determine through code comparisons what changes have been made and then verify that they have been approved. Change control records and software migration records may not have all changes listed. Ensuring that only appropriate staff can migrate changes into production is a key control process, but in itself does not verify compliance.
22、IT operations for a large organization have been outsourced. An IS auditor reviewing the outsourced operation should be MOST concerned about which of the following findings?
A、The outsourcing contract does not cover disaster recovery for the outsourced IT operations.
B、The service provider does not have incident handling procedures.
C、Recently a corrupted database could not be recovered because of library management problems.
D、Incident logs are not being reviewed.
ANSWER: A
NOTE: The lack of a disaster recovery provision presents a major business risk. Incorporating such a provision into the contract will provide the outsourcing organization leverage over the service provider. Choices B, C and D are problems that should be addressed by the service provider, but are not as important as contract requirements for disaster recovery.
23、Which of the following sampling methods is MOST useful when testing for compliance?
A、Attribute sampling
B、Variable sampling
C、Stratified mean per unit
D、Difference estimation
ANSWER: A
NOTE: Attribute sampling is the primary sampling method used for compliance testing. Attribute sampling is a sampling model that is used to estimate the rate of occurrence of a specific quality (attribute) in a population and is used in compliance testing to confirm whether the quality exists. The other choices are used in substantive testing, which involves testing of details or quantity.
24、Which of the following should be included in an organization's IS security policy?
A、A list of key IT resources to be secured
B、The basis for access authorization
C、Identity of sensitive security features
D、Relevant software security features
ANSWER: B
NOTE: The security policy provides the broad framework of security, as laid down and approved by senior management. It includes a definition of those authorized to grant access and the basis for granting the access. Choices A, C and D are more detailed than that which should be included in a policy.
25、The MAJOR advantage of the risk assessment approach over the baseline approach to information security management is that it ensures:
A、information assets are overprotected.
B、a basic level of protection is applied regardless of asset value.
C、appropriate levels of protection are applied to information assets.
D、an equal proportion of resources are devoted to protecting all information assets.
ANSWER: C
NOTE: Full risk assessment determines the level of protection most appropriate to a given level of risk, while the baseline approach merely applies a standard set of protection regardless of risk. There is a cost advantage in not overprotecting information. However, an even bigger advantage is making sure that no information assets are over- or underprotected. The risk assessment approach will ensure an appropriate level of protection is applied, commensurate with the level of risk and asset value. The baseline approach does not allow more resources to be directed toward the assets at greater risk; instead it directs resources equally to all assets.
26、When reviewing the IT strategic planning process, an IS auditor should ensure that the plan:
A、incorporates state of the art technology.
B、addresses the required operational controls.
C、articulates the IT mission and vision.
D、specifies project management practices.
ANSWER: C
NOTE: The IT strategic plan must include a clear articulation of the IT mission and vision. The plan need not address the technology, operational controls or project management practices.
27、Which of the following activities should the business continuity manager perform FIRST after the replacement of hardware at the primary information processing facility?
A、Verify compatibility with the hot site.
B、Review the implementation report.
C、Perform a walk-through of the disaster recovery plan.
D、Update the IS assets inventory.
ANSWER: D
NOTE: An IS assets inventory is the basic input for the business continuity/disaster recovery plan, and the plan must be updated to reflect changes in the IS infrastructure. The other choices are procedures required to update the disaster recovery plan after having updated the required assets inventory.
28、Which of the following is a control over component communication failure/errors?
A、Restricting operator access and maintaining audit trails
B、Monitoring and reviewing system engineering activity
C、Providing network redundancy
D、Establishing physical barriers to the data transmitted over the network
ANSWER: C
NOTE: Redundancy, built by introducing some form of duplication into the network components (such as a link, router or switch) to prevent loss, delays or data duplication, is a control over component communication failure or error. Other related controls are loop/echo checks to detect line errors, parity checks, error correction codes and sequence checks. Choices A, B and D are communication network controls, but not controls over component communication failure.
29、A disaster recovery plan for an organization should:
A、reduce the length of the recovery time and the cost of recovery.
B、increase the length of the recovery time and the cost of recovery.
C、reduce the duration of the recovery time and increase the cost of recovery.
D、affect neither the recovery time nor the cost of recovery.
ANSWER: A
NOTE: One of the objectives of a disaster recovery plan is to reduce the duration and cost of recovering from a disaster. A disaster recovery plan would increase the cost of operations before and after the disaster occurs, but should reduce the time to return to normal operations and the cost that could result from a disaster.
30、If a database is restored using before-image dumps, where should the process begin following an interruption?
A、Before the last transaction
B、After the last transaction
C、As the first transaction after the latest checkpoint
D、As the last transaction before the latest checkpoint
ANSWER: A
NOTE: If before images are used, the database is returned to its state prior to the last transaction in the dump, so that transaction will not have updated the database and must be reprocessed. Program checkpoints are irrelevant in this situation.
31、The Secure Sockets Layer (SSL) protocol addresses the confidentiality of a message through:
A、symmetric encryption.
B、message authentication code.
C、hash function.
D、digital signature certificates.
ANSWER: A
NOTE: SSL uses a symmetric key for message encryption. A message authentication code is used for ensuring data integrity. A hash function is used for generating a message digest; it does not provide encryption of the message. Digital signature certificates are used by SSL for server authentication.
32、The MOST likely explanation for the use of applets in an Internet application is that:
A、it is sent over the network from the server.
B、the server does not run the program and the output is not sent over the network.
C、they improve the performance of the web server and network.
D、it is a JAVA program downloaded through the web browser and executed by the web server of the client machine.
ANSWER: C
NOTE: An applet is a JAVA program that is sent over the network from the web server, through a web browser and to the client machine; the code is then run on the machine. Since the server does not run the program and the output is not sent over the network, the performance on the web server and network—over which the server and client are connected—drastically improves through the use of applets. Performance improvement is more important than the reasons offered in choices A and B. Since JAVA virtual machine (JVM) is embedded in most web browsers, the applet download through the web browser runs on the client machine from the web browser, not from the web server, making choice D incorrect.
33、Which of the following virus prevention techniques can be implemented through hardware?
A、Remote booting
B、Heuristic scanners
C、Behavior blockers
D、Immunizers
ANSWER: A
NOTE: Remote booting (i.e., diskless workstations) is a method of preventing viruses, and can be implemented through hardware. Choice C is a detection technique, not a prevention technique, although it is hardware-based. Choices B and D are not hardware-based.
34、To protect a VoIP infrastructure against a denial-of-service (DoS) attack, it is MOST important to secure the:
A、access control servers.
B、session border controllers.
C、backbone gateways.
D、intrusion detection system (IDS).
ANSWER: B
NOTE: Session border controllers enhance the security in the access network and in the core. In the access network, they hide a user's real address and provide a managed public address. This public address can be monitored, minimizing the opportunities for scanning and denial-of-service (DoS) attacks. Session border controllers permit access to clients behind firewalls while maintaining the firewall's effectiveness. In the core, session border controllers protect the users and the network. They hide network topology and users' real addresses. They can also monitor bandwidth and quality of service. Securing the access control server, backbone gateways and intrusion detection systems (IDSs) does not effectively protect against DoS attacks.
35、Which of the following is the GREATEST risk when implementing a data warehouse?
A、Increased response time on the production systems
B、Access controls that are not adequate to prevent data modification
C、Data duplication
D、Data that is not updated or current
ANSWER: B
NOTE: Once the data is in a warehouse, no modifications should be made to it and access controls should be in place to prevent data modification. Increased response time on the production systems is not a risk, because a data warehouse does not impact production data. Based on data replication, data duplication is inherent in a data warehouse. Transformation of data from operational systems to a data warehouse is done at predefined intervals, and as such, data may not be current.
36、To minimize the cost of a software project, quality management techniques should be applied:
A、as close to their writing (i.e., point of origination) as possible.
B、primarily at project start-up to ensure that the project is established in accordance with organizational governance standards.
C、continuously throughout the project with an emphasis on finding and fixing defects primarily during testing to maximize the defect detection rate.
D、mainly at project close-down to capture lessons learned that can be applied to future projects.
ANSWER: C
NOTE: While it is important to properly establish a software development project, quality management should be effectively practiced throughout the project. The major source of unexpected costs on most software projects is rework. The general rule is that the earlier in the development life cycle that a defect occurs, and the longer it takes to find and fix that defect, the more effort will be needed to correct it. A well-written quality management plan is a good start, but it must also be actively applied. Simply relying on testing to identify defects is a relatively costly and less effective way of achieving software quality. For example, an error in requirements discovered in the testing phase can result in scrapping significant amounts of work. Capturing lessons learned will be too late for the current project. Additionally, applying quality management techniques throughout a project is likely to yield its own insights into the causes of quality problems and assist in staff development.
37、Which of the following is a distinctive feature of the Secure Electronic Transactions (SET) protocol when used for electronic credit card payments?
A、The buyer is assured that neither the merchant nor any other party can misuse their credit card data.
B、All personal SET certificates are stored securely in the buyer's computer.
C、The buyer is liable for any transaction involving his/her personal SET certificates.
D、The payment process is simplified, as the buyer is not required to enter a credit card number and an expiration date.
ANSWER: C
NOTE: The usual agreement between the credit card issuer and the cardholder stipulates that the cardholder assumes responsibility for any use of their personal SET certificates for e-commerce transactions. Depending upon the agreement between the merchant and the buyer's credit card issuer, the merchant will have access to the credit card number and expiration date. Secure data storage in the buyer's computer (local computer security) is not part of the SET standard. Although the buyer is not required to enter their credit card data, they will have to handle the wallet software.
38、The security level of a private key system depends on the number of:
A、encryption key bits.
B、messages sent.
C、keys.
D、channels used.
ANSWER: A
NOTE: The security level of a private key system depends on the number of encryption key bits. The larger the number of bits, the more difficult it would be to understand or determine the algorithm. The security of the message will depend on the encryption key bits used. The algorithm and its complexity, more than the number of keys by themselves, make the content more secure. Channels, which could be open or secure, are the mode for sending the message.
39、When implementing an IT governance framework in an organization the MOST important objective is:
A、IT alignment with the business.
B、accountability.
C、value realization with IT.
D、enhancing the return on IT investments.
ANSWER: A
NOTE: The goals of IT governance are to improve IT performance, to deliver optimum business value and to ensure regulatory compliance. The key practice in support of these goals is the strategic alignment of IT with the business (choice A). To achieve alignment, all other choices need to be tied to business practices and strategies.
40、An organization has recently installed a security patch, which crashed the production server. To minimize the probability of this occurring again, an IS auditor should:
A、apply the patch according to the patch's release notes.
B、ensure that a good change management process is in place.
C、thoroughly test the patch before sending it to production.
D、approve the patch after doing a risk assessment.
ANSWER: B
NOTE: An IS auditor must review the change management process, including patch management procedures, and verify that the process has adequate controls and make suggestions accordingly. The other choices are part of a good change management process but are not an IS auditor's responsibility.
41、A review of wide area network (WAN) usage discovers that traffic on one communication line between sites, synchronously linking the master and standby database, peaks at 96 percent of the line capacity. An IS auditor should conclude that:
A、analysis is required to determine if a pattern emerges that results in a service loss for a short period of time.
B、WAN capacity is adequate for the maximum traffic demands since saturation has not been reached.
C、the line should immediately be replaced by one with a larger capacity to provide approximately 85 percent saturation.
D、users should be instructed to reduce their traffic demands or distribute them across all service hours to flatten bandwidth consumption.
ANSWER: A
NOTE: The peak at 96 percent could be the result of a one-off incident, e.g., a user downloading a large amount of data; therefore, analysis to establish whether this is a regular pattern and what causes this behavior should be carried out before expenditure on a larger line capacity is recommended. Since the link provides for a standby database, a short loss of this service should be acceptable. If the peak is established to be a regular occurrence without any other opportunities for mitigation (usage of bandwidth reservation protocol, or other types of prioritizing network traffic), the line should be replaced as there is the risk of loss of service as the traffic approaches 100 percent. If, however, the peak is a one-off or can be put in other time frames, then user education may be an option.
42、Which of the following is a feature of an intrusion detection system (IDS)?
A、Gathering evidence on attack attempts
B、Identifying weaknesses in the policy definition
C、Blocking access to particular sites on the Internet
D、Preventing certain users from accessing specific servers
ANSWER: A
NOTE: An IDS can gather evidence on intrusive activity such as an attack or penetration attempt. Identifying weaknesses in the policy definition is a limitation of an IDS. Choices C and D are features of firewalls, while choice B requires a manual review, and therefore is outside the functionality of an IDS.
43、When reviewing an implementation of a VoIP system over a corporate WAN, an IS auditor should expect to find:
A、an integrated services digital network (ISDN) data link.
B、traffic engineering.
C、wired equivalent privacy (WEP) encryption of data.
D、analog phone terminals.
ANSWER: B
NOTE: To ensure that quality of service requirements are achieved, the Voice-over IP (VoIP) service over the wide area network (WAN) should be protected from packet losses, latency or jitter. To reach this objective, the network performance can be managed using statistical techniques such as traffic engineering. The standard bandwidth of an integrated services digital network (ISDN) data link would not provide the quality of services required for corporate VoIP services. WEP is an encryption scheme related to wireless networking. The VoIP phones are usually connected to a corporate local area network (LAN) and are not analog.
44、An audit charter should:
A、be dynamic and change often to coincide with the changing nature of technology and the audit profession.
B、clearly state audit objectives for, and the delegation of, authority to the maintenance and review of internal controls.
C、document the audit procedures designed to achieve the planned audit objectives.
D、outline the overall authority, scope and responsibilities of the audit function.
ANSWER: D
NOTE: An audit charter should state management's objectives for and delegation of authority to IS audit. This charter should not significantly change over time and should be approved at the highest level of management. An audit charter would not be at a detailed level and, therefore, would not include specific audit objectives or procedures.
45、An IS auditor selects a server for a penetration test that will be carried out by a technical specialist. Which of the following is MOST important?
A、The tools used to conduct the test
B、Certifications held by the IS auditor
C、Permission from the data owner of the server
D、An intrusion detection system (IDS) is enabled
ANSWER: C
NOTE: The data owner should be informed of the risks associated with a penetration test, what types of tests are to be conducted and other relevant details. All other choices are not as important as the data owner's responsibility for the security of the data assets.
46、During the review of a web-based software development project, an IS auditor realizes that coding standards are not enforced and code reviews are rarely carried out. This will MOST likely increase the likelihood of a successful:
A、buffer overflow.
B、brute force attack.
C、distributed denial-of-service attack.
D、war dialing attack.
ANSWER: A
NOTE: Poorly written code, especially in web-based applications, is often exploited by hackers using buffer overflow techniques. A brute force attack is used to crack passwords. A distributed denial-of-service attack floods its target with numerous packets, to prevent it from responding to legitimate requests. War dialing uses modem-scanning tools to hack PBXs.
47、In a small organization, an employee performs computer operations and, when the situation demands, program modifications. Which of the following should the IS auditor recommend?
A、Automated logging of changes to development libraries
B、Additional staff to provide separation of duties
C、Procedures that verify that only approved program changes are implemented
D、Access controls to prevent the operator from making program modifications
ANSWER: C
NOTE: While it would be preferred that strict separation of duties be adhered to and that additional staff is recruited as suggested in choice B, this practice is not always possible in small organizations. An IS auditor must look at recommended alternative processes. Of the choices, C is the only practical one that has an impact. An IS auditor should recommend processes that detect changes to production source and object code, such as code comparisons, so the changes can be reviewed on a regular basis by a third party. This would be a compensating control process. Choice A, involving logging of changes to development libraries, would not detect changes to production libraries. Choice D is in effect requiring a third party to do the changes, which may not be practical in a small organization.
48、To ensure that audit resources deliver the best value to the organization, the FIRST step would be to:
A、schedule the audits and monitor the time spent on each audit.
B、train the IS audit staff on current technology used in the company.
C、develop the audit plan on the basis of a detailed risk assessment.
D、monitor progress of audits and initiate cost control measures.
ANSWER: C
NOTE: Monitoring the time (choice A) and audit programs (choice D), as well as adequate training (choice B), will improve the IS audit staff's productivity (efficiency and performance), but that which delivers value to the organization are the resources and efforts being dedicated to, and focused on, the higher-risk areas.
49、Which of the following is a risk of cross-training?
A、Increases the dependence on one employee
B、Does not assist in succession planning
C、One employee may know all parts of a system
D、Does not help in achieving a continuity of operations
ANSWER: C
NOTE: When cross-training, it would be prudent to first assess the risk of any person knowing all parts of a system and what exposures this may cause. Cross-training has the advantage of decreasing dependence on one employee and, hence, can be part of succession planning. It also provides backup for personnel in the event of absence for any reason and thereby facilitates the continuity of operations.
50、Which of the following is BEST suited for secure communications within a small group?
A、Key distribution center
B、Certification authority
C、Web of trust
D、Kerberos Authentication System
ANSWER: C
NOTE: Web of trust is a key distribution method suitable for communication in a small group. It ensures pretty good privacy (PGP) and distributes the public keys of users within a group. Key distribution center is a distribution method suitable for internal communication for a large group within an institution, and it will distribute symmetric keys for each session. Certification authority is a trusted third party that ensures the authenticity of the owner of the certificate. This is necessary for large groups and formal communication. A Kerberos Authentication System extends the function of a key distribution center, by generating “tickets” to define the facilities on networked machines which are accessible to each user.
51、When an employee is terminated from service, the MOST important action is to:
A、hand over all of the employee's files to another designated employee.
B、complete a backup of the employee's work.
C、notify other employees of the termination.
D、disable the employee's logical access.
ANSWER: D
NOTE: There is a probability that a terminated employee may misuse access rights; therefore, disabling the terminated employee's logical access is the most important action to take. All the work of the terminated employee needs to be handed over to a designated employee; however, this should be performed after implementing choice D. All the work of the terminated employee needs to be backed up and the employees need to be notified of the termination of the employee, but this should not precede the action in choice D.
52、Which of the following is the PRIMARY objective of an IT performance measurement process?
A、Minimize errors
B、Gather performance data
C、Establish performance baselines
D、Optimize performance
ANSWER: D
NOTE: An IT performance measurement process can be used to optimize performance, measure and manage products/services, assure accountability and make budget decisions. Minimizing errors is an aspect of performance, but not the primary objective of performance management. Gathering performance data is a phase of the IT measurement process and would be used to evaluate the performance against previously established performance baselines.
53、The use of digital signatures:
A、requires the use of a one-time password generator.
B、provides encryption to a message.
C、validates the source of a message.
D、ensures message confidentiality.
ANSWER: C
NOTE: The use of a digital signature verifies the identity of the sender, but does not encrypt the whole message, and hence is not enough to ensure confidentiality. A one-time password generator is an option, but is not a requirement for using digital signatures.
54、A company uses a bank to process its weekly payroll. Time sheets and payroll adjustment forms (e.g., hourly rate changes, terminations) are completed and delivered to the bank, which prepares checks (cheques) and reports for distribution. To BEST ensure payroll data accuracy:
A、payroll reports should be compared to input forms.
B、gross payroll should be recalculated manually.
C、checks (cheques) should be compared to input forms.
D、checks (cheques) should be reconciled with output reports.
ANSWER: A
NOTE: The best way to confirm data accuracy, when input is provided by the company and output is generated by the bank, is to verify the data input (input forms) with the results of the payroll reports. Hence, comparing payroll reports with input forms is the best mechanism of verifying data accuracy. Recalculating gross payroll manually would only verify whether the processing is correct and not the data accuracy of inputs. Comparing checks (cheques) to input forms is not feasible as checks (cheques) have the processed information and input forms have the input data. Reconciling checks (cheques) with output reports only confirms that checks (cheques) have been issued as per output reports.
55、An IS auditor finds out-of-range data in some tables of a database. Which of the following controls should the IS auditor recommend to avoid this situation?
A、Log all table update transactions.
B、Implement before-and-after image reporting.
C、Use tracing and tagging.
D、Implement integrity constraints in the database.
ANSWER: D
NOTE: Implementing integrity constraints in the database is a preventive control, because data is checked against predefined tables or rules preventing any undefined data from being entered. Logging all table update transactions and implementing before-and-after image reporting are detective controls that would not avoid the situation. Tracing and tagging are used to test application systems and controls and could not prevent out-of-range data.
56、In an online banking application, which of the following would BEST protect against identity theft?
A、Encryption of personal password
B、Restricting the user to a specific terminal
C、Two-factor authentication
D、Periodic review of access logs
ANSWER: C
NOTE: Two-factor authentication requires two independent methods for establishing identity and privileges. Factors include something you know, such as a password; something you have, such as a token; and something you are, which is biometric. Requiring two of these factors makes identity theft more difficult. A password could be guessed or broken. Restricting the user to a specific terminal is not a practical alternative for an online application. Periodic review of access logs is a detective control and does not protect against identity theft.
57、Which of the following antivirus software implementation strategies would be the MOST effective in an interconnected corporate network?
A、Server antivirus software
B、Virus walls
C、Workstation antivirus software
D、Virus signature updating
ANSWER: B
NOTE: An important means of controlling the spread of viruses is to detect the virus at the point of entry, before it has an opportunity to cause damage. In an interconnected corporate network, virus scanning software, used as an integral part of firewall technologies, is referred to as a virus wall. Virus walls scan incoming traffic with the intent of detecting and removing viruses before they enter the protected network. The presence of virus walls does not preclude the necessity for installing virus detection software on servers and workstations within the network, but network-level protection is most effective the earlier the virus is detected. Virus signature updating is a must in all circumstances, networked or not.
58、When auditing the proposed acquisition of a new computer system, an IS auditor should FIRST establish that:
A、a clear business case has been approved by management.
B、corporate security standards will be met.
C、users will be involved in the implementation plan.
D、the new system will meet all required user functionality.
ANSWER: A
NOTE: The first concern of an IS auditor should be to establish that the proposal meets the needs of the business, and this should be established by a clear business case. Although compliance with security standards is essential, as is meeting the needs of the users and having users involved in the implementation process, it is too early in the procurement process for these to be an IS auditor's first concern.
59、A decision support system (DSS):
A、is aimed at solving highly structured problems.
B、combines the use of models with nontraditional data access and retrieval functions.
C、emphasizes flexibility in the decision making approach of users.
D、supports only structured decision making tasks.
ANSWER: C
NOTE: DSS emphasizes flexibility in the decision making approach of users. It is aimed at solving less structured problems, combines the use of models and analytic techniques with traditional data access and retrieval functions, and supports semistructured decision making tasks.
60、An organization is considering connecting a critical PC-based system to the Internet. Which of the following would provide the BEST protection against hacking?
A、An application-level gateway
B、A remote access server
C、A proxy server
D、Port scanning
ANSWER: A
NOTE: An application-level gateway is the best way to protect against hacking because it can define with detail rules that describe the type of user or connection that is or is not permitted. It analyzes in detail each packet, not only in layers one through four of the OSI model but also layers five through seven, which means that it reviews the commands of each higher-level protocol (HTTP, FTP, SNMP, etc.). For a remote access server, there is a device (server) that asks for a username and password before entering the network. This is good when accessing private networks, but it can be mapped or scanned from the Internet, creating a security exposure. Proxy servers can provide protection based on the IP address and ports. However, an individual is needed who really knows how to do this, and applications can use different ports for the different sections of the program. Port scanning works when there is a very specific task to complete, but not when trying to control what comes from the Internet, or when all the ports available need to be controlled. For example, the port for Ping (echo request) could be blocked and the IP addresses would be available for the application and browsing, but would not respond to Ping.
61、What process uses test data as part of a comprehensive test of program controls in a continuous online manner?
A、Test data/deck
B、Base-case system evaluation
C、Integrated test facility (ITF)
D、Parallel simulation
ANSWER: B
NOTE: A base-case system evaluation uses test data sets developed as part of comprehensive testing programs. It is used to verify correct systems operations before acceptance, as well as periodic validation. Test data/deck simulates transactions through real programs. An ITF creates fictitious files in the database with test transactions processed simultaneously with live input. Parallel simulation is the production of data processed using computer programs that simulate application program logic.
62、A retail outlet has introduced radio frequency identification (RFID) tags to create unique serial numbers for all products. Which of the following is the PRIMARY concern associated with this initiative?
A、Issues of privacy
B、Wavelength can be absorbed by the human body
C、RFID tags may not be removable
D、RFID eliminates line-of-sight reading
ANSWER: A
NOTE: The purchaser of an item will not necessarily be aware of the presence of the tag. If a tagged item is paid for by credit card, it would be possible to tie the unique ID of that item to the identity of the purchaser. Privacy violations are a significant concern because RFID can carry unique identifier numbers. If desired, it would be possible for a firm to track individuals who purchase an item containing an RFID. Choices B and C are concerns of less importance. Choice D is not a concern.
63、The output of the risk management process is an input for making:
A、business plans.
B、audit charters.
C、security policy decisions.
D、software design decisions.
ANSWER: C
NOTE: The risk management process is about making specific, security-related decisions, such as the level of acceptable risk. Choices A, B and D are not ultimate goals of the risk management process.
64、An organization has a number of branches across a wide geographical area. To ensure that all aspects of the disaster recovery plan are evaluated in a cost effective manner, an IS auditor should recommend the use of a:
A、data recovery test.
B、full operational test.
C、posttest.
D、preparedness test.
ANSWER: D
NOTE: A preparedness test should be performed by each local office/area to test the adequacy of the preparedness of local operations in the event of a disaster. This test should be performed regularly on different aspects of the plan and can be a cost-effective way to gradually obtain evidence of the plan's adequacy. A data recovery test is a partial test and will not ensure that all aspects are evaluated. A full operational test is not the most cost effective test in light of the geographical dispersion of the branches, and a posttest is a phase of the test execution process.
65、A lower recovery time objective (RTO) results in:
A、higher disaster tolerance.
B、higher cost.
C、wider interruption windows.
D、more permissive data loss.
ANSWER: B
NOTE: A recovery time objective (RTO) is based on the acceptable downtime in case of a disruption of operations. The lower the RTO, the higher the cost of recovery strategies. The lower the disaster tolerance, the narrower the interruption windows, and the lesser the permissive data loss.
66、When a new system is to be implemented within a short time frame, it is MOST important to:
A、finish writing user manuals.
B、perform user acceptance testing.
C、add last-minute enhancements to functionalities.
D、ensure that the code has been documented and reviewed.
ANSWER: B
NOTE: It would be most important to complete the user acceptance testing to ensure that the system to be implemented is working correctly. The completion of the user manuals is similar to the performance of code reviews. If time is tight, the last thing one would want to do is add another enhancement, as it would be necessary to freeze the code and complete the testing, then make any other changes as future enhancements. It would be appropriate to have the code documented and reviewed, but unless the acceptance testing is completed, there is no guarantee that the system will work correctly and meet user requirements.
67、The PRIMARY objective of a logical access control review is to:
A、review access controls provided through software.
B、ensure access is granted per the organization's authorities.
C、walk through and assess the access provided in the IT environment.
D、provide assurance that computer hardware is adequately protected against abuse.
ANSWER: B
NOTE: The scope of a logical access control review is primarily to determine whether or not access is granted per the organization's authorizations. Choices A and C relate to procedures of a logical access control review, rather than objectives. Choice D is relevant to a physical access control review.
68、An IS auditor interviewing a payroll clerk finds that the answers do not support job descriptions and documented procedures. Under these circumstances, the IS auditor should:
A、conclude that the controls are inadequate.
B、expand the scope to include substantive testing.
C、place greater reliance on previous audits.
D、suspend the audit.
ANSWER: B
NOTE: If the answers provided to an IS auditor's questions are not confirmed by documented procedures or job descriptions, the IS auditor should expand the scope of testing the controls and include additional substantive tests. There is no evidence that whatever controls might exist are either inadequate or adequate. Placing greater reliance on previous audits or suspending the audit are inappropriate actions as they provide no current knowledge of the adequacy of the existing controls.
69、An organization has implemented a disaster recovery plan. Which of the following steps should be carried out next?
A、Obtain senior management sponsorship.
B、Identify business needs.
C、Conduct a paper test.
D、Perform a system restore test.
ANSWER: C
NOTE: A best practice would be to conduct a paper test. Senior management sponsorship and business needs identification should have been obtained prior to implementing the plan. A paper test should be conducted first, followed by system or full testing.
70、During the requirements definition phase of a software development project, the aspects of software testing that should be addressed are developing:
A、test data covering critical applications.
B、detailed test plans.
C、quality assurance test specifications.
D、user acceptance testing specifications.
ANSWER: D
NOTE: A key objective in any software development project is to ensure that the developed software will meet the business objectives and the requirements of the user. The users should be involved in the requirements definition phase of a development project, and user acceptance test specifications should be developed during this phase. The other choices are generally performed during the system testing phase.
71、Change control for business application systems being developed using prototyping could be complicated by the:
A、iterative nature of prototyping.
B、rapid pace of modifications in requirements and design.
C、emphasis on reports and screens.
D、lack of integrated tools.
ANSWER: B
NOTE: Changes in requirements and design happen so quickly that they are seldom documented or approved. Choices A, C and D are characteristics of prototyping, but they do not have an adverse effect on change control.
72、In addition to the backup considerations for all systems, which of the following is an important consideration in providing backup for online systems?
A、Maintaining system software parameters
B、Ensuring periodic dumps of transaction logs
C、Ensuring grandfather-father-son file backups
D、Maintaining important data at an offsite location
ANSWER: B
NOTE: Ensuring periodic dumps of transaction logs is the only safe way of preserving timely historical data. The volume of activity usually associated with an online system makes other, more traditional methods of backup impractical.
73、The BEST filter rule for protecting a network from being used as an amplifier in a denial of service (DoS) attack is to deny all:
A、outgoing traffic with IP source addresses external to the network.
B、incoming traffic with discernible spoofed IP source addresses.
C、incoming traffic with IP options set.
D、incoming traffic to critical hosts.
ANSWER: A
NOTE: Outgoing traffic with an IP source address different from the IP range in the network is invalid. In most cases, it signals a DoS attack originated by an internal user or by a previously compromised internal machine; in both cases, applying this filter will stop the attack.
74、Which of the following is widely accepted as one of the critical components in networking management?
A、Configuration management
B、Topological mappings
C、Application of monitoring tools
D、Proxy server troubleshooting
ANSWER: A
NOTE: Configuration management is widely accepted as one of the key components of any network, since it establishes how the network will function internally and externally. It also deals with the management of configuration and monitoring performance. Topological mappings provide outlines of the components of the network and its connectivity. Application monitoring is not essential, and proxy server troubleshooting is used for troubleshooting purposes.
75、The difference between a vulnerability assessment and a penetration test is that a vulnerability assessment:
A、searches and checks the infrastructure to detect vulnerabilities, whereas penetration testing intends to exploit the vulnerabilities to probe the damage that could result from the vulnerabilities.
B、and penetration tests are different names for the same activity.
C、is executed by automated tools, whereas penetration testing is a totally manual process.
D、is executed by commercial tools, whereas penetration testing is executed by public processes.
ANSWER: A
NOTE: The objective of a vulnerability assessment is to find the security holes in the computers and elements analyzed; its intent is not to damage the infrastructure. The intent of penetration testing is to imitate a hacker's activities and determine how far they could go into the network. They are not the same; they have different approaches. Vulnerability assessments and penetration testing can be executed by automated or manual tools or processes and can be executed by commercial or free tools.
76、Which of the following would BEST ensure continuity of a wide area network (WAN) across the organization?
A、Built-in alternative routing
B、Completing full system backup daily
C、A repair contract with a service provider
D、A duplicate machine alongside each server
ANSWER: A
NOTE: Alternative routing would ensure the network would continue if a server is lost or if a link is severed, as message rerouting could be automatic. System backup will not afford immediate protection. The repair contract is not as effective as permanent alternative routing. Standby servers will not provide continuity if a link is severed.
77、Functionality is a characteristic associated with evaluating the quality of software products throughout their life cycle, and is BEST described as the set of attributes that bear on the:
A、existence of a set of functions and their specified properties.
B、ability of the software to be transferred from one environment to another.
C、capability of software to maintain its level of performance under stated conditions.
D、relationship between the performance of the software and the amount of resources used.
ANSWER: A
NOTE: Functionality is the set of attributes that bears on the existence of a set of functions and their specified properties. The functions are those that satisfy stated or implied needs. Choice B refers to portability, choice C refers to reliability and choice D refers to efficiency.
78、What is the BEST backup strategy for a large database with data supporting online sales?
A、Weekly full backup with daily incremental backup
B、Daily full backup
C、Clustered servers
D、Mirrored hard disks
ANSWER: A
NOTE: Weekly full backup and daily incremental backup is the best backup strategy; it ensures the ability to recover the database and yet reduces the daily backup time requirements. A full backup normally requires a couple of hours, and therefore it can be impractical to conduct a full backup every day. Clustered servers provide a redundant processing capability, but are not a backup. Mirrored hard disks will not help in case of disaster.
79、The rate of change in technology increases the importance of:
A、outsourcing the IS function.
B、implementing and enforcing good processes.
C、hiring personnel willing to make a career within the organization.
D、meeting user requirements.
ANSWER: B
NOTE: Change requires that good change management processes be implemented and enforced. Outsourcing the IS function is not directly related to the rate of technological change. Personnel in a typical IS department are highly qualified and educated; usually they do not feel their jobs are at risk and are prepared to switch jobs frequently. Although meeting user requirements is important, it is not directly related to the rate of technological change in the IS environment.
80、Which of the following methods of suppressing a fire in a data center is the MOST effective and environmentally friendly?
A、Halon gas
B、Wet-pipe sprinklers
C、Dry-pipe sprinklers
D、Carbon dioxide gas
ANSWER: C
NOTE: Water sprinklers, with an automatic power shutoff system, are accepted as efficient because they can be set to automatic release without threat to life, and water is environmentally friendly. Sprinklers must be dry-pipe to prevent the risk of leakage. Halon is efficient and effective as it does not threaten human life and, therefore, can be set to automatic release, but it is environmentally damaging and very expensive. Water is an acceptable medium, but the pipes should be empty to avoid leakage, so a full system is not a viable option. Carbon dioxide is accepted as an environmentally acceptable gas, but it is less efficient because it cannot be set to automatic release in a staffed site since it threatens life.
81、Which of the following is an example of a passive attack initiated through the Internet?
A、Traffic analysis
B、Masquerading
C、Denial of service
D、E-mail spoofing
ANSWER: A
NOTE: Internet security threats/vulnerabilities are divided into passive and active attacks. Examples of passive attacks include network analysis, eavesdropping and traffic analysis. Active attacks include brute force attacks, masquerading, packet replay, message modification, unauthorized access through the Internet or web-based services, denial-of-service attacks, dial-in penetration attacks, e-mail bombing and spamming, and e-mail spoofing.
82、Is it appropriate for an IS auditor from a company that is considering outsourcing its IS processing to request and review a copy of each vendor's business continuity plan?
A、Yes, because an IS auditor will evaluate the adequacy of the service bureau's plan and assist their company in implementing a complementary plan.
B、Yes, because based on the plan, an IS auditor will evaluate the financial stability of the service bureau and its ability to fulfill the contract.
C、No, because the backup to be provided should be specified adequately in the contract.
D、No, because the service bureau's business continuity plan is proprietary information.
ANSWER: A
NOTE: The primary responsibility of an IS auditor is to assure that the company assets are being safeguarded. This is true even if the assets do not reside on the immediate premises. Reputable service bureaus will have a well-designed and tested business continuity plan.
83、A financial institution that processes millions of transactions each day has a central communications processor (switch) for connecting to automated teller machines (ATMs). Which of the following would be the BEST contingency plan for the communications processor?
A、Reciprocal agreement with another organization
B、Alternate processor in the same location
C、Alternate processor at another network node
D、Installation of duplex communication links
ANSWER: C
NOTE: The unavailability of the central communications processor would disrupt all access to the banking network. This could be caused by an equipment, power or communications failure. Reciprocal agreements make an organization dependent on the other organization and raise privacy, competition and regulatory issues. Having an alternate processor in the same location resolves the equipment problem, but would not be effective if the failure was caused by environmental conditions (e.g., power disruption). The installation of duplex communication links would only be appropriate if the failure were limited to the communication link.
84、Which of the following is a feature of Wi-Fi Protected Access (WPA) in wireless networks?
A、Session keys are dynamic
B、Private symmetric keys are used
C、Keys are static and shared
D、Source addresses are not encrypted or authenticated
ANSWER: A
NOTE: WPA uses dynamic session keys, achieving stronger encryption than wireless encryption privacy (WEP), which operates with static keys (the same key is used for everyone in the wireless network). All other choices are weaknesses of WEP.
85、Disaster recovery planning (DRP) addresses the:
A、technological aspect of business continuity planning.
B、operational piece of business continuity planning.
C、functional aspect of business continuity planning.
D、overall coordination of business continuity planning.
ANSWER: A
NOTE: Disaster recovery planning (DRP) is the technological aspect of business continuity planning. Business resumption planning addresses the operational part of business continuity planning.
86、The database administrator (DBA) suggests that DB efficiency can be improved by denormalizing some tables. This would result in:
A、loss of confidentiality.
B、increased redundancy.
C、unauthorized accesses.
D、application malfunctions.
ANSWER: B
NOTE: Normalization is a design or optimization process for a relational database (DB) that minimizes redundancy; therefore, denormalization would increase redundancy. Redundancy, which is usually considered positive when it is a question of resource availability, is negative in a database environment, since it demands additional and otherwise unnecessary data handling efforts. Denormalization is sometimes advisable for functional reasons. It should not cause loss of confidentiality, unauthorized accesses or application malfunctions.
87、The ultimate purpose of IT governance is to:
A、encourage optimal use of IT.
B、reduce IT costs.
C、decentralize IT resources across the organization.
D、centralize control of IT.
ANSWER: A
NOTE: IT governance is intended to specify the combination of decision rights and accountability that is best for the enterprise. It is different for every enterprise. Reducing IT costs may not be the best IT governance outcome for an enterprise. Decentralizing IT resources across the organization is not always desired, although it may be desired in a decentralized environment. Centralizing control of IT is not always desired. An example of where it might be desired is an enterprise desiring a single point of customer contact.
88、For locations 3a, 1d and 3d, the diagram indicates hubs with lines that appear to be open and active. Assuming that is true, what control, if any, should be recommended to mitigate this weakness?
A、Intelligent hub
B、Physical security over the hubs
C、Physical security and an intelligent hub
D、No controls are necessary since this is not a weakness
ANSWER: C
NOTE: Open hubs represent a significant control weakness because of the potential to access a network connection easily. An intelligent hub would allow the deactivation of a single port while leaving the remaining ports active. Additionally, physical security would also provide reasonable protection over hubs with active ports.
89、This question refers to the following diagram.
To detect attack attempts that the firewall is unable to recognize, an IS auditor should recommend placing a network intrusion detection system (IDS) between the:
A、firewall and the organization's network.
B、Internet and the firewall.
C、Internet and the web server.
D、web server and the firewall.
ANSWER: A
NOTE: Attack attempts that could not be recognized by the firewall will be detected if a network-based intrusion detection system is placed between the firewall and the organization's network. A network-based intrusion detection system placed between the Internet and the firewall will detect attack attempts, whether they do or do not enter the firewall.
90、A local area network (LAN) administrator normally would be restricted from:
A、having end-user responsibilities.
B、reporting to the end-user manager.
C、having programming responsibilities.
D、being responsible for LAN security administration.
ANSWER: C
NOTE: A LAN administrator should not have programming responsibilities but may have end-user responsibilities. The LAN administrator may report to the director of the IPF or, in a decentralized operation, to the end-user manager. In small organizations, the LAN administrator may also be responsible for security administration over the LAN.
91、Two-factor authentication can be circumvented through which of the following attacks?
A、Denial-of-service
B、Man-in-the-middle
C、Key logging
D、Brute force
ANSWER: B
NOTE: A man-in-the-middle attack is similar to piggybacking, in that the attacker pretends to be the legitimate destination, and then merely retransmits whatever is sent by the authorized user along with additional transactions after authentication has been accepted. A denial-of-service attack does not have a relationship to authentication. Key logging and brute force could circumvent a normal authentication but not a two-factor authentication.
92、The optimum business continuity strategy for an entity is determined by the:
A、lowest downtime cost and highest recovery cost.
B、lowest sum of downtime cost and recovery cost.
C、lowest recovery cost and highest downtime cost.
D、average of the combined downtime and recovery cost.
ANSWER: B
NOTE: Both costs have to be minimized, and the strategy for which the costs are lowest is the optimum strategy. The strategy with the highest recovery cost cannot be the optimum strategy. The strategy with the highest downtime cost cannot be the optimum strategy. The average of the combined downtime and recovery cost will be higher than the lowest combined cost of downtime and recovery.
93、The MAIN purpose of a transaction audit trail is to:
A、reduce the use of storage media.
B、determine accountability and responsibility for processed transactions.
C、help an IS auditor trace transactions.
D、provide useful information for capacity planning.
ANSWER: B
NOTE: Enabling audit trails aids in establishing the accountability and responsibility for processed transactions by tracing them through the information system. Enabling audit trails increases the use of disk space. A transaction log file would be used to trace transactions, but would not aid in determining accountability and responsibility. The objective of capacity planning is the efficient and effective use of IT resources and requires information such as CPU utilization, bandwidth, number of users, etc.
94、Which of the following is the MOST reasonable option for recovering a noncritical system?
A、Warm site
B、Mobile site
C、Hot site
D、Cold site
ANSWER: D
NOTE: Generally a cold site is contracted for a longer period at a lower cost. Since it requires more time to make a cold site operational, it is generally used for noncritical applications. A warm site is generally available at a medium cost, requires less time to become operational and is suitable for sensitive operations. A mobile site is a vehicle ready with all necessary computer equipment that can be moved to any cold or warm site depending upon the need. The need for a mobile site depends upon the scale of operations. A hot site is contracted for a shorter time period at a higher cost and is better suited for recovery of vital and critical applications.
95、The vice president of human resources has requested an audit to identify payroll overpayments for the previous year. Which would be the BEST audit technique to use in this situation?
A、Test data
B、Generalized audit software
C、Integrated test facility
D、Embedded audit module
ANSWER: B
NOTE: Generalized audit software features include mathematical computations, stratification, statistical analysis, sequence checking, duplicate checking and recomputations. An IS auditor, using generalized audit software, could design appropriate tests to recompute the payroll, thereby determining if there were overpayments and to whom they were made. Test data would test for the existence of controls that might prevent overpayments, but it would not detect specific, previous miscalculations. Neither an integrated test facility nor an embedded audit module would detect errors for a previous period.
96、Which of the following is an appropriate test method to apply to a business continuity plan (BCP)?
A、Pilot
B、Paper
C、Unit
D、System
ANSWER: B
NOTE: A paper test is appropriate for testing a BCP. It is a walkthrough of the entire plan, or part of the plan, involving major players in the plan's execution, who reason out what may happen in a particular disaster. Choices A, C and D are not appropriate for a BCP.
97、Which of the following is an example of the defense in-depth security principle?
A、Using two firewalls of different vendors to consecutively check the incoming network traffic
B、Using a firewall as well as logical access controls on the hosts to control incoming network traffic
C、Having no physical signs on the outside of a computer center building
D、Using two firewalls in parallel to check different types of incoming traffic
ANSWER: B
NOTE: Defense in-depth means using different security mechanisms that back each other up. When network traffic passes the firewall unintentionally, the logical access controls form a second line of defense. Using two firewalls of different vendors to consecutively check the incoming network traffic is an example of diversity in defense. The firewalls are the same security mechanisms. By using two different products the probability of both products having the same vulnerabilities is diminished. Having no physical signs on the outside of a computer center building is a single security measure. Using two firewalls in parallel to check different types of incoming traffic is a single security mechanism and therefore no different than having a single firewall checking all traffic.
98、The PRIMARY objective of performing a postincident review is that it presents an opportunity to:
A、improve internal control procedures.
B、harden the network to industry best practices.
C、highlight the importance of incident response management to management.
D、improve employee awareness of the incident response process.
ANSWER: A
NOTE: A postincident review examines both the cause and response to an incident. The lessons learned from the review can be used to improve internal controls. Understanding the purpose and structure of postincident reviews and follow-up procedures enables the information security manager to continuously improve the security program. Improving the incident response plan based on the incident review is an internal (corrective) control. The network may already be hardened to industry best practices. Additionally, the network may not be the source of the incident. The primary objective is to improve internal control procedures, not to highlight the importance of incident response management (IRM), and an incident response (IR) review does not improve employee awareness.
99、When conducting a penetration test of an organization's internal network, which of the following approaches would BEST enable the conductor of the test to remain undetected on the network?
A、Use the IP address of an existing file server or domain controller.
B、Pause the scanning every few minutes to allow thresholds to reset.
C、Conduct the scans during evening hours when no one is logged in.
D、Use multiple scanning tools since each tool has different characteristics.
ANSWER: B
NOTE: Pausing the scanning every few minutes avoids overtaxing the network as well as exceeding thresholds that may trigger alert messages to the network administrator. Using the IP address of a server would result in an address contention that would attract attention. Conducting scans after hours would increase the chance of detection, since there would be less traffic to conceal one's activities. Using different tools could increase the likelihood that one of them would be detected by an intrusion detection system.
100、Which of the following represents the GREATEST potential risk in an EDI environment?
A、Transaction authorization
B、Loss or duplication of EDI transmissions
C、Transmission delay
D、Deletion or manipulation of transactions prior to or after establishment of application controls
ANSWER: A
NOTE: Since the interaction between parties is electronic, there is no inherent authentication occurring; therefore, transaction authorization is the greatest risk. Choices B and D are examples of risks, but the impact is not as great as that of unauthorized transactions. Transmission delays may terminate the process or hold the line until the normal time for processing has elapsed; however, there will be no loss of data.
101、An IS auditor performing a review of the backup processing facilities should be MOST concerned that:
A、adequate fire insurance exists.
B、regular hardware maintenance is performed.
C、offsite storage of transaction and master files exists.
D、backup processing facilities are fully tested.
ANSWER: C
NOTE: Adequate fire insurance and fully tested backup processing facilities are important elements for recovery, but without the offsite storage of transaction and master files, it is generally impossible to recover. Regular hardware maintenance does not relate to recovery.
102、Which of the following is MOST critical for the successful implementation and maintenance of a security policy?
A、Assimilation of the framework and intent of a written security policy by all appropriate parties
B、Management support and approval for the implementation and maintenance of a security policy
C、Enforcement of security rules by providing punitive actions for any violation of security rules
D、Stringent implementation, monitoring and enforcing of rules by the security officer through access control software
ANSWER: A
NOTE: Assimilation of the framework and intent of a written security policy by the users of the system is critical to the successful implementation and maintenance of the security policy. A good password system may exist, but if the users of the system keep passwords written on their desk, the password is of little value. Management support and commitment is no doubt important, but for successful implementation and maintenance of security policy, educating the users on the importance of security is paramount. The stringent implementation, monitoring and enforcing of rules by the security officer through access control software, and provision for punitive actions for violation of security rules, is also required, along with the user's education on the importance of security.
103、A virtual private network (VPN) provides data confidentiality by using:
A、Secure Sockets Layer (SSL)
B、Tunnelling
C、Digital signatures
D、Phishing
ANSWER: B
NOTE: VPNs secure data in transit by encapsulating each packet inside another packet and encrypting the encapsulated payload, a process known as tunnelling; an observer on the carrier network sees only the outer headers. SSL/TLS protects a single session between a client and a server (the handshake negotiates the symmetric session keys) and can serve as the transport for a VPN, but it is not the mechanism by which a VPN carries protected traffic. Digital signatures provide authentication and integrity rather than confidentiality, and phishing is a form of social engineering attack.
104、An organization has an integrated development environment (IDE) on which the program libraries reside on the server, but modification/development and testing are done from PC workstations. Which of the following would be a strength of an IDE?
A、Controls the proliferation of multiple versions of programs
B、Expands the programming resources and aids available
C、Increases program and processing integrity
D、Prevents valid changes from being overwritten by other changes
ANSWER: B
NOTE: A strength of an IDE is that it expands the programming resources and aids available. The other choices are IDE weaknesses.
105、In an organization, the responsibilities for IT security are clearly assigned and enforced and an IT security risk and impact analysis is consistently performed. This represents which level of ranking in the information security governance maturity model?
A、Optimized
B、Managed
C、Defined
D、Repeatable
ANSWER: B
NOTE: Boards of directors and executive management can use the information security governance maturity model to establish rankings for security in their organizations. The ranks are nonexistent, initial, repeatable, defined, managed and optimized. When the responsibilities for IT security in an organization are clearly assigned and enforced and an IT security risk and impact analysis is consistently performed, it is said to be “managed and measurable.”
106、In the event of a disruption or disaster, which of the following technologies provides for continuous operations?
A、Load balancing
B、Fault-tolerant hardware
C、Distributed backups
D、High-availability computing
ANSWER: B
NOTE: Fault-tolerant hardware is the only technology that currently supports continuous, uninterrupted service. Load balancing is used to improve the performance of the server by splitting the work between several servers based on workloads. High-availability (HA) computing facilities provide a quick but not continuous recovery, while distributed backups require longer recovery times.
107、What is the MOST effective method of preventing unauthorized use of data files?
A、Automated file entry
B、Tape librarian
C、Access control software
D、Locked library
ANSWER: C
NOTE: Access control software is an active control designed to prevent unauthorized access to data.
108、Which of the following is the BEST method for preventing the leakage of confidential information in a laptop computer?
A、Encrypt the hard disk with the owner's public key.
B、Enable the boot password (hardware-based password).
C、Use a biometric authentication device.
D、Use two-factor authentication to logon to the notebook.
ANSWER: A
NOTE: Only encryption of the data with a secure key will prevent the loss of confidential information. In such a case, confidential information can be accessed only with knowledge of the owner's private key, which should never be shared. Choices B, C and D deal with authentication and not with the confidentiality of information: an individual can remove the hard drive from the secured laptop and install it in an unsecured computer, bypassing the boot password, biometric device or logon authentication and gaining access to the data. In practice, full-disk encryption products encrypt the disk with a symmetric key and protect that key with the user's credential or key pair; the point of the question is that the data itself must be encrypted at rest.
109、An IS auditor should be concerned when a telecommunication analyst:
A、monitors systems performance and tracks problems resulting from program changes.
B、reviews network load requirements in terms of current and future transaction volumes.
C、assesses the impact of the network load on terminal response times and network data transfer rates.
D、recommends network balancing procedures and improvements.
ANSWER: A
NOTE: The responsibilities of a telecommunications analyst include reviewing network load requirements in terms of current and future transaction volumes (choice B), assessing the impact of network load on terminal response times and network data transfer rates (choice C), and recommending network balancing procedures and improvements (choice D). Monitoring systems performance and tracking problems resulting from program changes (choice A) would put the analyst in a self-monitoring role.
110、An IS auditor invited to a development project meeting notes that no project risks have been documented. When the IS auditor raises this issue, the project manager responds that it is too early to identify risks and that, if risks do start impacting the project, a risk manager will be hired. The appropriate response of the IS auditor would be to:
A、stress the importance of spending time at this point in the project to consider and document risks, and to develop contingency plans.
B、accept the project manager's position as the project manager is accountable for the outcome of the project.
C、offer to work with the risk manager when one is appointed.
D、inform the project manager that the IS auditor will conduct a review of the risks at the completion of the requirements definition phase of the project.
ANSWER: A
NOTE: The majority of project risks can typically be identified before a project begins, allowing mitigation/avoidance plans to be put in place to deal with these risks. A project should have a clear link back to corporate strategy and tactical plans to support this strategy. The process of setting corporate strategy, setting objectives and developing tactical plans should include the consideration of risks. Appointing a risk manager is a good practice but waiting until the project has been impacted by risks is misguided. Risk management needs to be forward looking; allowing risks to evolve into issues that adversely impact the project represents a failure of risk management. With or without a risk manager, persons within and outside of the project team need to be consulted and encouraged to comment when they believe new risks have emerged or risk priorities have changed. The IS auditor has an obligation to the project sponsor and the organization to advise on appropriate project management practices. Waiting for the possible appointment of a risk manager represents an unnecessary and dangerous delay to implementing risk management.
111、What is the BEST approach to mitigate the risk of a phishing attack?
A、Implement an intrusion detection system (IDS)
B、Assess web site security
C、Strong authentication
D、User education
ANSWER: D
NOTE: Phishing attacks can be mounted in various ways; intrusion detection systems (IDSs) and strong authentication cannot mitigate most types of phishing attacks. Assessing web site security does not mitigate the risk. Phishing uses a server masquerading as a legitimate server. The best way to mitigate the risk of phishing is to educate users to take caution with suspicious Internet communications and not to trust them until verified. Users require adequate training to recognize suspicious web pages and e-mail.
112、An IS auditor reviewing an organization that uses cross-training practices should assess the risk of:
A、dependency on a single person.
B、inadequate succession planning.
C、one person knowing all parts of a system.
D、a disruption of operations.
ANSWER: C
NOTE: Cross-training is a process of training more than one individual to perform a specific job or procedure. This practice helps decrease the dependence on a single person and assists in succession planning. This provides for the backup of personnel in the event of an absence and, thereby, provides for the continuity of operations. However, in using this approach, it is prudent to have first assessed the risk of any person knowing all parts of a system and the related potential exposures. Cross-training reduces the risks addressed in choices A, B and D.
113、In a public key infrastructure (PKI), which of the following may be relied upon to prove that an online transaction was authorized by a specific customer?
A、Nonrepudiation
B、Encryption
C、Authentication
D、Integrity
ANSWER: A
NOTE: Nonrepudiation, achieved through the use of digital signatures, prevents the claimed sender from later denying that they generated and sent the message. Encryption may protect the data transmitted over the Internet, but may not prove that the transactions were made. Authentication is necessary to establish the identification of all parties to a communication. Integrity ensures that transactions are accurate but does not provide the identification of the customer.
114、An IS auditor is assigned to audit a software development project which is more than 80 percent complete, but has already overrun time by 10 percent and costs by 25 percent. Which of the following actions should the IS auditor take?
A、Report that the organization does not have effective project management.
B、Recommend the project manager be changed.
C、Review the IT governance structure.
D、Review the conduct of the project and the business case.
ANSWER: D
NOTE: Before making any recommendations, an IS auditor needs to understand the project and the factors that have contributed to making the project over budget and over schedule. The organization may have effective project management practices and sound IT governance and still be behind schedule or over budget. There is no indication that the project manager should be changed without looking into the reasons for the overrun.
115、The feature of a digital signature that ensures the sender cannot later deny generating and sending the message is called:
A、data integrity.
B、authentication.
C、nonrepudiation.
D、replay protection.
ANSWER: C
NOTE: All of the above are features of a digital signature. Nonrepudiation ensures that the claimed sender cannot later deny generating and sending the message. Data integrity refers to changes in the plaintext message that would result in the recipient failing to compute the same message hash. Since only the claimed sender has the private key, authentication ensures that the message has been sent by the claimed sender. Replay protection is a method that a recipient can use to check that the message was not intercepted and replayed; the signature supports it only when a nonce, sequence number or timestamp is included in the signed data.
116、An organization having a number of offices across a wide geographical area has developed a disaster recovery plan. Using actual resources, which of the following is the MOST cost-effective test of the disaster recovery plan?
A、Full operational test
B、Preparedness test
C、Paper test
D、Regression test
ANSWER: B
NOTE: A preparedness test is performed by each local office/area to test the adequacy of the preparedness of local operations for disaster recovery. A paper test is a structured walk-through of the disaster recovery plan and should be conducted before a preparedness test. A full operational test is conducted after the paper and preparedness test. A regression test is not a disaster recovery planning (DRP) test and is used in software maintenance.
117、With the help of a security officer, granting access to data is the responsibility of:
A、data owners.
B、programmers.
C、system analysts.
D、librarians.
ANSWER: A
NOTE: Data owners are responsible for the use of data. Written authorization for users to gain access to computerized information should be provided by the data owners. Security administration, with the owners' approval, sets up access rules stipulating which users or groups of users are authorized to access data or files and the level of authorized access (e.g., read or update).
118、Which of the following would an IS auditor consider the MOST relevant to short-term planning for an IS department?
A、Allocating resources
B、Keeping current with technology advances
C、Conducting control self-assessment
D、Evaluating hardware needs
ANSWER: A
NOTE: The IS department should specifically consider the manner in which resources are allocated in the short term. Investments in IT need to be aligned with top management strategies, rather than focusing on technology for technology's sake. Conducting control self-assessments and evaluating hardware needs are not as critical as allocating resources during short-term planning for the IS department.
119、A sender of an e-mail message applies a digital signature to the digest of the message. This action provides assurance of the:
A、date and time stamp of the message.
B、identity of the originating computer.
C、confidentiality of the message's content.
D、authenticity of the sender.
ANSWER: D
NOTE: The signature on the digest can be used to authenticate the sender. It does not provide assurance of the date and time stamp or the identity of the originating computer. Digitally signing an e-mail message does not prevent access to its content and, therefore, does not assure confidentiality.
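An added example (not from the page) that exercises the three properties discussed in questions 113, 115 and 119 with a signature over a message digest: the customer signs the SHA-256 digest of an order with a private key, anyone can verify it with the public key, an altered order fails, another party's key fails, and the order text stays readable throughout. It uses textbook RSA built from fixed Mersenne primes purely so that it runs offline with the standard library; the key sizes, the absence of a padding scheme (no PSS), the `make_key` helper and the sample order text are simplifications and assumptions of this example, not a description of any real PKI product.

```python
import hashlib
from math import gcd

# Hypothetical helper: build an RSA key pair from two primes.  The primes used
# below are fixed, well-known Mersenne primes chosen so the example runs
# deterministically without a crypto library; a real key pair uses two random
# primes of at least 1024 bits each, and real signatures use a padding scheme
# such as RSASSA-PSS.  Nothing here is production code.
def make_key(p: int, q: int, e: int = 65537) -> dict:
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("public exponent must be coprime to phi(n)")
    d = pow(e, -1, phi)          # private exponent (Python 3.8+ modular inverse)
    return {"n": n, "e": e, "d": d}

def public(key: dict) -> dict:
    """The part of the key that is published: everything except d."""
    return {"n": key["n"], "e": key["e"]}

# Constructed keys: the customer's, and an unrelated party's.
CUSTOMER_KEY = make_key(2**127 - 1, 2**521 - 1)
OTHER_KEY = make_key(2**107 - 1, 2**607 - 1)

def digest(message: bytes) -> int:
    """SHA-256 digest of the message as an integer (256 bits, well below n)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")

def sign(message: bytes, key: dict) -> int:
    """Apply the private exponent to the digest.  Only the holder of d can do
    this, which is what lets the signature support nonrepudiation."""
    return pow(digest(message), key["d"], key["n"])

def verify(message: bytes, signature: int, pub: dict) -> bool:
    """Anyone holding the public key recovers the signed digest and compares it
    with a fresh digest of the message they actually received."""
    return pow(signature, pub["e"], pub["n"]) == digest(message)

def demo() -> dict:
    order = b"transfer 100.00 from acct 1001 to acct 2002"   # constructed sample
    sig = sign(order, CUSTOMER_KEY)
    return {
        # the message travels in the clear: a signature gives no confidentiality
        "message_readable": order.decode(),
        "valid": verify(order, sig, public(CUSTOMER_KEY)),
        # integrity: a changed amount no longer matches the signed digest
        "tampered": verify(b"transfer 900.00 from acct 1001 to acct 2002",
                           sig, public(CUSTOMER_KEY)),
        # authentication: the signature is bound to the customer's key pair
        "wrong_signer": verify(order, sig, public(OTHER_KEY)),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Run with python3 and it reports that the original order verifies, the altered amount does not (integrity), a third party's public key does not verify it (authentication), and the order text was readable the whole time (no confidentiality). Nonrepudiation follows from the first two only if the private exponent has never left the customer's control, which is why the PKI question turns on key custody rather than on the arithmetic.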
120、An IS auditor conducting a review of disaster recovery planning (DRP) at a financial processing organization has discovered the following:
The existing disaster recovery plan was compiled two years earlier by a systems analyst in the organization's IT department using transaction flow projections from the operations department.
The plan was presented to the deputy CEO for approval and formal issue, but it is still awaiting his/her attention.
The plan has never been updated, tested or circulated to key management and staff, though interviews show that each would know what action to take for its area in the event of a disruptive incident.
The basis of an organization's disaster recovery plan is to reestablish live processing at an alternative site where a similar, but not identical, hardware configuration is already established. An IS auditor should:
A、take no action as the lack of a current plan is the only significant finding.
B、recommend that the hardware configuration at each site is identical.
C、perform a review to verify that the second configuration can support live processing.
D、report that the financial expenditure on the alternative site is wasted without an effective plan.
ANSWER: C
NOTE: An IS auditor does not have a finding unless it can be shown that the alternative hardware cannot support the live processing system. Even though the primary finding is the lack of a proven and communicated disaster recovery plan, it is essential that this aspect of recovery is included in the audit. If it is found to be inadequate, the finding will materially support the overall audit opinion. It is certainly not appropriate to take no action at all, leaving this important factor untested. Unless it is shown that the alternative site is inadequate, there can be no comment on the expenditure, even if this is considered a proper comment for the IS auditor to make. Similarly, there is no need for the configurations to be identical. The alternative site could actually exceed the recovery requirements if it is also used for other work, such as other processing or systems development and testing. The only proper course of action at this point would be to find out if the recovery site can actually cope with a recovery.
121、An organization has a mix of access points that cannot be upgraded to stronger security and newer access points having advanced wireless security. An IS auditor recommends replacing the nonupgradeable access points. Which of the following would BEST justify the IS auditor's recommendation?
A、The new access points with stronger security are affordable.
B、The old access points are poorer in terms of performance.
C、The organization's security would be as strong as its weakest points.
D、The new access points are easier to manage.
ANSWER: C
NOTE: The old access points should be discarded and replaced with products having strong security; otherwise, they will leave security holes open for attackers and thus make the entire network as weak as they are. Affordability is not the auditor's major concern. Performance is not as important as security in this situation. Product manageability is not the IS auditor's concern.
122、During a logical access controls review, an IS auditor observes that user accounts are shared. The GREATEST risk resulting from this situation is that:
A、an unauthorized user may use the ID to gain access.
B、user access management is time consuming.
C、passwords are easily guessed.
D、user accountability may not be established.
ANSWER: D
NOTE: The use of a single user ID by more than one individual precludes knowing who in fact used that ID to access a system; therefore, it is literally impossible to hold anyone accountable. All user IDs, not just shared IDs, can be used by unauthorized individuals. Access management would not be any different with shared IDs, and shared user IDs do not necessarily have easily guessed passwords.
123、The PRIMARY purpose of audit trails is to:
A、improve response time for users.
B、establish accountability and responsibility for processed transactions.
C、improve the operational efficiency of the system.
D、provide useful information to auditors who may wish to track transactions.
ANSWER: B
NOTE: Enabling audit trails helps in establishing the accountability and responsibility of processed transactions by tracing transactions through the system. The objective of enabling software to provide audit trails is not to improve system efficiency, since it often involves additional processing which may in fact reduce response time for users. Enabling audit trails involves storage and thus occupies disk space. Choice D is also a valid reason; however, it is not the primary reason.
124、A data center has a badge-entry system. Which of the following is MOST important to protect the computing assets in the center?
A、Badge readers are installed in locations where tampering would be noticed
B、The computer that controls the badge system is backed up frequently
C、A process for promptly deactivating lost or stolen badges exists
D、All badge entry attempts are logged
ANSWER: C
NOTE: Tampering with a badge reader does not by itself open the door, so this is not the most important control. Logging the entry attempts may be of limited value. The biggest risk is from unauthorized individuals who can enter the data center, whether they are employees or not; thus, a process for promptly deactivating lost or stolen badges is important. The configuration of the system does not change frequently, so frequent backup is not necessary.
125、Which of the following will prevent dangling tuples in a database?
A、Cyclic integrity
B、Domain integrity
C、Relational integrity
D、Referential integrity
ANSWER: D
NOTE: Referential integrity ensures that a foreign key in one table will equal null or the value of a primary key in the other table. For every tuple in a table having a referenced/foreign key, there should be a corresponding tuple in another table, i.e., every foreign key value in the referencing table must exist as a primary key in the referenced table. If this condition is not satisfied, the result is a dangling tuple. Cyclical checking is the control technique for the regular checking of accumulated data on a file against authorized source documentation. There is no cyclical integrity testing. Domain integrity testing ensures that a data item has a legitimate value in the correct range or set. Relational integrity is performed at the record level and is ensured by calculating and verifying specific fields.
126、An Internet-based attack using password sniffing can:
A、enable one party to act as if they are another party.
B、cause modification to the contents of certain transactions.
C、be used to gain access to systems containing proprietary information.
D、result in major problems with billing systems and transaction processing agreements.
ANSWER: C
NOTE: Password sniffing attacks can be used to gain access to systems on which proprietary information is stored. Spoofing attacks can be used to enable one party to act as if they are another party. Data modification attacks can be used to modify the contents of certain transactions. Repudiation of transactions can cause major problems with billing systems and transaction processing agreements.
127、Which of the following is the MOST important action in recovering from a cyberattack?
A、Creation of an incident response team
B、Use of cyberforensic investigators
C、Execution of a business continuity plan
D、Filing an insurance claim
ANSWER: C
NOTE: The most important key step in recovering from cyberattacks is the execution of a business continuity plan to quickly and cost-effectively recover critical systems, processes and data. The incident response team should exist prior to a cyberattack. When a cyberattack is suspected, cyberforensics investigators should be used to set up alarms, catch intruders within the network, and track and trace them over the Internet. After taking the above steps, an organization may have a residual risk that needs to be insured and claimed for traditional and electronic exposures.
128、Which of the following would MOST effectively reduce social engineering incidents?
A、Security awareness training
B、Increased physical security measures
C、E-mail monitoring policy
D、Intrusion detection systems
ANSWER: A
NOTE: Social engineering exploits human nature and weaknesses to obtain information and access privileges. By increasing employee awareness of security issues, it is possible to reduce the number of successful social engineering incidents. In most cases, social engineering incidents do not require the physical presence of the intruder. Therefore, increased physical security measures would not prevent the intrusion. An e-mail monitoring policy informs users that all e-mail in the organization is subject to monitoring; it does not protect the users from potential security incidents and intruders. Intrusion detection systems are used to detect irregular or abnormal traffic patterns.
129、An IS auditor has audited a business continuity plan (BCP). Which of the following findings is the MOST critical?
A、Nonavailability of an alternate private branch exchange (PBX) system
B、Absence of a backup for the network backbone
C、Lack of backup systems for the users' PCs
D、Failure of the access card system
ANSWER: B
NOTE: Failure of a network backbone will result in the failure of the complete network and impact the ability of all users to access information on the network. The nonavailability of an alternate PBX system will result in users not being able to make or receive telephone calls or faxes; however, users may have alternate means of communication, such as a mobile phone or e-mail. Lack of backup systems for user PCs will impact only the specific users, not all users. Failure of the access card system impacts the ability to maintain records of the users who are entering the specified work areas; however, this could be mitigated by manual monitoring controls.
130、A hacker could obtain passwords without the use of computer tools or programs through the technique of:
A、social engineering.
B、sniffers.
C、back doors.
D、Trojan horses.
ANSWER: A
NOTE: Social engineering is based on the divulgence of private information through dialogues, interviews, inquiries, etc., in which a user may be indiscreet regarding their or someone else's personal data. A sniffer is a computer tool to monitor the traffic in networks. Back doors are hidden entry points left in a system by an attacker (or a developer) to regain access while bypassing normal authentication. Trojan horses are computer programs that pose as, or replace, a legitimate program while carrying unauthorized and usually malicious functionality.
131、An IS auditor's PRIMARY concern when application developers wish to use a copy of yesterday's production transaction file for volume tests is that:
A、users may prefer to use contrived data for testing.
B、unauthorized access to sensitive data may result.
C、error handling and credibility checks may not be fully proven.
D、the full functionality of the new process may not necessarily be tested.
ANSWER: B
NOTE: Unless the data are sanitized, there is a risk of disclosing sensitive data.
132、The use of residual biometric information to gain unauthorized access is an example of which of the following attacks?
A、Replay
B、Brute force
C、Cryptographic
D、Mimic
ANSWER: A
NOTE: Residual biometric characteristics, such as fingerprints left on a biometric capture device, may be reused by an attacker to gain unauthorized access. A brute force attack involves feeding the biometric capture device numerous different biometric samples. A cryptographic attack targets the algorithm or the encrypted data. In a mimic attack, the attacker reproduces characteristics similar to those of the enrolled user, such as forging a signature or imitating a voice.
133、The development of an IS security policy is ultimately the responsibility of the:
A、IS department.
B、security committee.
C、security administrator.
D、board of directors.
ANSWER: D
NOTE: Normally, the designing of an information systems security policy is the responsibility of top management or the board of directors. The IS department is responsible for the execution of the policy, having no authority in framing the policy. The security committee also functions within the broad security policy framed by the board of directors. The security administrator is responsible for implementing, monitoring and enforcing the security rules that management has established and authorized.
134、This question refers to the following diagram.
E-mail traffic from the Internet is routed via firewall-1 to the mail gateway. Mail is routed from the mail gateway, via firewall-2, to the mail recipients in the internal network. Other traffic is not allowed. For example, the firewalls do not allow direct traffic from the Internet to the internal network.
The intrusion detection system (IDS) detects traffic for the internal network that did not originate from the mail gateway. The FIRST action triggered by the IDS should be to:
A、alert the appropriate staff.
B、create an entry in the log.
C、close firewall-2.
D、close firewall-1.
ANSWER: C
NOTE: Traffic for the internal network that did not originate from the mail gateway is a sign that firewall-1 is not functioning properly. This may have been caused by an attack from a hacker. Closing firewall-2 is the first thing that should be done, thus preventing damage to the internal network. After closing firewall-2, the malfunctioning of firewall-1 can be investigated. The IDS should trigger the closing of firewall-2 either automatically or by manual intervention. Between the detection by the IDS and a response from the system administrator, valuable time can be lost, in which a hacker could also compromise firewall-2. An entry in the log is valuable for later analysis, but before that, the IDS should close firewall-2. If firewall-1 has already been compromised by a hacker, it might not be possible for the IDS to close it.
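The detection rule and the response ordering from question 134, as an added example that is not part of the original page. The addresses, the flow-record format and the sample records are all constructed for the example (the page gives no addresses and no diagram text); the rule itself is the one the question states: anything arriving in the internal network that did not come from the mail gateway is a violation, and containment (closing firewall-2) precedes logging and alerting.

```python
import ipaddress
import re

# Assumed addressing for the diagram in question 134 (the page gives none).
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/24")
MAIL_GATEWAY = ipaddress.ip_address("192.168.100.10")   # host behind firewall-1

# Constructed sample of flow records as an IDS sensor on the internal side of
# firewall-2 might report them: "<src> -> <dst>:<dport> <proto>".
SAMPLE_FLOWS = """\
192.168.100.10 -> 10.0.0.25:25 tcp
192.168.100.10 -> 10.0.0.26:25 tcp
203.0.113.7 -> 10.0.0.25:445 tcp
203.0.113.7 -> 10.0.0.5:22 tcp
10.0.0.25 -> 10.0.0.26:25 tcp
not a flow record
"""

FLOW_RE = re.compile(r"^(\S+) -> (\S+):(\d+) (\w+)$")

def parse_flow(line: str):
    """Return a flow dict, or None for lines that are not valid flow records."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    src, dst, dport, proto = m.groups()
    try:
        return {"src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst),
                "dport": int(dport), "proto": proto}
    except ValueError:
        return None

def violates_policy(flow: dict) -> bool:
    """The only traffic allowed INTO the internal network is from the mail gateway.
    Flows that start inside the internal network are outside the scope of this rule."""
    if flow["dst"] not in INTERNAL_NET or flow["src"] in INTERNAL_NET:
        return False
    return flow["src"] != MAIL_GATEWAY

def plan_response(violations: list) -> list:
    """Order matters: contain (close firewall-2) before recording and notifying,
    because the window between detection and a human response is the attacker's."""
    if not violations:
        return []
    actions = ["close firewall-2"]
    actions += [f"log {v['src']} -> {v['dst']}:{v['dport']}/{v['proto']}" for v in violations]
    actions.append("alert staff")
    return actions

def analyse(text: str):
    """Parse flow records, pick out policy violations, and return them with the
    ordered list of actions the IDS should trigger."""
    flows = [f for f in map(parse_flow, text.splitlines()) if f is not None]
    violations = [f for f in flows if violates_policy(f)]
    return violations, plan_response(violations)

if __name__ == "__main__":
    found, actions = analyse(SAMPLE_FLOWS)
    print(f"{len(found)} violation(s)")
    for a in actions:
        print(a)
```

On the sample, the two flows from 203.0.113.7 into the internal network are flagged, the mail gateway's own deliveries and the internal-to-internal flow are not, and the first action emitted is the closure of firewall-2. In a real deployment the "close firewall-2" action would be an API call or a script on the firewall, and the rule would also need to tolerate the IDS's own management traffic.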
135、When planning an audit of a network setup, an IS auditor should give highest priority to obtaining which of the following network documentation?
A、Wiring and schematic diagram
B、Users' lists and responsibilities
C、Application lists and their details
D、Backup and recovery procedures
ANSWER: A
NOTE: The wiring and schematic diagram of the network is necessary to carry out a network audit. A network audit may not be feasible if a network wiring and schematic diagram is not available. All other documents are important but not necessary.
136、Data flow diagrams are used by IS auditors to:
A、order data hierarchically.
B、highlight high-level data definitions.
C、graphically summarize data paths and storage.
D、portray step-by-step details of data generation.
ANSWER: C
NOTE: Data flow diagrams are used as aids to graph or chart data flow and storage. They trace the data from its origination to destination, highlighting the paths and storage of data. They do not order data in any hierarchy. The flow of the data will not necessarily match any hierarchy or data generation order.
137、Which of the following would impair the independence of a quality assurance team?
A、Ensuring compliance with development methods
B、Checking the testing assumptions
C、Correcting coding errors during the testing process
D、Checking the code to ensure proper documentation
ANSWER: C
NOTE: Correction of code should not be a responsibility of the quality assurance team as it would not ensure segregation of duties and would impair the team's independence. The other choices are valid quality assurance functions.
138、The FIRST step in managing the risk of a cyberattack is to:
A、assess the vulnerability impact.
B、evaluate the likelihood of threats.
C、identify critical information assets.
D、estimate potential damage.
ANSWER: C
NOTE: The first step in managing risk is the identification and classification of critical information resources (assets). Once the assets have been identified, the process moves onto the identification of threats, vulnerabilities and calculation of potential damages.
139、Which of the following is the PRIMARY purpose for conducting parallel testing?
A、To determine if the system is cost-effective
B、To enable comprehensive unit and system testing
C、To highlight errors in the program interfaces with files
D、To ensure the new system meets user requirements
ANSWER: D
NOTE: The purpose of parallel testing is to ensure that the implementation of a new system will meet user requirements. Parallel testing may show that the old system is, in fact, better than the new system, but this is not the primary reason. Unit and system testing are completed before parallel testing. Program interfaces with files are tested for errors during system testing.
140、Effective IT governance requires organizational structures and processes to ensure that:
A、the organization's strategies and objectives extend the IT strategy.
B、the business strategy is derived from an IT strategy.
C、IT governance is separate and distinct from the overall governance.
D、the IT strategy extends the organization's strategies and objectives.
ANSWER: D
NOTE: Effective IT governance requires that board and executive management extend governance to IT and provide the leadership, organizational structures and processes that ensure that the organization's IT sustains and extends the organization's strategies and objectives, and that the strategy is aligned with business strategy. Choice A is incorrect because it is the IT strategy that extends the organizational objectives, not the opposite. IT governance is not an isolated discipline; it must become an integral part of the overall enterprise governance.
141、In a contract with a hot, warm or cold site, contractual provisions should cover which of the following considerations?
A、Physical security measures
B、Total number of subscribers
C、Number of subscribers permitted to use a site at one time
D、References by other users
ANSWER: C
NOTE: The contract should specify the number of subscribers permitted to use the site at any one time. Physical security measures are not a part of the contract, although they are an important consideration when choosing a third-party site. The total number of subscribers is not a consideration; what is important is whether the agreement limits the number of subscribers in a building or in a specific area. The references that other users can provide is a consideration taken before signing the contract; it is by no means part of the contractual provisions.
142、An organization has been recently downsized. In light of this, an IS auditor decides to test logical access controls. The IS auditor's PRIMARY concern should be that:
A、all system access is authorized and appropriate for an individual's role and responsibilities.
B、management has authorized appropriate access for all newly-hired individuals.
C、only the system administrator has authority to grant or modify access to individuals.
D、access authorization forms are used to grant or modify access to individuals.
ANSWER: A
NOTE: The downsizing of an organization implies a large number of personnel actions over a relatively short period of time. Employees can be assigned new duties while retaining some or all of their former duties. Numerous employees may be laid off. The auditor should be concerned that an appropriate segregation of duties is maintained, that access is limited to what is required for an employee's role and responsibilities, and that access is revoked for those that are no longer employed by the organization. Choices B, C and D are all potential concerns of an IS auditor, but in light of the particular risks associated with a downsizing, should not be the primary concern.
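One way to turn the auditor's concern in question 142 into a repeatable test, as an added example that is not part of the original page: reconcile the application's account list against the HR roster and a role baseline, and report accounts whose owner has left, accounts with no owner at all, entitlements beyond the owner's role, and segregation-of-duties conflicts. The roster, the role baseline, the two SoD rules and the account extract are all constructed for the example; a real review would pull them from the HR system, the access-control software and the organization's own SoD matrix.

```python
# Constructed HR roster: employee_id -> (status, job role).
HR_ROSTER = {
    "E100": ("active", "ap_clerk"),
    "E101": ("terminated", "ap_clerk"),      # laid off in the downsizing
    "E102": ("active", "ap_clerk"),          # also absorbed approval duties
    "E103": ("active", "dba"),
}

# Assumed role baseline: the entitlements each role is supposed to have.
ROLE_BASELINE = {
    "ap_clerk": {"create_vendor", "enter_invoice"},
    "ap_manager": {"approve_payment"},
    "dba": {"db_admin"},
}

# Assumed segregation-of-duties rules: no single account may hold all of a set.
SOD_RULES = [
    frozenset({"create_vendor", "approve_payment"}),
    frozenset({"enter_invoice", "approve_payment"}),
]

# Constructed extract of the application's user list.
ACCOUNTS = [
    {"user": "alice", "employee_id": "E100",
     "entitlements": {"create_vendor", "enter_invoice"}},
    {"user": "bob", "employee_id": "E101",
     "entitlements": {"create_vendor", "enter_invoice"}},
    {"user": "carol", "employee_id": "E102",
     "entitlements": {"create_vendor", "enter_invoice", "approve_payment"}},
    {"user": "dave", "employee_id": "E103",
     "entitlements": {"db_admin", "approve_payment"}},
    {"user": "svc_batch", "employee_id": None,
     "entitlements": {"enter_invoice"}},
]

def review_access(accounts, roster, baseline, sod_rules):
    """Return (user, finding_type, detail) tuples for accounts that fail the review."""
    findings = []
    for acct in accounts:
        user, ents = acct["user"], acct["entitlements"]
        emp = roster.get(acct["employee_id"])
        if emp is None:
            findings.append((user, "no_owner",
                             "account is not linked to a current employee"))
            continue
        status, role = emp
        if status != "active":
            findings.append((user, "orphaned",
                             f"owner {acct['employee_id']} is {status}; access should have been revoked"))
            continue
        excess = ents - baseline.get(role, set())
        if excess:
            findings.append((user, "excess", f"beyond role {role}: {sorted(excess)}"))
        for rule in sod_rules:
            if rule <= ents:
                findings.append((user, "sod", f"conflicting duties: {sorted(rule)}"))
    return findings

def finding_types(findings, user):
    """The set of finding types raised against one user (empty if the account is clean)."""
    return {kind for u, kind, _ in findings if u == user}

if __name__ == "__main__":
    for f in review_access(ACCOUNTS, HR_ROSTER, ROLE_BASELINE, SOD_RULES):
        print(" | ".join(f))
```

On the sample data, bob's account survives his termination (the revocation finding), carol holds both sides of two payment controls because she kept her clerk entitlements when she took on approvals (the duty-shift risk the NOTE describes), dave has an entitlement his role does not justify, and the service account has no identifiable owner. The same structure works for any system that can export users and entitlements; the hard part in practice is keeping the role baseline and SoD rules current as duties move.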
143、To support an organization's goals, an IS department should have:
A、a low-cost philosophy.
B、long- and short-range plans.
C、leading-edge technology.
D、plans to acquire new hardware and software.
ANSWER: B
NOTE: To ensure its contribution to the realization of an organization's overall goals, the IS department should have long- and short-range plans that are consistent with the organization's broader plans for attaining its goals. Choices A and C are objectives, and plans would be needed to delineate how each of the objectives would be achieved. Choice D could be a part of the overall plan but would be required only if hardware or software is needed to achieve the organizational goals.
144、To determine which users can gain access to the privileged supervisory state, which of the following should an IS auditor review?
A、System access log files
B、Enabled access control software parameters
C、Logs of access control violations
D、System configuration files for control options used
ANSWER: D
NOTE: A review of the system configuration files for the control options in use would show which users can enter the privileged supervisory state. System access log files and logs of access violations are detective in nature: they show what has already happened, not who is entitled to do it. The enabled parameters of an access control software package describe that package, which itself runs under the operating system; they do not govern entry to the operating system's supervisory state.
145、In a relational database with referential integrity, the use of which of the following keys would prevent deletion of a row from a customer table as long as the customer number of that row is stored with live orders on the orders table?
A、Foreign key
B、Primary key
C、Secondary key
D、Public key
ANSWER: A
NOTE: In a relational database with referential integrity, the use of foreign keys would prevent events such as primary key changes and record deletions, resulting in orphaned relations within the database. It should not be possible to delete a row from a customer table when the customer number (primary key) of that row is stored with live orders on the orders table (the foreign key to the customer table). A primary key works in one table, so it is not able to provide/ensure referential integrity by itself. Secondary keys that are not foreign keys are not subject to referential integrity checks. Public key is related to encryption and not linked in any way to referential integrity.
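The following is an added example, not part of the original question bank, that makes the referential-integrity behaviour concrete using SQLite from Python. The table names, columns and sample rows are constructed for the illustration. It also shows the check a practitioner would want: SQLite parses FOREIGN KEY clauses but does not enforce them unless the connection turns enforcement on, so the same schema behaves very differently depending on one pragma.

```python
import sqlite3

# Added example (not from the original question bank): a FOREIGN KEY with
# ON DELETE RESTRICT blocks deletion of a customer row that still has live
# orders. Table names, columns and sample rows are constructed.

SCHEMA = """
CREATE TABLE customers (
    customer_no INTEGER PRIMARY KEY,
    name        TEXT NOT NULL
);
CREATE TABLE orders (
    order_no    INTEGER PRIMARY KEY,
    customer_no INTEGER NOT NULL
                REFERENCES customers(customer_no) ON DELETE RESTRICT,
    amount      REAL NOT NULL
);
"""


def open_db(enforce_fk=True):
    """In-memory database with both tables and sample rows.

    SQLite ships with foreign-key enforcement OFF; it must be switched on per
    connection, otherwise the constraint is parsed but never checked.
    """
    conn = sqlite3.connect(":memory:")
    if enforce_fk:
        conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO customers VALUES (?, ?)",
                     [(1, "Acme Ltd"), (2, "Bolt Inc")])
    # customer 1 has live orders, customer 2 has none
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?)",
                     [(100, 1, 250.0), (101, 1, 99.5)])
    conn.commit()
    return conn


def delete_customer(conn, customer_no):
    """True if the row was removed, False if the database refused because
    orders still reference it (sqlite3.IntegrityError)."""
    try:
        with conn:
            conn.execute("DELETE FROM customers WHERE customer_no = ?",
                         (customer_no,))
        return True
    except sqlite3.IntegrityError:
        return False


def orphaned_orders(conn):
    """Order numbers whose customer_no no longer matches any customer row."""
    rows = conn.execute("""
        SELECT o.order_no FROM orders o
        LEFT JOIN customers c ON c.customer_no = o.customer_no
        WHERE c.customer_no IS NULL""").fetchall()
    return sorted(r[0] for r in rows)


def demo(enforce_fk=True):
    conn = open_db(enforce_fk)
    result = {
        "deleted_customer_with_orders": delete_customer(conn, 1),
        "deleted_customer_without_orders": delete_customer(conn, 2),
        "orphans": orphaned_orders(conn),
    }
    conn.close()
    return result


if __name__ == "__main__":
    print("enforced:    ", demo(True))
    print("not enforced:", demo(False))
```

With enforcement on, the delete of customer 1 is refused and no orphans appear; with enforcement off, the same statement succeeds and orders 100 and 101 are left pointing at a customer that no longer exists. An auditor reviewing a database that claims referential integrity should verify that enforcement is actually enabled, not just that the constraints are declared.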
146、During an exit interview, in cases where there is disagreement regarding the impact of a finding, an IS auditor should:
A、ask the auditee to sign a release form accepting full legal responsibility.
B、elaborate on the significance of the finding and the risks of not correcting it.
C、report the disagreement to the audit committee for resolution.
D、accept the auditee's position since they are the process owners.
ANSWER: B
NOTE: If the auditee disagrees with the impact of a finding, it is important for an IS auditor to elaborate and clarify the risks and exposures, as the auditee may not fully appreciate the magnitude of the exposure. The goal should be to enlighten the auditee or uncover new information of which an IS auditor may not have been aware. Anything that appears to threaten the auditee will lessen effective communications and set up an adversarial relationship. By the same token, an IS auditor should not automatically agree just because the auditee expresses an alternate point of view.
147、An IS auditor reviewing wireless network security determines that the Dynamic Host Configuration Protocol is disabled at all wireless access points. This practice:
A、reduces the risk of unauthorized access to the network.
B、is not suitable for small networks.
C、automatically provides an IP address to anyone.
D、increases the risks associated with Wireless Encryption Protocol (WEP).
ANSWER: A
NOTE: Dynamic Host Configuration Protocol (DHCP) automatically hands an IP address to any device that connects to the network. With DHCP disabled, each device must be configured with a static address, so an unauthorized device does not get working network parameters for free; it must first discover a valid, unused address, and a guessed address that collides with an existing device causes address contention that is likely to be noticed. This only raises the bar slightly (an attacker who can observe traffic can infer the addressing scheme), so it is a supplementary measure, not a substitute for strong authentication and encryption. Choice B is incorrect because DHCP is suitable for small networks. Choice C is incorrect because DHCP does not provide IP addresses when disabled. Choice D is incorrect because disabling DHCP makes it somewhat more difficult, not easier, to exploit the well-known weaknesses in WEP.
148、The BEST overall quantitative measure of the performance of biometric control devices is:
A、false-rejection rate.
B、false-acceptance rate.
C、equal-error rate.
D、estimated-error rate.
ANSWER: C
NOTE: The equal-error rate (EER) is the rate at which the false-rejection rate (FRR) and the false-acceptance rate (FAR) are equal, found by adjusting the device's decision threshold until the two curves cross. Expressed as a percentage, it summarises both error types in a single figure: a low EER means the device can be tuned to a point where it is simultaneously unlikely to reject authorized users and unlikely to accept impostors, so a lower EER indicates the more effective biometric device. A low FRR or a low FAR alone does not measure effectiveness, because either one can be driven to zero simply by moving the threshold at the expense of the other. "Estimated-error rate" is not a biometric metric and is therefore irrelevant.
149、Which of the following would be the BEST overall control for an Internet business looking for confidentiality, reliability and integrity of data?
A、Secure Sockets Layer (SSL)
B、Intrusion detection system (IDS)
C、Public key infrastructure (PKI)
D、Virtual private network (VPN)
ANSWER: C
NOTE: PKI would be the best overall technology because cryptography provides for encryption, digital signatures and nonrepudiation controls for confidentiality and reliability. SSL can provide confidentiality. IDS is a detective control. A VPN would provide confidentiality and authentication (reliability).
150、Which of the following is the BEST type of program for an organization to implement to aggregate, correlate and store different log and event files, and then produce weekly and monthly reports for IS auditors?
A、A security information event management (SIEM) product
B、An open-source correlation engine
C、A log management tool
D、An extract, transform, load (ETL) system
ANSWER: C
NOTE: A log management tool is a product designed to aggregate events from many log files (with distinct formats and from different sources), store them and typically correlate them offline to produce many reports (e.g., exception reports showing different statistics including anomalies and suspicious activities), and to answer time-based queries (e.g., how many users have entered the system between 2 a.m. and 4 a.m. over the past three weeks?). A SIEM product has some similar features. It correlates events from log files, but does so online and normally is not oriented to storing many weeks of historical information and producing audit reports. A correlation engine is part of a SIEM product and is oriented to online correlation of events. An extract, transform, load (ETL) system is part of a business intelligence system, dedicated to extracting operational or production data, transforming that data and loading it into a central repository (data warehouse or data mart); an ETL system does not correlate data or produce reports, and normally it has no extractors for log file formats.
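The following is an added example, not part of the original question bank, showing the three functions the note attributes to a log management tool: normalizing events from logs with distinct formats, keeping them in a store (an in-memory list stands in for it here), and then answering a time-based auditor query and producing an exception report correlated across sources. The sshd and web-server log lines, host names and addresses are constructed for the illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Added example (not from the original question bank): a minimal log management
# pipeline. All log lines, hosts and addresses below are constructed.

SSHD_LOGS = """\
2024-03-04 02:15:07 bastion sshd[4110]: Accepted publickey for alice from 10.0.1.5 port 51022
2024-03-04 02:40:19 bastion sshd[4122]: Failed password for root from 203.0.113.9 port 40011
2024-03-04 02:40:21 bastion sshd[4122]: Failed password for root from 203.0.113.9 port 40011
2024-03-04 02:40:24 bastion sshd[4122]: Failed password for root from 203.0.113.9 port 40011
2024-03-05 03:02:44 bastion sshd[5203]: Accepted password for bob from 10.0.1.7 port 51100
2024-03-06 14:00:01 bastion sshd[6001]: Accepted publickey for alice from 10.0.1.5 port 51200
"""

WEB_LOGS = """\
10.0.2.9 - carol [04/Mar/2024:03:30:12 +0000] "POST /login HTTP/1.1" 200 512
203.0.113.9 - - [04/Mar/2024:03:31:02 +0000] "POST /login HTTP/1.1" 401 87
203.0.113.9 - - [04/Mar/2024:03:31:05 +0000] "POST /login HTTP/1.1" 401 87
10.0.2.9 - carol [05/Mar/2024:11:20:00 +0000] "GET /report HTTP/1.1" 200 2048
"""

SSHD_RE = re.compile(
    r"^(\S+ \S+) \S+ sshd\[\d+\]: (Accepted|Failed) \w+ for (\S+) from (\S+)")
WEB_RE = re.compile(
    r'^(\S+) \S+ (\S+) \[([^\]]+)\] "(\w+) (\S+) [^"]*" (\d{3})')


def normalize(sshd_text, web_text):
    """Turn both raw formats into one record shape:
    (timestamp, source_ip, user, event) with event in
    {'login_ok', 'login_fail', 'other'}."""
    events = []
    for line in sshd_text.splitlines():
        m = SSHD_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        event = "login_ok" if m.group(2) == "Accepted" else "login_fail"
        events.append((ts, m.group(4), m.group(3), event))
    for line in web_text.splitlines():
        m = WEB_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(3), "%d/%b/%Y:%H:%M:%S %z")
        ts = ts.replace(tzinfo=None)          # keep both sources naive UTC
        user = None if m.group(2) == "-" else m.group(2)
        if m.group(4) == "POST" and m.group(5) == "/login":
            event = "login_ok" if m.group(6) == "200" else "login_fail"
        else:
            event = "other"
        events.append((ts, m.group(1), user, event))
    return sorted(events, key=lambda e: e[0])


def logins_between(events, start_hour, end_hour):
    """Time-based query: which users logged in successfully between the two
    hours of the day, on any day in the stored window?"""
    return sorted({user for ts, _ip, user, ev in events
                   if ev == "login_ok" and user
                   and start_hour <= ts.hour < end_hour})


def failed_login_report(events, threshold=3):
    """Exception report: source IPs with at least `threshold` failed logins,
    correlated across both log sources."""
    failures = Counter(ip for _ts, ip, _u, ev in events if ev == "login_fail")
    return {ip: n for ip, n in failures.items() if n >= threshold}


if __name__ == "__main__":
    evts = normalize(SSHD_LOGS, WEB_LOGS)
    print("logins 02:00-04:00:", logins_between(evts, 2, 4))
    print("sources with >=3 failed logins:", failed_login_report(evts))
```

The correlation step is what distinguishes this from reading each log on its own: 203.0.113.9 shows three failures in sshd and two more against the web login form, and only the combined count crosses the reporting threshold with a margin that makes the pattern obvious.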
151、When installing an intrusion detection system (IDS), which of the following is MOST important?
A、Properly locating it in the network architecture
B、Preventing denial-of-service (DoS) attacks
C、Identifying messages that need to be quarantined
D、Minimizing the rejection errors
ANSWER: A
NOTE: Proper location of an intrusion detection system (IDS) in the network is the most important decision during installation. A poorly located IDS could leave key areas of the network unprotected. Choices B, C and D are concerns during the configuration of an IDS, but if the IDS is not placed correctly, none of them would be adequately addressed.
152、To ensure authentication, confidentiality and integrity of a message, the sender should encrypt the hash of the message with the sender's:
A、public key and then encrypt the message with the receiver's private key.
B、private key and then encrypt the message with the receiver's public key.
C、public key and then encrypt the message with the receiver's public key.
D、private key and then encrypt the message with the receiver's private key.
ANSWER: B
NOTE: Obtaining the hash of the message ensures integrity; signing the hash of the message with the sender's private key ensures the authenticity of the origin, and encrypting the resulting message with the receiver's public key ensures confidentiality. The other choices are incorrect.
153、Which of the following should be a concern to an IS auditor reviewing a wireless network?
A、128-bit static-key WEP (Wired Equivalent Privacy) encryption is enabled.
B、SSID (Service Set IDentifier) broadcasting has been enabled.
C、Antivirus software has been installed in all wireless clients.
D、MAC (Media Access Control) access control filtering has been deployed.
ANSWER: B
NOTE: SSID broadcasting advertises the network name to everyone in range, which makes the network easier to find and target; among the four choices it is the only practice that weakens rather than strengthens the network, so B is the intended answer. Choices A, C and D are measures used to strengthen a wireless network. An auditor should nevertheless note that WEP, even with 128-bit static keys, has well-known cryptographic weaknesses (see question 147) and would be reported as a finding in its own right, and that MAC filtering and a non-broadcast SSID only deter casual access, since both the SSID and the permitted MAC addresses are visible in captured traffic.
154、An IS auditor observes a weakness in the tape management system at a data center in that some parameters are set to bypass or ignore tape header records. Which of the following is the MOST effective compensating control for this weakness?
A、Staging and job set up
B、Supervisory review of logs
C、Regular back-up of tapes
D、Offsite storage of tapes
ANSWER: A
NOTE: If the IS auditor finds that there are effective staging and job set up processes, this can be accepted as a compensating control. Choice B is a detective control while choices C and D are corrective controls, none of which would serve as good compensating controls.
155、Which of the following is the BEST audit procedure to determine if a firewall is configured in compliance with an organization's security policy?
A、Review the parameter settings.
B、Interview the firewall administrator.
C、Review the actual procedures.
D、Review the device's log file for recent attacks.
ANSWER: A
NOTE: A review of the parameter settings will provide a good basis for comparison of the actual configuration to the security policy and will provide audit evidence documentation. The other choices do not provide audit evidence as strong as choice A.
156、An IS auditor reviews an organizational chart PRIMARILY for:
A、an understanding of workflows.
B、investigating various communication channels.
C、understanding the responsibilities and authority of individuals.
D、investigating the network connected to different employees.
ANSWER: C
NOTE: An organizational chart provides information about the responsibilities and authority of individuals in the organization. This helps an IS auditor to know if there is a proper segregation of functions. A workflow chart would provide information about the roles of different employees. A network diagram will provide information about the usage of various communication channels and will indicate the connection of users to the network.
157、Which of the following is the BEST performance criterion for evaluating the adequacy of an organization's security awareness training?
A、Senior management is aware of critical information assets and demonstrates an adequate concern for their protection.
B、Job descriptions contain clear statements of accountability for information security.
C、In accordance with the degree of risk and business impact, there is adequate funding for security efforts.
D、No actual incidents have occurred that have caused a loss or a public embarrassment.
ANSWER: B
NOTE: Inclusion of security responsibilities in job descriptions is a form of security training and helps ensure that staff and management are aware of their roles with respect to information security. The other three choices are not criteria for evaluating security awareness training. Senior management awareness is a criterion for evaluating the importance that senior management attaches to information assets and their protection. Funding is a criterion that aids in evaluating whether security vulnerabilities are being addressed, while the number of incidents that have occurred is a criterion for evaluating the adequacy of the risk management program.
158、What is the MOST prevalent security risk when an organization implements remote virtual private network (VPN) access to its network?
A、Malicious code could be spread across the network
B、VPN logon could be spoofed
C、Traffic could be sniffed and decrypted
D、VPN gateway could be compromised
ANSWER: A
NOTE: VPN is a mature technology; VPN devices are hard to break. However, when remote access is enabled, malicious code in a remote client could spread to the organization's network. Though choices B, C and D are security risks, VPN technology largely mitigates these risks.
159、The activation of an enterprise's business continuity plan should be based on predetermined criteria that address the:
A、duration of the outage.
B、type of outage.
C、probability of the outage.
D、cause of the outage.
ANSWER: A
NOTE: The initiation of a business continuity plan (action) should primarily be based on the maximum period for which a business function can be disrupted before the disruption threatens the achievement of organizational objectives.
160、An organization with extremely high security requirements is evaluating the effectiveness of biometric systems. Which of the following performance indicators is MOST important?
A、False-acceptance rate (FAR)
B、Equal-error rate (EER)
C、False-rejection rate (FRR)
D、False-identification rate (FIR)
ANSWER: A
NOTE: FAR is the frequency of accepting an unauthorized person as authorized, thereby granting access when it should be denied. In an organization with high security requirements, user annoyance with a higher FRR is less important, since it is better to deny access to an authorized individual than to grant access to an unauthorized individual. EER is the point where the FAR equals the FRR; therefore, it does not minimize the FAR. FIR is the probability that an authorized person is identified, but is assigned a false ID.
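The following is an added example, not part of the original question bank, that illustrates both question 148 and question 160 on one set of numbers: it computes FAR and FRR from matching scores, sweeps the decision threshold to locate the equal-error rate, and then shows what a high-security deployment does instead, which is to fix a maximum acceptable FAR and accept the higher FRR that comes with it. The genuine and impostor scores are constructed similarity scores in the range 0 to 100 (higher means a closer match); they are not from any real device.

```python
# Added example (not from the original question bank): FAR, FRR and EER from
# constructed biometric matching scores. Higher score = closer match.

GENUINE = [92, 88, 85, 81, 79, 77, 74, 70, 66, 61]            # same-person attempts
IMPOSTOR = [58, 55, 52, 49, 47, 44, 41, 38, 36, 33, 30, 27,    # different-person attempts,
            63, 68, 72]                                        # incl. a few close look-alikes


def far(threshold, impostor=IMPOSTOR):
    """False-acceptance rate: share of impostor attempts scoring at or above
    the threshold (they would be let in)."""
    return sum(s >= threshold for s in impostor) / len(impostor)


def frr(threshold, genuine=GENUINE):
    """False-rejection rate: share of genuine attempts scoring below the
    threshold (they would be turned away)."""
    return sum(s < threshold for s in genuine) / len(genuine)


def equal_error_rate(genuine=GENUINE, impostor=IMPOSTOR):
    """Sweep integer thresholds and return (threshold, eer) at the point where
    |FAR - FRR| is smallest. The EER is a single rate, the common value of FAR
    and FRR at that operating point, so it summarises a device in one number."""
    best = None
    for t in range(0, 101):
        a, r = far(t, impostor), frr(t, genuine)
        if best is None or abs(a - r) < best[2]:
            best = (t, (a + r) / 2, abs(a - r))
    return best[0], best[1]


def threshold_for_max_far(max_far, genuine=GENUINE, impostor=IMPOSTOR):
    """High-security tuning (question 160): the lowest threshold whose FAR does
    not exceed max_far, together with the FRR (user inconvenience) it costs."""
    for t in range(0, 101):
        if far(t, impostor) <= max_far:
            return t, frr(t, genuine)
    return None


if __name__ == "__main__":
    t, eer = equal_error_rate()
    print(f"EER {eer:.3f} at threshold {t} (FAR {far(t):.3f}, FRR {frr(t):.3f})")
    for limit in (0.10, 0.0):
        t, r = threshold_for_max_far(limit)
        print(f"FAR <= {limit:.2f}: threshold {t}, FRR {r:.2f}")
```

Operating at the EER threshold (64) still admits two of the fifteen impostors. Requiring FAR of zero pushes the threshold to 73 and rejects three of the ten genuine users, which is the trade-off question 160 says a high-security organization should accept.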
161、A structured walk-through test of a disaster recovery plan involves:
A、representatives from each of the functional areas coming together to go over the plan.
B、all employees who participate in the day-to-day operations coming together to practice executing the plan.
C、moving the systems to the alternate processing site and performing processing operations.
D、distributing copies of the plan to the various functional areas for review.
ANSWER: A
NOTE: A structured walk-through test of a disaster recovery plan involves representatives from each of the functional areas coming together to review the plan to determine if the plan pertaining to their area is accurate and complete and can be implemented when required. Choice B is a simulation test to prepare and train the personnel who will be required to respond to disasters and disruptions. Choice C is a form of parallel testing to ensure that critical systems will perform satisfactorily in the alternate site. Choice D is a checklist test.
162、To minimize costs and improve service levels an outsourcer should seek which of the following contract clauses?
A、O/S and hardware refresh frequencies
B、Gain-sharing performance bonuses
C、Penalties for noncompliance
D、Charges tied to variable cost metrics
ANSWER: B
NOTE: Because the outsourcer will share a percentage of the achieved savings, gain-sharing performance bonuses provide a financial incentive to go above and beyond the stated terms of the contract and can lead to cost savings for the client. Refresh frequencies and penalties for noncompliance would only encourage the outsourcer to meet minimum requirements. Similarly, tying charges to variable cost metrics would not encourage the outsourcer to seek additional efficiencies that might benefit the client.
163、As updates to an online order entry system are processed, the updates are recorded on a transaction tape and a hard copy transaction log. At the end of the day, the order entry files are backed up on tape. During the backup procedure, a drive malfunctions and the order entry files are lost. Which of the following is necessary to restore these files?
A、The previous day's backup file and the current transaction tape
B、The previous day's transaction file and the current transaction tape
C、The current transaction tape and the current hard copy transaction log
D、The current hard copy transaction log and the previous day's transaction file
ANSWER: A
NOTE: The previous day's backup file will be the most current historical backup of activity in the system. The current day's transaction file will contain all of the day's activity. Therefore, the combination of these two files will enable full recovery up to the point of interruption.
164、Many IT projects experience problems because the development time and/or resource requirements are underestimated. Which of the following techniques would provide the GREATEST assistance in developing an estimate of project duration?
A、Function point analysis
B、PERT chart
C、Rapid application development
D、Object-oriented system development
ANSWER: B
NOTE: A PERT chart will help determine project duration once all the activities and the work involved with those activities are known. Function point analysis is a technique for determining the size of a development task based on the number of function points. Function points are factors such as inputs, outputs, inquiries, logical internal files, etc. While this will help determine the size of individual activities, it will not assist in determining project duration since there are many overlapping tasks. Rapid application development is a methodology that enables organizations to develop strategically important systems faster while reducing development costs and maintaining quality, while object-oriented system development is the process of solution specification and modeling.
165、Sending a message and a message hash encrypted by the sender's private key will ensure:
A、authenticity and integrity.
B、authenticity and privacy.
C、integrity and privacy.
D、privacy and nonrepudiation.
ANSWER: A
NOTE: If the sender sends both a message and a message hash encrypted with its private key, the receiver can apply the sender's public key to the encrypted hash and recover the message hash. The receiver then applies the hashing algorithm to the received message and generates its own hash. If the generated hash matches the one received, the receiver is assured that the message was sent by the specific sender (i.e., authenticity) and that it has not been changed en route (integrity). Authenticity and privacy are ensured by first signing with the sender's private key and then encrypting the message with the receiver's public key. Privacy and integrity can be ensured by encrypting the message with the receiver's public key and sending a message hash/digest. Encrypting the message with the sender's private key provides nonrepudiation of origin but not privacy: the sender's public key, available to anyone, can decrypt it.
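The following is an added example, not part of the original question bank, that makes the key-usage pattern of questions 152 and 165 concrete with textbook RSA: the hash is signed with the sender's private key, and the message (signature attached) is encrypted for the receiver's public key. The primes are tiny (chosen at run time with a trial-division helper), there is no padding, and the message is encrypted byte by byte, so the numbers are in no way secure and the construction leaks patterns; the only point is which key is used at each step. Key sizes, messages and the envelope format are all constructed for the illustration.

```python
import hashlib
import math

# Added example (not from the original question bank): textbook RSA on tiny
# primes to show WHICH key is used at each step. Not secure; no padding.


def is_prime(n):
    """Trial division; adequate for the small toy primes used here."""
    if n < 2:
        return False
    i = 2
    while i * i <= n:
        if n % i == 0:
            return False
        i += 1
    return True


def next_prime(n):
    while not is_prime(n):
        n += 1
    return n


def make_keypair(p, q, e=17):
    """Textbook RSA: returns ((e, n), (d, n)) = (public, private)."""
    n, phi = p * q, (p - 1) * (q - 1)
    while math.gcd(e, phi) != 1:      # keep e coprime to phi(n)
        e += 2
    d = pow(e, -1, phi)               # modular inverse (Python 3.8+)
    return (e, n), (d, n)


# Constructed key pairs; any primes in this range would do.
SENDER_PUB, SENDER_PRIV = make_keypair(next_prime(7900), next_prime(7910))
RECEIVER_PUB, RECEIVER_PRIV = make_keypair(next_prime(9000), next_prime(9100))


def digest(message: bytes, n: int) -> int:
    """Hash the message and reduce it to an integer below n (toy only)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message: bytes, sender_private) -> int:
    """Authenticity + integrity: hash 'encrypted' with the SENDER'S PRIVATE key."""
    d, n = sender_private
    return pow(digest(message, n), d, n)


def verify(message: bytes, signature: int, sender_public) -> bool:
    """Anyone can check the signature with the sender's PUBLIC key."""
    e, n = sender_public
    return pow(signature, e, n) == digest(message, n)


def encrypt(data: bytes, receiver_public):
    """Confidentiality: each byte encrypted with the RECEIVER'S PUBLIC key."""
    e, n = receiver_public
    return [pow(b, e, n) for b in data]


def decrypt(blocks, receiver_private) -> bytes:
    """Only the holder of the receiver's PRIVATE key can undo encrypt()."""
    d, n = receiver_private
    return bytes(pow(c, d, n) for c in blocks)


def send(message: bytes, sender_private, receiver_public):
    """Question 152: sign the hash with the sender's private key, then encrypt
    message + signature with the receiver's public key."""
    sig = sign(message, sender_private)
    envelope = message + b"|" + str(sig).encode()
    return encrypt(envelope, receiver_public)


def receive(ciphertext, receiver_private, sender_public):
    """Decrypt with the receiver's private key, then verify the signature with
    the sender's public key. Returns (message, signature_valid)."""
    envelope = decrypt(ciphertext, receiver_private)
    message, _, sig = envelope.rpartition(b"|")
    return message, verify(message, int(sig), sender_public)


if __name__ == "__main__":
    msg = b"Pay 1000 USD to account 12345"
    ct = send(msg, SENDER_PRIV, RECEIVER_PUB)
    print(receive(ct, RECEIVER_PRIV, SENDER_PUB))
    # Question 165: signature alone gives authenticity and integrity, no privacy
    sig = sign(msg, SENDER_PRIV)
    print(verify(msg, sig, SENDER_PUB), verify(msg + b"0", sig, SENDER_PUB))
```

sign() plus verify() on their own is the question 165 case: the message travels in clear, so anyone can read it, but a changed message or a signature made with another key fails verification. send() and receive() add the receiver's key pair on top and are the question 152 case. In real systems the same roles are filled by a padded signature scheme and a hybrid (symmetric content key wrapped with the receiver's public key), not by raw exponentiation on bytes.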
166、An IS auditor was hired to review e-business security. The IS auditor's first task was to examine each existing e-business application looking for vulnerabilities. What would be the next task?
A、Report the risks to the CIO and CEO immediately
B、Examine e-business application in development
C、Identify threats and likelihood of occurrence
D、Check the budget available for risk management
ANSWER: C
NOTE: An IS auditor must identify the assets, look for vulnerabilities, and then identify the threats and the likelihood of occurrence. Choices A, B and D should be discussed with the CIO, and a report should be delivered to the CEO. The report should include the findings along with priorities and costs.
167、The PRIMARY purpose of a business impact analysis (BIA) is to:
A、provide a plan for resuming operations after a disaster.
B、identify the events that could impact the continuity of an organization's operations.
C、publicize the commitment of the organization to physical and logical security.
D、provide the framework for an effective disaster recovery plan.
ANSWER: B
NOTE: A business impact analysis (BIA) is one of the key steps in the development of a business continuity plan (BCP). A BIA will identify the diverse events that could impact the continuity of the operations of an organization.
168、A web server is attacked and compromised. Which of the following should be performed FIRST to handle the incident?
A、Dump the volatile storage data to a disk.
B、Run the server in a fail-safe mode.
C、Disconnect the web server from the network.
D、Shut down the web server.
ANSWER: C
NOTE: The first action is to disconnect the web server from the network to contain the damage and prevent further actions by the attacker. Dumping the volatile storage data to disk may be used at the investigation stage but does not contain an attack in progress. To run the server in a fail-safe mode, the server would first have to be shut down. Shutting down the server could erase information that might be needed for a forensic investigation or to develop a strategy to prevent similar attacks in future. Many incident response plans therefore isolate the host at the network layer (disabling its switch port, or quarantining it with a firewall or host-isolation rule) rather than pulling power, precisely so that the volatile evidence remains available for the later memory capture.
169、Which of the following should be included in a feasibility study for a project to implement an EDI process?
A、The encryption algorithm format
B、The detailed internal control procedures
C、The necessary communication protocols
D、The proposed trusted third-party agreement
ANSWER: C
NOTE: Encryption algorithms, third-party agreements and internal control procedures are too detailed for this phase. They would only be outlined and any cost or performance implications shown. The communications protocols must be included, as there may be significant cost implications if new hardware and software are involved, and risk implications if the technology is new to the organization.
170、Which of the following is the MOST effective control when granting temporary access to vendors?
A、Vendor access corresponds to the service level agreement (SLA).
B、User accounts are created with expiration dates and are based on services provided.
C、Administrator access is provided for a limited period.
D、User IDs are deleted when the work is completed.
ANSWER: B
NOTE: The most effective control is to ensure that the granting of temporary access is based on services to be provided and that there is an expiration date (hopefully automated) associated with each ID. The SLA may have a provision for providing access, but this is not a control; it would merely define the need for access. Vendors require access for a limited period during the time of service. However, it is important to ensure that the access during this period is monitored. Deleting these user IDs after the work is completed is necessary, but if not automated, the deletion could be overlooked.
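The following is an added example, not part of the original question bank, of the reconciliation an IS auditor would run to test the concerns in question 142 (access appropriate to role, segregation of duties, revocation for people who have left) and question 170 (temporary vendor accounts with expiration dates). The HR roster, the per-role entitlement baseline, the account list, the conflict rule and the review date are all constructed; in practice they would be exported from the HR system, the directory and the application's authorization tables.

```python
from datetime import date

# Added example (not from the original question bank): logical access review
# after a downsizing (Q142) plus temporary vendor accounts (Q170).
# Roster, role baseline, accounts and review date are constructed.

TODAY = date(2024, 3, 31)

HR_ROSTER = {                      # user -> (role, employment status)
    "alice": ("accounts_payable", "active"),
    "bob":   ("it_ops", "active"),
    "carol": ("accounts_payable", "terminated"),   # laid off, account never disabled
    "dave":  ("it_ops", "active"),
}

ROLE_ENTITLEMENTS = {              # least-privilege baseline per role
    "accounts_payable": {"erp_ap_entry", "erp_reports"},
    "ap_approver":      {"erp_ap_approve", "erp_reports"},
    "it_ops":           {"server_admin", "backup_console"},
    "vendor":           {"ticketing"},
}

SOD_CONFLICTS = [                  # combinations one person must not hold
    {"erp_ap_entry", "erp_ap_approve"},
]

ACCOUNTS = [   # (user, entitlements, enabled, expiration date, account type)
    ("alice", {"erp_ap_entry", "erp_reports"}, True, None, "employee"),
    ("bob",   {"server_admin", "backup_console", "erp_ap_entry"}, True, None, "employee"),  # picked up AP duties
    ("carol", {"erp_ap_entry", "erp_reports"}, True, None, "employee"),
    ("dave",  {"server_admin", "erp_ap_entry", "erp_ap_approve"}, True, None, "employee"),
    ("vend1", {"ticketing"}, True, date(2024, 2, 28), "vendor"),                  # expired, still enabled
    ("vend2", {"ticketing", "server_admin"}, True, date(2024, 6, 30), "vendor"),  # over-entitled
    ("vend3", {"ticketing"}, False, date(2024, 1, 15), "vendor"),                 # expired and disabled: fine
    ("vend4", {"ticketing"}, True, None, "vendor"),                               # no expiration date at all
]


def review_access(accounts, roster, role_entitlements, sod_conflicts, today):
    """Return (user, finding) pairs for the auditor's working papers."""
    findings = []
    for user, ents, enabled, expires, kind in accounts:
        if kind == "employee":
            if user not in roster:
                findings.append((user, "account with no HR record"))
                continue
            role, status = roster[user]
            if status != "active" and enabled:
                findings.append((user, "enabled account for terminated employee"))
        else:
            role = "vendor"
            if expires is None:
                findings.append((user, "vendor account without expiration date"))
            elif expires < today and enabled:
                findings.append((user, "vendor account enabled past expiration"))
        if not enabled:
            continue                       # a disabled account carries no live privilege
        excess = ents - role_entitlements.get(role, set())
        if excess:
            findings.append((user, "entitlements beyond role: " + ", ".join(sorted(excess))))
        for conflict in sod_conflicts:
            if conflict <= ents:
                findings.append((user, "segregation-of-duties conflict: "
                                 + " + ".join(sorted(conflict))))
    return findings


def users_with_findings(findings):
    return sorted({user for user, _ in findings})


if __name__ == "__main__":
    for user, finding in review_access(ACCOUNTS, HR_ROSTER, ROLE_ENTITLEMENTS,
                                       SOD_CONFLICTS, TODAY):
        print(f"{user:6} {finding}")
```

The expiration check is the automation question 170's note asks for: an account that has passed its date but is still enabled is a finding regardless of whether anyone remembered to delete it. The role comparison surfaces the downsizing pattern from question 142, where people keep former entitlements after taking on new duties.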
171、An IS auditor who has discovered unauthorized transactions during a review of EDI transactions is likely to recommend improving the:
A、EDI trading partner agreements.
B、physical controls for terminals.
C、authentication techniques for sending and receiving messages.
D、program change control procedures.
ANSWER: C
NOTE: Authentication techniques for sending and receiving messages play a key role in minimizing exposure to unauthorized transactions. The EDI trading partner agreements would minimize exposure to legal issues.
172、From a control perspective, the PRIMARY objective of classifying information assets is to:
A、establish guidelines for the level of access controls that should be assigned.
B、ensure access controls are assigned to all information assets.
C、assist management and auditors in risk assessment.
D、identify which assets need to be insured against losses.
ANSWER: A
NOTE: Information has varying degrees of sensitivity and criticality in meeting business objectives. By assigning classes or levels of sensitivity and criticality to information resources, management can establish guidelines for the level of access controls that should be assigned. End user management and the security administrator will use these classifications in their risk assessment process to assign a given class to each asset.
173、Business units are concerned about the performance of a newly implemented system. Which of the following should an IS auditor recommend?
A、Develop a baseline and monitor system usage.
B、Define alternate processing procedures.
C、Prepare the maintenance manual.
D、Implement the changes users have suggested.
ANSWER: A
NOTE: An IS auditor should recommend the development of a performance baseline and monitor the system's performance, against the baseline, to develop empirical data upon which decisions for modifying the system can be made. Alternate processing procedures and a maintenance manual will not alter a system's performance. Implementing changes without knowledge of the cause(s) for the perceived poor performance may not result in a more efficient system.
174、When developing a business continuity plan (BCP), which of the following tools should be used to gain an understanding of the organization's business processes?
A、Business continuity self-audit
B、Resource recovery analysis
C、Risk assessment
D、Gap analysis
ANSWER: C
NOTE: Risk assessment and business impact analysis are the tools used to gain an understanding of the business for business continuity planning. A business continuity self-audit is a tool for evaluating the adequacy of the BCP, resource recovery analysis is a tool for identifying a business resumption strategy, and the role gap analysis plays in business continuity planning is to identify deficiencies in a plan. None of these is used for gaining an understanding of the business.
175、A team conducting a risk analysis is having difficulty projecting the financial losses that could result from a risk. To evaluate the potential losses, the team should:
A、compute the amortization of the related assets.
B、calculate a return on investment (ROI).
C、apply a qualitative approach.
D、spend the time needed to define exactly the loss amount.
ANSWER: C
NOTE: The common practice, when it is difficult to calculate the financial losses, is to take a qualitative approach, in which the manager affected by the risk defines the financial loss in terms of a weighted factor (e.g., one is a very low impact to the business and five is a very high impact). An ROI is computed when there are predictable savings or revenues that can be compared to the investment needed to realize them. Amortization is used in a profit and loss statement, not in computing potential losses. Spending the time needed to define the total amount exactly is normally the wrong approach. If it has been difficult to estimate potential losses (e.g., losses derived from erosion of public image due to a hack attack), that situation is not likely to change, and at the end of the day the result will be a poorly supported evaluation.
176、After observing suspicious activities in a server, a manager requests a forensic analysis. Which of the following findings should be of MOST concern to the investigator?
A、Server is a member of a workgroup and not part of the server domain
B、Guest account is enabled on the server
C、Recently, 100 users were created in the server
D、Audit logs are not enabled for the server
ANSWER: D
NOTE: Audit logs can provide evidence which is required to proceed with an investigation and should not be disabled. For business needs, a server can be a member of a workgroup and, therefore, not a concern. Having a guest account enabled on a system is a poor security practice but not a forensic investigation concern. Recently creating 100 users in the server may have been required to meet business needs and should not be a concern.
177、An organization is implementing a new system to replace a legacy system. Which of the following conversion practices creates the GREATEST risk?
A、Pilot
B、Parallel
C、Direct cutover
D、Phased
ANSWER: C
NOTE: Direct cutover implies switching to the new system immediately, usually without the ability to revert to the old system in the event of problems. All other alternatives are done gradually and thus provide greater recoverability and are therefore less risky.
178、Which of the following is a network diagnostic tool that monitors and records network information?
A、Online monitor
B、Downtime report
C、Help desk report
D、Protocol analyzer
ANSWER: D
NOTE: Protocol analyzers are network diagnostic tools that monitor and record network information from packets traveling in the link to which the analyzer is attached. Online monitors (choice A) measure telecommunications transmissions and determine whether transmissions were accurate and complete. Downtime reports (choice B) track the availability of telecommunication lines and circuits. Help desk reports (choice C) are prepared by the help desk, which is staffed or supported by IS technical support personnel trained to handle problems occurring during the course of IS operations.
179、Which of the following is the initial step in creating a firewall policy?
A、A cost-benefit analysis of methods for securing the applications
B、Identification of network applications to be externally accessed
C、Identification of vulnerabilities associated with network applications to be externally accessed
D、Creation of an applications traffic matrix showing protection methods
ANSWER: B
NOTE: The first step is to identify the applications that must be accessible across the network perimeter. Knowing where those applications sit in the network and which network model is in use, the person in charge can then understand the need for, and possible methods of, controlling access to them. The second step is to identify the vulnerabilities (weaknesses) associated with those applications. The third step is to identify methods of protecting against the identified vulnerabilities and to compare them in a cost-benefit analysis. The final step is to analyze the application traffic and create a matrix showing how each type of traffic will be protected.
180、Which of the following components is responsible for the collection of data in an intrusion detection system (IDS)?
A、Analyzer
B、Administration console
C、User interface
D、Sensor
ANSWER: D
NOTE: Sensors are responsible for collecting data. Analyzers receive input from sensors and determine intrusive activity. An administration console and a user interface are components of an IDS.
181、The purpose of a checksum on an amount field in an electronic data interchange (EDI) communication of financial transactions is to ensure:
A、integrity.
B、authenticity.
C、authorization.
D、nonrepudiation.
ANSWER: A
NOTE: A checksum calculated on an amount field and included in the EDI communication can be used to detect modifications to that field. It cannot by itself establish authenticity or authorization: anyone who alters the field can recompute the checksum, so those properties need other controls, such as a keyed message authentication code or a digital signature. Nonrepudiation can be ensured by using digital signatures.
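The following is an added example, not part of the original question bank, that shows why the answer is integrity and nothing more: a CRC-32 over the amount field detects a changed amount, but an attacker who changes the field simply recomputes the checksum, whereas a keyed tag (HMAC-SHA-256) over the same field cannot be recomputed without the key. The segment layout, field names and shared key are constructed and do not follow any real EDI standard.

```python
import hashlib
import hmac
import zlib

# Added example (not from the original question bank): an unkeyed checksum
# versus a keyed tag on an EDI amount field. Layout and key are constructed.

KEY = b"shared-secret-between-trading-partners"   # constructed, per partner pair


def checksum(amount: str) -> str:
    """Unkeyed integrity value: CRC-32 of the amount field as 8 hex digits."""
    return "%08x" % zlib.crc32(amount.encode())


def keyed_tag(amount: str, key: bytes = KEY) -> str:
    """Keyed integrity value: HMAC-SHA-256 over the same field."""
    return hmac.new(key, amount.encode(), hashlib.sha256).hexdigest()


def build_segment(amount: str) -> dict:
    """Outgoing segment carrying the amount with both protection values."""
    return {"AMT": amount, "CHK": checksum(amount), "MAC": keyed_tag(amount)}


def verify_checksum(seg: dict) -> bool:
    return hmac.compare_digest(checksum(seg["AMT"]), seg["CHK"])


def verify_tag(seg: dict, key: bytes = KEY) -> bool:
    return hmac.compare_digest(keyed_tag(seg["AMT"], key), seg["MAC"])


def tamper_in_transit(seg: dict, new_amount: str, attacker_knows_key=False) -> dict:
    """Change the amount and recompute whatever the attacker is able to."""
    forged = dict(seg, AMT=new_amount, CHK=checksum(new_amount))
    if attacker_knows_key:
        forged["MAC"] = keyed_tag(new_amount)
    return forged


if __name__ == "__main__":
    seg = build_segment("1000.00")
    forged = tamper_in_transit(seg, "9000.00")
    print("original :", verify_checksum(seg), verify_tag(seg))
    print("forged   :", verify_checksum(forged), verify_tag(forged))
    print("bit error:", verify_checksum(dict(seg, AMT="1000.01")))
```

The checksum catches the accidental corruption ("1000.01") and the tag catches the deliberate forgery; the checksum alone passes the forgery. Note that an HMAC still does not give nonrepudiation, since both trading partners hold the same key and either could have produced the tag; that is why the note reserves nonrepudiation for digital signatures.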
182、Minimum password length and password complexity verification are examples of:
A、detection controls.
B、control objectives.
C、audit objectives.
D、control procedures.
ANSWER: D
NOTE: Control procedures are practices established by management to achieve specific control objectives. Password controls are preventive controls, not detective controls. Control objectives are declarations of expected results from implementing controls and audit objectives are the specific goals of an audit.
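The following is an added example, not part of the original question bank, of such a control procedure written down as code: a password verification routine that enforces a minimum length and a number of character classes and returns every rule the candidate password breaks, so the user (or the auditor testing the control) sees exactly which parameter failed. The parameter values, the deny-list and the repeated-character rule are constructed settings, not a quoted standard.

```python
import re

# Added example (not from the original question bank): a password policy
# check as a control procedure. Parameters and deny-list are constructed.

COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}

CHARACTER_CLASSES = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")


def check_password(password, username="", min_length=12, min_classes=3):
    """Return the list of policy violations; an empty list means the password
    is accepted. Preventive control: it runs before the password is stored."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    classes = sum(bool(re.search(p, password)) for p in CHARACTER_CLASSES)
    if classes < min_classes:
        problems.append(f"only {classes} character class(es), policy requires {min_classes}")
    if username and username.lower() in password.lower():
        problems.append("contains the user name")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("in the common-password deny-list")
    if re.search(r"(.)\1{3,}", password):
        problems.append("contains a character repeated 4+ times")
    return problems


if __name__ == "__main__":
    for user, pw in (("alice", "Tr0ub4dor&3xample"), ("alice", "alice2024"),
                     ("bob", "password"), ("bob", "aaaa1234BBBB!")):
        print(f"{pw!r}: {check_password(pw, user) or 'accepted'}")
```

Each rule corresponds to one parameter an auditor would expect to find documented in the password standard (the control objective) and configured in the system (the control procedure); the function makes the mapping explicit and testable.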
183、Disabling which of the following would make wireless local area networks more secure against unauthorized access?
A、MAC (Media Access Control) address filtering
B、WPA (Wi-Fi Protected Access Protocol)
C、LEAP (Lightweight Extensible Authentication Protocol)
D、SSID (service set identifier) broadcasting
ANSWER: D
NOTE: Disabling SSID broadcasting adds a modest amount of security by making it harder for casual users to discover the access point's name; it is not a strong control on its own, because the SSID still appears in probe and association frames that any wireless sniffer can capture. Disabling MAC address filtering would reduce security: with filtering enabled an attacker must first capture traffic and forge a permitted MAC address. Disabling WPA reduces security, since WPA encrypts the traffic. Disabling LEAP reduces security, since LEAP authenticates clients and derives per-session keys; LEAP itself has known weaknesses against offline dictionary attacks, but removing it without a replacement would still leave the network less protected.
184、Which of the following would be the BEST access control procedure?
A、The data owner formally authorizes access and an administrator implements the user authorization tables.
B、Authorized staff implements the user authorization tables and the data owner sanctions them.
C、The data owner and an IS manager jointly create and update the user authorization tables.
D、The data owner creates and updates the user authorization tables.
ANSWER: A
NOTE: The data owner holds the privilege and responsibility for formally establishing the access rights. An IS administrator should then implement or update user authorization tables. Choice B alters the desirable order. Choice C is not a formal procedure for authorizing access.
185、Accountability for the maintenance of appropriate security measures over information assets resides with the:
A、security administrator.
B、systems administrator.
C、data and systems owners.
D、systems operations group.
ANSWER: C
NOTE: Management should ensure that all information assets (data and systems) have an appointed owner who makes decisions about classification and access rights. System owners typically delegate day-to-day custodianship to the systems delivery/operations group and security responsibilities to a security administrator. Owners, however, remain accountable for the maintenance of appropriate security measures.
186、Which of the following is a dynamic analysis tool for the purpose of testing software modules?
A、Black box test
B、Desk checking
C、Structured walkthrough
D、Design and code
ANSWER: A
NOTE: A black box test is a dynamic analysis tool for testing software modules. During the testing of software modules a black box test works first in a cohesive manner as a single unit/entity consisting of numerous modules, and second with the user data that flows across software modules. In some cases, this even drives the software behavior. In choices B, C and D, the software (design or code) remains static and someone closely examines it by applying their mind, without actually activating the software. Therefore, these cannot be referred to as dynamic analysis tools.
187、In a client-server architecture, a domain name service (DNS) is MOST important because it provides the:
A、address of the domain server.
B、resolution service for the name/address.
C、IP addresses for the Internet.
D、domain name system.
ANSWER: B
NOTE: DNS is utilized primarily on the Internet for resolution of the name/address of the web site. It is an Internet service that translates domain names into IP addresses. As names are alphabetic, they are easier to remember. However, the Internet is based on IP addresses. Every time a domain name is used, a DNS service must translate the name into the corresponding IP address. The DNS system has its own network. If one DNS server does not know how to translate a particular domain name, it asks another one, and so on, until the correct IP address is returned.
188、Which of the following is an advantage of the top-down approach to software testing?
A、Interface errors are identified early
B、Testing can be started before all programs are complete
C、It is more effective than other testing approaches
D、Errors in critical modules are detected sooner
ANSWER: A
NOTE: The advantage of the top-down approach is that tests of major functions are conducted early, thus enabling the detection of interface errors sooner. The most effective testing approach is dependent on the environment being tested. Choices B and D are advantages of the bottom-up approach to system testing.
189、An organization currently using tape backups takes one full backup weekly and incremental backups daily. They recently augmented their tape backup procedures with a backup-to-disk solution. This is appropriate because:
A、fast synthetic backups for offsite storage are supported.
B、backup to disk is always significantly faster than backup to tape.
C、tape libraries are no longer needed.
D、data storage on disks is more reliable than on tapes.
ANSWER: A
NOTE: Disk-to-disk (D2D) backup should not be seen as a direct replacement for backup to tape; rather, it should be viewed as part of a multitiered backup architecture that takes advantage of the best features of both tape and disk technologies. Backups to disks are not dramatically faster than backups to tapes in a balanced environment. More often than not there is hardly a difference, since the limiting components are not tape or disk drives but the overall sustained bandwidth of the backup server's backplane. The advantage in terms of speed is in restore performance, since all data are on hand and can be accessed randomly, resulting in a dramatic enhancement in throughput. This makes fast synthetic backups (making a full backup without touching the host's data, only by using the existing incremental backups) efficient and easy. Although the cost of disks has been reduced, tape-based backup can offer an overall cost advantage over disk-only solutions. Even if RAID arrays are used for D2D storage, a failed drive must be swapped out and the RAID set rebuilt before another disk drive fails, thus making this kind of backup more risky and not suitable as a solution of last resort. In contrast, a single tape drive failure does not produce any data loss since the data resides on the tape media. In a multidrive library, the loss of the use of a single tape drive has no impact on the overall level of data protection. Conversely, the loss of a disk drive in an array can put all data at risk. This in itself reinforces the benefits of a disk-to-disk-to-any storage hierarchy, as data could be protected by a tertiary stage of disk storage and ultimately tape. Beyond the drive failure issue, tape has an inherent reliability advantage over any disk drive as it has no boot sector or file allocation table that can be infected or manipulated by a virus.
190、An IS auditor reviewing database controls discovered that changes to the database during normal working hours were handled through a standard set of procedures. However, changes made after normal hours required only an abbreviated number of steps. In this situation, which of the following would be considered an adequate set of compensating controls?
A、Allow changes to be made only with the DBA user account.
B、Make changes to the database after granting access to a normal user account.
C、Use the DBA user account to make changes, log the changes and review the change log the following day.
D、Use the normal user account to make changes, log the changes and review the change log the following day.
ANSWER: C
NOTE: The use of a database administrator (DBA) user account is normally set up to log all changes made and is most appropriate for changes made outside of normal hours. The use of a log, which records the changes, allows changes to be reviewed. The use of the DBA user account without logging would permit uncontrolled changes to be made to databases once access to the account was obtained. The use of a normal user account with no restrictions would allow uncontrolled changes to any of the databases. Logging would only provide information on changes made, but would not limit changes to only those that were authorized. Hence, logging coupled with review form an appropriate set of compensating controls.
191、Which of the following message services provides the strongest evidence that a specific action has occurred?
A、Proof of delivery
B、Nonrepudiation
C、Proof of submission
D、Message origin authentication
ANSWER: B
NOTE: Nonrepudiation services provide evidence that a specific action occurred. Nonrepudiation services are similar to their weaker proof counterparts, i.e., proof of submission, proof of delivery and message origin authentication. However, nonrepudiation provides stronger evidence because the proof can be demonstrated to a third party. Digital signatures are used to provide nonrepudiation. Message origin authentication will only confirm the source of the message and does not confirm the specific action that has been completed.
192、Assessing IT risks is BEST achieved by:
A、evaluating threats associated with existing IT assets and IT projects.
B、using the firm's past actual loss experience to determine current exposure.
C、reviewing published loss statistics from comparable organizations.
D、reviewing IT control weaknesses identified in audit reports.
ANSWER: A
NOTE: To assess IT risks, threats and vulnerabilities need to be evaluated using qualitative or quantitative risk assessment approaches. Choices B, C and D are potentially useful inputs to the risk assessment process, but by themselves are not sufficient. Basing an assessment on past losses will not adequately reflect inevitable changes to the firm's IT assets, projects, controls and strategic environment. There are also likely to be problems with the scope and quality of the loss data available to be assessed. Comparable organizations will have differences in their IT assets, control environment and strategic circumstances. Therefore, their loss experience cannot be used to directly assess organizational IT risk. Control weaknesses identified during audits will be relevant in assessing threat exposure and further analysis may be needed to assess threat probability. Depending on the scope of the audit coverage, it is possible that not all of the critical IT assets and projects will have recently been audited, and there may not be a sufficient assessment of strategic IT risks.
193、Which of the following exposures could be caused by a line grabbing technique?
A、Unauthorized data access
B、Excessive CPU cycle usage
C、Lockout of terminal polling
D、Multiplexor control dysfunction
ANSWER: A
NOTE: Line grabbing will enable eavesdropping, thus allowing unauthorized data access. It will not necessarily cause multiplexor dysfunction, excessive CPU usage or lockout of terminal polling.
194、Which of the following antispam filtering techniques would BEST prevent a valid, variable-length e-mail message containing a heavily weighted spam keyword from being labeled as spam?
A、Heuristic (rule-based)
B、Signature-based
C、Pattern matching
D、Bayesian (statistical)
ANSWER: D
NOTE: Bayesian filtering applies statistical modeling to messages, by performing a frequency analysis on each word within the message and then evaluating the message as a whole. Therefore, it can ignore a suspicious keyword if the entire message is within normal bounds. Heuristic filtering is less effective, since new exception rules may need to be defined when a valid message is labeled as spam. Signature-based filtering is useless against variable-length messages, because the calculated MD5 hash changes all the time. Finally, pattern matching is actually a degraded rule-based technique, where the rules operate at the word level using wildcards, and not at higher levels.
195、IT governance is PRIMARILY the responsibility of the:
A、chief executive officer.
B、board of directors.
C、IT steering committee.
D、audit committee.
ANSWER: B
NOTE: IT governance is primarily the responsibility of the executives and shareholders (as represented by the board of directors). The chief executive officer is instrumental in implementing IT governance per the directions of the board of directors. The IT steering committee monitors and facilitates deployment of IT resources for specific projects in support of business plans. The audit committee reports to the board of directors and should monitor the implementation of audit recommendations.
196、After reviewing its business processes, a large organization is deploying a new web application based on a VoIP technology. Which of the following is the MOST appropriate approach for implementing access control that will facilitate security management of the VoIP web application?
A、Fine-grained access control
B、Role-based access control (RBAC)
C、Access control lists
D、Network/service access control
ANSWER: B
NOTE: Authorization in this VoIP case can best be addressed by role-based access control (RBAC) technology. RBAC is easy to manage and can enforce strong and efficient access controls in large-scale web environments including VoIP implementation. Access control lists and fine-grained access control on VoIP web applications do not scale to enterprisewide systems, because they are primarily based on individual user identities and their specific technical privileges. Network/service access control addresses VoIP availability but does not address application-level access or authorization.
197、The GREATEST advantage of rapid application development (RAD) over the traditional system development life cycle (SDLC) is that it:
A、facilitates user involvement.
B、allows early testing of technical features.
C、facilitates conversion to the new system.
D、shortens the development time frame.
ANSWER: D
NOTE: The greatest advantage of RAD is the shorter time frame for the development of a system. Choices A and B are true, but they are also true for the traditional systems development life cycle. Choice C is not necessarily always true.
198、Web and e-mail filtering tools are PRIMARILY valuable to an organization because they:
A、protect the organization from viruses and nonbusiness materials.
B、maximize employee performance.
C、safeguard the organization's image.
D、assist the organization in preventing legal issues.
ANSWER: A
NOTE: The main reason for investing in web and e-mail filtering tools is that they significantly reduce risks related to viruses, spam, mail chains, recreational surfing and recreational e-mail. Choice B could be true in some circumstances (i.e., it would need to be implemented along with an awareness program, so that employee performance can be significantly improved). However, in such cases, it would not be as relevant as choice A. Choices C and D are secondary or indirect benefits.
199、After installing a network, an organization installed a vulnerability assessment tool or security scanner to identify possible weaknesses. Which is the MOST serious risk associated with such tools?
A、Differential reporting
B、False-positive reporting
C、False-negative reporting
D、Less-detail reporting
ANSWER: C
NOTE: False-negative reporting on weaknesses means the control weaknesses in the network are not identified and therefore may not be addressed, leaving the network vulnerable to attack. False-positive reporting is one in which the controls are in place, but are evaluated as weak, which should prompt a rechecking of the controls. Less-detail reporting and differential reporting functions provided by these tools compare scan results over a period of time.
200、IS management recently replaced its existing wired local area network (LAN) with a wireless infrastructure to accommodate the increased use of mobile devices within the organization. This will increase the risk of which of the following attacks?
A、Port scanning
B、Back door
C、Man-in-the-middle
D、War driving
ANSWER: D
NOTE: A war driving attack uses a wireless Ethernet card, set in promiscuous mode, and a powerful antenna to penetrate wireless systems from outside. Port scanning will often target the external firewall of the organization. A back door is an opening left in software that enables an unknown entry into a system. Man-in-the-middle attacks intercept a message and either replace or modify it.
201、Which of the following is a mechanism for mitigating risks?
A、Security and control practices
B、Property and liability insurance
C、Audit and certification
D、Contracts and service level agreements (SLAs)
ANSWER: A
NOTE: Risks are mitigated by implementing appropriate security and control practices. Insurance is a mechanism for transferring risk. Audit and certification are mechanisms of risk assurance, while contracts and SLAs are mechanisms of risk allocation.
202、Which of the following line media would provide the BEST security for a telecommunication network?
A、Broadband network digital transmission
B、Baseband network
C、Dial-up
D、Dedicated lines
ANSWER: D
NOTE: Dedicated lines are set apart for a particular user or organization. Since there is no sharing of lines or intermediate entry points, the risk of interception or disruption of telecommunications messages is lower.
203、After initial investigation, an IS auditor has reasons to believe that fraud may be present. The IS auditor should:
A、expand activities to determine whether an investigation is warranted.
B、report the matter to the audit committee.
C、report the possibility of fraud to top management and ask how they would like to proceed.
D、consult with external legal counsel to determine the course of action to be taken.
ANSWER: A
NOTE: An IS auditor's responsibilities for detecting fraud include evaluating fraud indicators and deciding whether any additional action is necessary or whether an investigation should be recommended. The IS auditor should notify the appropriate authorities within the organization only if it has determined that the indicators of fraud are sufficient to recommend an investigation. Normally, the IS auditor does not have authority to consult with external legal counsel.
204、The PRIMARY reason for using digital signatures is to ensure data:
A、confidentiality.
B、integrity.
C、availability.
D、timeliness.
ANSWER: B
NOTE: Digital signatures provide integrity because the digital signature of a signed message (file, mail, document, etc.) changes every time a single bit of the document changes; thus, a signed document cannot be altered. Depending on the mechanism chosen to implement a digital signature, the mechanism might be able to ensure data confidentiality or even timeliness, but this is not assured. Availability is not related to digital signatures.
205、As a driver of IT governance, transparency of IT's cost, value and risks is primarily achieved through:
A、performance measurement.
B、strategic alignment.
C、value delivery.
D、resource management.
ANSWER: A
NOTE: Performance measurement includes setting and monitoring measurable objectives of what the IT processes need to deliver (process outcome) and how they deliver it (process capability and performance). Strategic alignment primarily focuses on ensuring linkage of business and IT plans. Value delivery is about executing the value proposition throughout the delivery cycle. Resource management is about the optimal investment in and proper management of critical IT resources. Transparency is primarily achieved through performance measurement as it provides information to the stakeholders on how well the enterprise is performing when compared to objectives.
206、Which of the following would BEST support 24/7 availability?
A、Daily backup
B、Offsite storage
C、Mirroring
D、Periodic testing
ANSWER: C
NOTE: Mirroring of critical elements is a tool that facilitates immediate recoverability. Daily backup implies that it is reasonable for restoration to take place within a number of hours but not immediately. Offsite storage and periodic testing of systems do not of themselves support continuous availability.
207、Which of the following would an IS auditor consider to be the MOST important when evaluating an organization's IS strategy? That it:
A、has been approved by line management.
B、does not vary from the IS department's preliminary budget.
C、complies with procurement procedures.
D、supports the business objectives of the organization.
ANSWER: D
NOTE: Strategic planning sets corporate or department objectives into motion. Both long-term and short-term strategic plans should be consistent with the organization's broader plans and business objectives for attaining these goals. Choice A is incorrect since line management prepared the plans.
208、When reviewing an intrusion detection system (IDS), an IS auditor should be MOST concerned about which of the following?
A、Number of nonthreatening events identified as threatening
B、Attacks not being identified by the system
C、Reports/logs being produced by an automated tool
D、Legitimate traffic being blocked by the system
ANSWER: B
NOTE: Attacks not being identified by the system present a higher risk, because they are unknown and no action will be taken to address the attack. Although the number of false-positives is a serious issue, the problem will be known and can be corrected. Often, IDS reports are first analyzed by an automated tool to eliminate known false-positives, which generally are not a problem. An IDS does not block any traffic.
209、Which of the following should be of MOST concern to an IS auditor reviewing the BCP?
A、The disaster levels are based on scopes of damaged functions, but not on duration.
B、The difference between low-level disaster and software incidents is not clear.
C、The overall BCP is documented, but detailed recovery steps are not specified.
D、The responsibility for declaring a disaster is not identified.
ANSWER: D
NOTE: If nobody declares the disaster, the response and recovery plan would not be invoked, making all other concerns moot. Although failure to consider duration could be a problem, it is not as significant as scope, and neither is as critical as the need to have someone invoke the plan. The difference between incidents and low-level disasters is always unclear and frequently revolves around the amount of time required to correct the damage. The lack of detailed steps should be documented, but their absence does not mean a lack of recovery, if in fact someone has invoked the plan.
210、A technical lead who was working on a major project has left the organization. The project manager reports suspicious system activities on one of the servers that is accessible to the whole team. What would be of GREATEST concern if discovered during a forensic investigation?
A、Audit logs are not enabled for the system
B、A logon ID for the technical lead still exists
C、Spyware is installed on the system
D、A Trojan is installed on the system
ANSWER: A
NOTE: Audit logs are critical to the investigation of the event; however, if not enabled, misuse of the logon ID of the technical lead and the guest account could not be established. The logon ID of the technical lead should have been deleted as soon as the employee left the organization but, without audit logs, misuse of the ID is difficult to prove. Spyware installed on the system is a concern but could have been installed by any user and, again, without the presence of logs, discovering who installed the spyware is difficult. A Trojan installed on the system is a concern, but it can be done by any user as it is accessible to the whole group and, without the presence of logs, investigation would be difficult.
211、To address the risk of operations staff's failure to perform the daily backup, management requires that the systems administrator sign off on the daily backup. This is an example of risk:
A、avoidance.
B、transference.
C、mitigation.
D、acceptance.
ANSWER: C
NOTE: Mitigation is the strategy that provides for the definition and implementation of controls to address the risk described. Avoidance is a strategy that provides for not implementing certain activities or processes that would incur risk. Transference is the strategy that provides for sharing risk with partners or taking insurance coverage. Acceptance is a strategy that provides for formal acknowledgement of the existence of a risk and the monitoring of that risk.
212、The GREATEST risk when end users have access to a database at its system level, instead of through the application, is that the users can:
A、make unauthorized changes to the database directly, without an audit trail.
B、make use of a system query language (SQL) to access information.
C、remotely access the database.
D、update data without authentication.
ANSWER: A
NOTE: Having access to the database could provide access to database utilities, which can update the database without an audit trail and without using the application. Using SQL only provides read access to information. In a networked environment, accessing the database remotely does not make a difference. What is critical is what is possible or completed through this access. To access a database, it is necessary that a user is authenticated using a user ID.
213、Which of the following is a technique that could be used to capture network user passwords?
A、Encryption
B、Sniffing
C、Spoofing
D、Data destruction
ANSWER: B
NOTE: Sniffing is an attack that can be used to capture sensitive pieces of information (e.g., a password) passing through the network. Encryption is a method of scrambling information to prevent unauthorized individuals from understanding the transmission. Spoofing is forging an address and inserting it into a packet to disguise the origin of the communication. Data destruction is erasing information or removing it from its original location.
214、In auditing a web server, an IS auditor should be concerned about the risk of individuals gaining unauthorized access to confidential information through:
A、common gateway interface (CGI) scripts.
B、enterprise java beans (EJBs).
C、applets.
D、web services.
ANSWER: A
NOTE: Common gateway interface (CGI) scripts are executable machine independent software programs on the server that can be called and executed by a web server page. CGI performs specific tasks such as processing inputs received from clients. The use of CGI scripts needs to be evaluated, because as they run in the server, a bug in them may allow a user to gain unauthorized access to the server and from there gain access to the organization's network. Applets are programs downloaded from a web server and executed on web browsers on client machines to run any web-based applications. Enterprise java beans (EJBs) and web services have to be deployed by the web server administrator and are controlled by the application server. Their execution requires knowledge of the parameters and expected return values.
215、When performing a computer forensic investigation, in regard to the evidence gathered, an IS auditor should be MOST concerned with:
A、analysis.
B、evaluation.
C、preservation.
D、disclosure.
ANSWER: C
NOTE: Preservation and documentation of evidence for review by law enforcement and judicial authorities are of primary concern when conducting an investigation. Failure to properly preserve the evidence could jeopardize the acceptance of the evidence in legal proceedings. Analysis, evaluation and disclosure are important but not of primary concern in a forensic investigation.
216、Functional acknowledgements are used:
A、as an audit trail for EDI transactions.
B、to functionally describe the IS department.
C、to document user roles and responsibilities.
D、as a functional description of application software.
ANSWER: A
NOTE: Functional acknowledgements are standard EDI transactions that tell trading partners that their electronic documents were received. Different types of functional acknowledgments provide various levels of detail and, therefore, can act as an audit trail for EDI transactions. The other choices are not relevant to the description of functional acknowledgements.
217、When using a universal storage bus (USB) flash drive to transport confidential corporate data to an offsite location, an effective control would be to:
A、carry the flash drive in a portable safe.
B、assure management that you will not lose the flash drive.
C、request that management deliver the flash drive by courier.
D、encrypt the folder containing the data with a strong key.
ANSWER: D
NOTE: Encryption, with a strong key, is the most secure method for protecting the information on the flash drive. Carrying the flash drive in a portable safe does not guarantee the safety of the information in the event that the safe is stolen or lost. No matter what measures you take, the chance of losing the flash drive still exists. It is possible that a courier might lose the flash drive or that it might be stolen.
218、The FIRST step in a successful attack to a system would be:
A、gathering information.
B、gaining access.
C、denying services.
D、evading detection.
ANSWER: A
NOTE: Successful attacks start by gathering information about the target system. This is done in advance so that the attacker gets to know the target systems and their vulnerabilities. All of the other choices are based on the information gathered.
219、Which of the following would an IS auditor consider to be the MOST helpful when evaluating the effectiveness and adequacy of a computer preventive maintenance program?
A、A system downtime log
B、Vendors' reliability figures
C、Regularly scheduled maintenance log
D、A written preventive maintenance schedule
ANSWER: A
NOTE: A system downtime log provides information regarding the effectiveness and adequacy of computer preventive maintenance programs.
220、Which of the following would normally be the MOST reliable evidence for an auditor?
A、A confirmation letter received from a third party verifying an account balance
B、Assurance from line management that an application is working as designed
C、Trend data obtained from World Wide Web (Internet) sources
D、Ratio analysis developed by the IS auditor from reports supplied by line management
ANSWER: A
NOTE: Evidence obtained from independent third parties almost always is considered to be the most reliable. Choices B, C and D would not be considered as reliable.
221、The implementation of access controls FIRST requires:
A、a classification of IS resources.
B、the labeling of IS resources.
C、the creation of an access control list.
D、an inventory of IS resources.
ANSWER: D
NOTE: The first step in implementing access controls is an inventory of IS resources, which is the basis for classification. Labeling of resources cannot be done without first determining the resources' classifications, and an access control list (ACL) cannot be built without a meaningful classification of the resources it protects.
222、Which of the following would help to ensure the portability of an application connected to a database?
A、Verification of database import and export procedures
B、Usage of a structured query language (SQL)
C、Analysis of stored procedures/triggers
D、Synchronization of the entity-relation model with the database physical schema
ANSWER: B
NOTE: The use of standard SQL facilitates portability between database products. Verifying import and export procedures improves interfacing with other systems, analysing stored procedures and triggers addresses access control and performance (and, because their languages are vendor-specific, they usually work against portability), and keeping the entity-relation model synchronised with the physical schema is good design practice, but none of these makes an application that connects to a database portable.
223、When reviewing an organization's logical access security, which of the following should be of MOST concern to an IS auditor?
A、Passwords are not shared.
B、Password files are not encrypted.
C、Redundant logon IDs are deleted.
D、The allocation of logon IDs is controlled.
ANSWER: B
NOTE: When evaluating the technical aspects of logical security, unprotected password files represent the greatest risk, because anyone who can read the file obtains every credential at once. (In practice passwords should be stored as salted hashes rather than reversibly encrypted; the exam's point is that the stored credentials must not be readable.) Preventing password sharing, removing redundant logon IDs and controlling the allocation of logon IDs are essential, but they are less important than ensuring that the password files are protected.
224、Which of the following implementation modes would provide the GREATEST amount of security for outbound data connecting to the Internet?
A、Transport mode with authentication header (AH) plus encapsulating security payload (ESP)
B、Secure Sockets Layer (SSL) mode
C、Tunnel mode with AH plus ESP
D、Triple-DES encryption mode
ANSWER: C
NOTE: Tunnel mode protects the entire original IP packet, which is encapsulated inside a new outer packet; AH and ESP can be nested so that the traffic gets both integrity/authentication and confidentiality. Transport mode protects only the payload of the IP packet (the higher-layer protocols) and leaves the original IP header exposed. SSL (today TLS) secures an individual session at the transport layer and above, not the IP traffic as a whole. Triple DES is an encryption algorithm that provides confidentiality; it is not an implementation mode.
225、An IS auditor reviewing access controls for a client-server environment should FIRST:
A、evaluate the encryption technique.
B、identify the network access points.
C、review the identity management system.
D、review the application level access controls.
ANSWER: B
NOTE: A client-server environment typically contains several access points and uses distributed techniques, which increases the risk of unauthorized access to data and processing. To evaluate the security of the client-server environment, all network access points must first be identified, since a control review that misses an entry point is incomplete. Evaluating encryption techniques, reviewing the identity management system and reviewing the application-level access controls are performed at a later stage of the review.
226、An IS auditor finds that conference rooms have active network ports. Which of the following is MOST important to ensure?
A、The corporate network is using an intrusion prevention system (IPS)
B、This part of the network is isolated from the corporate network
C、A single sign-on has been implemented in the corporate network
D、Antivirus software is in place to protect the corporate network
ANSWER: B
NOTE: If the conference-room ports give access to the corporate network, unauthorized visitors may be able to connect to it; therefore the two networks should be isolated, either by a firewall or by physical separation. An IPS would detect possible attacks, but only once they are under way. Single sign-on eases authentication management and does nothing about unauthorized devices on the wire. Antivirus software would reduce the impact of malware, but unauthorized users would still be able to reach the corporate network, which is the biggest risk.
227、Which of the following types of firewalls provide the GREATEST degree and granularity of control?
A、Screening router
B、Packet filter
C、Application gateway
D、Circuit gateway
ANSWER: C
NOTE: An application gateway is similar to a circuit gateway, but it has a specific proxy for each service. To handle web traffic it runs an HTTP proxy that acts as an intermediary between external and internal hosts and understands only HTTP. It therefore checks not only the packet's IP addresses (layer 3) and the port it is directed to (port 80 here, layer 4) but every HTTP command and header (the application layer, layers 5 to 7), so it controls traffic at a finer granularity than the others. A screening router and a packet filter (choices A and B) work at the protocol, service and/or port level, that is, on layer 3 and 4 fields only, and never look at the higher-level content. A circuit gateway (choice D) is a proxy that acts as an intermediary between external and internal connections: instead of a single connection to the internal server, two connections are established, one from the external host to the proxy (which constitutes the circuit gateway) and one from the proxy to the internal server. It uses layers 3 and 4 (IP and TCP) and only some general features of the higher-level protocols.
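The difference described above is easiest to see with the two controls side by side. The following is an added example, not part of the original question bank: a layer 3/4 rule and an HTTP-aware proxy rule applied to the same constructed packets. The `Packet` type, the sample traffic and the allow-list of methods are assumptions made for this illustration.

```python
"""Added example: why an application gateway is more granular than a packet
filter.  A packet filter sees only layer-3/4 fields (addresses, protocol,
ports); an application-layer proxy parses the HTTP request itself and can
enforce rules on method, path and headers.  Sample packets are constructed."""
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes = b""


# Constructed sample traffic: the first three look identical to a packet filter
SAMPLES = [
    Packet("203.0.113.7", "192.0.2.10", 80, b"GET /index.html HTTP/1.1\r\nHost: www.example\r\n\r\n"),
    Packet("203.0.113.7", "192.0.2.10", 80, b"DELETE /admin/users/1 HTTP/1.1\r\nHost: www.example\r\n\r\n"),
    Packet("203.0.113.7", "192.0.2.10", 80, b"GET /../../etc/passwd HTTP/1.1\r\nHost: www.example\r\n\r\n"),
    Packet("203.0.113.7", "192.0.2.10", 25, b"EHLO mail\r\n"),
]


def packet_filter(pkt):
    """Layer 3/4 rule only: allow TCP/80 to the web server from anywhere."""
    return pkt.dst == "192.0.2.10" and pkt.dport == 80


ALLOWED_METHODS = {"GET", "HEAD", "POST"}  # assumed policy for the web proxy


def parse_request_line(payload):
    """Return (method, target, version), or None if this is not an HTTP request."""
    try:
        line = payload.split(b"\r\n", 1)[0].decode("ascii")
    except UnicodeDecodeError:
        return None
    parts = line.split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    return parts[0], parts[1], parts[2]


def application_gateway(pkt):
    """HTTP proxy rule: the same L3/L4 check, then method allow-list and path sanity.
    Returns (allowed, reason)."""
    if not packet_filter(pkt):
        return False, "blocked by L3/L4 rule"
    req = parse_request_line(pkt.payload)
    if req is None:
        return False, "not a parseable HTTP request"
    method, target, _ = req
    if method not in ALLOWED_METHODS:
        return False, f"method {method} not permitted"
    if ".." in target.split("/"):
        return False, "path traversal attempt in request target"
    return True, "ok"


def compare(packets):
    """Decision of each control for each packet, so the difference is visible."""
    return [(packet_filter(p), application_gateway(p)[0]) for p in packets]


if __name__ == "__main__":
    for p, (pf, ag) in zip(SAMPLES, compare(SAMPLES)):
        print(f"{p.dport:>3} {p.payload[:24]!r:<32} packet-filter={pf} app-gateway={ag}")
```

The packet filter passes the DELETE and the traversal attempt because, at layers 3 and 4, they are indistinguishable from the legitimate GET; only the proxy, which reconstructs the request, can refuse them.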
228、Which of the following should be of MOST concern to an IS auditor?
A、Lack of reporting of a successful attack on the network
B、Failure to notify police of an attempted intrusion
C、Lack of periodic examination of access rights
D、Lack of notification to the public of an intrusion
ANSWER: A
NOTE: Not reporting a successful intrusion is equivalent to hiding a malicious intrusion, which would be a professional failure on the auditor's part. Although notification to the police may be required and the lack of a periodic examination of access rights might be a concern, neither is as serious as the failure to report the attack. Reporting to the public is not a requirement and depends on the organization's willingness, or lack thereof, to make the intrusion known.
229、While observing a full simulation of the business continuity plan, an IS auditor notices that the notification systems within the organizational facilities could be severely impacted by infrastructural damage. The BEST recommendation the IS auditor can provide to the organization is to ensure:
A、the salvage team is trained to use the notification system.
B、the notification system provides for the recovery of the backup.
C、redundancies are built into the notification system.
D、the notification systems are stored in a vault.
ANSWER: C
NOTE: If the notification system can be severely impacted by the damage, redundancy is the best control. The salvage team would not be able to use a severely damaged notification system, however well trained. The recovery of backups has no bearing on the notification system, and storing the notification system in a vault would be of little value if the building itself is damaged.
230、Which of the following is a characteristic of timebox management?
A、Not suitable for prototyping or rapid application development (RAD)
B、Eliminates the need for a quality process
C、Prevents cost overruns and delivery delays
D、Separates system and user acceptance testing
ANSWER: C
NOTE: Timebox management, by its nature, sets fixed time and cost boundaries, which is what prevents cost overruns and delivery delays. It is very suitable for prototyping and RAD, integrates system and user acceptance testing rather than separating them, and does not eliminate the need for a quality process.
231、In an IS audit of several critical servers, the IS auditor wants to analyze audit trails to discover potential anomalies in user or system behavior. Which of the following tools are MOST suitable for performing that task?
A、CASE tools
B、Embedded data collection tools
C、Heuristic scanning tools
D、Trend/variance detection tools
ANSWER: D
NOTE: Trend/variance detection tools look for anomalies in user or system behavior, for example determining whether the numbers of prenumbered documents are sequential or whether a user's activity volume deviates from the norm. CASE tools assist software development. Embedded (audit) data collection software is used for sampling and to provide production statistics. Heuristic scanning tools scan for viruses and indicate possibly infected code.
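As an added example, not part of the original question bank, here is a small trend/variance detector of the kind the note describes, run over a constructed audit trail. It checks sequence continuity of prenumbered documents, per-user activity volume against the other users, and activity outside working hours. The log format, the user names and the thresholds are assumptions for this example.

```python
"""Added example: trend/variance detection over an audit trail.  The audit
trail lines, their format and the thresholds are constructed for the demo."""
import re
import statistics
from collections import Counter
from datetime import datetime

# Constructed sample audit trail (the format is an assumption of this example)
AUDIT_TRAIL = """\
2024-03-01T09:02:11 user=alice action=APPROVE doc=1001
2024-03-01T09:05:40 user=bob action=APPROVE doc=1002
2024-03-01T09:07:02 user=carol action=APPROVE doc=1003
2024-03-01T09:09:55 user=alice action=APPROVE doc=1005
2024-03-01T09:12:30 user=bob action=APPROVE doc=1006
2024-03-01T09:15:12 user=carol action=APPROVE doc=1006
2024-03-01T16:40:00 user=dave action=APPROVE doc=1007
2024-03-01T16:40:03 user=dave action=APPROVE doc=1008
2024-03-01T16:40:05 user=dave action=APPROVE doc=1009
2024-03-01T16:40:08 user=dave action=APPROVE doc=1010
2024-03-02T02:15:00 user=dave action=APPROVE doc=1011
2024-03-02T02:15:02 user=dave action=APPROVE doc=1012
2024-03-02T02:15:05 user=dave action=APPROVE doc=1013
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) doc=(?P<doc>\d+)$")


def parse(trail):
    """Parse the trail into event dicts; malformed lines are skipped here
    (a real review would count them as a finding in their own right)."""
    events = []
    for line in trail.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]), "user": m["user"],
                           "action": m["action"], "doc": int(m["doc"])})
    return events


def sequence_anomalies(events):
    """Prenumbered documents must appear exactly once, with no gaps in the range."""
    seen = Counter(e["doc"] for e in events)
    lo, hi = min(seen), max(seen)
    missing = [n for n in range(lo, hi + 1) if n not in seen]
    duplicates = sorted(n for n, c in seen.items() if c > 1)
    return missing, duplicates


def volume_outliers(events, ratio=3.0):
    """Users whose event count exceeds `ratio` times the median user's count.
    The median is used rather than the mean so one busy user cannot hide himself
    by dragging the average up."""
    counts = Counter(e["user"] for e in events)
    median = statistics.median(counts.values())
    return sorted(u for u, c in counts.items() if c > ratio * median)


def off_hours(events, start=7, end=20):
    """Events outside the assumed working window [start, end) in local time."""
    return [(e["user"], e["ts"].isoformat()) for e in events
            if not (start <= e["ts"].hour < end)]


def report(trail):
    events = parse(trail)
    missing, dups = sequence_anomalies(events)
    return {"missing_docs": missing, "duplicate_docs": dups,
            "volume_outliers": volume_outliers(events),
            "off_hours": off_hours(events)}


if __name__ == "__main__":
    for key, value in report(AUDIT_TRAIL).items():
        print(f"{key}: {value}")
```

On the sample trail the detector reports document 1004 as missing, 1006 as approved twice, dave as a volume outlier, and dave's three approvals at 02:15 as off-hours activity; each of these is a lead for the auditor to follow up, not proof of wrongdoing.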
232、The human resources (HR) department has developed a system to allow employees to enroll in benefits via a web site on the corporate Intranet. Which of the following would protect the confidentiality of the data?
A、SSL encryption
B、Two-factor authentication
C、Encrypted session cookies
D、IP address verification
ANSWER: A
NOTE: The main risk in this scenario is to confidentiality, so the only choice that provides it is Secure Sockets Layer (SSL) encryption of the session (in practice its successor, TLS). The remaining choices address authentication or session handling, not the confidentiality of the data in transit.
233、Which of the following protocols would be involved in the implementation of a router and an interconnectivity device monitoring system?
A、Simple Network Management Protocol (SNMP)
B、File Transfer Protocol (FTP)
C、Simple Mail Transfer Protocol (SMTP)
D、Telnet
ANSWER: A
NOTE: The Simple Network Management Protocol provides a means to monitor and control network devices and to manage their configuration and performance. (SNMPv1 and SNMPv2c authenticate only with cleartext community strings; SNMPv3 adds authentication and encryption and should be used for any monitoring system.) The File Transfer Protocol (FTP) transfers files between computers and has no functionality related to monitoring network devices. Simple Mail Transfer Protocol (SMTP) is a protocol for sending and receiving e-mail messages and does not provide any monitoring or management of network devices. Telnet is a standard terminal emulation protocol for remote terminal connections, enabling users to log into remote systems and use their resources as if they were local; it does not provide any monitoring or management of network devices.
234、Regarding a disaster recovery plan, the role of an IS auditor should include:
A、identifying critical applications.
B、determining the external service providers involved in a recovery test.
C、observing the tests of the disaster recovery plan.
D、determining the criteria for establishing a recovery time objective (RTO).
ANSWER: C
NOTE: The IS auditor should be present when disaster recovery plans are tested, to ensure that the test meets the targets for restoration and that the recovery procedures are effective and efficient. As appropriate, the auditor should provide a report of the test results. All other choices are responsibilities of management.
235、At the end of the testing phase of software development, an IS auditor observes that an intermittent software error has not been corrected. No action has been taken to resolve the error. The IS auditor should:
A、report the error as a finding and leave further exploration to the auditee's discretion.
B、attempt to resolve the error.
C、recommend that problem resolution be escalated.
D、ignore the error, as it is not possible to get objective evidence for the software error.
ANSWER: C
NOTE: When an IS auditor observes such a condition, it is best to fully apprise the auditee and recommend that problem resolution be escalated. Recording it as a minor finding and leaving it to the auditee's discretion would be inappropriate; attempting to fix it would compromise the auditor's independence; and ignoring the error would mean the auditor has not pursued the issue to its logical end.
236、Which of the following is the BEST practice to ensure that access authorizations are still valid?
A、Information owner provides authorization for users to gain access
B、Identity management is integrated with human resource processes
C、Information owners periodically review the access controls
D、An authorization matrix is used to establish validity of access
ANSWER: B
NOTE: Personnel and departmental changes can result in authorization creep and undermine the effectiveness of access controls. Often when personnel leave an organization, or employees are promoted, transferred or demoted, their system access is not fully removed, which increases the risk of unauthorized access. The best practice for ensuring that access authorizations remain valid is to integrate identity management with human resources processes, so that when an employee leaves or transfers to a different function the access rights are adjusted at the same time, rather than at the next periodic review.
237、To determine who has been given permission to use a particular system resource, an IS auditor should review:
A、activity lists.
B、access control lists.
C、logon ID lists.
D、password lists.
ANSWER: B
NOTE: Access control lists are the authorization tables that document which users have been given permission to use a particular system resource and the types of access they have been granted. The other choices would not document who has been given permission to use (access) specific system resources: activity lists show what was done, not what is allowed, and logon ID and password lists show only who can authenticate.
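The checks behind questions 236 and 237 come together in an access review: pull the access control list, then reconcile it against the HR roster so that leavers and movers (question 236) show up as findings. The following is an added example, not from the question bank; both data sets are constructed, and the column layout and the assumption that a resource's access is scoped to one department are made for this illustration only.

```python
"""Added example: reconciling an access control list against the HR roster.
The roster, the ACL and the resource ownership table are all constructed."""
import csv
import io

# Constructed HR roster: one row per person, as an HR export might look
HR_ROSTER = """\
user,department,status
alice,finance,active
bob,finance,terminated
carol,engineering,active
dave,finance,active
"""

# Constructed ACL: who has been granted what (what an auditor pulls from the system)
ACL = """\
resource,user,right
ledger_db,alice,write
ledger_db,bob,write
ledger_db,carol,read
ledger_db,eve,read
build_server,carol,admin
"""

# Assumed ownership: the department each resource belongs to
RESOURCE_OWNER = {"ledger_db": "finance", "build_server": "engineering"}


def load(text):
    """Parse CSV text into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def reconcile(roster_rows, acl_rows, owners):
    """Return sorted (finding, user, resource) tuples for ACL entries that the
    roster no longer justifies."""
    people = {r["user"]: r for r in roster_rows}
    findings = []
    for row in acl_rows:
        user, res = row["user"], row["resource"]
        person = people.get(user)
        if person is None:
            # account with no matching employee: orphan or service account to explain
            findings.append(("orphan_account", user, res))
        elif person["status"] != "active":
            # leaver whose access was never revoked
            findings.append(("leaver_still_has_access", user, res))
        elif owners.get(res) and person["department"] != owners[res]:
            # mover, or someone granted access outside the owning department
            findings.append(("cross_department_access", user, res))
    return sorted(findings)


def review():
    return reconcile(load(HR_ROSTER), load(ACL), RESOURCE_OWNER)


if __name__ == "__main__":
    for finding in review():
        print(*finding)
```

Each finding is a question for the information owner, not an automatic revocation: a cross-department grant may be legitimate, and an "orphan" may be a service account that simply needs an owner recorded. What the reconciliation gives the auditor is the list of grants that nobody has currently justified.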
238、An IS auditor reviewing an organization's data file control procedures finds that transactions are applied to the most current files, while restart procedures use earlier versions. The IS auditor should recommend the implementation of:
A、source documentation retention.
B、data file security.
C、version usage control.
D、one-for-one checking.
ANSWER: C
NOTE: For processing to be correct, it is essential that the proper version of a file is used: transactions must be applied to the most current data, and restart procedures must not silently reprocess against an earlier version, so version usage needs to be controlled. Source documentation should be retained long enough to allow retrieval, reconstruction or verification of data, but it does not ensure that the correct version of a file is used. Data file security controls prevent access by unauthorized users who could alter the data files, but they do not ensure that the correct file is used. One-for-one checking ensures that every document received is processed, but it likewise does not ensure the use of the correct file.
239、A digital signature contains a message digest to:
A、show if the message has been altered after transmission.
B、define the encryption algorithm.
C、confirm the identity of the originator.
D、enable message transmission in a digital format.
ANSWER: A
NOTE: The message digest is calculated and included in a digital signature to prove that the message has not been altered: the receiver recomputes it and it should equal the value recovered from the signature. The digest does not define the algorithm or enable transmission in digital format, and it has no bearing on the identity of the signer; the private-key operation provides identity, while the digest provides integrity.
240、In what way is a common gateway interface (CGI) MOST often used on a web server?
A、Consistent way for transferring data to the application program and back to the user
B、Computer graphics imaging method for movies and TV
C、Graphic user interface for web design
D、Interface to access the private gateway domain
ANSWER: A
NOTE: The common gateway interface (CGI) is a standard way for a web server to pass a user's request to an application program and to move data back and forth between them and the user. When the user requests a web page (for example, by clicking a link or entering a web site address), the server returns the requested page. When a user fills out a form on a web page and submits it, however, the input usually needs to be processed by an application program; the web server passes the form data to a small program that processes it and may send back a confirmation message. This convention for passing data between the server and the application is CGI. It is a specification in its own right (CGI 1.1 is documented in RFC 3875) that sits behind the web server rather than a part of HTTP itself, and because it hands user-supplied input to an external program, CGI scripts are a classic place for input-validation and command-injection flaws.
241、The application systems of an organization using open-source software have no single recognized developer producing patches. Which of the following would be the MOST secure way of updating open-source software?
A、Rewrite the patches and apply them
B、Code review and application of available patches
C、Develop in-house patches
D、Identify and test suitable patches before applying them
ANSWER: D
NOTE: Suitable patches from the existing developers should be selected and tested before being applied. Rewriting the patches is not the correct answer because it would require skilled resources and time. Code review alone is not sufficient, since the patches still need to be tested before they are applied. Because the system was developed outside the organization, the IT department may not have the skills and resources to develop its own patches.
242、When reviewing input controls, an IS auditor observes that, in accordance with corporate policy, procedures allow supervisory override of data validation edits. The IS auditor should:
A、not be concerned since there may be other compensating controls to mitigate the risks.
B、ensure that overrides are automatically logged and subject to review.
C、verify whether all such overrides are referred to senior management for approval.
D、recommend that overrides not be permitted.
ANSWER: B
NOTE: If input procedures allow overrides of data validation and editing, every override should be logged automatically, and a manager who did not initiate the override should review the log. An IS auditor should not assume that compensating controls exist. As long as the overrides comply with policy, there is no need for senior management approval or a blanket prohibition.
243、Which of the following is a prevalent risk in the development of end-user computing (EUC) applications?
A、Applications may not be subject to testing and IT general controls
B、Increased development and maintenance costs
C、Increased application development time
D、Decision-making may be impaired due to diminished responsiveness to requests for information
ANSWER: A
NOTE: End-user developed applications may not be subjected to an independent review by systems analysts and frequently are not created within a formal development methodology, so they may lack appropriate standards, controls, quality assurance procedures and documentation. The risk is that management may rely on them as much as on traditionally developed applications. End-user computing (EUC) systems typically reduce application development and maintenance costs and shorten the development cycle, and they normally increase flexibility and responsiveness to management's information requests.
244、When selecting audit procedures, an IS auditor should use professional judgment to ensure that:
A、sufficient evidence will be collected.
B、all significant deficiencies identified will be corrected within a reasonable period.
C、all material weaknesses will be identified.
D、audit costs will be kept at a minimum level.
ANSWER: A
NOTE: Procedures are the processes an IS auditor follows in an audit engagement. In determining the appropriateness of any specific procedure, the auditor should use professional judgment suited to the circumstances. Professional judgment involves a subjective and often qualitative evaluation of conditions arising during an audit; it addresses the grey area where binary (yes/no) decisions are not appropriate, and the auditor's experience plays a key role. ISACA's guidelines describe how to meet the standards when performing IS audit work. Identifying material weaknesses is the result of competence, experience and thoroughness in planning and executing the audit, not of professional judgment as such, and whether deficiencies are corrected is the auditee's responsibility. Professional judgment is not a primary input to the cost of the audit.
245、An IT steering committee should review information systems PRIMARILY to assess:
A、whether IT processes support business requirements.
B、if proposed system functionality is adequate.
C、the stability of existing software.
D、the complexity of installed technology.
ANSWER: A
NOTE: The role of an IT steering committee is to ensure that the IS department is aligned with the organization's mission and objectives. To do so, the committee must determine whether IS processes support the business requirements. Assessing proposed functionality and evaluating software stability or the complexity of technology are too narrow in scope to establish that IT processes are in fact supporting the organization's goals.
246、Digital signatures require the:
A、signer to have a public key and the receiver to have a private key.
B、signer to have a private key and the receiver to have a public key.
C、signer and receiver to have a public key.
D、signer and receiver to have a private key.
ANSWER: B
NOTE: Digital signatures are intended to assure the recipient of the integrity of the data and the identity of the sender. The digital signature standard is a public-key algorithm: the signer creates the signature with a private key that only the signer holds, and the receiver verifies it with the signer's corresponding public key, which can be distributed freely.
247、Which of the following types of testing would determine whether a new or modified system can operate in its target environment without adversely impacting other existing systems?
A、Parallel testing
B、Pilot testing
C、Interface/integration testing
D、Sociability testing
ANSWER: D
NOTE: The purpose of sociability testing is to confirm that a new or modified system can operate in its target environment without adversely affecting existing systems. It should cover the platform that performs the primary application processing, the interfaces with other systems, and any changes to the desktop in a client-server or web deployment. Parallel testing feeds the same data into two systems, the modified system and an alternate system, and compares the results; the old and new systems run concurrently for a period and perform the same processing. Pilot testing takes place first at one location and is then extended to others, to see whether the new system operates satisfactorily in one place before it is rolled out. Interface/integration testing is a hardware or software test that evaluates the connection of two or more components that pass information between them; its objective is to take unit-tested modules and build an integrated structure.
248、Passwords should be:
A、assigned by the security administrator for first time logon.
B、changed every 30 days at the discretion of the user.
C、reused often to ensure the user does not forget the password.
D、displayed on the screen so that the user can ensure that it has been entered properly.
ANSWER: A
NOTE: Initial password assignment should be done discreetly by the security administrator, with the user forced to change it at first logon. The exam's position is that passwords should be changed regularly (e.g., every 30 days) and that the change should be enforced by the system rather than left to the user's discretion; note that current guidance such as NIST SP 800-63B no longer recommends routine periodic changes unless there is evidence of compromise. Systems should not permit previous passwords to be reused, since old passwords may have been compromised. Passwords should never be displayed in any form.
249、The MAJOR consideration for an IS auditor reviewing an organization's IT project portfolio is the:
A、IT budget.
B、existing IT environment.
C、business plan.
D、investment plan.
ANSWER: C
NOTE: One of the most important reasons a project gets funded is how well it meets the organization's strategic objectives. Portfolio management takes a holistic view of the company's overall IT strategy, and IT strategy should be aligned with business strategy; hence reviewing the business plan is the major consideration. Choices A, B and D are important but secondary to the business plan.
250、An IS auditor should review the configuration of which of the following protocols to detect unauthorized mappings between the IP address and the media access control (MAC) address?
A、Simple Object Access Protocol (SOAP)
B、Address Resolution Protocol (ARP)
C、Routing Information Protocol (RIP)
D、Transmission Control Protocol (TCP)
ANSWER: B
NOTE: Address Resolution Protocol (ARP) provides the dynamic mapping between an IP address and a hardware (MAC) address, and because ARP replies are unauthenticated, a forged mapping (ARP spoofing) redirects a host's traffic to the attacker; reviewing ARP tables and any static entries is therefore where such mappings are found. Simple Object Access Protocol (SOAP) is a platform-independent XML-based protocol that lets applications communicate over the Internet and has nothing to do with MAC addresses. Routing Information Protocol (RIP) specifies how routers exchange routing table information. Transmission Control Protocol (TCP) enables two hosts to establish a connection and exchange streams of data.
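What the review in question 250 looks like in practice, as an added example that is not part of the question bank: a host's neighbour table is compared against the documented mappings for the gateway and DNS server, and any MAC that answers for several addresses is flagged. The neighbour-table lines are constructed in the `ip neigh show` format, and the expected mappings are an assumption standing in for the network documentation or static ARP configuration an auditor would use.

```python
"""Added example: reviewing an ARP cache for unauthorized IP-to-MAC mappings.
The neighbour table and the expected mappings are constructed for the demo."""
import re
from collections import defaultdict

# Constructed sample output of `ip neigh show` on a Linux host.  The gateway
# (192.0.2.1) answers from the same MAC as 192.0.2.77, the classic sign of an
# ARP-spoofing host impersonating the default gateway.
NEIGH_TABLE = """\
192.0.2.1 dev eth0 lladdr de:ad:be:ef:00:77 REACHABLE
192.0.2.53 dev eth0 lladdr 00:11:22:33:44:53 STALE
192.0.2.77 dev eth0 lladdr de:ad:be:ef:00:77 REACHABLE
192.0.2.99 dev eth0 FAILED
"""

# Assumed authoritative mappings (from documentation or static ARP entries)
EXPECTED = {"192.0.2.1": "00:11:22:33:44:01", "192.0.2.53": "00:11:22:33:44:53"}

LINE_RE = re.compile(
    r"^(?P<ip>\S+) dev (?P<dev>\S+)(?: lladdr (?P<mac>[0-9A-Fa-f:]{17}))? (?P<state>\S+)$"
)


def parse_neigh(output):
    """Return (ip, mac) pairs for entries that resolved to a hardware address;
    FAILED/INCOMPLETE entries carry no MAC and are skipped."""
    entries = []
    for line in output.splitlines():
        m = LINE_RE.match(line)
        if m and m["mac"]:
            entries.append((m["ip"], m["mac"].lower()))
    return entries


def find_unauthorized(entries, expected):
    """Flag (a) mappings that contradict the documented ones and (b) any MAC
    claiming more than one IP, which needs an explanation (router, virtual IP)
    or is an impersonation."""
    findings = []
    by_mac = defaultdict(set)
    for ip, mac in entries:
        by_mac[mac].add(ip)
        if ip in expected and mac != expected[ip]:
            findings.append(("mismatch", ip, mac))
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            findings.append(("mac_claims_many_ips", mac, ",".join(sorted(ips))))
    return sorted(findings)


if __name__ == "__main__":
    for finding in find_unauthorized(parse_neigh(NEIGH_TABLE), EXPECTED):
        print(*finding)
```

The detective check above belongs on the host; the preventive control belongs on the switch, where features such as dynamic ARP inspection drop ARP replies that do not match the DHCP snooping binding table, and on critical hosts as static ARP entries for the gateway.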
251、Which of the following satisfies a two-factor user authentication?
A、Iris scanning plus fingerprint scanning
B、Terminal ID plus global positioning system (GPS)
C、A smart card requiring the user's PIN
D、User ID along with password
ANSWER: C
NOTE: A smart card is something the user has; it is generally used together with something the user knows, e.g., a keyboard password or personal identification number (PIN), which makes choice C two factors. Proving who the user is requires a biometric method such as a fingerprint, iris scan or voice verification; combining two biometrics (choice A) is still a single factor, because both prove only who the user is. A terminal ID and a global positioning system (GPS) receiver report where the user is, not who the user is. A user ID with a password (what the user knows) is single-factor authentication.
252、Which of the following is an attribute of the control self-assessment (CSA) approach?
A、Broad stakeholder involvement
B、Auditors are the primary control analysts
C、Limited employee participation
D、Policy driven
ANSWER: A
NOTE: The control self-assessment (CSA) approach emphasizes management's ownership of, and accountability for, developing and monitoring the controls over the organization's business processes. Its attributes include empowered employees, continuous improvement, and extensive employee participation and training, all of which amount to broad stakeholder involvement. Choices B, C and D are attributes of a traditional audit approach.
253、The BEST method for assessing the effectiveness of a business continuity plan is to review the:
A、plans and compare them to appropriate standards.
B、results from previous tests.
C、emergency procedures and employee training.
D、offsite storage and environmental controls.
ANSWER: B
NOTE: Previous test results provide evidence of how the business continuity plan actually performed. Comparison to standards gives some assurance that the plan addresses the critical aspects of business continuity but reveals nothing about its effectiveness. Reviewing emergency procedures, employee training, offsite storage and environmental controls gives insight into parts of the plan but falls short of assurance about its overall effectiveness.
254、Active radio frequency ID (RFID) tags are subject to which of the following exposures?
A、Session hijacking
B、Eavesdropping
C、Malicious code
D、Phishing
ANSWER: B
NOTE: Like other wireless devices, active RFID tags transmit over the air and are therefore subject to eavesdropping. By their nature they are not subject to session hijacking, malicious code or phishing.
255、Which of the following Internet security threats could compromise integrity?
A、Theft of data from the client
B、Exposure of network configuration information
C、A Trojan horse browser
D、Eavesdropping on the net
ANSWER: C
NOTE: Among Internet threats to integrity is a Trojan horse browser, which could modify user data, memory and messages handled by the client browser software. The other choices compromise confidentiality, not integrity.
256、Which of the following BEST describes the role of a directory server in a public key infrastructure (PKI)?
A、Encrypts the information transmitted over the network
B、Makes other users' certificates available to applications
C、Facilitates the implementation of a password policy
D、Stores certificate revocation lists (CRLs)
ANSWER: B
NOTE: A directory server makes other users' certificates available to applications. Encrypting the information transmitted over the network and storing certificate revocation lists (CRLs) are roles performed by a security server. Facilitating the implementation of a password policy is not relevant to public key infrastructure (PKI).
257、The MOST likely explanation for a successful social engineering attack is:
A、that computers make logic errors.
B、that people make judgment errors.
C、the computer knowledge of the attackers.
D、the technological sophistication of the attack method.
ANSWER: B
NOTE: Humans make errors in judging others; they may trust someone when, in fact, the person is untrustworthy. Driven by logic, computers make the same error every time they execute the erroneous logic; however, this is not the basic argument in designing a social engineering attack. Generally, social engineering attacks do not require technological expertise; often, the attacker is not proficient in information technology or systems. Social engineering attacks are human-based and generally do not involve complicated technology.
258、The PRIMARY advantage of a continuous audit approach is that it:
A、does not require an IS auditor to collect evidence on system reliability while processing is taking place.
B、requires the IS auditor to review and follow up immediately on all information collected.
C、can improve system security when used in time-sharing environments that process a large number of transactions.
D、does not depend on the complexity of an organization's computer systems.
ANSWER: C
NOTE: The use of continuous auditing techniques can improve system security when used in time-sharing environments that process a large number of transactions but leave a scarce paper trail. Choice A is incorrect since the continuous audit approach often does require an IS auditor to collect evidence on system reliability while processing is taking place. Choice B is incorrect since an IS auditor normally would review and follow up only on material deficiencies or errors detected. Choice D is incorrect since the use of continuous audit techniques depends on the complexity of an organization's computer systems.
259、Which of the following is the BEST information source for management to use as an aid in the identification of assets that are subject to laws and regulations?
A、Security incident summaries
B、Vendor best practices
C、CERT coordination center
D、Significant contracts
ANSWER: D
NOTE: Contractual requirements are one of the sources that should be consulted to identify the requirements for the management of information assets. Vendor best practices provide a basis for evaluating how competitive an enterprise is, while security incident summaries are a source for assessing the vulnerabilities associated with the IT infrastructure. The CERT coordination center is an information source for assessing vulnerabilities within the IT infrastructure, not for identifying which assets are subject to laws and regulations.
260、An IS auditor doing penetration testing during an audit of Internet connections would:
A、evaluate configurations.
B、examine security settings.
C、ensure virus-scanning software is in use.
D、use tools and techniques available to a hacker.
ANSWER: D
NOTE: Penetration testing is a technique used to mimic an experienced hacker attacking a live site by using tools and techniques available to a hacker. The other choices are procedures that an IS auditor would consider undertaking during an audit of Internet connections, but are not aspects of penetration testing techniques.
261、Which of the following is a benefit of using a callback device?
A、Provides an audit trail
B、Can be used in a switchboard environment
C、Permits unlimited user mobility
D、Allows call forwarding
ANSWER: A
NOTE: A callback feature hooks into the access control software and logs all authorized and unauthorized access attempts, permitting the follow-up and further review of potential breaches. Call forwarding (choice D) is a means of potentially bypassing callback control. By dialing through an authorized phone number from an unauthorized phone number, a perpetrator can gain computer access. This vulnerability can be controlled through callback systems that are available.
262、An IS auditor examining a biometric user authentication system establishes the existence of a control weakness that would allow an unauthorized individual to update the centralized database on the server that is used to store biometric templates. Of the following, which is the BEST control against this risk?
A、Kerberos
B、Vitality detection
C、Multimodal biometrics
D、Before-image/after-image logging
ANSWER: A
NOTE: Kerberos is a network authentication protocol for client-server applications that can be used to restrict access to the database to authorized users. Choices B and C are incorrect because vitality detection and multimodal biometrics are controls against spoofing and mimicry attacks. Before-image/after-image logging of database transactions is a detective control, as opposed to Kerberos, which is a preventive control.
263、Which of the following systems or tools can recognize that a credit card transaction is more likely to have resulted from a stolen credit card than from the holder of the credit card?
A、Intrusion detection systems
B、Data mining techniques
C、Firewalls
D、Packet filtering routers
ANSWER: B
NOTE: Data mining is a technique used to detect trends or patterns of transactions or data. If the historical pattern of charges against a credit card account changes, that is a flag that the transaction may have resulted from a fraudulent use of the card.
264、While conducting an audit, an IS auditor detects the presence of a virus. What should be the IS auditor's next step?
A、Observe the response mechanism.
B、Clear the virus from the network.
C、Inform appropriate personnel immediately.
D、Ensure deletion of the virus.
ANSWER: C
NOTE: The first thing an IS auditor should do after detecting the virus is to alert the organization to its presence, then wait for their response. Choice A should be taken after choice C. This will enable an IS auditor to examine the actual workability and effectiveness of the response system. An IS auditor should not make changes to the system being audited, and ensuring the deletion of the virus is a management responsibility.
265、Which of the following is the BEST way to handle obsolete magnetic tapes before disposing of them?
A、Overwriting the tapes
B、Initializing the tape labels
C、Degaussing the tapes
D、Erasing the tapes
ANSWER: C
NOTE: The best way to handle obsolete magnetic tapes is to degauss them. This action leaves a very low residue of magnetic induction, essentially erasing the data from the tapes. Overwriting or erasing the tapes may cause magnetic errors but would not remove the data completely. Initializing the tape labels would not remove the data that follows the label.
266、An organization has contracted with a vendor for a turnkey solution for their electronic toll collection system (ETCS). The vendor has provided its proprietary application software as part of the solution. The contract should require that:
A、a backup server be available to run ETCS operations with up-to-date data.
B、a backup server be loaded with all the relevant software and data.
C、the systems staff of the organization be trained to handle any event.
D、source code of the ETCS application be placed in escrow.
ANSWER: D
NOTE: Whenever proprietary application software is purchased, the contract should provide for a source code agreement. This will ensure that the purchasing company will have the opportunity to modify the software should the vendor cease to be in business. Having a backup server with current data and staff training is critical but not as critical as ensuring the availability of the source code.
267、During an audit of an enterprise that is dedicated to e-commerce, the IS manager states that digital signatures are used when receiving communications from customers. To substantiate this, an IS auditor must prove that which of the following is used?
A、A biometric, digitalized and encrypted parameter with the customer's public key
B、A hash of the data that is transmitted and encrypted with the customer's private key
C、A hash of the data that is transmitted and encrypted with the customer's public key
D、The customer's scanned signature encrypted with the customer's public key
ANSWER: B
NOTE: A digital signature is produced by calculating a hash, or digest, of the data to be transmitted and encrypting that hash with the private key of the originator, here the customer. The receiving enterprise performs the same hash calculation over the data it received, decrypts the received hash with the customer's public key, and compares the two values. If they are the same, the data arrived with integrity and the origin is authenticated. Encrypting the hash with the originator's private key also provides nonrepudiation: in a key pair, anything that can be decrypted with a sender's public key must have been encrypted with that sender's private key, which nobody else holds, so the sender cannot deny having signed. Choice C is incorrect because a hash encrypted with the customer's public key could only be decrypted by the customer, not by the enterprise, so neither origin nor integrity could be verified and the benefit of nonrepudiation would be lost; moreover, anyone holding the public key could produce such a value. A digital signature is always created with the signer's own private key; otherwise everyone would be able to create a signature with any public key. Choices A and D do not describe digital signatures at all. Choice B is the correct answer because the customer uses their private key to sign the hash of the data, and the enterprise can verify the signature with the customer's public key.
268、Which of the following is a function of an IS steering committee?
A、Monitoring vendor-controlled change control and testing
B、Ensuring a separation of duties within the information's processing environment
C、Approving and monitoring major projects, the status of IS plans and budgets
D、Liaising between the IS department and the end users
ANSWER: C
NOTE: The IS steering committee typically serves as a general review board for major IS projects and should not become involved in routine operations; therefore, one of its functions is to approve and monitor major projects, the status of IS plans and budgets. Vendor change control is an outsourcing issue and should be monitored by IS management. Ensuring a separation of duties within the information's processing environment is an IS management responsibility. Liaising between the IS department and the end users is a function of the individual parties and not a committee.
269、During the review of a biometrics system operation, an IS auditor should FIRST review the stage of:
A、enrollment.
B、identification.
C、verification.
D、storage.
ANSWER: A
NOTE: The users of a biometrics device must first be enrolled in the device. The device captures a physical or behavioral image of the human, identifies the unique features and uses an algorithm to convert them into a string of numbers stored as a template to be used in the matching processes.
270、An IS auditor noted that an organization had adequate business continuity plans (BCPs) for each individual process, but no comprehensive BCP. Which would be the BEST course of action for the IS auditor?
A、Recommend that an additional comprehensive BCP be developed.
B、Determine whether the BCPs are consistent.
C、Accept the BCPs as written.
D、Recommend the creation of a single BCP.
ANSWER: B
NOTE: Depending on the complexity of the organization, there could be more than one plan to address various aspects of business continuity and disaster recovery. These do not necessarily have to be integrated into one single plan; however, each plan should be consistent with other plans to have a viable business continuity planning strategy.
271、When identifying an earlier project completion time, which is to be obtained by paying a premium for early completion, the activities that should be selected are those:
A、whose sum of activity time is the shortest.
B、that have zero slack time.
C、that give the longest possible completion time.
D、whose sum of slack time is the shortest.
ANSWER: B
NOTE: A critical path's activity time is longer than that for any other path through the network. This path is important because, if everything goes as scheduled, its length gives the shortest possible completion time for the overall project. Activities on the critical path become candidates for crashing, i.e., for reduction in their time by payment of a premium for early completion. Activities on the critical path have zero slack time and, conversely, activities with zero slack time are on a critical path. By successively relaxing activities on a critical path, a curve showing total project costs vs. time can be obtained.
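The forward/backward pass that produces slack and the critical path, as an added worked example (not from the original question bank) of why zero-slack activities are the crashing candidates. The six-activity network, its durations and the function names are constructed for this example.

```python
"""Critical path, slack and crashing for a small activity network (question 271)."""

# Constructed sample network: activity -> (duration, predecessors)
NETWORK = {
    "A": (3, []),
    "B": (4, ["A"]),
    "C": (2, ["A"]),
    "D": (5, ["B"]),
    "E": (1, ["C"]),
    "F": (2, ["D", "E"]),
}


def _topological_order(network):
    """Activities ordered so that every predecessor comes first (depth-first)."""
    order, seen = [], set()

    def visit(act):
        if act in seen:
            return
        seen.add(act)
        for pred in network[act][1]:
            visit(pred)
        order.append(act)

    for act in network:
        visit(act)
    return order


def schedule(network):
    """Forward pass (earliest start/finish), backward pass (latest start/finish),
    slack = LS - ES. Returns ({activity: times}, project_length)."""
    order = _topological_order(network)
    es, ef = {}, {}
    for act in order:
        dur, preds = network[act]
        es[act] = max((ef[p] for p in preds), default=0)
        ef[act] = es[act] + dur
    project_length = max(ef.values())

    successors = {a: [] for a in network}
    for act, (_, preds) in network.items():
        for p in preds:
            successors[p].append(act)

    ls, lf = {}, {}
    for act in reversed(order):
        dur = network[act][0]
        lf[act] = min((ls[s] for s in successors[act]), default=project_length)
        ls[act] = lf[act] - dur

    result = {
        a: {"ES": es[a], "EF": ef[a], "LS": ls[a], "LF": lf[a], "slack": ls[a] - es[a]}
        for a in network
    }
    return result, project_length


def critical_path(network):
    """Zero-slack activities in schedule order; this is the longest path."""
    result, _ = schedule(network)
    return [a for a in _topological_order(network) if result[a]["slack"] == 0]


def crash(network, activity, reduce_by):
    """Copy of the network with one activity shortened (the premium paid for early
    completion). Shortening a non-critical activity leaves the project length unchanged."""
    dur, preds = network[activity]
    new = dict(network)
    new[activity] = (max(1, dur - reduce_by), list(preds))
    return new


if __name__ == "__main__":
    times, length = schedule(NETWORK)
    for act, t in times.items():
        print(act, t)
    print("project length:", length, "critical path:", critical_path(NETWORK))
    print("crash D by 2 ->", schedule(crash(NETWORK, "D", 2))[1])
    print("crash C by 1 ->", schedule(crash(NETWORK, "C", 1))[1])
```

In the sample network A-B-D-F has zero slack and the project takes 14 units; crashing D (critical) by 2 brings it to 12, while crashing C (slack 6) by any amount changes nothing, which is the point of choice B.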
272、An organization has just completed their annual risk assessment. Regarding the business continuity plan, what should an IS auditor recommend as the next step for the organization?
A、Review and evaluate the business continuity plan for adequacy
B、Perform a full simulation of the business continuity plan
C、Train and educate employees regarding the business continuity plan
D、Notify critical contacts in the business continuity plan
ANSWER: A
NOTE: The business continuity plan should be reviewed every time a risk assessment is completed for the organization. Training of the employees and a simulation should be performed after the business continuity plan has been deemed adequate for the organization. There is no reason to notify the business continuity plan contacts at this time.
273、Which of the following should be of PRIMARY concern to an IS auditor reviewing the management of external IT service providers?
A、Minimizing costs for the services provided
B、Prohibiting the provider from subcontracting services
C、Evaluating the process for transferring knowledge to the IT department
D、Determining if the services were provided as contracted
ANSWER: D
NOTE: From an IS auditor's perspective, the primary objective of auditing the management of service providers should be to determine if the services that were requested were provided in a way that is acceptable, seamless and in line with contractual agreements. Minimizing costs, if applicable and achievable (depending on the customer's need), is traditionally not part of an IS auditor's job. This would normally be done by a line management function within the IT department. Furthermore, during an audit, it is too late to minimize the costs for existing provider arrangements. Subcontracting providers could be a concern, but it would not be the primary concern. Transferring knowledge to the internal IT department might be desirable under certain circumstances, but should not be the primary concern of an IS auditor when auditing IT service providers and the management thereof.
274、An IS auditor reviewing an organization's IS disaster recovery plan should verify that it is:
A、tested every six months.
B、regularly reviewed and updated.
C、approved by the chief executive officer (CEO).
D、communicated to every department head in the organization.
ANSWER: B
NOTE: The plan should be reviewed at appropriate intervals, depending upon the nature of the business and the rate of change of systems and personnel. Otherwise, it may become out of date and may no longer be effective. The plan must be subjected to regular testing, but the period between tests will again depend on the nature of the organization and the relative importance of IS. Three months or even annually may be appropriate in different circumstances. Although the disaster recovery plan should receive the approval of senior management, it need not be the CEO if another executive officer is equally or more appropriate. For a purely IS-related plan, the executive responsible for technology may have approved the plan. Similarly, although a business continuity plan is likely to be circulated throughout an organization, the IS disaster recovery plan will usually be a technical document and only relevant to IS and communications staff.
275、Which of the following is the most important element in the design of a data warehouse?
A、Quality of the metadata
B、Speed of the transactions
C、Volatility of the data
D、Vulnerability of the system
ANSWER: A
NOTE: Quality of the metadata is the most important element in the design of a data warehouse. A data warehouse is a copy of transaction data specifically structured for query and analysis. Metadata aim to provide a table of contents to the information stored in the data warehouse. Companies that have built warehouses believe that metadata are the most important component of the warehouse.
276、Which of the following insurance types provides for a loss arising from fraudulent acts by employees?
A、Business interruption
B、Fidelity coverage
C、Errors and omissions
D、Extra expense
ANSWER: B
NOTE: Fidelity insurance covers the loss arising from dishonest or fraudulent acts by employees. Business interruption insurance covers the loss of profit due to the disruption in the operations of an organization. Errors and omissions insurance provides legal liability protection in the event that the professional practitioner commits an act that results in financial loss to a client. Extra expense insurance is designed to cover the extra costs of continuing operations following a disaster/disruption within an organization.
277、Inadequate programming and coding practices introduce the risk of:
A、phishing.
B、buffer overflow exploitation.
C、SYN flood.
D、brute force attacks.
ANSWER: B
NOTE: Buffer overflow exploitation may occur when programs do not check the length of the data that are input into a program. An attacker can send data that exceed the length of a buffer and overwrite part of the program with malicious code. The countermeasure is proper programming and good coding practices. Phishing, SYN flood and brute force attacks happen independently of programming and coding practices.
278、Which of the following environmental controls is appropriate to protect computer equipment against short-term reductions in electrical power?
A、Power line conditioners
B、Surge protective devices
C、Alternative power supplies
D、Interruptible power supplies
ANSWER: A
NOTE: Power line conditioners are used to compensate for peaks and valleys in the power supply and reduce peaks in the power flow to what is needed by the machine. Any valleys are removed by power stored in the equipment. Surge protection devices protect against high-voltage bursts. Alternative power supplies are intended for computer equipment running for longer periods and are normally coupled with other devices such as an uninterruptible power supply (UPS) to compensate for the power loss until the alternate power supply becomes available. An interruptible power supply would cause the equipment to come down whenever there was a power failure.
279、An IS auditor reviewing the risk assessment process of an organization should FIRST:
A、identify the reasonable threats to the information assets.
B、analyze the technical and organizational vulnerabilities.
C、identify and rank the information assets.
D、evaluate the effect of a potential security breach.
ANSWER: C
NOTE: Identification and ranking of information assets (i.e., data criticality, locations of assets) will set the tone or scope of how to assess risk in relation to the organizational value of the asset. Second, the threats facing each of the organization's assets should be analyzed according to their value to the organization. Third, weaknesses should be identified so that controls can be evaluated to determine if they mitigate the weaknesses. Fourth, analyze how these weaknesses, in the absence of given controls, would impact the organization's information assets.
280、The cost of ongoing operations when a disaster recovery plan is in place, compared to not having a disaster recovery plan, will MOST likely:
A、increase.
B、decrease.
C、remain the same.
D、be unpredictable.
ANSWER: A
NOTE: Due to the additional cost of disaster recovery planning (DRP) measures, the cost of normal operations for any organization will always increase after a DRP implementation, i.e., the cost of normal operations during a nondisaster period will be more than the cost of operations during a nondisaster period when no disaster recovery plan was in place.
281、A certificate authority (CA) can delegate the processes of:
A、revocation and suspension of a subscriber's certificate.
B、generation and distribution of the CA public key.
C、establishing a link between the requesting entity and its public key.
D、issuing and distributing subscriber certificates.
ANSWER: C
NOTE: Establishing a link between the requesting entity and its public key is a function of a registration authority. This may or may not be performed by a CA; therefore, this function can be delegated. Revocation and suspension and issuance and distribution of the subscriber certificate are functions of the subscriber certificate life cycle management, which the CA must perform. Generation and distribution of the CA public key is a part of the CA key life cycle management process and, as such, cannot be delegated.
282、While designing the business continuity plan (BCP) for an airline reservation system, the MOST appropriate method of data transfer/backup at an offsite location would be:
A、shadow file processing.
B、electronic vaulting.
C、hard-disk mirroring.
D、hot-site provisioning.
ANSWER: A
NOTE: In shadow file processing, exact duplicates of the files are maintained at the same site or at a remote site. The two files are processed concurrently. This is used for critical data files, such as airline booking systems. Electronic vaulting electronically transmits data either to direct access storage, an optical disc or another storage medium; this is a method used by banks. Hard-disk mirroring provides redundancy in case the primary hard disk fails. All transactions and operations occur on two hard disks in the same server. A hot site is an alternate site ready to take over business operations within a few hours of any business interruption and is not a method for backing up data.
283、Which of the following intrusion detection systems (IDSs) will MOST likely generate false alarms resulting from normal network activity?
A、Statistical-based
B、Signature-based
C、Neural network
D、Host-based
ANSWER: A
NOTE: A statistical-based IDS relies on a definition of known and expected behavior of systems. Since normal network activity may at times include unexpected behavior (e.g., a sudden massive download by multiple users), these activities will be flagged as suspicious. A signature-based IDS is limited to its predefined set of detection rules, just like a virus scanner. A neural network combines the previous two IDSs to create a hybrid and better system. Host-based is another classification of IDS. Any of the three IDSs above may be host- or network-based.
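A statistical detector and a signature detector run side by side over a constructed event stream, as an added example that is not part of the original question bank. It shows both halves of the note above: the statistical detector raises an alarm on a legitimate but unusually large download (the false positive of question 283) and stays silent on a normal-sized request carrying a known attack string, which only the signature detector catches. The same per-key baseline is what a data-mining fraud screen (question 263) applies to a cardholder's charge history, so the key may equally be a card number and the metric a charge amount. The events, thresholds, signature strings and class names are all assumptions of this example.

```python
"""Statistical versus signature-based detection on constructed events (questions 283 and 263)."""
import statistics

# Constructed sample: (key, metric, payload). key = user (network IDS) or card
# number (fraud screen); metric = bytes per minute or charge amount; payload is
# what a signature rule inspects.
BASELINE = [("alice", v, "GET /index.html") for v in (120, 130, 110, 125, 118, 132, 121)]
LIVE = [
    ("alice", 125, "GET /report.pdf"),                 # normal
    ("alice", 9000, "GET /updates/patch-2024.bin"),    # legitimate but unusual burst
    ("alice", 140, "GET /cgi-bin/../../etc/passwd"),   # known attack pattern, normal size
]
SIGNATURES = ["../", "etc/passwd", "' OR 1=1"]


class StatisticalDetector:
    """Flags a metric that departs from the per-key baseline by more than z_max
    standard deviations. It knows nothing about what the traffic contains."""

    def __init__(self, history, z_max=3.0):
        self.z_max = z_max
        self.stats = {}
        for key in {k for k, _, _ in history}:
            values = [v for k, v, _ in history if k == key]
            # pstdev of a flat baseline is 0; use 1.0 so division stays defined
            self.stats[key] = (statistics.mean(values), statistics.pstdev(values) or 1.0)

    def check(self, event):
        key, value, _ = event
        if key not in self.stats:
            return False  # no baseline yet: a real IDS would first learn the key
        mean, sd = self.stats[key]
        return abs(value - mean) / sd > self.z_max


class SignatureDetector:
    """Flags payloads containing a known attack fragment; blind to anything not listed."""

    def __init__(self, signatures):
        self.signatures = signatures

    def check(self, event):
        _, _, payload = event
        return any(sig in payload for sig in self.signatures)


def run(history=BASELINE, live=LIVE, signatures=SIGNATURES):
    """Return (payload, statistical_alert, signature_alert) for each live event."""
    stat, sig = StatisticalDetector(history), SignatureDetector(signatures)
    return [(e[2], stat.check(e), sig.check(e)) for e in live]


if __name__ == "__main__":
    for payload, s, g in run():
        print(f"{payload:40} statistical={s!s:5} signature={g}")
```

The baseline mean is about 122 bytes with a standard deviation of about 7, so the 9000-byte patch download is tens of deviations out and is flagged although nothing malicious happened, while the 140-byte path-traversal request sits well inside three deviations and passes the statistical check.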
284、A long-term IS employee with a strong technical background and broad managerial experience has applied for a vacant position in the IS audit department. Determining whether to hire this individual for this position should be based on the individual's experience and:
A、length of service, since this will help ensure technical competence.
B、age, as training in audit techniques may be impractical.
C、IS knowledge, since this will bring enhanced credibility to the audit function.
D、ability, as an IS auditor, to be independent of existing IS relationships.
ANSWER: D
NOTE: Independence should be continually assessed by the auditor and management. This assessment should consider such factors as changes in personal relationships, financial interests, and prior job assignments and responsibilities. The fact that the employee has worked in IS for many years may not in itself ensure credibility. The audit department's needs should be defined and any candidate should be evaluated against those requirements. The length of service will not ensure technical competency. Evaluating an individual's qualifications based on the age of the individual is not a good criterion and is illegal in many parts of the world.
285、If inadequate, which of the following would be the MOST likely contributor to a denial-of-service attack?
A、Router configuration and rules
B、Design of the internal network
C、Updates to the router system software
D、Audit testing and review techniques
ANSWER: A
NOTE: Inadequate router configuration and rules would lead to an exposure to denial-of-service attacks. Choices B and C would be lesser contributors. Choice D is incorrect because audit testing and review techniques are applied after the fact.
286、An IS auditor examining the configuration of an operating system to verify the controls should review the:
A、transaction logs.
B、authorization tables.
C、parameter settings.
D、routing tables.
ANSWER: C
NOTE: Parameters allow a standard piece of software to be customized for diverse environments and are important in determining how a system runs. The parameter settings should be appropriate to an organization's workload and control environment. Improper implementation and/or monitoring of operating systems can result in undetected errors and corruption of the data being processed, as well as lead to unauthorized access and inaccurate logging of system usage. Transaction logs are used to analyze transactions in master and/or transaction files. Authorization tables are used to verify implementation of logical access controls and will not be of much help when reviewing control features of an operating system. Routing tables do not contain information about the operating system and, therefore, provide no information to aid in the evaluation of controls.
287、An organization is using an enterprise resource management (ERP) application. Which of the following would be an effective access control?
A、User-level permissions
B、Role-based
C、Fine-grained
D、Discretionary
ANSWER: B
NOTE: Role-based access control governs system access by defining roles for a group of users. Users are assigned to the various roles and access is granted based on the user's role. User-level permissions for an ERP system would create a larger administrative overhead. Fine-grained access control is very difficult to implement and maintain in the context of a large enterprise. Discretionary access control may be configured or modified by the users or data owners, and therefore may create inconsistencies in access control management.
288、Documentation of a business case used in an IT development project should be retained until:
A、the end of the system's life cycle.
B、the project is approved.
C、user acceptance of the system.
D、the system is in production.
ANSWER: A
NOTE: A business case can and should be used throughout the life cycle of the product. It serves as an anchor for new (management) personnel, helps to maintain focus and provides valuable information on estimates vs. actuals. Questions like "why do we do that," "what was the original intent" and "how did we perform against the plan" can be answered, and lessons for developing future business cases can be learned. During the development phase of a project one should always validate the business case, as it is a good management instrument. After finishing a project and entering production, the business case and all the completed research are valuable sources of information that should be kept for further reference.
289、The sender of a public key would be authenticated by a:
A、certificate authority.
B、digital signature.
C、digital certificate.
D、registration authority.
ANSWER: C
NOTE: A digital certificate is an electronic document that declares that a public key holder is who the holder claims to be. Certificates do handle data authentication, as they are used to determine who sent a particular message. A certificate authority issues the digital certificates and distributes, generates and manages public keys. A digital signature is used to ensure the integrity of the message being sent and to solve the nonrepudiation issue of message origination. The registration authority would perform most of the administrative tasks of a certificate authority, e.g., registration of the users of a digital signature plus authenticating the information that is put in the digital certificate.
290、Which of the following is the MOST reliable form of single factor personal identification?
A、Smart card
B、Password
C、Photo identification
D、Iris scan
ANSWER: D
NOTE: Since no two irises are alike, identification and verification can be done with confidence. There is no guarantee that a smart card is being used by the correct person since it can be shared, stolen or lost and found. Passwords can be shared and, if written down, carry the risk of discovery. Photo IDs can be forged or falsified.
291、Which of the following public key infrastructure (PKI) elements provides detailed descriptions for dealing with a compromised private key?
A、Certificate revocation list (CRL)
B、Certification practice statement (CPS)
C、Certificate policy (CP)
D、PKI disclosure statement (PDS)
ANSWER: B
NOTE: The CPS is the how-to part in policy-based PKI. The CRL is a list of certificates that have been revoked before their scheduled expiration date. The CP sets the requirements that are subsequently implemented by the CPS. The PDS covers critical items, such as the warranties, limitations and obligations that legally bind each party.
292、A business application system accesses a corporate database using a single ID and password embedded in a program. Which of the following would provide efficient access control over the organization's data?
A、Introduce a secondary authentication method such as card swipe
B、Apply role-based permissions within the application system
C、Have users input the ID and password for each database transaction
D、Set an expiration period for the database password embedded in the program
ANSWER: B
NOTE: When a single ID and password are embedded in a program, the best compensating control would be a sound access control over the application layer and procedures to ensure access to data is granted based on a user's role. The issue is user permissions, not authentication; therefore, adding a stronger authentication does not improve the situation. Having a user input the ID and password for access would provide a better control because a database log would identify the initiator of the activity. However, this may not be efficient because each transaction would require a separate authentication process. It is a good practice to set an expiration date for a password. However, this might not be practical for an ID automatically logged in from the program. Often, this type of password is set not to expire.
293、Depending on the complexity of an organization's business continuity plan (BCP), the plan may be developed as a set of more than one plan to address various aspects of business continuity and disaster recovery. In such an environment, it is essential that:
A、each plan is consistent with one another.
B、all plans are integrated into a single plan.
C、each plan is dependent on one another.
D、the sequence for implementation of all plans is defined.
ANSWER: A
NOTE: Depending on the complexity of an organization, there could be more than one plan to address various aspects of business continuity and disaster recovery. These do not necessarily have to be integrated into one single plan. However, each plan has to be consistent with other plans to have a viable business continuity planning strategy. It may not be possible to define a sequence in which plans have to be implemented, as it may be dependent on the nature of disaster, criticality, recovery time, etc.
294、Which of the following should be the MOST important consideration when deciding areas of priority for IT governance implementation?
A、Process maturity
B、Performance indicators
C、Business risk
D、Assurance reports
ANSWER: C
NOTE: Priority should be given to those areas which represent a known risk to the enterprise's operations. The level of process maturity, process performance and audit reports will feed into the decision making process. Those areas that represent real risk to the business should be given priority.
295、Which of the following ensures confidentiality of information sent over the Internet?
A、Digital signature
B、Digital certificate
C、Online Certificate Status Protocol
D、Private key cryptosystem
ANSWER: D
NOTE: Confidentiality is assured by a private key cryptosystem. Digital signatures assure data integrity, authentication and nonrepudiation, but not confidentiality. A digital certificate is a certificate that uses a digital signature to bind together a public key with an identity; therefore, it does not address confidentiality. Online Certificate Status Protocol (OCSP) is an Internet protocol used for obtaining the revocation status of a digital certificate.
296、Which of the following is a practice that should be incorporated into the plan for testing disaster recovery procedures?
A、Invite client participation.
B、Involve all technical staff.
C、Rotate recovery managers.
D、Install locally-stored backup.
ANSWER: C
NOTE: Recovery managers should be rotated to ensure the experience of the recovery plan is spread among the managers. Clients may be involved but not necessarily in every case. Not all technical staff should be involved in each test. Remote or offsite backup should always be used.
297、An advantage of the use of hot sites as a backup alternative is that:
A、the costs associated with hot sites are low.
B、hot sites can be used for an extended amount of time.
C、hot sites can be made ready for operation within a short period of time.
D、they do not require that equipment and systems software be compatible with the primary site.
ANSWER: C
NOTE: Hot sites can be made ready for operation normally within hours. However, the use of hot sites is expensive, should not be considered as a long-term solution, and requires that equipment and systems software be compatible with the primary installation being backed up.
298、An IS auditor has been asked to participate in project initiation meetings for a critical project. The IS auditor's MAIN concern should be that the:
A、complexity and risks associated with the project have been analyzed.
B、resources needed throughout the project have been determined.
C、project deliverables have been identified.
D、a contract for external parties involved in the project has been completed.
ANSWER: A
NOTE: Understanding complexity and risk, and actively managing these throughout a project, are critical to a successful outcome. The other choices, while important during the course of the project, cannot be fully determined at the time the project is initiated, and are often contingent upon the risk and complexity of the project.
299、Which of the following functions is performed by a virtual private network (VPN)?
A、Hiding information from sniffers on the net
B、Enforcing security policies
C、Detecting misuse or mistakes
D、Regulating access
ANSWER: A
NOTE: A VPN hides information from sniffers on the net using encryption. It works based on tunneling. A VPN does not analyze information packets and, therefore, cannot enforce security policies. It also does not check the content of packets, so it cannot detect misuse or mistakes. A VPN also does not perform an authentication function and, therefore, cannot regulate access.
300、Which of the following goals would you expect to find in an organization's strategic plan?
A、Test a new accounting package.
B、Perform an evaluation of information technology needs.
C、Implement a new project planning system within the next 12 months.
D、Become the supplier of choice for the product offered.
ANSWER: D
NOTE: Strategic planning sets corporate or departmental objectives into motion. Comprehensive planning helps ensure an effective and efficient organization. Strategic planning is time- and project-oriented, but also must address and help determine priorities to meet business needs. Long- and short-range plans should be consistent with the organization's broader plans for attaining their goals. Choice D represents a business objective that is intended to focus the overall direction of the business and would thus be a part of the organization's strategic plan. The other choices are project-oriented and do not address business objectives.
301、Which of the following is the MOST reliable sender authentication method?
A、Digital signatures
B、Asymmetric cryptography
C、Digital certificates
D、Message authentication code
ANSWER: C
NOTE: Digital certificates are issued by a trusted third party. The message sender attaches the certificate and the recipient can verify authenticity with the certificate repository. Asymmetric cryptography, such as public key infrastructure (PKI), appears to authenticate the sender but is vulnerable to a man-in-the-middle attack. Digital signatures are used for both authentication and confidentiality, but the identity of the sender would still be confirmed by the digital certificate. Message authentication code is used for message integrity verification.
302、An organization is using symmetric encryption. Which of the following would be a valid reason for moving to asymmetric encryption? Symmetric encryption:
A、provides authenticity.
B、is faster than asymmetric encryption.
C、can cause key management to be difficult.
D、requires a relatively simple algorithm.
ANSWER: C
NOTE: In a symmetric algorithm, each pair of users needs a unique pair of keys, so the number of keys grows and key management can become overwhelming. Symmetric algorithms do not provide authenticity, and symmetric encryption is faster than asymmetric encryption. Symmetric algorithms require mathematical calculations, but they are not as complex as asymmetric algorithms.
303、When reviewing IS strategies, an IS auditor can BEST assess whether IS strategy supports the organization's business objectives by determining if IS:
A、has all the personnel and equipment it needs.
B、plans are consistent with management strategy.
C、uses its equipment and personnel efficiently and effectively.
D、has sufficient excess capacity to respond to changing directions.
ANSWER: B
NOTE: Determining if the IS plan is consistent with management strategy relates IS/IT planning to business plans. Choices A, C and D are effective methods for determining the alignment of IS plans with business objectives and the organization's strategies.
304、When developing a risk-based audit strategy, an IS auditor should conduct a risk assessment to ensure that:
A、controls needed to mitigate risks are in place.
B、vulnerabilities and threats are identified.
C、audit risks are considered.
D、a gap analysis is appropriate.
ANSWER: B
NOTE: In developing a risk-based audit strategy, it is critical that the risks and vulnerabilities be understood. This will determine the areas to be audited and the extent of coverage. Understanding whether appropriate controls required to mitigate risks are in place is a resultant effect of an audit. Audit risks are inherent aspects of auditing, are directly related to the audit process and are not relevant to the risk analysis of the environment to be audited. A gap analysis would normally be done to compare the actual state to an expected or desirable state.
305、An IS auditor finds that a system under development has 12 linked modules and each item of data can carry up to 10 definable attribute fields. The system handles several million transactions a year. Which of these techniques could an IS auditor use to estimate the size of the development effort?
A、Program evaluation review technique (PERT)
B、Counting source lines of code (SLOC)
C、Function point analysis
D、White box testing
ANSWER: C
NOTE: Function point analysis is an indirect method of measuring the size of an application by considering the number and complexity of its inputs, outputs and files. It is useful for evaluating complex applications. PERT is a project management technique that helps with both planning and control. SLOC gives a direct measure of program size, but does not allow for the complexity that may be caused by having multiple, linked modules and a variety of inputs and outputs. White box testing involves a detailed review of the behavior of program code, and is a quality assurance technique suited to simpler applications during the design and build stage of development.
306、Which of the following would MOST effectively control the usage of universal serial bus (USB) storage devices?
A、Policies that require instant dismissal if such devices are found
B、Software for tracking and managing USB storage devices
C、Administratively disabling the USB port
D、Searching personnel for USB storage devices at the facility's entrance
ANSWER: B
NOTE: Software for centralized tracking and monitoring would allow a USB usage policy to be applied to each user based on changing business requirements, and would provide for monitoring and reporting exceptions to management. A policy requiring dismissal may result in increased employee attrition and business requirements would not be properly addressed. Disabling ports would be complex to manage and might not allow for new business needs. Searching of personnel for USB storage devices at the entrance to a facility is not a practical solution since these devices are small and could be easily hidden.
307、Failure in which of the following testing stages would have the GREATEST impact on the implementation of new application software?
A、System testing
B、Acceptance testing
C、Integration testing
D、Unit testing
ANSWER: B
NOTE: Acceptance testing is the final stage before the software is installed and is available for use. The greatest impact would occur if the software fails at the acceptance testing level, as this could result in delays and cost overruns. System testing is undertaken by the developer team to determine if the software meets user requirements per specifications. Integration testing examines the units/modules as one integrated system and unit testing examines the individual units or components of the software. System, integration and unit testing are all performed by the developers at various stages of development; the impact of failure is comparatively less for each than failure at the acceptance testing stage.
308、Which of the following should an IS auditor review to gain an understanding of the effectiveness of controls over the management of multiple projects?
A、Project database
B、Policy documents
C、Project portfolio database
D、Program organization
ANSWER: C
NOTE: A project portfolio database is the basis for project portfolio management. It includes project data, such as owner, schedules, objectives, project type, status and cost. Project portfolio management requires specific project portfolio reports. A project database may contain the above for one specific project and updates to various parameters pertaining to the current status of that single project. Policy documents on project management set direction for the design, development, implementation and monitoring of the project. Program organization is the team required (steering committee, quality assurance, systems personnel, analyst, programmer, hardware support, etc.) to meet the delivery objective of the project.
309、What method might an IS auditor utilize to test wireless security at branch office locations?
A、War dialing
B、Social engineering
C、War driving
D、Password cracking
ANSWER: C
NOTE: War driving is a technique for locating and gaining access to wireless networks by driving or walking with a wireless equipped computer around a building. War dialing is a technique for gaining access to a computer or a network through the dialing of defined blocks of telephone numbers, with the hope of getting an answer from a modem. Social engineering is a technique used to gather information that can assist an attacker in gaining logical or physical access to data or resources. Social engineering exploits human weaknesses. Password crackers are tools used to guess users' passwords by trying combinations and dictionary words.
310、The advantage of a bottom-up approach to the development of organizational policies is that the policies:
A、are developed for the organization as a whole.
B、are more likely to be derived as a result of a risk assessment.
C、will not conflict with overall corporate policy.
D、ensure consistency across the organization.
ANSWER: B
NOTE: A bottom-up approach begins by defining operational-level requirements and policies, which are derived and implemented as the result of risk assessments. Enterprise-level policies are subsequently developed based on a synthesis of existing operational policies. Choices A, C and D are advantages of a top-down approach for developing organizational policies. This approach ensures that the policies will not be in conflict with overall corporate policy and ensure consistency across the organization.
311、The risks associated with electronic evidence gathering would MOST likely be reduced by an e-mail:
A、destruction policy.
B、security policy.
C、archive policy.
D、audit policy.
ANSWER: C
NOTE: With a policy of well-archived e-mail records, access to or retrieval of specific e-mail records is possible without disclosing other confidential e-mail records. Security and/or audit policies would not address the efficiency of record retrieval, and destroying e-mails may be an illegal act.
312、Which of the following would be the BEST population to take a sample from when testing program changes?
A、Test library listings
B、Source program listings
C、Program change requests
D、Production library listings
ANSWER: D
NOTE: The best source from which to draw any sample or test of system information is the automated system. The production libraries represent executables that are approved and authorized to process organizational data. Source program listings would be time intensive. Program change requests are the documents used to initiate change; there is no guarantee that the request has been completed for all changes. Test library listings do not represent the approved and authorized executables.
313、An IS auditor is assigned to perform a postimplementation review of an application system. Which of the following situations may have impaired the independence of the IS auditor? The IS auditor:
A、implemented a specific control during the development of the application system.
B、designed an embedded audit module exclusively for auditing the application system.
C、participated as a member of the application system project team, but did not have operational responsibilities.
D、provided consulting advice concerning application system best practices.
ANSWER: A
NOTE: Independence may be impaired if an IS auditor is, or has been, actively involved in the development, acquisition and implementation of the application system. Choices B and C are situations that do not impair an IS auditor's independence. Choice D is incorrect because an IS auditor's independence is not impaired by providing advice on known best practices.
314、During the planning stage of an IS audit, the PRIMARY goal of an IS auditor is to:
A、address audit objectives.
B、collect sufficient evidence.
C、specify appropriate tests.
D、minimize audit resources.
ANSWER: A
NOTE: ISACA auditing standards require that an IS auditor plan the audit work to address the audit objectives. Choice B is incorrect because the auditor does not collect evidence in the planning stage of an audit. Choices C and D are incorrect because they are not the primary goals of audit planning. The activities described in choices B, C and D are all undertaken to address audit objectives and are thus secondary to choice A.
315、Which of the following cryptographic systems is MOST appropriate for bulk data encryption and small devices such as smart cards?
A、DES
B、AES
C、Triple DES
D、RSA
ANSWER: B
NOTE: Advanced Encryption Standard (AES), a public algorithm that supports keys from 128 to 256 bits in size, not only provides good security, but provides speed and versatility across a variety of computer platforms. AES runs securely and efficiently on large computers, desktop computers and even small devices such as smart cards. DES is not considered a strong cryptographic solution since its entire key space can be brute forced by large computer systems within a relatively short period of time. Triple DES can take up to three times longer than DES to perform encryption and decryption. RSA keys are large numbers that are suitable only for short messages, such as the creation of a digital signature.
316、Which of the following would be of MOST concern to an IS auditor reviewing a virtual private network (VPN) implementation? Computers on the network that are located:
A、on the enterprise's internal network.
B、at the backup site.
C、in employees' homes.
D、at the enterprise's remote offices.
ANSWER: C
NOTE: One risk of a virtual private network (VPN) implementation is the chance of allowing high-risk computers onto the enterprise's network. All machines that are allowed onto the virtual network should be subject to the same security policy. Home computers are least subject to the corporate security policies, and therefore are high-risk computers. Once a computer is hacked and “owned,” any network that trusts that computer is at risk. Implementation and adherence to corporate security policy is easier when all computers on the network are on the enterprise's campus. On an enterprise's internal network, there should be security policies in place to detect and halt an outside attack that uses an internal machine as a staging platform. Computers at the backup site are subject to the corporate security policy, and therefore are not high-risk computers. Computers on the network that are at the enterprise's remote offices, perhaps with different IS and security employees who have different ideas about security, are more risky than choices A and B, but obviously less risky than home computers.
317、Which of the following is a concern when data are transmitted through Secure Sockets Layer (SSL) encryption, implemented on a trading partner's server?
A、The organization does not have control over encryption.
B、Messages are subjected to wire tapping.
C、Data might not reach the intended recipient.
D、The communication may not be secure.
ANSWER: A
NOTE: The SSL security protocol provides data encryption, server authentication, message integrity and optional client authentication. Because SSL is built into all major browsers and web servers, simply installing a digital certificate turns on the SSL capabilities. SSL encrypts the data while they are being transmitted over the Internet. The encryption is done in the background, without any interaction from the user; consequently, there is no password to remember. The other choices are incorrect. Since the communication between client and server is encrypted, the confidentiality of information is not affected by wire tapping. Since SSL does the client authentication, only the intended recipient will receive the decrypted data. All data sent over an encrypted SSL connection are protected with a mechanism to detect tampering, i.e., automatically determining whether data has been altered in transit.
318、An IS auditor reviewing an outsourcing contract of IT facilities would expect it to define the:
A、hardware configuration.
B、access control software.
C、ownership of intellectual property.
D、application development methodology.
ANSWER: C
NOTE: Of the choices, the hardware and access control software is generally irrelevant as long as the functionality, availability and security can be affected, which are specific contractual obligations. Similarly, the development methodology should be of no real concern. The contract must, however, specify who owns the intellectual property (i.e., information being processed, application programs). Ownership of intellectual property will have a significant cost and is a key aspect to be defined in an outsourcing contract.
319、When performing a database review, an IS auditor notices that some tables in the database are not normalized. The IS auditor should next:
A、recommend that the database be normalized.
B、review the conceptual data model.
C、review the stored procedures.
D、review the justification.
ANSWER: D
NOTE: If the database is not normalized, the IS auditor should review the justification since, in some situations, denormalization is recommended for performance reasons. The IS auditor should not recommend normalizing the database until further investigation takes place. Reviewing the conceptual data model or the stored procedures will not provide information about normalization.
320、Which of the following does a lack of adequate security controls represent?
A、Threat
B、Asset
C、Impact
D、Vulnerability
ANSWER: D
NOTE: The lack of adequate security controls represents a vulnerability, exposing sensitive information and data to the risk of malicious damage, attack or unauthorized access by hackers. This could result in a loss of sensitive information and lead to the loss of goodwill for the organization. A succinct definition of risk is provided by the Guidelines for the Management of IT Security published by the International Organization for Standardization (ISO), which defines risk as the “potential that a given threat will exploit the vulnerability of an asset or group of assets to cause loss or damage to the assets.” The various elements of the definition are vulnerability, threat, asset and impact. Lack of adequate security functionality in this context is a vulnerability.
321、An IS auditor finds that not all employees are aware of the enterprise's information security policy. The IS auditor should conclude that:
A、this lack of knowledge may lead to unintentional disclosure of sensitive information.
B、information security is not critical to all functions.
C、IS audit should provide security training to the employees.
D、the audit finding will cause management to provide continuous training to staff.
ANSWER: A
NOTE: All employees should be aware of the enterprise's information security policy to prevent unintentional disclosure of sensitive information. Training is a preventive control. Security awareness programs for employees can prevent unintentional disclosure of sensitive information to outsiders.
322、After completing the business impact analysis (BIA), what is the next step in the business continuity planning process?
A、Test and maintain the plan.
B、Develop a specific plan.
C、Develop recovery strategies.
D、Implement the plan.
ANSWER: C
NOTE: The next phase in the continuity plan development is to identify the various recovery strategies and select the most appropriate strategy for recovering from a disaster. After selecting a strategy, a specific plan can be developed, tested and implemented.
323、Which of the following would be the GREATEST cause for concern when data are sent over the Internet using HTTPS protocol?
A、Presence of spyware in one of the ends
B、The use of a traffic sniffing tool
C、The implementation of an RSA-compliant solution
D、A symmetric cryptography is used for transmitting data
ANSWER: A
NOTE: Encryption using secure sockets layer/transport layer security (SSL/TLS) tunnels makes it difficult to intercept data in transit, but when spyware is running on an end user's computer, data are collected before encryption takes place. The other choices are related to encrypting the traffic, but the presence of spyware in one of the ends captures the data before encryption takes place.
324、Which of the following types of firewalls would BEST protect a network from an Internet attack?
A、Screened subnet firewall
B、Application filtering gateway
C、Packet filtering router
D、Circuit-level gateway
ANSWER: A
NOTE: A screened subnet firewall would provide the best protection. The screening router can be a commercial router or a node with routing capabilities and the ability to allow or avoid traffic between nets or nodes based on addresses, ports, protocols, interfaces, etc. Application-level gateways are mediators between two entities that want to communicate, also known as proxy gateways. The application level (proxy) works at the application level, not just at a package level. The screening controls at the package level, addresses and ports, but does not see the contents of the package. A packet filtering router examines the header of every packet or data traveling between the Internet and the corporate network.
325、Which of the following provides the BEST evidence of an organization's disaster recovery readiness?
A、A disaster recovery plan
B、Customer references for the alternate site provider
C、Processes for maintaining the disaster recovery plan
D、Results of tests and drills
ANSWER: D
NOTE: Plans are important, but mere plans do not provide reasonable assurance unless tested. References for the alternate site provider and the existence and maintenance of a disaster recovery plan are important, but only tests and drills demonstrate the adequacy of the plans and provide reasonable assurance of an organization's disaster recovery readiness.
326、At the completion of a system development project, a postproject review should include which of the following?
A、Assessing risks that may lead to downtime after the production release
B、Identifying lessons learned that may be applicable to future projects
C、Verifying the controls in the delivered system are working
D、Ensuring that test data are deleted
ANSWER: B
NOTE: A project team has something to learn from each and every project. As risk assessment is a key issue for project management, it is important for the organization to accumulate lessons learned and integrate them into future projects. An assessment of potential downtime should be made with the operations group and other specialists before implementing a system. Verifying that controls are working should be covered during the acceptance test phase and possibly, again, in the postimplementation review. Test data should be retained for future regression testing.
327、In an audit of an inventory application, which approach would provide the BEST evidence that purchase orders are valid?
A、Testing whether inappropriate personnel can change application parameters
B、Tracing purchase orders to a computer listing
C、Comparing receiving reports to purchase order details
D、Reviewing the application documentation
ANSWER: A
NOTE: To determine purchase order validity, testing access controls will provide the best evidence. Choices B and C are based on after-the-fact approaches, while choice D does not serve the purpose because what is in the system documentation may not be the same as what is happening.
328、An offsite information processing facility with electrical wiring, air conditioning and flooring, but no computer or communications equipment, is a:
A、cold site.
B、warm site.
C、dial-up site.
D、duplicate processing facility.
ANSWER: A
NOTE: A cold site is ready to receive equipment but does not offer any components at the site in advance of the need. A warm site is an offsite backup facility that is partially configured with network connections and selected peripheral equipment—such as disk and tape units, controllers and CPUs—to operate an information processing facility. A duplicate information processing facility is a dedicated, self-developed recovery site that can back up critical applications.
329、An offsite information processing facility:
A、should have the same amount of physical access restrictions as the primary processing site.
B、should be easily identified from the outside so that, in the event of an emergency, it can be easily found.
C、should be located in proximity to the originating site, so it can quickly be made operational.
D、need not have the same level of environmental monitoring as the originating site.
ANSWER: A
NOTE: An offsite information processing facility should have the same amount of physical access control as the originating site. It should not be easily identified from the outside, to prevent intentional sabotage. The offsite facility should not be subject to the same natural disaster that could affect the originating site and thus should not be located in proximity to the original site. The offsite facility should possess the same level of environmental monitoring and control as the originating site.
330、While reviewing the IT infrastructure, an IS auditor notices that storage resources are continuously being added. The IS auditor should:
A、recommend the use of disk mirroring.
B、review the adequacy of offsite storage.
C、review the capacity management process.
D、recommend the use of a compression algorithm.
ANSWER: C
NOTE: Capacity management is the planning and monitoring of computer resources to ensure that available IT resources are used efficiently and effectively. Business criticality must be considered before recommending a disk mirroring solution and offsite storage is unrelated to the problem. Though data compression may save disk space, it could affect system performance.
331、Which of the following would be MOST important for an IS auditor to verify when conducting a business continuity audit?
A、Data backups are performed on a timely basis
B、A recovery site is contracted for and available as needed
C、Human safety procedures are in place
D、Insurance coverage is adequate and premiums are current
ANSWER: C
NOTE: The most important element in any business continuity process is the protection of human life. This takes precedence over all other aspects of the plan.
332、Online banking transactions are being posted to the database when processing suddenly comes to a halt. The integrity of the transaction processing is BEST ensured by:
A、database integrity checks.
B、validation checks.
C、input controls.
D、database commits and rollbacks.
ANSWER: D
NOTE: Database commits ensure that data are saved to disk while transaction processing is underway or complete. Rollback ensures that already completed processing is reversed and that the data processed so far are not saved to disk if the transaction fails to complete. The other options do not ensure integrity while processing is underway.
333、The editing/validation of data entered at a remote site would be performed MOST effectively at the:
A、central processing site after running the application system.
B、central processing site during the running of the application system.
C、remote processing site after transmission of the data to the central processing site.
D、remote processing site prior to transmission of the data to the central processing site.
ANSWER: D
NOTE: It is important that the data entered from a remote site is edited and validated prior to transmission to the central processing site.
334、Which of the following is a management technique that enables organizations to develop strategically important systems faster, while reducing development costs and maintaining quality?
A、Function point analysis
B、Critical path methodology
C、Rapid application development
D、Program evaluation review technique
ANSWER: C
NOTE: Rapid application development is a management technique that enables organizations to develop strategically important systems faster, while reducing development costs and maintaining quality. The program evaluation review technique (PERT) and critical path methodology (CPM) are both planning and control techniques, while function point analysis is used for estimating the complexity of developing business applications.
335、Which of the following aspects of symmetric key encryption influenced the development of asymmetric encryption?
A、Processing power
B、Volume of data
C、Key distribution
D、Complexity of the algorithm
ANSWER: C
NOTE: Symmetric key encryption requires that the keys be distributed. The larger the user group, the more challenging the key distribution. Symmetric key cryptosystems are generally less complicated and, therefore, use less processing power than asymmetric techniques, thus making it ideal for encrypting a large volume of data. The major disadvantage is the need to get the keys into the hands of those with whom you want to exchange data, particularly in e-commerce environments, where customers are unknown, untrusted entities.
336、Which of the following is an advantage of an integrated test facility (ITF)?
A、It uses actual master files or dummies and the IS auditor does not have to review the source of the transaction.
B、Periodic testing does not require separate test processes.
C、It validates application systems and tests the ongoing operation of the system.
D、The need to prepare test data is eliminated.
ANSWER: B
NOTE: An integrated test facility creates a fictitious entity in the database to process test transactions simultaneously with live input. Its advantage is that periodic testing does not require separate test processes. However, careful planning is necessary, and test data must be isolated from production data.
337、Facilitating telecommunications continuity by providing redundant combinations of local carrier T-1 lines, microwaves and/or coaxial cables to access the local communication loop is:
A、last-mile circuit protection.
B、long-haul network diversity.
C、diverse routing.
D、alternative routing.
ANSWER: A
NOTE: The method of providing telecommunication continuity through the use of many recovery facilities, providing redundant combinations of local carrier T-1s, microwave and/or coaxial cable to access the local communication loop in the event of a disaster, is called last-mile circuit protection. Providing diverse long-distance network availability utilizing T-1 circuits among major long-distance carriers is called long-haul network diversity. This ensures long-distance access should any one carrier experience a network failure. The method of routing traffic through split-cable facilities or duplicate-cable facilities is called diverse routing. Alternative routing is the method of routing information via an alternative medium, such as copper cable or fiber optics.
338、While reviewing sensitive electronic work papers, the IS auditor noticed that they were not encrypted. This could compromise the:
A、audit trail of the versioning of the work papers.
B、approval of the audit phases.
C、access rights to the work papers.
D、confidentiality of the work papers.
ANSWER: D
NOTE: Encryption provides confidentiality for the electronic work papers. Audit trails, audit phase approvals and access to the work papers do not, of themselves, affect the confidentiality but are part of the reason for requiring encryption.
339、The FIRST step in data classification is to:
A、establish ownership.
B、perform a criticality analysis.
C、define access rules.
D、create a data dictionary.
ANSWER: A
NOTE: Data classification is necessary to define access rules based on a need-to-do and need-to-know basis. The data owner is responsible for defining the access rules; therefore, establishing ownership is the first step in data classification. The other choices are incorrect. A criticality analysis is required for protection of data, which takes input from data classification. Access definition is complete after data classification and input for a data dictionary is prepared from the data classification process.
340、An organization's disaster recovery plan should address early recovery of:
A、all information systems processes.
B、all financial processing applications.
C、only those applications designated by the IS manager.
D、processing in priority order, as defined by business management.
ANSWER: D
NOTE: Business management should know which systems are critical and when they need to process well in advance of a disaster. It is management's responsibility to develop and maintain the plan. Adequate time will not be available for this determination once the disaster occurs. IS and the information processing facility are service organizations that exist for the purpose of assisting the general user management in successfully performing their jobs.
341、An IS auditor reviewing an accounts payable system discovers that audit logs are not being reviewed. When this issue is raised with management, the response is that additional controls are not necessary because effective system access controls are in place. The BEST response the auditor can make is to:
A、review the integrity of system access controls.
B、accept management's statement that effective access controls are in place.
C、stress the importance of having a system control framework in place.
D、review the background checks of the accounts payable staff.
ANSWER: C
NOTE: Experience has demonstrated that reliance purely on preventive controls is dangerous. Preventive controls may not prove to be as strong as anticipated, or their effectiveness can deteriorate over time. Evaluating the cost of controls versus the quantum of risk is a valid management concern. However, in a high-risk system a comprehensive control framework is needed. Intelligent design should permit additional detective and corrective controls to be established that do not have high ongoing costs, e.g., automated interrogation of logs to highlight suspicious individual transactions or data patterns. Effective access controls are, in themselves, a positive but, for the reasons outlined above, may not sufficiently compensate for other control weaknesses. In this situation the IS auditor needs to be proactive. The IS auditor has a fundamental obligation to point out control weaknesses that give rise to unacceptable risks to the organization and to work with management to have these corrected. Reviewing background checks on accounts payable staff does not provide evidence that fraud will not occur.
342、A company undertakes a business process reengineering (BPR) project in support of a new and direct marketing approach to its customers. Which of the following would be an IS auditor's main concern about the new process?
A、Whether key controls are in place to protect assets and information resources
B、If the system addresses corporate customer requirements
C、Whether the system can meet the performance goals (time and resources)
D、Whether owners have been identified who will be responsible for the process
ANSWER: A
NOTE: The audit team must advocate the inclusion of the key controls and verify that the controls are in place before implementing the new process. Choices B, C and D are objectives that the business process reengineering (BPR) process should achieve, but they are not the auditor's primary concern.
343、Applying a retention date on a file will ensure that:
A、data cannot be read until the date is set.
B、data will not be deleted before that date.
C、backup copies are not retained after that date.
D、datasets having the same name are differentiated.
ANSWER: B
NOTE: A retention date will ensure that a file cannot be overwritten before that date has passed. The retention date will not affect the ability to read the file. Backup copies would be expected to have a different retention date and therefore may be retained after the file has been overwritten. The creation date, not the retention date, will differentiate files with the same name.
344、Which of the following would an IS auditor consider a weakness when performing an audit of an organization that uses a public key infrastructure with digital certificates for its business-to-consumer transactions via the Internet?
A、Customers are widely dispersed geographically, but the certificate authorities are not.
B、Customers can make their transactions from any computer or mobile device.
C、The certificate authority has several data processing subcenters to administer certificates.
D、The organization is the owner of the certificate authority.
ANSWER: D
NOTE: If the certificate authority belongs to the same organization, this would generate a conflict of interest: if a customer wanted to repudiate a transaction, they could allege that, because of the shared interests, an unlawful agreement exists between the parties generating the certificates. The other options are not weaknesses.
345、Which testing approach is MOST appropriate to ensure that internal application interface errors are identified as soon as possible?
A、Bottom-up
B、Sociability testing
C、Top-down
D、System test
ANSWER: C
NOTE: The top-down approach to testing ensures that interface errors are detected early and that testing of major functions is conducted early. A bottom-up approach to testing begins with atomic units, such as programs and modules, and works upward until a complete system test has taken place. Sociability testing and system tests take place at a later stage in the development process.
346、An IS auditor is performing a network security review of a telecom company that provides Internet connection services to shopping malls for their wireless customers. The company uses Wireless Transport Layer Security (WTLS) and Secure Sockets Layer (SSL) technology for protecting their customers' payment information. The IS auditor should be MOST concerned if a hacker:
A、compromises the Wireless Application Protocol (WAP) gateway.
B、installs a sniffing program in front of the server.
C、steals a customer's PDA.
D、listens to the wireless transmission.
ANSWER: A
NOTE: In a WAP gateway, the encrypted messages from customers must be decrypted to be transmitted over the Internet, and vice versa. Therefore, if the gateway is compromised, all of the messages would be exposed. SSL protects the messages from sniffing on the Internet, limiting disclosure of the customer's information. WTLS provides authentication, privacy and integrity and protects messages from eavesdropping.
347、A large chain of shops with electronic funds transfer (EFT) at point-of-sale devices has a central communications processor for connecting to the banking network. Which of the following is the BEST disaster recovery plan for the communications processor?
A、Offsite storage of daily backups
B、Alternative standby processor onsite
C、Installation of duplex communication links
D、Alternative standby processor at another network node
ANSWER: D
NOTE: Having an alternative standby processor at another network node would be the best solution. The unavailability of the central communications processor would disrupt all access to the banking network, resulting in the disruption of operations for all of the shops. This could be caused by failure of equipment, power or communications. Offsite storage of backups would not help, since EFT tends to be an online process and offsite storage will not replace the dysfunctional processor. The provision of an alternate processor onsite would be fine if it were an equipment problem, but would not help in the case of a power outage. Installation of duplex communication links would be most appropriate if it were only the communication link that failed.
348、Which of the following cryptography options would increase overhead/cost?
A、The encryption is symmetric rather than asymmetric.
B、A long asymmetric encryption key is used.
C、The hash is encrypted rather than the message.
D、A secret key is used.
ANSWER: B
NOTE: Computer processing time increases for longer asymmetric encryption keys, and the increase may be disproportionate. For example, one benchmark showed that doubling the length of an RSA key from 512 bits to 1,024 bits caused the decrypt time to increase nearly six-fold. An asymmetric algorithm requires more processing time than symmetric algorithms. A hash is shorter than the original message; therefore, a smaller overhead is required if the hash is encrypted rather than the message. A secret key, used as a symmetric encryption key, is generally short and is used for encrypting user data.
349、In regard to moving an application program from the test environment to the production environment, the BEST control would be to have the:
A、application programmer copy the source program and compiled object module to the production libraries.
B、application programmer copy the source program to the production libraries and then have the production control group compile the program.
C、production control group compile the object module to the production libraries using the source program in the test environment.
D、production control group copy the source program to the production libraries and then compile the program.
ANSWER: D
NOTE: The best control would be provided by having the production control group copy the source program to the production libraries and then compile the program.
350、Which of the following would an IS auditor consider to be the MOST important to review when conducting a business continuity audit?
A、A hot site is contracted for and available as needed.
B、A business continuity manual is available and current.
C、Insurance coverage is adequate and premiums are current.
D、Media backups are performed on a timely basis and stored offsite.
ANSWER: D
NOTE: Without data to process, all other components of the recovery effort are in vain. Even in the absence of a plan, recovery efforts of any type would not be practical without data to process.
351、The technique used to ensure security in virtual private networks (VPNs) is:
A、encapsulation.
B、wrapping.
C、transform.
D、encryption.
ANSWER: A
NOTE: Encapsulation, or tunneling, is a technique used to carry the traffic of one protocol over a network that does not support that protocol directly. The original packet is wrapped in another packet. The other choices are not security techniques specific to VPNs.
352、A firewall is being deployed at a new location. Which of the following is the MOST important factor in ensuring a successful deployment?
A、Reviewing logs frequently
B、Testing and validating the rules
C、Training a local administrator at the new location
D、Sharing firewall administrative duties
ANSWER: B
NOTE: A mistake in the rule set can render a firewall insecure. Therefore, testing and validating the rules is the most important factor in ensuring a successful deployment. A regular review of log files would not start until the deployment has been completed. Training a local administrator may not be necessary if the firewalls are managed from a central location. Having multiple administrators is a good idea, but not the most important.
353、Which of the following would contribute MOST to an effective business continuity plan (BCP)?
A、Document is circulated to all interested parties
B、Planning involves all user departments
C、Approval by senior management
D、Audit by an external IS auditor
ANSWER: B
NOTE: The involvement of user departments in the BCP is crucial for the identification of the business processing priorities. The BCP circulation will ensure that the BCP document is received by all users. Though essential, this does not contribute significantly to the success of the BCP. A BCP approved by senior management would not ensure the quality of the BCP, nor would an audit necessarily improve the quality of the BCP.
354、An IS auditor is reviewing access to an application to determine whether the 10 most recent "new user" forms were correctly authorized. This is an example of:
A、variable sampling.
B、substantive testing.
C、compliance testing.
D、stop-or-go sampling.
ANSWER: C
NOTE: Compliance testing determines whether controls are being applied in compliance with policy. This includes tests to determine whether new accounts were appropriately authorized. Variable sampling is used to estimate numerical values, such as dollar values. Substantive testing substantiates the integrity of actual processing, such as balances on financial statements. The development of substantive tests is often dependent on the outcome of compliance tests. If compliance tests indicate that there are adequate internal controls, then substantive tests can be minimized. Stop-or-go sampling allows a test to be stopped as early as possible and is not appropriate for checking whether procedures have been followed.
355、During the development of an application, the quality assurance testing and user acceptance testing were combined. The MAJOR concern for an IS auditor reviewing the project is that there will be:
A、increased maintenance.
B、improper documentation of testing.
C、inadequate functional testing.
D、delays in problem resolution.
ANSWER: C
NOTE: The major risk of combining quality assurance testing and user acceptance testing is that functional testing may be inadequate. Choices A, B and D are not as important.
356、When evaluating the controls of an EDI application, an IS auditor should PRIMARILY be concerned with the risk of:
A、excessive transaction turnaround time.
B、application interface failure.
C、improper transaction authorization.
D、nonvalidated batch totals.
ANSWER: C
NOTE: Foremost among the risks associated with electronic data interchange (EDI) is improper transaction authorization. Since the interaction with the parties is electronic, there is no inherent authentication. The other choices, although risks, are not as significant.
357、The PRIMARY objective of implementing corporate governance by an organization's management is to:
A、provide strategic direction.
B、control business operations.
C、align IT with business.
D、implement best practices.
ANSWER: A
NOTE: Corporate governance is a set of management practices to provide strategic direction, thereby ensuring that goals are achievable, risks are properly addressed and organizational resources are properly utilized. Hence, the primary objective of corporate governance is to provide strategic direction. Based on the strategic direction, business operations are directed and controlled.
358、After implementation of a disaster recovery plan, pre-disaster and post-disaster operational costs for an organization will:
A、decrease.
B、not change (remain the same).
C、increase.
D、increase or decrease depending upon the nature of the business.
ANSWER: C
NOTE: There are costs associated with all activities and disaster recovery planning (DRP) is not an exception. Although there are costs associated with a disaster recovery plan, there are unknown costs that are incurred if a disaster recovery plan is not implemented.
359、As an outcome of information security governance, strategic alignment provides:
A、security requirements driven by enterprise requirements.
B、baseline security following best practices.
C、institutionalized and commoditized solutions.
D、an understanding of risk exposure.
ANSWER: A
NOTE: Information security governance, when properly implemented, should provide four basic outcomes: strategic alignment, value delivery, risk management and performance measurement. Strategic alignment provides input for security requirements driven by enterprise requirements. Value delivery provides a standard set of security practices, e.g., baseline security following best practices or institutionalized and commoditized solutions. Risk management provides an understanding of risk exposure.
360、In the course of performing a risk analysis, an IS auditor has identified threats and potential impacts. Next, the IS auditor should:
A、identify and assess the risk assessment process used by management.
B、identify information assets and the underlying systems.
C、disclose the threats and impacts to management.
D、identify and evaluate the existing controls.
ANSWER: D
NOTE: It is important for an IS auditor to identify and evaluate the existing controls and security once the potential threats and possible impacts are identified. Upon completion of an audit an IS auditor should describe and discuss with management the threats and potential impacts on the assets.
361、Information for detecting unauthorized input from a terminal would be BEST provided by the:
A、console log printout.
B、transaction journal.
C、automated suspense file listing.
D、user error report.
ANSWER: B
NOTE: The transaction journal would record all transaction activity, which then could be compared to the authorized source documents to identify any unauthorized input. A console log printout is not the best, because it would not record activity from a specific terminal. An automated suspense file listing would only list transaction activity where an edit error occurred, while the user error report would only list input that resulted in an edit error.
362、Which of the following provides nonrepudiation services for e-commerce transactions?
A、Public key infrastructure (PKI)
B、Data Encryption Standard (DES)
C、Message authentication code (MAC)
D、Personal identification number (PIN)
ANSWER: A
NOTE: PKI is the administrative infrastructure for digital certificates and encryption key pairs. The qualities of an acceptable digital signature are: it is unique to the person using it; it is capable of verification; it is under the sole control of the person using it; and it is linked to data in such a manner that if data are changed, the digital signature is invalidated. PKI meets these tests. The Data Encryption Standard (DES) is the most common private key cryptographic system. DES does not address nonrepudiation. A MAC is a cryptographic value calculated by passing an entire message through a cipher system. The sender attaches the MAC before transmission and the receiver recalculates the MAC and compares it to the sent MAC. If the two MACs are not equal, this indicates that the message has been altered during transmission; it has nothing to do with nonrepudiation. A PIN is a type of password, a secret number assigned to an individual that, in conjunction with some other means of identification, serves to verify the authenticity of the individual.
363、Which of the following tasks should be performed FIRST when preparing a disaster recovery plan?
A、Develop a recovery strategy.
B、Perform a business impact analysis.
C、Map software systems, hardware and network components.
D、Appoint recovery teams with defined personnel, roles and hierarchy.
ANSWER: B
NOTE: The first step in any disaster recovery plan is to perform a business impact analysis; it establishes which processes matter most and how long they can be down, which is the input the recovery strategy, the component mapping and the team structure all depend on. All other tasks come afterwards.
364、The GREATEST advantage of using web services for the exchange of information between two systems is:
A、secure communications.
B、improved performance.
C、efficient interfacing.
D、enhanced documentation.
ANSWER: C
NOTE: Web services facilitate the exchange of information between two systems regardless of the operating system or programming language used. Communication is not necessarily more secure or faster, and there is no documentation benefit in using web services.
365、A benefit of quality of service (QoS) is that the:
A、entire network's availability and performance will be significantly improved.
B、telecom carrier will provide the company with accurate service-level compliance reports.
C、participating applications will have guaranteed service levels.
D、communications link will be supported by security controls to perform secure online transactions.
ANSWER: C
NOTE: The main function of QoS is to optimize network performance by assigning priority to business applications and end users, through the allocation of dedicated parts of the bandwidth to specific traffic. Choice A is not true because the communication itself is not improved: while the speed of data exchange for specific applications can be faster, availability of the network as a whole is not improved. The QoS tools that many carriers use do not produce service-level reports; other tools generate those. Even when QoS is integrated with firewalls, VPNs, encryption tools and the like, QoS itself is not intended to provide security controls.
366、In an online transaction processing system, data integrity is maintained by ensuring that a transaction is either completed in its entirety or not at all. This principle of data integrity is known as:
A、isolation.
B、consistency.
C、atomicity.
D、durability.
ANSWER: C
NOTE: The principle of atomicity requires that a transaction be completed in its entirety or not at all. If an error or interruption occurs, all changes made up to that point are backed out. Consistency ensures that all integrity conditions in the database are maintained by each transaction. Isolation ensures that each transaction is isolated from other transactions, so that each transaction only sees data that are part of a consistent database state. Durability ensures that, once a transaction has been reported back to a user as complete, the resulting changes to the database survive subsequent hardware or software failures.
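An added example (not from the question bank) that shows atomicity and consistency in a running database: an in-memory SQLite ledger, constructed here, with a transfer that is interrupted between its debit and its credit. The table, the accounts and the balances are invented for the demo.

```python
import sqlite3


def new_ledger() -> sqlite3.Connection:
    """In-memory ledger with two constructed accounts (not real data).
    The CHECK constraint is an integrity condition: the 'consistency' in ACID."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE account ("
        "  id TEXT PRIMARY KEY,"
        "  balance INTEGER NOT NULL CHECK (balance >= 0))"
    )
    conn.executemany(
        "INSERT INTO account (id, balance) VALUES (?, ?)",
        [("alice", 100), ("bob", 50)],
    )
    conn.commit()
    return conn


def balances(conn: sqlite3.Connection) -> dict:
    """Current balance per account, in a fixed order for easy comparison."""
    return dict(conn.execute("SELECT id, balance FROM account ORDER BY id"))


def transfer(conn, src: str, dst: str, amount: int, fail_midway: bool = False) -> bool:
    """Move `amount` from src to dst as one atomic transaction.

    `with conn:` commits if the block finishes and rolls back if it raises,
    so a crash after the debit but before the credit (simulated with
    fail_midway) leaves both balances exactly as they were. An overdraft
    trips the CHECK constraint and is rolled back the same way.
    Returns True if committed, False if rolled back."""
    try:
        with conn:
            conn.execute(
                "UPDATE account SET balance = balance - ? WHERE id = ?", (amount, src)
            )
            if fail_midway:
                raise RuntimeError("simulated crash between debit and credit")
            conn.execute(
                "UPDATE account SET balance = balance + ? WHERE id = ?", (amount, dst)
            )
        return True
    except (sqlite3.IntegrityError, RuntimeError):
        return False


if __name__ == "__main__":
    ledger = new_ledger()
    print(transfer(ledger, "alice", "bob", 30), balances(ledger))                   # True {'alice': 70, 'bob': 80}
    print(transfer(ledger, "alice", "bob", 20, fail_midway=True), balances(ledger))  # False {'alice': 70, 'bob': 80}
    print(transfer(ledger, "alice", "bob", 500), balances(ledger))                  # False {'alice': 70, 'bob': 80}
```

The interrupted transfer is the case the question describes: the debit had already executed, yet after the rollback no money is missing.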
367、The use of object-oriented design and development techniques would MOST likely:
A、facilitate the ability to reuse modules.
B、improve system performance.
C、enhance control effectiveness.
D、speed up the system development life cycle.
ANSWER: A
NOTE: One of the major benefits of object-oriented design and development is the ability to reuse modules. The other options do not normally benefit from the object-oriented technique.
368、Due to changes in IT, the disaster recovery plan of a large organization has been changed. What is the PRIMARY risk if the new plan is not tested?
A、Catastrophic service interruption
B、High consumption of resources
C、Total cost of the recovery may not be minimized
D、Users and recovery teams may face severe difficulties when activating the plan
ANSWER: A
NOTE: Choices B, C and D are all problems that might occur and would cause difficulties, financial losses or wasted resources. However, if a new disaster recovery plan is not tested, the possibility of a catastrophic service interruption is the most critical of all the risks: an untested plan may simply not work when it is needed.
369、Which of the following BEST reduces the ability of one device to capture the packets that are meant for another device?
A、Filters
B、Switches
C、Routers
D、Firewalls
ANSWER: B
NOTE: A switch forwards a frame only out of the port where the destination device is known to be, rather than to every port as a hub does, which reduces the ability of one device to capture packets meant for another. It is the lowest level of network security, though: techniques such as MAC address flooding and ARP spoofing can still trick a switch or its hosts into delivering traffic to the wrong port, so switching limits casual sniffing rather than eliminating it. Filters allow some basic isolation of network traffic based on destination addresses. Routers allow packets to be granted or denied passage based on the addresses of sender and receiver and the type of packet. Firewalls are a collection of computer and network equipment used to allow communications to flow out of the organization while restricting communications flowing into it.
370、An organization can ensure that the recipients of e-mails from its employees can authenticate the identity of the sender by:
A、digitally signing all e-mail messages.
B、encrypting all e-mail messages.
C、compressing all e-mail messages.
D、password protecting all e-mail messages.
ANSWER: A
NOTE: By digitally signing all e-mail messages, the receiver is able to validate the authenticity of the sender. Encrypting all e-mail messages ensures that only the intended recipient can open the message; it does not ensure the authenticity of the sender. Compressing all e-mail messages reduces the size of the message but does not ensure authenticity. Password protecting all e-mail messages ensures that only those who have the password can open the message; it does not ensure the authenticity of the sender.
371、An IS auditor issues an audit report pointing out the lack of firewall protection features at the perimeter network gateway and recommends a vendor product to address this vulnerability. The IS auditor has failed to exercise:
A、professional independence.
B、organizational independence.
C、technical competence.
D、professional competence.
ANSWER: A
NOTE: When an IS auditor recommends a specific vendor, they compromise professional independence. Organizational independence has no relevance to the content of an audit report and should be considered at the time of accepting the engagement. Technical and professional competence are not relevant to the requirement of independence.
372、Use of asymmetric encryption in an Internet e-commerce site, where there is one private key for the hosting server and the public key is widely distributed to the customers, is MOST likely to provide comfort to the:
A、customer over the authenticity of the hosting organization.
B、hosting organization over the authenticity of the customer.
C、customer over the confidentiality of messages from the hosting organization.
D、hosting organization over the confidentiality of messages passed to the customer.
ANSWER: A
NOTE: A fraudulent site cannot produce material encrypted (that is, signed) with the real site's private key, so if the customer can decrypt it with the site's public key the customer knows it came from the genuine host. Many customers hold the same public key, so the host cannot use this mechanism to establish the authenticity of any individual customer. Nor can the customer be assured of the confidentiality of messages from the host: anyone holding the public key can decrypt what was encrypted with the private key. For the same reason the host cannot be assured of the confidentiality of the messages it sends out.
373、An IS auditor is told by IS management that the organization has recently reached the highest level of the software capability maturity model (CMM). The software quality process MOST recently added by the organization is:
A、continuous improvement.
B、quantitative quality goals.
C、a documented process.
D、a process tailored to specific projects.
ANSWER: A
NOTE: An organization reaches the highest level of the software CMM at level 5, optimizing, whose defining addition is continuous process improvement. Quantitative quality goals are introduced at level 4 (managed), a documented process is in place from level 3 (defined), and tailoring the standard process to specific projects is also a level 3 practice, so all three would already have existed before level 5 was reached.
374、Confidentiality of the data transmitted in a wireless LAN is BEST protected if the session is:
A、restricted to predefined MAC addresses.
B、encrypted using static keys.
C、encrypted using dynamic keys.
D、initiated from devices that have encrypted storage.
ANSWER: C
NOTE: With dynamic keys the encryption key is changed frequently, which reduces both the chance of a key being compromised and the amount of traffic exposed if one is. Limiting which devices can join the network does not address encrypting the session; MAC addresses are transmitted in the clear and can be copied. Encryption with static keys (the same key used for a long period of time) risks the key being compromised. Encrypting the data on the connected device (laptop, PDA, etc.) protects the data at rest on the device, not the wireless session.
375、To determine if unauthorized changes have been made to production code the BEST audit procedure is to:
A、examine the change control system records and trace them forward to object code files.
B、review access control permissions operating within the production program libraries.
C、examine object code to find instances of changes and trace them back to change control records.
D、review change approved designations established within the change control system.
ANSWER: C
NOTE: Examining the object code files to establish instances of code changes and tracing these back to change control system records is a substantive test that directly addresses the risk of unauthorized code changes: it starts from what is actually running, so a change for which no record was ever raised is still found. Tracing forward from the records (choice A) can only confirm that approved changes landed and never sees an unrecorded one. The other choices are valid procedures to apply in a change control audit, but they do not directly address the risk of unauthorized code changes.
376、An advantage in using a bottom-up vs. a top-down approach to software testing is that:
A、interface errors are detected earlier.
B、confidence in the system is achieved earlier.
C、errors in critical modules are detected earlier.
D、major functions and processing are tested earlier.
ANSWER: C
NOTE: The bottom-up approach to software testing begins with the testing of atomic units, such as programs and modules, and works upward until a complete system test has taken place. Its advantages are that no stubs are needed (the lower-level modules are real, and are exercised by simple test drivers) and that errors in critical low-level modules are found earlier. The other choices all refer to advantages of a top-down approach, which follows the opposite path, in either depth-first or breadth-first order.
377、Ideally, stress testing should be carried out in a:
A、test environment using test data.
B、production environment using live workloads.
C、test environment using live workloads.
D、production environment using test data.
ANSWER: C
NOTE: Stress testing is carried out to ensure a system can cope with production workloads. A test environment should always be used to avoid damaging the production environment, so testing should never take place in production (choices B and D). If only test data are used, there is no certainty that the system was stress tested adequately, because the test load may not resemble the real one.
378、To prevent IP spoofing attacks, a firewall should be configured to drop a packet if:
A、the source routing field is enabled.
B、it has a broadcast address in the destination field.
C、a reset flag (RST) is turned on for the TCP connection.
D、dynamic routing is used instead of static routing.
ANSWER: A
NOTE: IP spoofing takes advantage of the source-routing option in the IP protocol. Forging a source address is easy on its own; the attacker's problem is that replies go to the address that was forged. With the source-routing option enabled, the attacker dictates the path the packet, and the reply, must take: the packet travels according to the route listed in the option rather than the logic in each router, whether that router uses dynamic or static routing (choice D), so the reply to the spoofed address comes back through hops the attacker controls. Dropping any packet that carries a source-route option removes that lever. (A perimeter firewall is in practice also expected to drop packets arriving on the external interface that claim an internal source address, but that is ingress filtering, not the source-routing defense the question asks about.) Choices B and C have no relation to IP spoofing: a packet with a broadcast destination address (choice B) is simply delivered to all addresses in the subnet, and a set reset flag (RST) (choice C) is part of the normal procedure for ending a TCP connection.
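An added example, not part of the original page, of the check the firewall rule implies: parse the IPv4 header options and drop anything carrying a loose (LSRR, type 131) or strict (SSRR, type 137) source-route option. The packets, addresses (from the documentation ranges) and option bytes are constructed for the demo; the header checksum is left at zero because the parser never looks at it.

```python
import socket
import struct

LSRR = 131  # loose source and record route (RFC 791 option type 131)
SSRR = 137  # strict source and record route (option type 137)
SOURCE_ROUTE_OPTIONS = {LSRR, SSRR}


def ipv4_option_types(packet: bytes) -> list:
    """Walk the IPv4 options area and return the option type numbers found.
    Raises ValueError on anything truncated or malformed."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    version, ihl = packet[0] >> 4, packet[0] & 0x0F
    if version != 4 or ihl < 5:
        raise ValueError("not an IPv4 header")
    header_len = ihl * 4
    if len(packet) < header_len:
        raise ValueError("IHL exceeds captured bytes")
    opts = packet[20:header_len]
    types, i = [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:          # end of option list
            break
        if kind == 1:          # no-operation padding, one byte, no length field
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("option without length byte")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad option length")
        types.append(kind)
        i += length
    return types


def should_drop(packet: bytes) -> bool:
    """Firewall rule for the question: drop any packet that carries a
    source-routing option. Malformed headers are dropped too (fail closed)."""
    try:
        return any(t in SOURCE_ROUTE_OPTIONS for t in ipv4_option_types(packet))
    except ValueError:
        return True


def build_packet(src: str, dst: str, options: bytes = b"") -> bytes:
    """Constructed IPv4 header for the demo (checksum left at zero, no
    payload). Options are padded to a 32-bit boundary as IHL requires."""
    padded = options + b"\x00" * (-len(options) % 4)
    ihl = 5 + len(padded) // 4
    fixed = struct.pack(
        "!BBHHHBBH4s4s",
        (4 << 4) | ihl,    # version + IHL
        0,                 # DSCP/ECN
        20 + len(padded),  # total length
        0, 0,              # identification, flags/fragment offset
        64,                # TTL
        6,                 # protocol: TCP
        0,                 # header checksum (not computed here)
        socket.inet_aton(src),
        socket.inet_aton(dst),
    )
    return fixed + padded


# Constructed option bytes: a source-route option naming one hop the attacker
# controls. Layout: type, length, pointer (first hop at offset 4), 4-byte address.
LSRR_OPTION = bytes([LSRR, 7, 4]) + socket.inet_aton("192.0.2.99")
SSRR_OPTION = bytes([SSRR, 7, 4]) + socket.inet_aton("192.0.2.99")
# A benign option for contrast: NOP padding followed by Router Alert (type 148).
ROUTER_ALERT = bytes([1, 148, 4, 0, 0])

if __name__ == "__main__":
    print(should_drop(build_packet("192.0.2.1", "198.51.100.7")))                # False
    print(should_drop(build_packet("192.0.2.1", "198.51.100.7", LSRR_OPTION)))   # True
    print(should_drop(build_packet("192.0.2.1", "198.51.100.7", ROUTER_ALERT)))  # False
```

Failing closed on a malformed options area matters as much as the type check itself: an option length that runs past the header is a classic way to make a parser skip the very option it should have matched.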
379、Which of the following would be considered an essential feature of a network management system?
A、A graphical interface to map the network topology
B、Capacity to interact with the Internet to solve the problems
C、Connectivity to a help desk for advice on difficult issues
D、An export facility for piping data to spreadsheets
ANSWER: A
NOTE: To trace the topology of the network, a graphical interface is essential. It is not necessary that every network be on the Internet or connected to a help desk, and the ability to export to a spreadsheet is not an essential element.
380、Which of the following should concern an IS auditor when reviewing security in a client-server environment?
A、Protecting data using an encryption technique
B、Preventing unauthorized access using a diskless workstation
C、The ability of users to access and modify the database directly
D、Disabling floppy drives on the users' machines
ANSWER: C
NOTE: For the purpose of data security in a client-server environment, an IS auditor should be concerned with users' ability to access and modify a database directly, bypassing the application's controls; this could affect the integrity of the data in the database. Data protected by encryption aids in securing the data. Diskless workstations prevent copying of data onto local disks and thus help maintain the integrity and confidentiality of data. Disabling floppy drives is a physical access control that helps maintain the confidentiality of data by preventing it from being copied onto a disk.
381、The reliability of an application system's audit trail may be questionable if:
A、user IDs are recorded in the audit trail.
B、the security administrator has read-only rights to the audit file.
C、date and time stamps are recorded when an action occurs.
D、users can amend audit trail records when correcting system errors.
ANSWER: D
NOTE: An audit trail is not effective if the details in it can be amended; once users can alter records, the trail no longer reliably reflects what happened. Recording user IDs and date and time stamps strengthens the trail, and read-only access for the security administrator is appropriate, since even administrators should not be able to rewrite it.
382、An IS auditor evaluating the resilience of a high-availability network should be MOST concerned if:
A、the setup is geographically dispersed.
B、the network servers are clustered in a site.
C、a hot site is ready for activation.
D、diverse routing is implemented for the network.
ANSWER: B
NOTE: A clustered setup in one location makes the entire network vulnerable to natural disasters or other disruptive events at that site. Dispersed geographical locations and diverse routing provide backup if a site is destroyed. A hot site is also a good alternative for a single point-of-failure site.
383、Which of the following is the MOST effective control over visitor access to a data center?
A、Visitors are escorted.
B、Visitor badges are required.
C、Visitors sign in.
D、Visitors are spot-checked by operators.
ANSWER: A
NOTE: Escorting visitors provides the best assurance that visitors have permission to access the data processing facility and do only what they were admitted to do. Choices B and C are not reliable controls on their own. Choice D is incorrect because visitors should be accompanied at all times while they are on the premises, not only when they happen to be checked in the data processing facility.
384、Which of the following types of transmission media provide the BEST security against unauthorized access?
A、Copper wire
B、Twisted pair
C、Fiberoptic cables
D、Coaxial cables
ANSWER: C
NOTE: Fiberoptic cable has proven more secure than the other media: it carries light rather than an electrical signal, so it emits nothing that can be picked up inductively, and tapping it generally requires physically splicing the fiber, which causes a measurable signal loss. Copper wire, twisted pair and coaxial cable (and, for that matter, satellite transmission) can be tapped with inexpensive equipment.
385、To provide protection for media backup stored at an offsite location, the storage site should be:
A、located on a different floor of the building.
B、easily accessible by everyone.
C、clearly labeled for emergency access.
D、protected from unauthorized access.
ANSWER: D
NOTE: The offsite storage site should always be protected against unauthorized access and have at least the same security requirements as the primary site. Choice A is incorrect because, if the backup is in the same building, it may suffer the same event and become inaccessible. Choices B and C represent access risks.
386、During a review of a customer master file, an IS auditor discovered numerous customer name duplications arising from variations in customer first names. To determine the extent of the duplication, the IS auditor would use:
A、test data to validate data input.
B、test data to determine system sort capabilities.
C、generalized audit software to search for address field duplications.
D、generalized audit software to search for account field duplications.
ANSWER: C
NOTE: Since the names are not the same (due to first-name variations), one method of detecting duplication is to compare other fields the duplicates have in common, such as addresses. A subsequent review can then determine which customer names at each shared address are really the same person. Searching for duplicate account numbers is unlikely to find duplication, since each name variation will most likely have been assigned its own account number. Test data would not be useful for measuring the extent of any data characteristic; it only shows how the data are processed.
387、The MOST important success factor in planning a penetration test is:
A、the documentation of the planned testing procedure.
B、scheduling and deciding on the timed length of the test.
C、the involvement of the management of the client organization.
D、the qualifications and experience of staff involved in the test.
ANSWER: C
NOTE: The most important part of planning any penetration test is the involvement of the management of the client organization, whose explicit authorization defines what may be tested and when. Penetration testing without management approval could reasonably be considered espionage and is illegal in many jurisdictions.
388、Which of the following controls would an IS auditor look for in an environment where duties cannot be appropriately segregated?
A、Overlapping controls
B、Boundary controls
C、Access controls
D、Compensating controls
ANSWER: D
NOTE: Compensating controls are internal controls intended to reduce the risk of an existing or potential control weakness that arises when duties cannot be appropriately segregated. Overlapping controls are two controls addressing the same control objective or exposure; since the primary control cannot be achieved when duties are not appropriately segregated, there is nothing for an overlapping control to double up on. Boundary controls establish the interface between the would-be user of a computer system and the system itself, and are individual-based rather than role-based controls. Access controls for resources are likewise based on individuals, not on roles.
389、Which of the following system and data conversion strategies provides the GREATEST redundancy?
A、Direct cutover
B、Pilot study
C、Phased approach
D、Parallel run
ANSWER: D
NOTE: Parallel runs are the safest, though most expensive, approach, because both the old and the new system are run, which can look like paying double. Direct cutover is actually quite risky, since it provides neither a shake-down period nor an easy fallback option. A pilot study and a phased approach are both performed incrementally, which makes rollback procedures difficult to execute.
390、Which of the following reports should an IS auditor use to check compliance with a service level agreement's (SLA) requirement for uptime?
A、Utilization reports
B、Hardware error reports
C、System logs
D、Availability reports
ANSWER: D
NOTE: IS inactivity, such as downtime, is addressed by availability reports, which show the time periods during which the computer was available for use by users or other processes. Utilization reports document the use of computer equipment and can be used by management to predict how, where and when resources are required. Hardware error reports provide information that aids in detecting hardware failures and initiating corrective action. System logs are a recording of the system's activities.
391、When using public key encryption to secure data being transmitted across a network:
A、both the key used to encrypt and decrypt the data are public.
B、the key used to encrypt is private, but the key used to decrypt the data is public.
C、the key used to encrypt is public, but the key used to decrypt the data is private.
D、both the key used to encrypt and decrypt the data are private.
ANSWER: C
NOTE: Public key encryption, also known as asymmetric key cryptography, uses the recipient's public key to encrypt the message and the recipient's private key to decrypt it; anyone can encrypt, but only the key holder can read the result. (Using the private key first, as in choice B, is the signing direction: it proves origin but gives no confidentiality, since the public key is available to everyone.)
392、For a discretionary access control to be effective, it must:
A、operate within the context of mandatory access controls.
B、operate independently of mandatory access controls.
C、enable users to override mandatory access controls when necessary.
D、be specifically permitted by the security policy.
ANSWER: A
NOTE: Mandatory access controls are prohibitive: anything not expressly permitted is forbidden. Discretionary controls operate only within that context, restricting access still further on the same exclusionary principle; they can narrow what the mandatory policy allows but never widen it. A system that enforces mandatory access control must distinguish those controls from the discretionary access policies, which offer more flexibility. Discretionary controls do not override mandatory access controls, and they do not have to be specifically permitted in the security policy to be effective.
393、Which of the following is the MOST important function to be performed by IS management when a service has been outsourced?
A、Ensuring that invoices are paid to the provider
B、Participating in systems design with the provider
C、Renegotiating the provider's fees
D、Monitoring the outsourcing provider's performance
ANSWER: D
NOTE: In an outsourcing environment the company is dependent on the performance of the service provider, so it is critical that the provider's performance be monitored to ensure that services are delivered as required. Payment of invoices is a finance function completed per contractual requirements. Participating in systems design is a byproduct of monitoring the provider's performance, and renegotiating fees is usually a one-time activity.
394、Which of the following provides the best evidence of the adequacy of a security awareness program?
A、The number of stakeholders including employees trained at various levels
B、Coverage of training at all locations across the enterprise
C、The implementation of security devices from different vendors
D、Periodic reviews and comparison with best practices
ANSWER: D
NOTE: The adequacy of security awareness content is best assessed by determining whether it is periodically reviewed and compared with industry best practices. Choices A, B and C provide metrics for measuring various aspects of a security awareness program (reach and coverage), but they do not help assess whether the content itself is adequate.
395、Of the following alternatives, the FIRST approach to developing a disaster recovery strategy would be to assess whether:
A、all threats can be completely removed.
B、a cost-effective, built-in resilience can be implemented.
C、the recovery time objective can be optimized.
D、the cost of recovery can be minimized.
ANSWER: B
NOTE: It is critical to first identify information assets that can be made more resilient to disasters, e.g., through diverse routing, alternate paths or multiple communication carriers. It is impossible to remove all existing and future threats. Optimizing the recovery time objective and minimizing the cost of recovery come later in the development of the disaster recovery strategy.
396、A firm is considering using biometric fingerprint identification on all PCs that access critical data. This requires:
A、that a registration process is executed for all accredited PC users.
B、the full elimination of the risk of a false acceptance.
C、the usage of the fingerprint reader be accessed by a separate password.
D、assurance that it will be impossible to gain unauthorized access to critical data.
ANSWER: A
NOTE: The fingerprints of accredited users need to be read, identified and recorded, i.e., registered (enrolled), before a user can operate the system from the screened PCs. Choice B is incorrect, as the false-acceptance risk of a biometric device can be tuned but will never be zero, because driving it toward zero implies an unacceptably high rate of false rejection. Choice C is incorrect, as the fingerprint device reads the token (the user's fingerprint) and does not itself need to be protected by a password. Choice D is incorrect because biometric protection on PCs does not guarantee that other potential security weaknesses in the system cannot be exploited to reach protected data.
397、The PRIMARY goal of a web site certificate is:
A、authentication of the web site that will be surfed.
B、authentication of the user who surfs through that site.
C、preventing surfing of the web site by hackers.
D、the same purpose as that of a digital certificate.
ANSWER: A
NOTE: Authenticating the site being browsed is the primary goal of a web site certificate. Authentication of the user is achieved by other means, such as passwords, not by the site's certificate. The site certificate does not prevent hacking, and it does not authenticate a person.
398、Before implementing controls, management should FIRST ensure that the controls:
A、satisfy a requirement in addressing a risk issue.
B、do not reduce productivity.
C、are based on a cost-benefit analysis.
D、are detective or corrective.
ANSWER: A
NOTE: When designing controls, all of the listed aspects should be considered, and ideally a control would satisfy every one of them. Realistically that is not always possible and cost may be prohibitive, so the first question is whether the control actually addresses an identified risk; a control that does not is not worth its cost or its effect on productivity, whatever its type. Within that, preventive controls that attack the cause of a threat are considered first.
399、A hard disk containing confidential data was damaged beyond repair. What should be done to the hard disk to prevent access to the data residing on it?
A、Rewrite the hard disk with random 0s and 1s.
B、Low-level format the hard disk.
C、Demagnetize the hard disk.
D、Physically destroy the hard disk.
ANSWER: D
NOTE: Physically destroying the hard disk is the most economical and practical way to ensure that the data cannot be recovered. Overwriting and low-level formatting are impractical because the damaged disk cannot be written to. Demagnetizing is an inefficient procedure here because it requires specialized and expensive equipment to be fully effective.
400、When segregation of duties concerns exist between IT support staff and end users, what would be a suitable compensating control?
A、Restricting physical access to computing equipment
B、Reviewing transaction and application logs
C、Performing background checks prior to hiring IT staff
D、Locking user sessions after a specified period of inactivity
ANSWER: B
NOTE: Only reviewing transaction and application logs directly addresses the threat posed by poor segregation of duties. The review is a means of detecting inappropriate behavior and also discourages abuse, because people who might otherwise be tempted to exploit the situation know they are likely to be caught. Inadequate segregation of duties is more likely to be exploited through logical access to data and computing resources than through physical access. Choice C is a useful control for ensuring that IT staff are trustworthy and competent, but it does not directly address the lack of segregation of duties. Choice D prevents unauthorized users from gaining system access, whereas the issue with a lack of segregation of duties is the misuse (deliberate or inadvertent) of access privileges that have officially been granted.
401、During which of the following phases in system development would user acceptance test plans normally be prepared?
A、Feasibility study
B、Requirements definition
C、Implementation planning
D、Postimplementation review
ANSWER: B
NOTE: During requirements definition, the project team works with the users to define their precise objectives and functional needs. At this time the users should also be working with the team to consider and document how the system's functionality will be tested to ensure it meets their stated needs. The feasibility study is too early for such detailed user involvement, and the implementation planning and postimplementation review phases are too late. An IS auditor should know at what point user testing should be planned so that it is most effective and efficient.
402、During a security audit of IT processes, an IS auditor found that there were no documented security procedures. The IS auditor should:
A、create the procedures document.
B、terminate the audit.
C、conduct compliance testing.
D、identify and evaluate existing practices.
ANSWER: D
NOTE: One of the main objectives of an audit is to identify potential risks; therefore, the most proactive approach would be to identify and evaluate the existing security practices being followed by the organization. IS auditors should not prepare documentation, as doing so could jeopardize their independence. Terminating the audit may prevent achieving one of the basic audit objectives, i.e., identification of potential risks. Since there are no documented procedures, there is no basis against which to test compliance.
403、To assist an organization in planning for IT investments, an IS auditor should recommend the use of:
A、project management tools.
B、an object-oriented architecture.
C、tactical planning.
D、enterprise architecture (EA).
ANSWER: D
NOTE: Enterprise architecture (EA) involves documenting the organization's IT assets and processes in a structured manner to facilitate understanding, management and planning for IT investments. It involves both a current state and a representation of an optimized future state. In attempting to complete an EA, organizations can address the problem either from a technology perspective or a business process perspective. Project management does not consider IT investment aspects; it is a tool to aid in delivering projects. Object-oriented architecture is a software development methodology and does not assist in planning for IT investment, while tactical planning is relevant only after high-level IT investment decisions have been made.
404、When reviewing an active project, an IS auditor observed that, because of a reduction in anticipated benefits and increased costs, the business case was no longer valid. The IS auditor should recommend that the:
A、project be discontinued.
B、business case be updated and possible corrective actions be identified.
C、project be returned to the project sponsor for reapproval.
D、project be completed and the business case be updated later.
ANSWER: B
NOTE: An IS auditor should not recommend discontinuing or completing the project before reviewing an updated business case. The IS auditor should recommend that the business case be kept current throughout the project since it is a key input to decisions made throughout the life of any project.
405、Establishing the level of acceptable risk is the responsibility of:
A、quality assurance management.
B、senior business management.
C、the chief information officer.
D、the chief security officer.
ANSWER: B
NOTE: Senior management should establish the acceptable risk level, since they have the ultimate or final responsibility for the effective and efficient operation of the organization. Choices A, C and D should act as advisors to senior management in determining an acceptable risk level.
406、Which of the following controls would be the MOST comprehensive in a remote access network with multiple and diverse subsystems?
A、Proxy server
B、Firewall installation
C、Network administrator
D、Password implementation and administration
ANSWER: D
NOTE: The most comprehensive control in this situation is password implementation and administration. While firewall installations are the primary line of defense, they cannot protect all access and, therefore, an element of risk remains. A proxy server is a type of firewall installation; thus, the same rules apply. The network administrator may serve as a control, but typically this would not be comprehensive enough to serve on multiple and diverse systems.
407、As part of the business continuity planning process, which of the following should be identified FIRST in the business impact analysis?
A、Organizational risks, such as single point-of-failure and infrastructure risk
B、Threats to critical business processes
C、Critical business processes for ascertaining the priority for recovery
D、Resources required for resumption of business
ANSWER: C
NOTE: The identification of the priority for recovering critical business processes should be addressed first. Organizational risks should be identified next, followed by the identification of threats to critical business processes. Identification of resources for business resumption will occur after the tasks mentioned.
408、When auditing a disaster recovery plan for a critical business area, an IS auditor finds that it does not cover all the systems. Which of the following is the MOST appropriate action for the IS auditor?
A、Alert management and evaluate the impact of not covering all systems.
B、Cancel the audit.
C、Complete the audit of the systems covered by the existing disaster recovery plan.
D、Postpone the audit until the systems are added to the disaster recovery plan.
ANSWER: A
NOTE: An IS auditor should make management aware that some systems are omitted from the disaster recovery plan. An IS auditor should continue the audit and include an evaluation of the impact of not including all systems in the disaster recovery plan. Cancelling the audit, ignoring the fact that some systems are not covered or postponing the audit are inappropriate actions to take.
409、Security administration procedures require read-only access to:
A、access control tables.
B、security log files.
C、logging options.
D、user profiles.
ANSWER: B
NOTE: Security administration procedures require read-only access to security log files to ensure that, once generated, the logs are not modified. Logs provide evidence and track suspicious transactions and activities. Security administration procedures require write access to access control tables to manage and update the privileges according to authorized business requirements. Logging options require write access to allow the administrator to update the way the transactions and user activities are monitored, captured, stored, processed and reported.
410、An IS auditor inspected a windowless room containing phone switching and networking equipment and documentation binders. The room was equipped with two handheld fire extinguishers, one filled with CO2 and the other filled with halon. Which of the following should be given the HIGHEST priority in the auditor's report?
A、The halon extinguisher should be removed because halon has a negative impact on the atmospheric ozone layer.
B、Both fire suppression systems present a risk of suffocation when used in a closed room.
C、The CO2 extinguisher should be removed, because CO2 is ineffective for suppressing fires involving solid combustibles (paper).
D、The documentation binders should be removed from the equipment room to reduce potential risks.
ANSWER: B
NOTE: Protecting people's lives should always be of highest priority in fire suppression activities. CO2 and halon both reduce the oxygen ratio in the atmosphere, which can induce serious personal hazards. In many countries installing or refilling halon fire suppression systems is not allowed. Although CO2 and halon are effective and appropriate for fires involving synthetic combustibles and electrical equipment, they are nearly totally ineffective on solid combustibles (wood and paper). Although not of highest priority, removal of the documentation would probably reduce some of the risks.
411、Which of the following audit techniques would BEST aid an auditor in determining whether there have been unauthorized program changes since the last authorized program update?
A、Test data run
B、Code review
C、Automated code comparison
D、Review of code migration procedures
ANSWER: C
NOTE: An automated code comparison is the process of comparing two versions of the same program to determine whether the two correspond. It is an efficient technique because it is an automated procedure. Test data runs permit the auditor to verify the processing of preselected transactions, but provide no evidence about unexercised portions of a program. Code review is the process of reading program source code listings to determine whether the code contains potential errors or inefficient statements. A code review can be used as a means of code comparison but it is inefficient. The review of code migration procedures would not detect program changes.
412、Which of the following is an implementation risk within the process of decision support systems?
A、Management control
B、Semistructured dimensions
C、Inability to specify purpose and usage patterns
D、Changes in decision processes
ANSWER: C
NOTE: The inability to specify purpose and usage patterns is a risk that developers need to anticipate while implementing a decision support system (DSS). Choices A, B and D are not risks, but characteristics of a DSS.
413、Which of the following presents an inherent risk with no distinct identifiable preventive controls?
A、Piggybacking
B、Viruses
C、Data diddling
D、Unauthorized application shutdown
ANSWER: C
NOTE: Data diddling involves changing data before they are entered into the computer. It is one of the most common abuses, because it requires limited technical knowledge and occurs before computer security can protect the data. There are only compensating controls for data diddling. Piggybacking is the act of following an authorized person through a secured door and can be prevented by the use of deadman doors. Logical piggybacking is an attempt to gain access through someone who has the rights, e.g., electronically attaching to an authorized telecommunication link to possibly intercept transmissions. This could be prevented by encrypting the message. Viruses are malicious program code inserted into another executable code that can self-replicate and spread from computer to computer via sharing of computer diskettes, transfer of logic over telecommunication lines or direct contact with an infected machine. Antiviral software can be used to protect the computer against viruses. The shutdown of an application can be initiated through terminals or microcomputers connected directly (online) or indirectly (dial-up line) to the computer. Only individuals knowing the high-level logon ID and password can initiate the shutdown process, which is effective if there are proper access controls.
414、An IS auditor performing an application maintenance audit would review the log of program changes for the:
A、authorization of program changes.
B、creation date of a current object module.
C、number of program changes actually made.
D、creation date of a current source program.
ANSWER: A
NOTE: The manual log will most likely contain information on authorized changes to a program. Deliberate, unauthorized changes will not be documented by the responsible party. An automated log, found usually in library management products, and not a change log would most likely contain date information for the source and executable modules.
415、Overall business risk for a particular threat can be expressed as:
A、a product of the probability and magnitude of the impact if a threat successfully exploits a vulnerability.
B、the magnitude of the impact should a threat source successfully exploit the vulnerability.
C、the likelihood of a given threat source exploiting a given vulnerability.
D、the collective judgment of the risk assessment team.
ANSWER: A
NOTE: Choice A takes into consideration the likelihood and magnitude of the impact and provides the best measure of the risk to an asset. Choice B provides only the likelihood of a threat exploiting a vulnerability in the asset but does not provide the magnitude of the possible damage to the asset. Similarly, choice C considers only the magnitude of the damage and not the possibility of a threat exploiting a vulnerability. Choice D defines the risk on an arbitrary basis and is not suitable for a scientific risk management process.
416、An integrated test facility is considered a useful audit tool because it:
A、is a cost-efficient approach to auditing application controls.
B、enables the financial and IS auditors to integrate their audit tests.
C、compares processing output with independently calculated data.
D、provides the IS auditor with a tool to analyze a large range of information.
ANSWER: C
NOTE: An integrated test facility is considered a useful audit tool because it uses the same programs to compare processing using independently calculated data. This involves setting up dummy entities on an application system and processing test or production data against the entity as a means of verifying processing accuracy.
417、An IS auditor should use statistical sampling and not judgment (nonstatistical) sampling, when:
A、the probability of error must be objectively quantified.
B、the auditor wishes to avoid sampling risk.
C、generalized audit software is unavailable.
D、the tolerable error rate cannot be determined.
ANSWER: A
NOTE: Given an expected error rate and confidence level, statistical sampling is an objective method of sampling, which helps an IS auditor determine the sample size and quantify the probability of error (confidence coefficient). Choice B is incorrect because sampling risk is the risk of a sample not being representative of the population. This risk exists for both judgment and statistical samples. Choice C is incorrect because statistical sampling does not require the use of generalized audit software. Choice D is incorrect because the tolerable error rate must be predetermined for both judgment and statistical sampling.
418、During an audit of the logical access control of an ERP financial system an IS auditor found some user accounts shared by multiple individuals. The user IDs were based on roles rather than individual identities. These accounts allow access to financial transactions on the ERP. What should the IS auditor do next?
A、Look for compensating controls.
B、Review financial transaction logs.
C、Review the scope of the audit.
D、Ask the administrator to disable these accounts.
ANSWER: A
NOTE: The best logical access control practice is to create user IDs for each individual to define accountability. This is possible only by establishing a one-to-one relationship between IDs and individuals. However, if the user IDs are created based on role designations, an IS auditor should first understand the reasons and then evaluate the effectiveness and efficiency of compensating controls. Reviewing transaction logs is not relevant to an audit of logical access control, nor is reviewing the scope of the audit relevant. Asking the administrator to disable the shared accounts should not be recommended by an IS auditor before understanding the reasons and evaluating the compensating controls. It is not an IS auditor's responsibility to ask for disabling accounts during an audit.
419、Doing which of the following during peak production hours could result in unexpected downtime?
A、Performing data migration or tape backup
B、Performing preventive maintenance on electrical systems
C、Promoting applications from development to the staging environment
D、Replacing a failed power supply in the core router of the data center
ANSWER: B
NOTE: Choices A and C are processing events which may impact performance, but would not cause downtime. Enterprise-class routers have redundant hot-swappable power supplies, so replacing a failed power supply should not be an issue. Preventive maintenance activities should be scheduled for non-peak times of the day, and preferably during a maintenance window time period. A mishap or incident caused by a maintenance worker could result in unplanned downtime.
420、During what process should router access control lists be reviewed?
A、Environmental review
B、Network security review
C、Business continuity review
D、Data integrity review
ANSWER: B
NOTE: Network security reviews include reviewing router access control lists, port scanning, internal and external connections to the system, etc. Environmental reviews, business continuity reviews and data integrity reviews do not require a review of the router access control lists.
421、Which of the following is the MOST robust method for disposing of magnetic media that contains confidential information?
A、Degaussing
B、Defragmenting
C、Erasing
D、Destroying
ANSWER: D
NOTE: Destroying magnetic media is the only way to assure that confidential information cannot be recovered. Degaussing or demagnetizing is not sufficient to fully erase information from magnetic media. The purpose of defragmentation is to eliminate fragmentation in file systems and does not remove information. Erasing or deleting magnetic media does not remove the information; this method simply changes a file's indexing information.
422、An IS auditor performing a telecommunication access control review should be concerned PRIMARILY with the:
A、maintenance of access logs of usage of various system resources.
B、authorization and authentication of the user prior to granting access to system resources.
C、adequate protection of stored data on servers by encryption or other means.
D、accountability system and the ability to identify any terminal accessing system resources.
ANSWER: B
NOTE: The authorization and authentication of users is the most significant aspect in a telecommunications access control review, as it is a preventive control. Weak controls at this level can affect all other aspects. The maintenance of access logs of usage of system resources is a detective control. The adequate protection of data being transmitted to and from servers by encryption or other means is a method of protecting information during transmission and is not an access issue. The accountability system and the ability to identify any terminal accessing system resources deal with controlling access through the identification of a terminal.
423、During a postimplementation review of an enterprise resource management system, an IS auditor would MOST likely:
A、review access control configuration.
B、evaluate interface testing.
C、review detailed design documentation.
D、evaluate system testing.
ANSWER: A
NOTE: Reviewing access control configuration would be the first task performed to determine whether security has been appropriately mapped in the system. Since a postimplementation review is done after user acceptance testing and actual implementation, one would not engage in interface testing or detailed design documentation. Evaluating interface testing would be part of the implementation process. The issue of reviewing detailed design documentation is not generally relevant to an enterprise resource management system, since these are usually vendor packages with user manuals. System testing should be performed before final user signoff.
424、A programmer maliciously modified a production program to change data and then restored the original code. Which of the following would MOST effectively detect the malicious activity?
A、Comparing source code
B、Reviewing system log files
C、Comparing object code
D、Reviewing executable and source code integrity
ANSWER: B
NOTE: Reviewing system log files is the only trail that may provide information about the unauthorized activities in the production library. Source and object code comparisons are ineffective, because the original programs were restored and do not exist. Reviewing executable and source code integrity is an ineffective control, because integrity between the executable and source code is automatically maintained.
425、Which of the following online auditing techniques is most effective for the early detection of errors or irregularities?
A、Embedded audit module
B、Integrated test facility
C、Snapshots
D、Audit hooks
ANSWER: D
NOTE: The audit hook technique involves embedding code in application systems for the examination of selected transactions. This helps an IS auditor to act before an error or an irregularity gets out of hand. An embedded audit module involves embedding specially-written software in the organization's host application system so that application systems are monitored on a selective basis. An integrated test facility is used when it is not practical to use test data, and snapshots are used when an audit trail is required.
426、A company is implementing a dynamic host configuration protocol (DHCP). Given that the following conditions exist, which represents the GREATEST concern?
A、Most employees use laptops.
B、A packet filtering firewall is used.
C、The IP address space is smaller than the number of PCs.
D、Access to a network port is not restricted.
ANSWER: D
NOTE: Given physical access to a port, anyone can connect to the internal network. The other choices do not present the exposure that access to a port does. DHCP provides convenience (an advantage) to the laptop users. Sharing IP addresses and the existence of a firewall can be security measures.
427、Which of the following would BEST provide assurance of the integrity of new staff?
A、Background screening
B、References
C、Bonding
D、Qualifications listed on a resumé
ANSWER: A
NOTE: A background screening is the primary method for assuring the integrity of a prospective staff member. References are important and would need to be verified, but they are not as reliable as background screening. Bonding is directed at due-diligence compliance, not at integrity, and qualifications listed on a resumé may not be accurate.
428、Which of the following is a substantive test?
A、Checking a list of exception reports
B、Ensuring approval for parameter changes
C、Using a statistical sample to inventory the tape library
D、Reviewing password history reports
ANSWER: C
NOTE: A substantive test confirms the integrity of actual processing. A substantive test would determine if the tape library records are stated correctly. A compliance test determines if controls are being applied in a manner that is consistent with management policies and procedures. Checking the authorization of exception reports, reviewing authorization for changing parameters and reviewing password history reports are all compliance tests.
429、Reverse proxy technology for web servers should be deployed if:
A、http servers' addresses must be hidden.
B、accelerated access to all published pages is required.
C、caching is needed for fault tolerance.
D、bandwidth to the user is limited.
ANSWER: A
NOTE: Reverse proxies are primarily designed to hide physical and logical internal structures from outside access. Complete URLs or URIs can be partially or completely redirected without disclosing which internal or DMZ server is providing the requested data. This technology might be used if a trade-off between security, performance and costs has to be achieved. Proxy servers cache some data but normally cannot cache all pages to be published because this depends on the kind of information the web servers provide. The ability to accelerate access depends on the speed of the back-end servers, i.e., those that are cached. Thus, without making further assumptions, a gain in speed cannot be assured, but virtualization and hiding of internal structures can. If speed is an issue, a scale-out approach (avoiding adding additional delays by passing firewalls, involving more servers, etc.) would be a better solution. Due to the limited caching option, reverse proxies are not suitable for enhancing fault tolerance. User requests that are handled by reverse proxy servers are using exactly the same bandwidth as direct requests to the hosts providing the data.
430、The PRIMARY objective of service-level management (SLM) is to:
A、define, agree, record and manage the required levels of service.
B、ensure that services are managed to deliver the highest achievable level of availability.
C、keep the costs associated with any service at a minimum.
D、monitor and report any legal noncompliance to business management.
ANSWER: A
NOTE: The objective of service-level management (SLM) is to negotiate, document and manage (i.e., provide and monitor) the services in the manner in which the customer requires those services. This does not necessarily ensure that services are delivered at the highest achievable level of availability (e.g., redundancy and clustering). Although maximizing availability might be necessary for some critical services, it cannot be applied as a general rule of thumb. SLM cannot ensure that costs for all services will be kept at a low or minimum level, since costs associated with a service will directly reflect the customer's requirements. Monitoring and reporting legal noncompliance is not a part of SLM.
431、Which of the following exposures associated with the spooling of sensitive reports for offline printing should an IS auditor consider to be the MOST serious?
A、Sensitive data can be read by operators.
B、Data can be amended without authorization.
C、Unauthorized report copies can be printed.
D、Output can be lost in the event of system failure.
ANSWER: C
NOTE: Unless controlled, spooling for offline printing may enable additional copies to be printed. Print files are unlikely to be available for online reading by operators. Data on spool files are no easier to amend without authority than any other file. There is usually a lesser threat of unauthorized access to sensitive reports in the event of a system failure.
432、An IS auditor reviewing a database application discovers that the current configuration does not match the originally designed structure. Which of the following should be the IS auditor's next action?
A、Analyze the need for the structural change.
B、Recommend restoration to the originally designed structure.
C、Recommend the implementation of a change control process.
D、Determine if the modifications were properly approved.
ANSWER: D
NOTE: An IS auditor should first determine if the modifications were properly approved. Choices A, B and C are possible subsequent actions, should the IS auditor find that the structural modification had not been approved.
433、Effective IT governance will ensure that the IT plan is consistent with the organization's:
A、business plan.
B、audit plan.
C、security plan.
D、investment plan.
ANSWER: A
NOTE: To govern IT effectively, IT and business should be moving in the same direction, requiring that the IT plans are aligned with an organization's business plans. The audit and investment plans are not part of the IT plan, while the security plan should be at a corporate level.
434、Which of the following concerns associated with the World Wide Web would be addressed by a firewall?
A、Unauthorized access from outside the organization
B、Unauthorized access from within the organization
C、A delay in Internet connectivity
D、A delay in downloading using File Transfer Protocol (FTP)
ANSWER: A
NOTE: Firewalls are meant to prevent outsiders from gaining access to an organization's computer systems through the Internet gateway. They form a barrier with the outside world, but are not intended to address access by internal users; they are more likely to cause delays than address such concerns.
435、The MAIN criterion for determining the severity level of a service disruption incident is:
A、cost of recovery.
B、negative public opinion.
C、geographic location.
D、downtime.
ANSWER: D
NOTE: The longer the period of time a client cannot be serviced, the greater the severity of the incident. The cost of recovery could be minimal yet the service downtime could have a major impact. Negative public opinion is a symptom of an incident. Geographic location does not determine the severity of the incident.
436、Which of the following would provide the BEST protection against the hacking of a computer connected to the Internet?
A、A remote access server
B、A proxy server
C、A personal firewall
D、A password-generating token
ANSWER: C
NOTE: A personal firewall is the best way to protect against hacking, because it can be defined with rules that describe the type of user or connection that is or is not permitted. A remote access server can be mapped or scanned from the Internet, creating security exposures. Proxy servers can provide protection based on the IP address and ports; however, an individual would need to have in-depth knowledge to do this, and applications can use different ports for the different sections of their program. A password-generating token may help to encrypt the session but does not protect a computer against hacking.
437、Which of the following user profiles should be of MOST concern to an IS auditor when performing an audit of an EFT system?
A、Three users with the ability to capture and verify their own messages
B、Five users with the ability to capture and send their own messages
C、Five users with the ability to verify other users and to send their own messages
D、Three users with the ability to capture and verify the messages of other users and to send their own messages
ANSWER: A
NOTE: The ability of one individual to capture and verify messages represents an inadequate segregation, since messages can be taken as correct and as if they had already been verified.
438、Which of the following functions should be performed by the application owners to ensure an adequate segregation of duties between IS and end users?
A、System analysis
B、Authorization of access to data
C、Application programming
D、Data administration
ANSWER: B
NOTE: The application owner is responsible for authorizing access to data. Application development and programming are functions of the IS department. Similarly, system analysis should be performed by qualified persons in IS who have knowledge of IS and user requirements. Data administration is a specialized function related to database management systems and should be performed by qualified database administrators.
439、Which of the following is the GREATEST risk of an inadequate policy definition for ownership of data and systems?
A、User management coordination does not exist.
B、Specific user accountability cannot be established.
C、Unauthorized users may have access to originate, modify or delete data.
D、Audit recommendations may not be implemented.
ANSWER: C
NOTE: Without a policy defining who is responsible for granting access to specific systems, there is an increased risk that someone will be given system access they should not have. Assigning a named owner the authority to grant access to specific users improves the chance that business objectives will be properly supported.
440、Which of the following network components is PRIMARILY set up to serve as a security measure by preventing unauthorized traffic between different segments of the network?
A、Firewalls
B、Routers
C、Layer 2 switches
D、VLANs
ANSWER: A
NOTE: Firewalls are the primary tool that enables an organization to prevent unauthorized access between networks; an organization may deploy one or more systems that function as firewalls. Routers can filter packets on parameters such as source address, but they are not primarily a security tool. Layer 2 switches separate traffic per port based on Media Access Control (MAC) addresses, without determining whether the traffic is authorized. A virtual LAN (VLAN) is a feature of some switches that lets them switch traffic between different ports as if they were on the same LAN; VLANs likewise do not distinguish authorized from unauthorized traffic.
441、When an organization outsources its information security function, which of the following should be kept within the organization?
A、Accountability for the corporate security policy
B、Defining the corporate security policy
C、Implementing the corporate security policy
D、Defining security procedures and guidelines
ANSWER: A
NOTE: Accountability cannot be transferred to external parties. Choices B, C and D can be performed by outside entities as long as accountability remains within the organization.
442、In transport mode, the use of the Encapsulating Security Payload (ESP) protocol is advantageous over the Authentication Header (AH) protocol because it provides:
A、connectionless integrity.
B、data origin authentication.
C、antireplay service.
D、confidentiality.
ANSWER: D
NOTE: Both protocols provide choices A, B and C, but only ESP provides confidentiality, by encrypting the payload. The practical trade-off is that AH's integrity check also covers the immutable fields of the outer IP header, while ESP's integrity check covers only the ESP header, payload and trailer; in transport mode ESP therefore leaves the IP header unauthenticated.
443、An IS auditor recommends that an initial validation control be programmed into a credit card transaction capture application. The initial validation process would MOST likely:
A、check to ensure that the type of transaction is valid for the card type.
B、verify the format of the number entered, then locate it on the database.
C、ensure that the transaction entered is within the cardholder's credit limit.
D、confirm that the card is not shown as lost or stolen on the master file.
ANSWER: B
NOTE: The initial validation should confirm whether the card is valid. Validity is established from the card number and PIN entered by the user, and all other validations proceed from this initial check. A validation control at data capture ensures that the data entered is valid, i.e., that it can be processed by the system. If the data captured in the initial validation is not valid (the card number or PIN do not match the database), the card is rejected or retained according to the controls in place. Once initial validation is complete, the other validations specific to the card and cardholder are performed.
444、Java applets and ActiveX controls are distributed executable programs that execute in the background of a web browser client. This practice is considered reasonable when:
A、a firewall exists.
B、a secure web connection is used.
C、the source of the executable file is certain.
D、the host web site is part of the organization.
ANSWER: C
NOTE: Acceptance of these mechanisms should be based on established trust. The only real control is knowing the source (in practice, a verified code signature) and then allowing the applet or control to run. Hostile applets can be received from anywhere, and filtering at this level is practically impossible. A secure web connection and a firewall are external defenses: a firewall cannot easily filter a specific file from a trusted source, and a secure web connection provides only confidentiality. Neither can identify an executable file as friendly. Hosting the web site inside the organization is impractical. Enabling the acceptance of Java applets and/or ActiveX controls is an all-or-nothing proposition: the client will accept the program if its parameters are set to do so.
445、Which of the following is the PRIMARY safeguard for securing software and data within an information processing facility?
A、Security awareness
B、Reading the security policy
C、Security committee
D、Logical access controls
ANSWER: D
NOTE: To retain a competitive advantage and meet basic business requirements, organizations must ensure the integrity of the information stored on their computer systems, preserve the confidentiality of sensitive data and ensure the continued availability of their information systems. To meet these goals, logical access controls must be in place. Awareness (choice A) by itself does not protect against unauthorized access or disclosure of information. Knowledge of the information systems security policy (choice B), which every employee should have, helps protect information but does not prevent unauthorized access to it. A security committee (choice C) is key to the protection of information assets, but addresses security issues from a broader perspective.
446、There are several methods of providing telecommunications continuity. The method of routing traffic through split-cable or duplicate-cable facilities is called:
A、alternative routing.
B、diverse routing.
C、long-haul network diversity.
D、last-mile circuit protection.
ANSWER: B
NOTE: Diverse routing routes traffic through split-cable or duplicate-cable facilities, using different and/or duplicate cable sheaths. If only different sheaths are used, the cables may still share the same conduit and therefore be subject to the same interruptions as the cable being backed up. The subscriber can duplicate facilities by having alternate routes, although the entrance to and from the customer premises may still be in a single conduit. Diverse routing and alternate routing, including dual-entrance facilities, can be obtained from the local carrier, but this is time consuming and costly. Alternative routing routes information via an alternate medium, such as copper cable or fiber optics, using different networks, circuits or end points should the normal network be unavailable. Long-haul network diversity is a diverse long-distance network using T-1 circuits among the major long-distance carriers; it ensures long-distance access should any one carrier experience a network failure. Last-mile circuit protection is a redundant combination of local-carrier T-1s, microwave and/or coaxial cable access to the local communications loop, so that the facility retains access during a local-carrier communications disaster; alternate local-carrier routing is also used.
447、After a full operational contingency test, an IS auditor performs a review of the recovery steps. The auditor concludes that the time it took for the technological environment and systems to return to full functioning exceeded the required critical recovery time. Which of the following should the auditor recommend?
A、Perform a comprehensive review of the recovery tasks.
B、Broaden the processing capacity to gain recovery time.
C、Make improvements in the facility's circulation structure.
D、Increase the amount of human resources involved in the recovery.
ANSWER: A
NOTE: An exhaustive review of the recovery tasks is the appropriate first step: it identifies how each task was performed and how much time each recovery step actually took, and shows where adjustments can be made. Choices B, C and D are possible actions only after that review has been completed and has shown them to be the bottleneck.
448、Which of the following would be the MOST secure firewall system?
A、Screened-host firewall
B、Screened-subnet firewall
C、Dual-homed firewall
D、Stateful-inspection firewall
ANSWER: B
NOTE: A screened-subnet firewall, also used to form a demilitarized zone (DMZ), uses two packet-filtering routers and a bastion host. It is the most secure arrangement because it supports both network-level and application-level security while defining a separate DMZ network. A screened-host firewall uses one packet-filtering router and a bastion host, implementing basic network-layer security (packet filtering) and application-server security (proxy services). A dual-homed firewall is a more restrictive form of the screened-host firewall, with one interface configured for information servers and another for the private network's hosts. A stateful-inspection firewall works at the transport layer and keeps track of the connections (addresses and ports) leaving the organization's internal network, allowing in only the replies that match a recorded outbound connection.
449、During an application audit, an IS auditor finds several problems related to corrupted data in the database. Which of the following is a corrective control that the IS auditor should recommend?
A、Implement data backup and recovery procedures.
B、Define standards and closely monitor for compliance.
C、Ensure that only authorized personnel can update the database.
D、Establish controls to handle concurrent access problems.
ANSWER: A
NOTE: Implementing data backup and recovery procedures is a corrective control, because backups and recovery can be used to roll the database back past the corruption. Defining standards is a preventive control, while monitoring for compliance is a detective control. Ensuring that only authorized personnel can update the database is a preventive control, as is establishing controls to handle concurrent-access problems.
450、Which of the following append themselves to files as a protection against viruses?
A、Behavior blockers
B、Cyclical redundancy checkers (CRCs)
C、Immunizers
D、Active monitors
ANSWER: C
NOTE: Immunizers defend against viruses by appending sections of themselves to files; they continuously check the file for changes and report changes as possible viral behavior. Behavior blockers focus on detecting potentially abnormal behavior, such as writing to the boot sector or master boot record, or changing executable files. Cyclical redundancy checkers compute a checksum over a known virus-free program and store it in a database; when the program is later executed, the checker recomputes the value, compares it with the database and reports possible infection if the file has changed. A CRC is not collision resistant and can be deliberately matched by an attacker who controls the file contents, so current integrity checkers use a cryptographic hash such as SHA-256 for the same purpose. Active monitors interpret DOS and ROM basic input-output system (BIOS) calls, looking for virus-like actions.
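The checker described above, written as an added example that is not part of the original question bank or of any anti-virus product: a baseline of file digests taken over a known-clean tree, then recomputed later to classify every file as modified, missing or added. It uses SHA-256 where the original describes a CRC, for the reason given in the note. The sample files and the simulated infection are constructed inside a temporary directory so the example runs offline.

```python
import hashlib
import tempfile
from pathlib import Path


def file_digest(path, algo="sha256"):
    """Stream the file through a cryptographic hash (a CRC is linear and can
    be forged by appending a few chosen bytes; SHA-256 cannot)."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Record the digest of every regular file under a known-clean tree.
    In real use the baseline must be stored where the checked host cannot
    rewrite it (read-only media or a separate host); otherwise malware that
    gains write access simply re-baselines itself."""
    root = Path(root)
    return {str(p.relative_to(root)): file_digest(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def check_tree(root, baseline):
    """Recompute digests and classify every difference against the baseline."""
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "missing": sorted(k for k in baseline if k not in current),
        "added": sorted(k for k in current if k not in baseline),
    }


def demo():
    """Constructed scenario: baseline two fake executables, then simulate a
    file infector appending code to app.exe, a dropped file and a deleted DLL."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "app.exe").write_bytes(b"MZ\x90\x00 clean program image")
        (root / "lib.dll").write_bytes(b"MZ\x90\x00 helper library")
        baseline = build_baseline(root)
        with open(root / "app.exe", "ab") as f:
            f.write(b"\xeb\xfe appended viral code")          # infector-style append
        (root / "dropper.exe").write_bytes(b"MZ new unknown file")
        (root / "lib.dll").unlink()
        return check_tree(root, baseline)


if __name__ == "__main__":
    print(demo())
```

A checker of this kind is purely detective: it reports that app.exe changed, not what changed or whether the change was a legitimate update, which is why it must be paired with a change-control record of expected modifications to keep the false-positive rate workable.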
451、Which of the following is the BEST method for determining the criticality of each application system in the production environment?
A、Interview the application programmers.
B、Perform a gap analysis.
C、Review the most recent application audits.
D、Perform a business impact analysis.
ANSWER: D
NOTE: A business impact analysis gives the impact of the loss of each application. Interviews with the application programmers provide only limited information about the criticality of the systems. A gap analysis is relevant only to systems development and project management. The audits may not contain the required information or may not have been done recently.
452、Which audit technique provides the BEST evidence of the segregation of duties in an IS department?
A、Discussion with management
B、Review of the organization chart
C、Observation and interviews
D、Testing of user access rights
ANSWER: C
NOTE: By observing the IS staff performing their tasks, an IS auditor can identify whether anyone performs incompatible operations, and by interviewing the staff the auditor gets an overview of the tasks performed; from the observations and interviews together the auditor can evaluate the segregation of duties. Management may not be aware of the detailed functions of each employee in the IS department, so discussion with management provides only limited information. An organization chart does not show the functions employees actually perform. Testing user access rights shows what rights they have within the IS systems, but not the complete set of functions they perform.
453、During the design of a business continuity plan, the business impact analysis (BIA) identifies critical processes and supporting applications. This will PRIMARILY influence the:
A、responsibility for maintaining the business continuity plan.
B、criteria for selecting a recovery site provider.
C、recovery strategy.
D、responsibilities of key personnel.
ANSWER: C
NOTE: The most appropriate recovery strategy is selected based on the relative risk level and criticality identified in the BIA. The other choices are decided after the recovery strategy has been selected or designed.
454、What is the lowest level of the IT governance maturity model at which an IT balanced scorecard exists?
A、Repeatable but Intuitive
B、Defined
C、Managed and Measurable
D、Optimized
ANSWER: B
NOTE: Defined (level 3) is the lowest maturity level at which an IT balanced scorecard is defined.
455、If the recovery time objective (RTO) increases:
A、the disaster tolerance increases.
B、the cost of recovery increases.
C、a cold site cannot be used.
D、the data backup frequency increases.
ANSWER: A
NOTE: The longer the RTO, the higher the disaster tolerance and the lower the recovery cost. It cannot be concluded that a cold site is inappropriate or that the frequency of data backup would increase; backup frequency is driven by the recovery point objective, not by the RTO.
456、In a client-server system, which of the following control techniques is used to inspect activity from known or unknown users?
A、Diskless workstations
B、Data encryption techniques
C、Network monitoring devices
D、Authentication systems
ANSWER: C
NOTE: Network monitoring devices can inspect the activity of known or unknown users and identify client addresses, which may help find evidence of unauthorized access; they serve as a detective control. Diskless workstations prevent access control software from being bypassed. Data encryption techniques help protect sensitive or proprietary data from unauthorized access and are a preventive control. Authentication systems provide environment-wide logical facilities that differentiate among users before granting access to systems.
457、The waterfall life cycle model of software development is most appropriately used when:
A、requirements are well understood and are expected to remain stable, as is the business environment in which the system will operate.
B、requirements are well understood and the project is subject to time pressures.
C、the project intends to apply an object-oriented design and programming approach.
D、the project will involve the use of new technology.
ANSWER: A
NOTE: Historically, the waterfall model has been best suited to the stable conditions described in choice A. As the uncertainty about the system to be delivered and the conditions in which it will be used rises, the waterfall model has not been successful. In those circumstances the various forms of iterative development life cycle have the advantage of breaking down the scope of the overall system, making requirements gathering and design more manageable; delivering working software earlier also reduces uncertainty and may allow benefits to be realized sooner. The choice of design and programming approach is not itself a determining factor for the type of life cycle that is appropriate. The use of new technology introduces a significant element of risk, and an iterative form of development, particularly one of the agile methods that focuses on early delivery of working software, is likely the better option for managing that uncertainty.
458、The information security policy that states "each individual must have their badge read at every controlled door" addresses which of the following attack methods?
A、Piggybacking
B、Shoulder surfing
C、Dumpster diving
D、Impersonation
ANSWER: A
NOTE: Piggybacking refers to unauthorized persons following authorized persons, physically or virtually, into restricted areas. This policy addresses the polite-behavior problem of holding doors open for a stranger: if every employee must have their badge read at every controlled door, no unauthorized person can enter the sensitive area behind an employee. Shoulder surfing (looking over a user's shoulder to obtain sensitive information) could be done by someone who gained access by piggybacking, but the policy specifically concerns physical access control and would not prevent shoulder surfing. Dumpster diving, searching an organization's trash for valuable information, can be done outside the physical perimeter, so the policy does not address it. Impersonation is a social engineer posing as an employee to obtain information; some social engineering attacks combine impersonation with piggybacking, but this policy does not address impersonation itself.
459、To reduce the possibility of losing data during processing, the FIRST point at which control totals should be implemented is:
A、during data preparation.
B、in transit to the computer.
C、between related computer runs.
D、during the return of the data to the user department.
ANSWER: A
NOTE: During data preparation is the best answer because it establishes control at the earliest point: totals taken when the batch is prepared can then be reconciled after transit, between related runs and on return to the user department, so any loss can be attributed to a specific stage.
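Batch control totals carried through the stages named in the options, as an added example that is not part of the original question bank. It assumes a constructed batch of payment records with an account number and an amount; the three totals (record count, financial total, and a hash total over the account numbers) are taken at data preparation and reconciled at each later stage, so the example also shows why a hash total is needed: a transposed account number leaves the count and the financial total intact.

```python
from decimal import Decimal


def control_totals(records):
    """Batch totals taken at data preparation: record count, financial total
    and a hash total over a non-financial field (the account number). The hash
    total has no business meaning; it only exists to catch substitutions that
    leave count and amount unchanged."""
    return {
        "count": len(records),
        "amount": sum((Decimal(r["amount"]) for r in records), Decimal("0")),
        "hash_total": sum(int(r["account"]) for r in records),
    }


def reconcile(stage, records, expected):
    """Recompute the totals at a later stage and return the discrepancies,
    tagged with the stage so a loss can be attributed to where it occurred."""
    actual = control_totals(records)
    return [f"{stage}: {k} expected {expected[k]} got {actual[k]}"
            for k in expected if actual[k] != expected[k]]


def demo():
    """Constructed batch: totals taken at preparation, then one record lost
    in transit and one account number transposed between computer runs."""
    prepared = [
        {"account": "1001", "amount": "250.00"},
        {"account": "1002", "amount": "75.50"},
        {"account": "1003", "amount": "1200.00"},
    ]
    totals = control_totals(prepared)
    after_transit = prepared[:2]                       # third record dropped
    between_runs = [dict(r) for r in prepared]
    between_runs[1]["account"] = "1020"                # digits transposed, amount intact
    return {
        "transit": reconcile("in transit", after_transit, totals),
        "runs": reconcile("between runs", between_runs, totals),
        "clean": reconcile("return to user", prepared, totals),
    }


if __name__ == "__main__":
    for stage, problems in demo().items():
        print(stage, problems or "reconciled")
```

The totals are computed with Decimal rather than float so that the financial total reconciles exactly; a float sum of the same amounts can differ in the last bit between stages and produce false discrepancies.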
460、An IS auditor should be MOST concerned with what aspect of an authorized honeypot?
A、The data collected on attack methods
B、The information offered to outsiders on the honeypot
C、The risk that the honeypot could be used to launch further attacks on the organization's infrastructure
D、The risk that the honeypot would be subject to a distributed denial-of-service attack
ANSWER: C
NOTE: Choice C represents the organizational risk that the honeypot, once compromised, becomes a point of access from which further attacks on the enterprise's systems are launched. Choices A and B are purposes of deploying a honeypot, not concerns. Choice D, the risk that the honeypot is subjected to a distributed denial-of-service (DDoS) attack, is not relevant, because the honeypot is not a critical device for providing service.
461、Which of the following is a general operating system access control function?
A、Creating database profiles
B、Verifying user authorization at a field level
C、Creating individual accountability
D、Logging database access activities for monitoring access violations
ANSWER: C
NOTE: Creating individual accountability (unique user identification and authentication) is a function of the general operating system. Creating database profiles, verifying user authorization at a field level and logging database access activities to monitor access violations are all database-level access control functions.
462、A top-down approach to the development of operational policies will help ensure:
A、that they are consistent across the organization.
B、that they are implemented as a part of risk assessment.
C、compliance with all policies.
D、that they are reviewed periodically.
ANSWER: A
NOTE: Deriving lower-level policies from corporate policies (a top-down approach) helps ensure consistency across the organization and consistency with other policies. A bottom-up approach to operational policies derives them from the results of a risk assessment. A top-down approach does not of itself ensure compliance, and developing policies does not ensure that they are reviewed.
463、Which of the following encryption techniques will BEST protect a wireless network from a man-in-the-middle attack?
A、128-bit wired equivalent privacy (WEP)
B、MAC-based pre-shared key (PSK)
C、Randomly generated pre-shared key (PSK)
D、Alphanumeric service set identifier (SSID)
ANSWER: C
NOTE: A randomly generated PSK is stronger than a MAC-based PSK because the MAC address of a computer is fixed and easily observed on the air. WEP is a very weak encryption technique and can be cracked within minutes. The SSID is broadcast on the wireless network in plaintext and is not a secret at all. A PSK only raises the bar against outsiders, however: anyone who holds the shared key can still stand up a rogue access point and intercept traffic, so where the threat model includes insiders, per-user credentials with server certificate validation (the enterprise mode of WPA) are the stronger defense.
464、Change management procedures are established by IS management to:
A、control the movement of applications from the test environment to the production environment.
B、control the interruption of business operations from lack of attention to unresolved problems.
C、ensure the uninterrupted operation of the business in the event of a disaster.
D、verify that system changes are properly documented.
ANSWER: A
NOTE: Change management procedures are established by IS management to control the movement of applications from the test environment to the production environment. Problem escalation procedures control the interruption of business operations from lack of attention to unresolved problems; business continuity planning addresses operation during a disaster; and quality assurance procedures verify that system changes are authorized, tested and documented.
465、In a public key infrastructure, a registration authority:
A、verifies information supplied by the subject requesting a certificate.
B、issues the certificate after the required attributes are verified and the keys are generated.
C、digitally signs a message to achieve nonrepudiation of the signed message.
D、registers signed messages to protect them from future repudiation.
ANSWER: A
NOTE: A registration authority (RA) is responsible for verifying the information supplied by the subject requesting a certificate: it checks the requester's right to the requested certificate attributes and that the requester actually possesses the private key corresponding to the public key being submitted. Certification authorities, not registration authorities, issue certificates once that verification is complete, so choice B is incorrect. The sender who controls the private key signs the message, not the RA, and registering signed messages is not a task performed by registration authorities.
466、The most common problem in the operation of an intrusion detection system (IDS) is:
A、the detection of false positives.
B、receiving trap messages.
C、reject-error rates.
D、denial-of-service attacks.
ANSWER: A
NOTE: Because of the way IDS technology operates and is configured, the main problem in operating an IDS is the recognition (detection) of events that are not really security incidents, i.e., false positives, the equivalent of a false alarm. An IS auditor needs to be aware of this and should check for related controls, such as IDS tuning, and incident handling procedures, such as a screening process that decides whether an event is a security incident or a false positive. Trap messages are generated by Simple Network Management Protocol (SNMP) agents when an important event happens and are not specifically related to security or to IDSs. Reject-error rate relates to biometric technology, not to IDSs. Denial of service is a type of attack, not a problem in the operation of an IDS.
467、An IS auditor performing an independent classification of systems should consider a situation where functions could be performed manually at a tolerable cost for an extended period of time as:
A、critical.
B、vital.
C、sensitive.
D、noncritical.
ANSWER: C
NOTE: Sensitive functions are those that can be performed manually at a tolerable cost for an extended period of time. Critical functions cannot be performed unless replaced by identical capabilities and cannot be replaced by manual methods. Vital functions can be performed manually, but only for a brief period; they carry lower disruption costs than critical functions. Noncritical functions may be interrupted for an extended period at little or no cost to the company and require little time or cost to restore.
468、A company has contracted with an external consulting firm to implement a commercial financial system to replace its existing system developed in-house. In reviewing the proposed development approach, which of the following would be of GREATEST concern?
A、Acceptance testing is to be managed by users.
B、A quality plan is not part of the contracted deliverables.
C、Not all business functions will be available on initial implementation.
D、Prototyping is being used to confirm that the system meets business requirements.
ANSWER: B
NOTE: A quality plan is an essential element of every project, and it is critical that the contracted supplier be required to produce one. The quality plan for the proposed development contract should be comprehensive, cover all phases of the development and state which business functions will be included and when. Acceptance testing is normally managed by the user area, since users must be satisfied that the new system meets their requirements. If the system is large, a phased implementation is a reasonable approach. Prototyping is a valid method of ensuring that the system will meet business requirements.
469、A poor choice of passwords and transmission over unprotected communications lines are examples of:
A、vulnerabilities.
B、threats.
C、probabilities.
D、impacts.
ANSWER: A
NOTE: Vulnerabilities are characteristics of information resources that may be exploited by a threat. Threats are circumstances or events with the potential to cause harm to information resources. Probabilities represent the likelihood that a threat occurs, while impacts represent the outcome or result of a threat exploiting a vulnerability.
470、During the system testing phase of an application development project, the IS auditor should review the:
A、conceptual design specifications.
B、vendor contract.
C、error reports.
D、program change requests.
ANSWER: C
NOTE: Testing is crucial for determining that user requirements have been validated. The IS auditor should be involved in this phase, reviewing error reports for their precision in recognizing erroneous data and reviewing the procedures for resolving errors. A conceptual design specification is prepared during the requirements definition phase. A vendor contract is prepared during a software acquisition process. Program change requests would normally be reviewed as part of the post-implementation phase.
471、To address a maintenance problem, a vendor needs remote access to a critical network. The MOST secure and effective solution is to provide the vendor with a:
A、Secure Shell (SSH-2) tunnel for the duration of the problem.
B、two-factor authentication mechanism for network access.
C、dial-in access.
D、virtual private network (VPN) account for the duration of the vendor support contract.
ANSWER: A
NOTE: For granting temporary access to the network, an SSH-2 tunnel is the best approach: it is time-bounded to the problem, it has auditing features, and it can be restricted to specific hosts and ports (the forwarding destinations allowed for the vendor's account). Choices B, C and D all give access to the internal network as a whole. Two-factor authentication and a VPN account provide access to the entire network and are suitable for dedicated users; a VPN account that lives for the whole support contract is far broader in both time and scope than the problem requires. Dial-in access would need close monitoring or reinforcement with another authentication mechanism to reach the same level of security as SSH-2. In practice the tunnel must actually be constrained (an account that only permits forwarding to the affected system and is disabled when the problem is closed); an unrestricted SSH tunnel is just another VPN.
472、Which of the following is the MOST effective method for dealing with the spreading of a network worm that exploits a vulnerability in a protocol?
A、Install the vendor's security fix for the vulnerability.
B、Block the protocol traffic in the perimeter firewall.
C、Block the protocol traffic between internal network segments.
D、Stop the service until an appropriate security fix is installed.
ANSWER: D
NOTE: Stopping the service and then installing the security fix is the safest way to prevent the worm from spreading. Installing the fix without stopping the service is less effective, because the worm keeps spreading until the fix takes effect on every host. Blocking the protocol at the perimeter does not stop the worm from spreading within the internal network(s). Blocking the protocol between internal segments slows the spread but also prevents any legitimate software that uses the protocol from working across segments.
473、An IS auditor analyzing the audit log of a database management system (DBMS) finds that some transactions were partially executed as a result of an error, and are not rolled back. Which of the following transaction processing features has been violated?
A、Consistency
B、Isolation
C、Durability
D、Atomicity
ANSWER: D
NOTE: Atomicity guarantees that either the entire transaction is processed or none of it is. Consistency ensures that the database is in a legal state when the transaction begins and ends. Isolation means that, while in an intermediate state, the transaction data is invisible to external operations. Durability guarantees that a successful transaction will persist, and cannot be undone.
474、Which of the following controls would be MOST effective in ensuring that production source code and object code are synchronized?
A、Release-to-release source and object comparison reports
B、Library control software restricting changes to source code
C、Restricted access to source code and object code
D、Date and time-stamp reviews of source and object code
ANSWER: D
NOTE: Date and time-stamp reviews of source and object code would ensure that source code, which has been compiled, matches the production object code. This is the most effective way to ensure that the approved production source code is compiled and is the one being used.
475、The PRIMARY objective of business continuity and disaster recovery plans should be to:
A、safeguard critical IS assets.
B、provide for continuity of operations.
C、minimize the loss to an organization.
D、protect human life.
ANSWER: D
NOTE: Since human life is invaluable, the main priority of any business continuity and disaster recovery plan should be to protect people. All other priorities are important but are secondary objectives of a business continuity and disaster recovery plan.
476、When implementing an application software package, which of the following presents the GREATEST risk?
A、Uncontrolled multiple software versions
B、Source programs that are not synchronized with object code
C、Incorrectly set parameters
D、Programming errors
ANSWER: C
NOTE: Parameters that are not set correctly would be the greatest concern when implementing an application software package. The other choices, though important, are a concern of the provider, not the organization that is implementing the software itself.
477、Receiving an EDI transaction and passing it through the communications interface stage usually requires:
A、translating and unbundling transactions.
B、routing verification procedures.
C、passing data to the appropriate application system.
D、creating a point of receipt audit log.
ANSWER: B
NOTE: The communications interface stage requires routing verification procedures. EDI or ANSI X12 is a standard that must be interpreted by an application for transactions to be processed and then to be invoiced, paid and sent, whether they are for merchandise or services. There is no point in sending and receiving EDI transactions if they cannot be processed by an internal system. Unpacking transactions and recording audit logs are important elements that help follow business rules and establish controls, but are not part of the communications interface stage.
478、Which of the following risks could result from inadequate software baselining?
A、Scope creep
B、Sign-off delays
C、Software integrity violations
D、Inadequate controls
ANSWER: A
NOTE: A software baseline is the cut-off point in the design and development of a system beyond which additional requirements or modifications to the design do not or cannot occur without undergoing formal strict procedures for approval based on a business cost-benefit analysis. Failure to adequately manage the requirements of a system through baselining can result in a number of risks. Foremost among these risks is scope creep, the process through which requirements change during development. Choices B, C and D may not always result, but choice A is inevitable.
479、When using an integrated test facility (ITF), an IS auditor should ensure that:
A、production data are used for testing.
B、test data are isolated from production data.
C、a test data generator is used.
D、master files are updated with the test data.
ANSWER: B
NOTE: An integrated test facility (ITF) creates a fictitious file in the database, allowing for test transactions to be processed simultaneously with live data. While this ensures that periodic testing does not require a separate test process, there is a need to isolate test data from production data. An IS auditor is not required to use production data or a test data generator. Production master files should not be updated with test data.
480、In determining the acceptable time period for the resumption of critical business processes:
A、only downtime costs need to be considered.
B、recovery operations should be analyzed.
C、both downtime costs and recovery costs need to be evaluated.
D、indirect downtime costs should be ignored.
ANSWER: C
NOTE: Both downtime costs and recovery costs need to be evaluated in determining the acceptable time period before the resumption of critical business processes. The outcome of the business impact analysis (BIA) should be a recovery strategy that represents the optimal balance. Downtime costs cannot be looked at in isolation. The quicker information assets can be restored and business processing resumed, the smaller the downtime costs. However, the expenditure needed to have the redundant capability required to recover information resources might be prohibitive for nonessential business processes. Recovery operations do not determine the acceptable time period for the resumption of critical business processes, and indirect downtime costs should be considered in addition to the direct cash outflows incurred due to business disruption. The indirect costs of a serious disruption to normal business activity, e.g., loss of customer and supplier goodwill and loss of market share, may actually be more significant than direct costs over time, thus reaching the point where business viability is threatened.
481、An IS auditor conducting a review of disaster recovery planning (DRP) at a financial processing organization has discovered the following:
The existing disaster recovery plan was compiled two years earlier by a systems analyst in the organization's IT department using transaction flow projections from the operations department.
The plan was presented to the deputy CEO for approval and formal issue, but it is still awaiting their attention.
The plan has never been updated, tested or circulated to key management and staff, though interviews show that each would know what action to take for its area in the event of a disruptive incident.
The IS auditor's report should recommend that:
A、the deputy CEO be censured for their failure to approve the plan.
B、a board of senior managers is set up to review the existing plan.
C、the existing plan is approved and circulated to all key management and staff.
D、a manager coordinates the creation of a new or revised plan within a defined time limit.
ANSWER: D
NOTE: The primary concern is to establish a workable disaster recovery plan, which reflects current processing volumes to protect the organization from any disruptive incident. Censuring the deputy CEO will not achieve this and is generally not within the scope of an IS auditor to recommend. Establishing a board to review the plan, which is two years out of date, may achieve an updated plan, but is not likely to be a speedy operation, and issuing the existing plan would be folly without first ensuring that it is workable. The best way to achieve a disaster recovery plan in a short time is to make an experienced manager responsible for coordinating the knowledge of other managers into a single, formal document within a defined time limit.
482、When developing a disaster recovery plan, the criteria for determining the acceptable downtime should be the:
A、annualized loss expectancy (ALE).
B、service delivery objective.
C、quantity of orphan data.
D、maximum tolerable outage.
ANSWER: D
NOTE: The recovery time objective is determined based on the acceptable downtime in case of a disruption of operations. It indicates the maximum tolerable outage that an organization considers to be acceptable before a system or process must resume following a disaster. Choice A is incorrect, because the acceptable downtime would not be determined by the annualized loss expectancy (ALE). Choices B and C are relevant to business continuity, but they are not determined by acceptable downtime.
483、Once an organization has finished the business process reengineering (BPR) of all its critical operations, an IS auditor would MOST likely focus on a review of:
A、pre-BPR process flowcharts.
B、post-BPR process flowcharts.
C、BPR project plans.
D、continuous improvement and monitoring plans.
ANSWER: B
NOTE: An IS auditor's task is to identify and ensure that key controls have been incorporated into the reengineered process. Choice A is incorrect because an IS auditor must review the process as it is today, not as it was in the past. Choices C and D are incorrect because they are steps within a BPR project.
484、Which of the following is the MOST effective type of antivirus software?
A、Scanners
B、Active monitors
C、Integrity checkers
D、Vaccines
ANSWER: C
NOTE: Integrity checkers compute a binary number on a known virus-free program that is then stored in a database file. This number is called a cyclical redundancy check (CRC). When that program is called to execute, the checker computes the CRC on the program about to be executed and compares it to the number in the database. A match means no infection; a mismatch means that a change in the program has occurred. A change in the program could mean a virus. Scanners look for sequences of bits called signatures that are typical of virus programs. They examine memory, disk boot sectors, executables and command files for bit patterns that match a known virus. Therefore, scanners need to be updated periodically to remain effective. Active monitors interpret DOS and ROM basic input-output system (BIOS) calls, looking for virus-like actions. Active monitors can be misleading, because they cannot distinguish between a user request and a program or virus request. As a result, users are asked to confirm actions like formatting a disk or deleting a file or set of files. Vaccines are known to be good antivirus software. However, they also need to be updated periodically to remain effective.
485、To ensure an organization is complying with privacy requirements, an IS auditor should FIRST review:
A、the IT infrastructure.
B、organizational policies, standards and procedures.
C、legal and regulatory requirements.
D、the adherence to organizational policies, standards and procedures.
ANSWER: C
NOTE: To ensure that the organization is complying with privacy issues, an IS auditor should address legal and regulatory requirements first. To comply with legal and regulatory requirements, organizations need to adopt the appropriate infrastructure. After understanding the legal and regulatory requirements, an IS auditor should evaluate organizational policies, standards and procedures to determine whether they adequately address the privacy requirements, and then review the adherence to these specific policies, standards and procedures.
486、Which of the following is the MOST critical and contributes the greatest to the quality of data in a data warehouse?
A、Accuracy of the source data
B、Credibility of the data source
C、Accuracy of the extraction process
D、Accuracy of the data transformation
ANSWER: A
NOTE: Accuracy of source data is a prerequisite for the quality of the data in a data warehouse. Credibility of the data source, accurate extraction processes and accurate transformation routines are all important, but would not change inaccurate data into quality (accurate) data.
487、When reviewing the implementation of a LAN, an IS auditor should FIRST review the:
A、node list.
B、acceptance test report.
C、network diagram.
D、user's list.
ANSWER: C
NOTE: To properly review a LAN implementation, an IS auditor should first verify the network diagram and confirm the approval. Verification of nodes from the node list and the network diagram would be next, followed by a review of the acceptance test report and then the user's list.
488、An IS auditor reviewing the implementation of an intrusion detection system (IDS) should be MOST concerned if:
A、IDS sensors are placed outside of the firewall.
B、a behavior-based IDS is causing many false alarms.
C、a signature-based IDS is weak against new types of attacks.
D、the IDS is used to detect encrypted traffic.
ANSWER: D
NOTE: An intrusion detection system (IDS) cannot detect attacks within encrypted traffic, and it would be a concern if someone was misinformed and thought that the IDS could detect attacks in encrypted traffic. An organization can place sensors outside of the firewall to detect attacks. These sensors are placed in highly sensitive areas and on extranets. Causing many false alarms is normal for a behavior-based IDS, and should not be a matter of concern. Being weak against new types of attacks is also expected from a signature-based IDS, because it can only recognize attacks that have been previously identified.
489、A proposed transaction processing application will have many data capture sources and outputs in paper and electronic form. To ensure that transactions are not lost during processing, an IS auditor should recommend the inclusion of:
A、validation controls.
B、internal credibility checks.
C、clerical control procedures.
D、automated systems balancing.
ANSWER: D
NOTE: Automated systems balancing would be the best way to ensure that no transactions are lost as any imbalance between total inputs and total outputs would be reported for investigation and correction. Validation controls and internal credibility checks are certainly valid controls, but will not detect and report lost transactions. In addition, although a clerical procedure could be used to summarize and compare inputs and outputs, an automated process is less susceptible to error.
490、An example of a direct benefit to be derived from a proposed IT-related business investment is:
A、enhanced reputation.
B、enhanced staff morale.
C、the use of new technology.
D、increased market penetration.
ANSWER: D
NOTE: A comprehensive business case for any proposed IT-related business investment should have clearly defined business benefits to enable the expected return to be calculated. These benefits usually fall into two categories: direct and indirect, or soft. Direct benefits usually comprise the quantifiable financial benefits that the new system is expected to generate. The potential benefits of enhanced reputation and enhanced staff morale are difficult to quantify, but should be quantified to the extent possible. IT investments should not be made just for the sake of new technology but should be based on a quantifiable business need.
491、Network Data Management Protocol (NDMP) technology should be used for backup if:
A、a network attached storage (NAS) appliance is required.
B、the use of TCP/IP must be avoided.
C、file permissions that cannot be handled by legacy backup systems must be backed up.
D、backup consistency over several related data volumes must be ensured.
ANSWER: A
NOTE: NDMP defines three kinds of services: a data service that interfaces with the primary storage to be backed up or restored, a tape service that interfaces with the secondary storage (primarily a tape device), and a translator service performing translations including multiplexing multiple data streams into one data stream and vice versa. NDMP services interact with each other. The result of this interaction is the establishment of an NDMP control session if the session is being used to achieve control for the backup or restore operation. It would result in an NDMP data session if the session is being used to transfer actual file system or volume data (including metadata). Control sessions are always TCP/IP-based, but data streams can be TCP/IP- or SAN-based. NDMP is more or less NAS-centric and defines a way to back up and restore data from a device, such as a NAS appliance, on which it is difficult to install a backup software agent. In the absence of NDMP, this data must be backed up as a shared drive on the LAN, which is accessed via network file protocols, such as Common Internet File System (CIFS) or Network File System (NFS), degrading backup performance. NDMP works on a block level for transferring payload data (file content), but metadata and traditional file system information need to be handled by legacy backup systems that initiate NDMP data movement. NDMP neither knows about nor takes care of consistency issues regarding related volumes (e.g., a volume to store database files, a volume to store application server data and a volume to store web server data). NDMP can be used to do backups in such an environment (e.g., SAP), but the logic required either must be put into a dedicated piece of software or must be scripted into the legacy backup software.
492、The PRIMARY objective of an audit of IT security policies is to ensure that:
A、they are distributed and available to all staff.
B、security and control policies support business and IT objectives.
C、there is a published organizational chart with functional descriptions.
D、duties are appropriately segregated.
ANSWER: B
NOTE: Business orientation should be the main theme in implementing security. Hence, an IS audit of IT security policies should primarily focus on whether the IT and related security and control policies support business and IT objectives. Reviewing whether policies are available to all is an objective, but distribution does not ensure compliance. Availability of organizational charts with functional descriptions and segregation of duties might be included in the review, but are not the primary objective of an audit of security policies.
493、Which of the following ensures the availability of transactions in the event of a disaster?
A、Send tapes hourly containing transactions offsite.
B、Send tapes daily containing transactions offsite.
C、Capture transactions to multiple storage devices.
D、Transmit transactions offsite in real time.
ANSWER: D
NOTE: The only way to ensure availability of all transactions is to perform a real-time transmission to an offsite facility. Choices A and B are not in real time and, therefore, would not include all the transactions. Choice C does not ensure availability at an offsite location.
494、The PRIMARY reason an IS auditor performs a functional walkthrough during the preliminary phase of an audit assignment is to:
A、understand the business process.
B、comply with auditing standards.
C、identify control weaknesses.
D、plan substantive testing.
ANSWER: A
NOTE: Understanding the business process is the first step an IS auditor needs to perform. Standards do not require an IS auditor to perform a process walkthrough. Identifying control weaknesses is not the primary reason for the walkthrough and typically occurs at a later stage in the audit, while planning for substantive testing is performed at a later stage in the audit.
495、To gain an understanding of the effectiveness of an organization's planning and management of investments in IT assets, an IS auditor should review the:
A、enterprise data model.
B、IT balanced scorecard (BSC).
C、IT organizational structure.
D、historical financial statements.
ANSWER: B
NOTE: The IT balanced scorecard (BSC) is a tool that provides the bridge between IT objectives and business objectives by supplementing the traditional financial evaluation with measures to evaluate customer satisfaction, internal processes and the ability to innovate. An enterprise data model is a document defining the data structure of an organization and how data interrelate. It is useful, but it does not provide information on investments. The IT organizational structure provides an overview of the functional and reporting relationships in an IT entity. Historical financial statements do not provide information about planning and lack sufficient detail to enable one to fully understand management's activities regarding IT assets. Past costs do not necessarily reflect value, and assets such as data are not represented on the books of accounts.
496、After discovering a security vulnerability in a third-party application that interfaces with several external systems, a patch is applied to a significant number of modules. Which of the following tests should an IS auditor recommend?
A、Stress
B、Black box
C、Interface
D、System
ANSWER: D
NOTE: Given the extensiveness of the patch and its interfaces to external systems, system testing is most appropriate. Interface testing is not enough, and stress or black box testing are inadequate in these circumstances.
497、Which of the following situations would increase the likelihood of fraud?
A、Application programmers are implementing changes to production programs.
B、Application programmers are implementing changes to test programs.
C、Operations support staff are implementing changes to batch schedules.
D、Database administrators are implementing changes to data structures.
ANSWER: A
NOTE: Production programs are used for processing an enterprise's data. It is imperative that controls on changes to production programs are stringent. Lack of control in this area could result in application programs being modified to manipulate the data. Application programmers are required to implement changes to test programs. These are used only in development and do not directly impact the live processing of data. The implementation of changes to batch schedules by operations support staff will affect the scheduling of the batches only; it does not impact the live data. Database administrators are required to implement changes to data structures. This is required for reorganization of the database to allow for additions, modifications or deletions of fields or tables in the database.
498、Responsibility and reporting lines cannot always be established when auditing automated systems since:
A、diversified control makes ownership irrelevant.
B、staff traditionally change jobs with greater frequency.
C、ownership is difficult to establish where resources are shared.
D、duties change frequently in the rapid development of technology.
ANSWER: C
NOTE: Because of the diversified nature of both data and application systems, the actual owner of data and applications may be hard to establish.
499、Which of the following provides the GREATEST assurance of message authenticity?
A、The prehash code is derived mathematically from the message being sent.
B、The prehash code is encrypted using the sender's private key.
C、The prehash code and the message are encrypted using the secret key.
D、The sender obtains the recipient's public key and verifies the authenticity of its digital certificate with a certificate authority.
ANSWER: B
NOTE: Encrypting the prehash code using the sender's private key provides assurance of the authenticity of the message. Mathematically deriving the prehash code provides integrity to the message. Encrypting the prehash code and the message using the secret key provides confidentiality.
500、The management of an organization has decided to establish a security awareness program. Which of the following would MOST likely be a part of the program?
A、Utilization of an intrusion detection system to report incidents
B、Mandating the use of passwords to access all software
C、Installing an efficient user log system to track the actions of each user
D、Training provided on a regular basis to all current and new employees
ANSWER: D
NOTE: Utilizing an intrusion detection system to report on incidents that occur is an implementation of a security program and is not effective in establishing a security awareness program. Choices B and C do not address awareness. Training is the only choice that is directed at security awareness.
501、When reviewing procedures for emergency changes to programs, the IS auditor should verify that the procedures:
A、allow changes, which will be completed using after-the-fact follow-up.
B、allow undocumented changes directly to the production library.
C、do not allow any emergency changes.
D、allow programmers permanent access to production programs.
ANSWER: A
NOTE: There may be situations where emergency fixes are required to resolve system problems. This involves the use of special logon IDs that grant programmers temporary access to production programs during emergency situations. Emergency changes should be completed using after-the-fact follow-up procedures, which ensure that normal procedures are retroactively applied; otherwise, production may be impacted. Changes made in this fashion should be held in an emergency library from where they can be moved to the production library, following the normal change management process. Programmers should not directly alter the production library nor should they be allowed permanent access to production programs.
502、Which of the following activities performed by a database administrator (DBA) should be performed by a different person?
A、Deleting database activity logs
B、Implementing database optimization tools
C、Monitoring database usage
D、Defining backup and recovery procedures
ANSWER: A
NOTE: Since database activity logs record activities performed by the database administrator (DBA), deleting them should be performed by an individual other than the DBA. This is a compensating control to aid in ensuring an appropriate segregation of duties and is associated with the DBA's role. A DBA should perform the other activities as part of the normal operations.
503、While copying files from a floppy disk, a user introduced a virus into the network. Which of the following would MOST effectively detect the existence of the virus?
A、A scan of all floppy disks before use
B、A virus monitor on the network file server
C、Scheduled daily scans of all network drives
D、A virus monitor on the user's personal computer
ANSWER: C
NOTE: Scheduled daily scans of all network drives will detect the presence of a virus after the infection has occurred. All of the other choices are controls designed to prevent a computer virus from infecting the system.
504、During the audit of an acquired software package, an IS auditor learned that the software purchase was based on information obtained through the Internet, rather than from responses to a request for proposal (RFP). The IS auditor should FIRST:
A、test the software for compatibility with existing hardware.
B、perform a gap analysis.
C、review the licensing policy.
D、ensure that the procedure had been approved.
ANSWER: D
NOTE: In the case of a deviation from the predefined procedures, an IS auditor should first ensure that the procedure followed for acquiring the software is consistent with the business objectives and has been approved by the appropriate authorities. The other choices are not the first actions an IS auditor should take. They are steps that may or may not be taken after determining that the procedure used to acquire the software had been approved.
505、An IS auditor evaluates the test results of a modification to a system that deals with payment computation. The auditor finds that 50 percent of the calculations do not match predetermined totals. Which of the following would MOST likely be the next step in the audit?
A、Design further tests of the calculations that are in error.
B、Identify variables that may have caused the test results to be inaccurate.
C、Examine some of the test cases to confirm the results.
D、Document the results and prepare a report of findings, conclusions and recommendations.
ANSWER: C
NOTE: An IS auditor should next examine cases where incorrect calculations occurred and confirm the results. After the calculations have been confirmed, further tests can be conducted and reviewed. Report preparation, findings and recommendations would not be made until all results are confirmed.
506、Though management has stated otherwise, an IS auditor has reasons to believe that the organization is using software that is not licensed. In this situation, the IS auditor should: 虽然管理层发表了声明,但IS审计员仍然有理由相信组织使用了盗版软件。在这种情况下,IS审计员应该:
A、include the statement of management in the audit report. 把管理层的陈述包含到审计报告中
B、identify whether such software is, indeed, being used by the organization. 认定组织实际使用了哪些软件
C、reconfirm with management the usage of the software. 与管理层再次确认实际使用了哪些软件
D、discuss the issue with senior management since reporting this could have a negative impact on the organization. 与更高级别管理层讨论:如果在审计报告中记录这个问题可能会导致负面的影响。
ANSWER: B
NOTE: When there is an indication that an organization might be using unlicensed software, the IS auditor should obtain sufficient evidence before including it in the report. With respect to this matter, representations obtained from management cannot be independently verified. If the organization is using software that is not licensed, the auditor, to maintain objectivity and independence, must include this in the report.
507、Which of the following forms of evidence for the auditor would be considered the MOST reliable? 以下哪种形式的证据对审计员来讲更具可靠性?
A、An oral statement from the auditee 被审计人员的口头陈述
B、The results of a test performed by an IS auditor 由IS审计师执行的测试结果
C、An internally generated computer accounting report 一份内部导出的计算机财务账目报告
D、A confirmation letter received from an outside source 从外部资源发来的确认信。
ANSWER: D
NOTE: Evidence obtained from outside sources is usually more reliable than that obtained from within the organization. Confirmation letters received from outside parties, such as those used to verify accounts receivable balances, are usually highly reliable. Testing performed by an auditor may not be reliable, if the auditor did not have a good understanding of the technical area under review.
508、Which of the following would be BEST prevented by a raised floor in the computer machine room? 机房中,以下哪项最能通过架空地板来防止:
A、Damage of wires around computers and servers 计算机及服务器周边的线缆损坏
B、A power failure from static electricity 由静电引起的断电
C、Shocks from earthquakes 地震引起的震动
D、Water flood damage 水灾
ANSWER: A
NOTE: The primary reason for having a raised floor is to enable power cables and data cables to be installed underneath the floor. This eliminates the safety and damage risks posed when cables are placed in a spaghetti-like fashion on an open floor. Static electricity should be avoided in the machine room; therefore, measures such as specially manufactured carpet or shoes would be more appropriate for static prevention than a raised floor. Raised floors do not address shocks from earthquakes. To address earthquakes, anti-seismic architecture would be required to establish a quake-resistant structural framework. Computer equipment needs to be protected against water. However, a raised floor would not prevent damage to the machines in the event of overhead water pipe leakage.
509、The MAIN purpose for periodically testing offsite facilities is to: 周期性测试异地设施的主要目的是:
A、protect the integrity of the data in the database. A.保护数据库中数据的完整性
B、eliminate the need to develop detailed contingency plans. B.降低编制详细偶然事故计划的需要
C、ensure the continued compatibility of the contingency facilities. C.保证突发事故时使用的设备的兼容性
D、ensure that program and system documentation remains current. D.保证程序和系统文档持续更新
ANSWER: C
NOTE: The main purpose of offsite hardware testing is to ensure the continued compatibility of the contingency facilities. Specific software tools are available to protect the ongoing integrity of the database. Contingency plans should not be eliminated and program and system documentation should be reviewed continuously for currency.
510、The network of an organization has been the victim of several intruders' attacks. Which of the following measures would allow for the early detection of such incidents? 某个机构的网络遭受多次入侵攻击,下面那一种方法可以提前检测到这种事故?
A、Antivirus software 杀毒软件
B、Hardening the servers 强化服务器
C、Screening routers 路由器包过滤
D、Honeypots 蜜罐
ANSWER: D
NOTE: Honeypots can collect data on precursors of attacks. Since they serve no business function, honeypots are hosts that have no authorized users other than the honeypot administrators. All activity directed at them is considered suspicious. Attackers will scan and attack honeypots, giving administrators data on new trends and attack tools, particularly malicious code. However, honeypots are a supplement to, not a replacement for, properly securing networks, systems and applications. If honeypots are to be used by an organization, qualified incident handlers and intrusion detection analysts should manage them. The other choices do not provide indications of potential attacks.
511、The purpose of a deadman door controlling access to a computer facility is primarily to: 511.控制进入计算机设施的双道门,其主要的目的是用于:
A、prevent piggybacking. A.防止骑肩跟入法
B、prevent toxic gases from entering the data center. B.阻止有毒气体进入数据中心
C、starve a fire of oxygen. C.使火缺氧
D、prevent an excessively rapid entry to, or exit from, the facility. D.防止迅速的出入
ANSWER: A
NOTE: The purpose of a deadman door controlling access to a computer facility is primarily intended to prevent piggybacking. Choices B and C could be accomplished with a single self-closing door. Choice D is invalid, as a rapid exit may be necessary in some circumstances, e.g., a fire.
512、While reviewing the business continuity plan of an organization, an IS auditor observed that the organization's data and software files are backed up on a periodic basis. Which characteristic of an effective plan does this demonstrate? 512.当审核一个组织的业务连续性计划时,某IS审计师观察到这个被审计组织的数据和软件文件被周期性的进行了备份。哪一个特性在这个有效的计划中被证明?
A、Deterrence A.阻碍
B、Mitigation B.减轻
C、Recovery C.恢复
D、Response D.响应
ANSWER: B
NOTE: An effective business continuity plan includes steps to mitigate the effects of a disaster. Files must be restored on a timely basis for a backup plan to be effective. An example of deterrence is when a plan includes installation of firewalls for information systems. An example of recovery is when a plan includes an organization's hot site to restore normal business operations.
513、An IS auditor performing detailed network assessments and access control reviews should FIRST: IS审计师在实施对详细的网络资产和访问控制进行审核时,他应该首先做的是:
A、determine the points of entry. A.确定系统进入点
B、evaluate users' access authorization. B.评估用户的访问授权
C、assess users' identification and authorization. C.评估用户识别和授权
D、evaluate the domain-controlling server configuration. D.评估域控制服务器的配置
ANSWER: A
NOTE: In performing detailed network assessments and access control reviews, an IS auditor should first determine the points of entry to the system and review the points of entry accordingly for appropriate controls. Evaluation of user access authorization, assessment of user identification and authorization, and evaluation of the domain-controlling server configuration are all implementation issues for appropriate controls for the points of entry.
514、By evaluating application development projects against the capability maturity model (CMM), an IS auditor should be able to verify that: 514.根据能力成熟度模型(CMM)评估某应用开发项目,IS审计师应该能够验证:
A、reliable products are guaranteed. A.产品的可靠性是有保证的
B、programmers' efficiency is improved. B.程序员的效率得到了提高
C、security requirements are designed. C.安全需求得到了设计
D、predictable software processes are followed. D.预期的软件开发流程是被遵循的
ANSWER: D
NOTE: By evaluating the organization's development projects against the CMM, an IS auditor determines whether the development organization follows a stable, predictable software process. Although the likelihood of success should increase as the software processes mature toward the optimizing level, mature processes do not guarantee a reliable product. CMM does not evaluate technical processes such as programming nor does it evaluate security requirements or other application controls.
515、The most common reason for the failure of information systems to meet the needs of users is that: 515.信息系统不能满足用户的需求而失败,绝大多数的原因是:
A、user needs are constantly changing. A.用户的需求频繁变更
B、the growth of user requirements was forecast inaccurately. B.对用户需求的增长预测是错误的
C、the hardware system limits the number of concurrent users. C.硬件系统限制了用户并发数
D、user participation in defining the system's requirements was inadequate. D.用户参与需求的定义不充分
ANSWER: D
NOTE: Lack of adequate user involvement, especially in the system's requirements phase, will usually result in a system that does not fully or adequately address the needs of the user. Only users can define what their needs are, and therefore what the system should accomplish.
516、Which of the following BEST restricts users to those functions needed to perform their duties? 516.以下哪一项能够最大程度的限制用户,只使用应有的那些功能来履行他们的职责?
A、Application level access control A.应用程序级访问控制
B、Data encryption B.数据加密
C、Disabling floppy disk drives C.禁用软盘驱动器
D、Network monitoring device D.网络监控装备
ANSWER: A
NOTE: The use of application-level access control programs is a management control that restricts access by limiting users to only those functions needed to perform their duties. Data encryption and disabling floppy disk drives can restrict users to specific functions, but are not the best choices. A network monitoring device is a detective control, not a preventive control.
517、The MOST important reason for an IS auditor to obtain sufficient and appropriate audit evidence is to: 审计师需要获得充分和适当的审计证据的最重要原因是:
A、comply with regulatory requirements. A.遵从监管要求
B、provide a basis for drawing reasonable conclusions. B.是提供合理结论的基础
C、ensure complete audit coverage. C.确保完整的审计覆盖
D、perform the audit according to the defined scope. D.依据已定义的范围完成审计
ANSWER: B
NOTE: The scope of an IS audit is defined by its objectives. This involves identifying control weaknesses relevant to the scope of the audit. Obtaining sufficient and appropriate evidence assists the auditor in not only identifying control weaknesses but also documenting and validating them. Complying with regulatory requirements, ensuring coverage and the execution of audit are all relevant to an audit but are not the reason why sufficient and relevant evidence is required.
518、Which of the following controls will MOST effectively detect the presence of bursts of errors in network transmissions? 518.以下哪一种控制能够最有效的发现网络传输中发生突发误码的方法是:
A、Parity check A.奇偶检测
B、Echo check B.回显检测
C、Block sum check C.块求和检测
D、Cyclic redundancy check D.循环冗余检测
ANSWER: D
NOTE: The cyclic redundancy check (CRC) can check a whole block of transmitted data. The sending workstation generates the CRC and transmits it with the data. The receiving workstation computes its own CRC and compares it to the transmitted CRC. If both are equal, the block is assumed error free. Unlike a parity check or an echo check, a CRC can detect multiple errors within a block. In general, CRC can detect all single-bit and double-bit errors. Parity check (known as vertical redundancy check) involves adding a bit (known as the parity bit) to each character during transmission. Where bursts of errors are present (e.g., impulse noise during high transmission rates), parity has a reliability of approximately 50 percent, and at higher transmission rates this limitation is significant. Echo checks detect line errors by retransmitting data to the sending device for comparison with the original transmission.
519、During the audit of a database server, which of the following would be considered the GREATEST exposure? 519.在审计数据库服务器的过程中,哪一个被认为是最严重的风险暴露?
A、The password does not expire on the administrator account A.管理员帐户的密码永不过期
B、Default global security settings for the database remain unchanged B.数据库缺省的全局安全设置保持不变
C、Old data have not been purged C.旧的数据未清除
D、Database activity is not fully logged D.数据库活动未被完整记录
ANSWER: B
NOTE: Default security settings for the database could allow issues like blank user passwords or passwords that were the same as the username. Logging all database activity is not practical. Failure to purge old data may present a performance issue but is not an immediate security concern. Choice A is an exposure but not as serious as B.
520、With respect to the outsourcing of IT services, which of the following conditions should be of GREATEST concern to an IS auditor? 520.关于IT服务外包,以下哪一项是IS审计师最关心的?
A、Outsourced activities are core and provide a differentiated advantage to the organization. A.外包业务是核心业务并且是能给带来区别于其他组织的利益的业务
B、Periodic renegotiation is specified in the outsourcing contract. B.在外包合同中指定了周期性谈判的条款
C、The outsourcing contract fails to cover every action required by the arrangement. C.外包合同没有能够覆盖所有原安排中的业务内容
D、Similar activities are outsourced to more than one vendor. D.类似的业务被外包到不止一个服务商
ANSWER: A
NOTE: An organization's core activities generally should not be outsourced, because they are what the organization does best; an IS auditor observing that should be concerned. An IS auditor should not be concerned about the other conditions because specification of periodic renegotiation in the outsourcing contract is a best practice. Outsourcing contracts cannot be expected to cover every action and detail expected of the parties involved, while multisourcing is an acceptable way to reduce risk.
521、An IS auditor has identified the lack of an authorization process for users of an application. The IS auditor's main concern should be that: 521.某IS审计师发现了一个针对某应用程序用户的授权过程的缺陷,他最主要的担心应该是:
A、more than one individual can claim to be a specific user. A.多个人可以声称自己是同一个特定用户
B、there is no way to limit the functions assigned to users. B.没有办法来限制将功能授予指定使用者
C、user accounts can be shared. C.用户的帐号被共享
D、users have a need-to-know privilege. D.用户拥有一个即需即有的特权
ANSWER: B
NOTE: Without an appropriate authorization process, it will be impossible to establish functional limits and accountability. The risk that more than one individual can claim to be a specific user is associated with the authentication processes, rather than with authorization. The risk that user accounts can be shared is associated with identification processes, rather than with authorization. The need-to-know basis is the best approach to assigning privileges during the authorization process.
522、Which of the following is the MOST important objective of data protection? 522.数据保护最重要的是以下项目中的哪一个?
A、Identifying persons who need access to information A.识别需要获得相关信息的用户
B、Ensuring the integrity of information B.确认信息的完整性
C、Denying or authorizing access to the IS system C.对信息系统的访问进行拒绝或授权
D、Monitoring logical accesses D.监控逻辑访问
ANSWER: B
NOTE: Maintaining data integrity is the most important objective of data security. This is a necessity if an organization is to continue as a viable and successful enterprise. The other choices are important techniques for achieving the objective of data integrity.
523、Involvement of senior management is MOST important in the development of: 523.资深管理者的参与对哪个方面的发展是极其重要的:
A、strategic plans. A.战略规划
B、IS policies. B.IS政策
C、IS procedures. C.IS程序
D、standards and guidelines. D.标准和指导方针
ANSWER: A
NOTE: Strategic plans provide the basis for ensuring that the enterprise meets its goals and objectives. Involvement of senior management is critical to ensuring that the plan adequately addresses the established goals and objectives. IS policies, procedures, standards and guidelines are all structured to support the overall strategic plan.
524、When reviewing a project where quality is a major concern, an IS auditor should use the project management triangle to explain that: 524.当审核一个项目时,质量是主要考虑的方面,IS审计师应该使用项目管理三角形理论(质量-成本-时间)来解释:
A、increases in quality can be achieved, even if resource allocation is decreased. A.即使资源减少,质量目标也能提升
B、increases in quality are only achieved if resource allocation is increased. B.质量目标只能在资源增加的情况下提升
C、decreases in delivery time can be achieved, even if resource allocation is decreased. C.即使资源减少,交付时间也能减少
D、decreases in delivery time can only be achieved if quality is decreased. D.交付时间只能在质量目标下降的情况下减少
ANSWER: A
NOTE: The three primary dimensions of a project are determined by the deliverables, the allocated resources and the delivery time. The area of the project management triangle, composed of these three dimensions, is fixed. Depending on the degree of freedom, a change in one dimension can be compensated by changing one or both of the remaining dimensions. Thus, if resource allocation is decreased, an increase in quality can still be achieved, provided a delay in the delivery time of the project is accepted. The area of the triangle always remains constant.
525、When auditing security for a data center, an IS auditor should look for the presence of a voltage regulator to ensure that the: 525.当审计一个数据中心的安全时,IS审计师会查找是否有电压调节装置的存在是为了确认:
A、hardware is protected against power surges. A.硬件设备在电压浪涌时受到保护
B、integrity is maintained if the main power is interrupted. B.如果主电源被切断,完整性能得到保护
C、immediate power will be available if the main power is lost. C.如果主电源被切断,即时接管的电源可用
D、hardware is protected against long-term power fluctuations. D.在长期电压波动的情况下硬件设备受到保护
ANSWER: A
NOTE: A voltage regulator protects against short-term power fluctuations. It normally does not protect against long-term surges, nor does it maintain the integrity if power is interrupted or lost.
526、An IS auditor reviewing digital rights management (DRM) applications should expect to find an extensive use for which of the following technologies? 审计师在审核数字版权管理(DRM)应用软件时,期待找到如下哪一种广泛应用的技术?
A、Digitalized signatures A.数字签名
B、Hashing B.哈希法
C、Parsing C.分离法
D、Steganography D.隐写术
ANSWER: D
NOTE: Steganography is a technique for concealing the existence of messages or information. An increasingly important steganographic technique is digital watermarking, which hides data within data, e.g., by encoding rights information in a picture or music file without altering the picture or music's perceivable aesthetic qualities. Digitalized signatures are not related to digital rights management. Hashing creates a message hash or digest, which is used to ensure the integrity of the message; it is usually considered a part of cryptography. Parsing is the process of splitting up a continuous stream of characters for analytical purposes, and is widely applied in the design of programming languages or in data entry editing.
527、An efficient use of public key infrastructure (PKI) should encrypt the: 527.公钥基础设施(PKI)的有效应用是加密:
A、entire message. A.全部信息
B、private key. B.私钥
C、public key. C.公钥
D、symmetric session key. D.对称会话密钥
ANSWER: D
NOTE: Public key (asymmetric) cryptographic systems require larger keys (1,024 bits) and involve intensive and time-consuming computations. In comparison, symmetric encryption is considerably faster, yet relies on the security of the process for exchanging the secret key. To enjoy the benefits of both systems, a symmetric session key is exchanged using public key methods, after which it serves as the secret key for encrypting/decrypting messages sent between two parties.
528、When planning to add personnel to tasks imposing time constraints on the duration of a project, which of the following should be revalidated FIRST ? 528.为了赶一个时间要求极为迫切的项目,而增加人员时,以下哪一项目需要首先被重新核定:
A、The project budget A.项目预算
B、The critical path for the project B.项目的关键路径
C、The length of the remaining tasks C.剩余任务的花费时间长短
D、The personnel assigned to other tasks D.分配到其他任务的人员
ANSWER: B
NOTE: Since adding resources may change the route of the critical path, the critical path must be reevaluated to ensure that additional resources will in fact shorten the project duration. Given that there may be slack time available on some of the other tasks not on the critical path, factors such as the project budget, the length of other tasks and the personnel assigned to them may or may not be affected.
529、The most likely error to occur when implementing a firewall is: 529.当使用一个防火墙时,最容易犯的错误是什么:
A、incorrectly configuring the access lists. A.错误的配置访问列表
B、compromising the passwords due to social engineering. B.基于社会工程学的原因危及密码的安全
C、connecting a modem to the computers in the network. C.使用调制解调器连接网络里的计算机
D、inadequately protecting the network and server from virus attacks. D.对于网络和服务器免遭病毒侵袭的保护不恰当
ANSWER: A
NOTE: An updated and flawless access list is a significant challenge and, therefore, has the greatest chance for errors at the time of the initial installation. Passwords do not apply to firewalls, a modem bypasses a firewall and a virus attack is not an element in implementing a firewall.
530、In the process of evaluating program change controls, an IS auditor would use source code comparison software to: 530.在评估程序变更控制的过程中,IT审计师将使用源码比较软件来:
A、examine source program changes without information from IS personnel. A.无需得到信息系统人员提供的信息来检查源程序的变更
B、detect a source program change made between acquiring a copy of the source and the comparison run. B.检测在获取源程序副本与运行比较之间发生的源程序变更
C、confirm that the control copy is the current version of the production program. C.确认受控的程序拷贝就是当前生产机中运行的版本
D、ensure that all changes made in the current source copy are detected. D.确保当前源程序副本中的所有变更都能被检测到
ANSWER: A
NOTE: An IS auditor has an objective, independent and relatively complete assurance of program changes because the source code comparison will identify changes. Choice B is incorrect, because the changes made since the acquisition of the copy are not included in the copy of the software. Choice C is incorrect, as an IS auditor will have to gain this assurance separately. Choice D is incorrect, because any changes made between the time the control copy was acquired and the source code comparison is made will not be detected.
531、E-mail message authenticity and confidentiality is BEST achieved by signing the message using the: 怎样签发信息来保证接收到的电子邮件信息的可靠性和机密性:
A、sender's private key and encrypting the message using the receiver's public key. A.用发件人的私钥签名并且用收件人的公钥对信息进行加密
B、sender's public key and encrypting the message using the receiver's private key. B.用发件人的公钥签名并且用收件人的私钥对信息进行加密
C、receiver's private key and encrypting the message using the sender's public key. C.用收件人的私钥签名并且用发件人的公钥对信息进行加密
D、receiver's public key and encrypting the message using the sender's private key. D.用收件人的公钥签名并且用发件人的私钥对信息进行加密
ANSWER: A
NOTE: By signing the message with the sender's private key, the receiver can verify its authenticity using the sender's public key. By encrypting the message with the receiver's public key, only the receiver can decrypt the message using their own private key. The receiver's private key is confidential and, therefore, unknown to the sender. Messages encrypted using the sender's private key can be read by anyone with the sender's public key. 用发件人的私钥对信息签名,收件人可以通过发件人的公钥证实它的可靠性。用收件人的公钥对信息进行加密,只有收件人可以用他们的私钥对信息进行解密。收件人的私钥是机密的,并且,不为发件人所知。用发件人的私钥加密的信息,可以被任何一个拥有发件人公钥的人读取。
532、The MOST important difference between hashing and encryption is that hashing: 哈希和加密之间最大的区别在于哈希:
A、is irreversible. A.不可逆转
B、output is the same length as the original message. B.同原始数据的输出长度相同
C、is concerned with integrity and security. C.同安全性和完整性相关
D、is the same at the sending and receiving end. D.在发送端和接收端是相同的
ANSWER: A
NOTE: Hashing works one way; by applying a hashing algorithm to a message, a message hash/digest is created. If the same hashing algorithm is applied to the message digest, it will not result in the original message. As such, hashing is irreversible, while encryption is reversible. This is the basic difference between hashing and encryption. Hashing creates an output that is smaller than the original message, and encryption creates an output of the same length as the original message. Hashing is used to verify the integrity of the message and does not address security. The same hashing algorithm is used at the sending and receiving ends to generate and verify the message hash/digest. Encryption will not necessarily use the same algorithm at the sending and receiving end to encrypt and decrypt. 哈希的工作方式:通过哈希算法获得报文哈希/摘要(a message hash/digest)。如果是通过同样的哈希算法获得的报文摘要,它将不会影响原始数据。因此,哈希是不可逆转的,而加密是可逆转的。这是哈希和加密之间最本质的区别。哈希产生的输出比原始数据小,加密产生的输出同原始数据长度相同。哈希用来验证信息的完整性并不解决安全性。同样的哈希算法被用于在发送和接收端产生和验证报文哈希/摘要。加密不需要用同样的算法在发送和接收端加密和解密。
533、An IS auditor finds that a DBA has read and write access to production data. The IS auditor should: 一个IS审计师发现一名数据库管理员(DBA)有对生产数据(production data)读和写的访问权,IS审计师应该:
A、accept the DBA access as a common practice. A.接受DBA的访问权,作为一种普遍的做法
B、assess the controls relevant to the DBA function. B.评估与DBA职能相关的控制
C、recommend the immediate revocation of the DBA access to production data. C.建议立刻取消DBA对生产数据的访问权
D、review user access authorizations approved by the DBA. D.再检查由DBA认可的用户授权
ANSWER: B
NOTE: It is good practice when finding a potential exposure to look for the best controls. Though granting the database administrator (DBA) access to production data might be a common practice, the IS auditor should evaluate the relevant controls. The DBA should have access based on a need-to-know and need-to-do basis; therefore, revocation may remove the access required. The DBA, typically, may need to have access to some production data. Granting user authorizations is the responsibility of the data owner and not the DBA. 当发现潜在的漏洞时,这是寻找最佳控制的好做法。尽管给予数据库管理员(DBA)对与生产数据的访问权是一种常用的做法,IS审计师仍应该评估相关控制。该DBA需要在基于知所必需(need-to-know)和知所必做(need-to-do)的基础上有拥有访问权,因此,撤消可以移除访问需求。通常情况下,DBA会需要对一些生产数据的访问权。给予用户授权是数据所有人的责任不是DBA的。
534、Which of the following results in a denial-of-service attack? 下列哪项导致了拒绝服务攻击?
A、Brute force attack A.暴力破解(Brute force attack)
B、Ping of death B.死亡之ping(Ping of death)
C、Leapfrog attack C.跳步攻击(Leapfrog attack)
D、Negative acknowledgement (NAK) attack D.否定应答(NAK)攻击(Negative acknowledgement (NAK) attack)
ANSWER: B
NOTE: The use of Ping with a packet size higher than 65 KB and no fragmentation flag on will cause a denial of service. A brute force attack is typically a text attack that exhausts all possible key combinations. A leapfrog attack, the act of telneting through one or more hosts to preclude a trace, makes use of user ID and password information obtained illicitly from one host to compromise another host. A negative acknowledgement attack is a penetration technique that capitalizes on a potential weakness in an operating system that does not handle asynchronous interrupts properly, leaving the system in an unprotected state during such interrupts. 用大于65KB和没有报文报头的数据包的ping会引起拒绝服务攻击。暴力破解是典型的试尽所有可能的密码组合文本攻击。跳步攻击,远程登陆行为是通过一个或多个主机来预防跟踪,使用从一台主机到另一台主机非法获得的用户ID和密码信息。无预防攻击是一种渗透技术,此技术充分利用操作系统中的潜在弱点同时不能适当的处理异步中断,在这种中断中使系统处于未受保护的状态。
535、What should be the GREATEST concern to an IS auditor when employees use portable media (MP3 players, flash drives)? 当员工使用便携式媒体( MP3播放器,闪存驱动器)时IS 审计师应该最关注:
A、The copying of sensitive data on them A.在上面复制敏感信息
B、The copying of songs and videos on them B.在上面复制歌曲和影片
C、The cost of these devices multiplied by all the employees could be high C.所有员工的这些设备成本费用加起来非常高
D、They facilitate the spread of malicious code through the corporate network D.他们可能会使恶意代码在企业网络传播
ANSWER: A
NOTE: The MAIN concern with MP3 players and flash drives is data leakage, especially sensitive information. This could occur if the devices were lost or stolen. The risk when copying songs and videos is copyright infringement, but this is normally a less important risk than information leakage. Choice C is hardly an issue because employees normally buy the portable media with their own funds. Choice D is a possible risk, but not as important as information leakage and can be reduced by other controls. 对MP3播放器和闪存驱动器最关注的是数据泄露,尤其是敏感信息。如果设备丢失或被盗,这种情况就可能发生。复制歌曲和影片时的风险是侵犯版权,但是同信息泄露比较这通常是不太重要的风险。选C是不对的,因为员工们通常是自己花钱买便携式媒体。选项D是种可能的风险,但是没有信息泄露的风险性大,并且可以用其他控制降低。
536、Corrective action has been taken by an auditee immediately after the identification of a reportable finding. The auditor should: 在报告发现被确认后,被审计单位立即采取纠正行动(Corrective action)。审计师应该:
A、include the finding in the final report, because the IS auditor is responsible for an accurate report of all findings. A.在最终报告中包含发现,因为IS审计师有责任得到一份包含所有发现的准确报告
B、not include the finding in the final report, because the audit report should include only unresolved findings. B.在最终报告中不包含发现,因为审计报告只应该包含未解决的发现
C、not include the finding in the final report, because corrective action can be verified by the IS auditor during the audit. C.在最终报告中不包含发现,因为纠正行动可以被IS审计师在审计过程中验证
D、include the finding in the closing meeting for discussion purposes only. D.只在结束会议讨论目的时包含发现
ANSWER: A
NOTE: Including the finding in the final report is a generally accepted audit practice. If an action is taken after the audit started and before it ended, the audit report should identify the finding and describe the corrective action taken. An audit report should reflect the situation, as it existed at the start of the audit. All corrective actions taken by the auditee should be reported in writing. 在最终报告中包含发现是普遍接受的审计准则。如果一项行动在审计开始后结束前实施,审计报告需要验证发现和描述纠正行动的实施。审计报告要反映环境,因为它存在与审计之前。所有被审计单位的纠正行动都要提交书面报告。
537、Which of the following acts as a decoy to detect active Internet attacks? 下列哪项作为诱饵来检测互联网主动攻击?
A、Honeypots A.蜜罐(Honeypots)
B、Firewalls B.防火墙(Firewalls)
C、Trapdoors C.陷阱门(Trapdoors)
D、Traffic analysis D.流量分析(Traffic analysis)
ANSWER: A
NOTE: Honeypots are computer systems that are expressly set up to attract and trap individuals who attempt to penetrate other individuals' computer systems. The concept of a honeypot is to learn from intruder's actions. A properly designed and configured honeypot provides data on methods used to attack systems. The data are then used to improve measures that could curb future attacks. A firewall is basically a preventive measure. Trapdoors create a vulnerability that provides an opportunity for the insertion of unauthorized code into a system. Traffic analysis is a type of passive attack. 蜜罐是计算机系统专门用来针对攻击和企图渗透他人电脑系统的陷阱(trap individuals)的应用程序。蜜罐的概念就是学习入侵者的行为。一个设计和配置合理的蜜罐提供用来攻击系统数据。然后数据被用来改善抑制将来攻击的措施。陷阱门制造了一个漏洞,给未经授权的代码插入系统提供了机会。流量分析是一种被动攻击。
538、The knowledge base of an expert system that uses questionnaires to lead the user through a series of choices before a conclusion is reached is known as: 基于专家系统的知识,在得到结论达成共识之前它会采用问卷让用户经过一系列选择,称它为:
A、rules. A.规则rules
B、decision trees. B.决策树decision trees
C、semantic nets. C.语义图semantic nets
D、dataflow diagrams. D.数据流图dataflow diagrams
ANSWER: B
NOTE: Decision trees use questionnaires to lead a user through a series of choices until a conclusion is reached. Rules refer to the expression of declarative knowledge through the use of if-then relationships. Semantic nets consist of a graph in which nodes represent physical or conceptual objects and the arcs describe the relationship between the nodes. Semantic nets resemble a dataflow diagram and make use of an inheritance mechanism to prevent duplication of data. 决策树采用问卷指引用户经过一系列的选择直到得出的结论达成共识。规则涉及陈述性知识的表达,通过使用if-then关系。语义图由图表组成,其中节点代表物理的或者概念的实物﹑圆弧描述节点之间的关系。语义图类似于数据流图,并利用继承机制来防止数据的重复。
539、An appropriate control for ensuring the authenticity of orders received in an EDI application is to: 在EDI应用中,为确保收到订单的真实性,合适的控制是:
A、acknowledge receipt of electronic orders with a confirmation message. A.用确认消息告知电子订单的收到
B、perform reasonableness checks on quantities ordered before filling orders. B.在安排定单之前在数量上实施合理性检查
C、verify the identity of senders and determine if orders correspond to contract terms. C.验证发件人的身份,并确定订单是否与合约条款相一致。
D、encrypt electronic orders. D.加密电子订单。
ANSWER: C
NOTE: An electronic data interchange (EDI) system is subject not only to the usual risk exposures of computer systems but also to those arising from the potential ineffectiveness of controls on the part of the trading partner and the third-party service provider, making authentication of users and messages a major security concern. Acknowledging the receipt of electronic orders with a confirming message is good practice but will not authenticate orders from customers. Performing reasonableness checks on quantities ordered before placing orders is a control for ensuring the correctness of the company's orders, not the authenticity of its customers' orders. Encrypting sensitive messages is an appropriate step but does not apply to messages received. 电子数据交换(EDI)系统不仅是电脑系统的常规风险,也在贸易伙伴和第三方服务供应商方面所带来的控制的潜在失效,使用户和信息的认证成为主要的安全关注。用确认消息告知电子订单收到是好的做法,但不会验证订单来自客户。在安排定单之前在数量上实施合理性检查,是确保公司的订单正确性的控制,而不是客户订单的真实性。对敏感信息加密是恰当的步骤,但并不适用于消息接受。
540、Which of the following is the MOST likely reason why e-mail systems have become a useful source of evidence for litigation?
A、Multiple cycles of backup files remain available.
B、Access controls establish accountability for e-mail activity.
C、Data classification regulates what information should be communicated via e-mail.
D、Within the enterprise, a clear policy for using e-mail ensures that evidence is available.
ANSWER: A
NOTE: Messages that users believe they have deleted can often be recovered from backup files, and several generations of backups are typically retained. Access controls may help establish who issued a particular message, but they do not preserve the e-mail itself as evidence. Data classification standards may govern what should be communicated via e-mail, but a policy does not by itself produce the information required for litigation.
541、During an audit of a telecommunications system, an IS auditor finds that the risk of intercepting data transmitted to and from remote sites is very high. The MOST effective control for reducing this exposure is:
A、encryption.
B、callback modems.
C、message authentication.
D、dedicated leased lines.
ANSWER: A
NOTE: Encryption is the most effective control: an interceptor who captures the traffic cannot read it. The other choices reduce the exposure less. Callback modems authenticate the calling location but do nothing to protect data once the call is established; message authentication detects tampering but does not hide the content; dedicated leased lines only raise the effort needed to tap the circuit and give no protection once it has been tapped.
542、A PRIMARY benefit derived from an organization employing control self-assessment (CSA) techniques is that it:
A、can identify high-risk areas that might need a detailed review later.
B、allows IS auditors to independently assess risk.
C、can be used as a replacement for traditional audits.
D、allows management to relinquish responsibility for control.
ANSWER: A
NOTE: CSA is predicated on the review of high-risk areas that either need immediate attention or a more thorough review at a later date. Choice B is incorrect because CSA requires the involvement of both auditors and line management: the internal audit function shifts some of the control monitoring responsibilities to the functional areas. Choice C is incorrect because CSA is not a replacement for traditional audits; it is intended to enhance audit's responsibilities, not to replace them. Choice D is incorrect because CSA does not allow management to relinquish its responsibility for control.
543、Which of the following is the GREATEST concern when an organization's backup facility is at a warm site?
A、Timely availability of hardware
B、Availability of heating, humidity control and air conditioning equipment
C、Adequacy of electrical power connections
D、Effectiveness of the telecommunications network
ANSWER: A
NOTE: A warm site has the basic infrastructure in place, such as power, air conditioning and networking, but normally lacks the computing equipment. Whether hardware can be obtained and installed in time is therefore the primary concern.
544、An IS auditor performing a review of an application's controls would evaluate the:
A、efficiency of the application in meeting the business processes.
B、impact of any exposures discovered.
C、business processes served by the application.
D、application's optimization.
ANSWER: B
NOTE: An application control review evaluates the application's automated controls and assesses any exposures resulting from control weaknesses. The other choices may be objectives of a broader application audit but are not part of an audit restricted to a review of controls.
545、Applying a digital signature to data traveling in a network provides:
A、confidentiality and integrity.
B、security and nonrepudiation.
C、integrity and nonrepudiation.
D、confidentiality and nonrepudiation.
ANSWER: C
NOTE: A hash function applied to the data produces a digest that changes if any part of the data is altered, so checking the digest controls integrity. Signing that digest with the sender's private key ties the message to the holder of that key, which provides nonrepudiation of the message's origin. "Security" is a broad term, not a specific property. A digital signature does not hide the data; confidentiality requires a separate encryption step.
546、When assessing the design of network monitoring controls, an IS auditor should FIRST review network:
A、topology diagrams.
B、bandwidth usage.
C、traffic analysis reports.
D、bottleneck locations.
ANSWER: A
NOTE: The first step in assessing network monitoring controls is to review the adequacy of the network documentation, specifically the topology diagrams. If this information is not up to date, the monitoring processes and the ability to diagnose problems will not be effective.
547、An IS auditor attempting to determine whether access to program documentation is restricted to authorized persons would MOST likely:
A、evaluate the record retention plans for off-premises storage.
B、interview programmers about the procedures currently being followed.
C、compare utilization records to operations schedules.
D、review data file access records to test the librarian function.
ANSWER: B
NOTE: Asking programmers about the procedures currently being followed helps determine whether access to program documentation is restricted to authorized persons. Evaluating the record retention plans for off-premises storage tests the recovery procedures, not the access control over program documentation. Testing utilization records or data file access records does not address access security over program documentation.
548、IS management has decided to install a level 1 Redundant Array of Inexpensive Disks (RAID) system in all servers to compensate for the elimination of offsite backups. The IS auditor should recommend:
A、upgrading to a level 5 RAID.
B、increasing the frequency of onsite backups.
C、reinstating the offsite backups.
D、establishing a cold site in a secure location.
ANSWER: C
NOTE: A RAID system, at any level, protects against the failure of a disk, not against a disaster that destroys the site. Without offsite backups the problem is not alleviated by more frequent onsite backups or even by setting up a cold site. Choices A, B and D do not compensate for the lack of offsite backups.
549、Which of the following should an IS auditor review to understand project progress in terms of time, budget and deliverables, for early detection of possible overruns and for projecting estimates at completion (EACs)?
A、Function point analysis
B、Earned value analysis
C、Cost budget
D、Program Evaluation and Review Technique (PERT)
ANSWER: B
NOTE: Earned value analysis (EVA) is an industry standard method for measuring a project's progress at any given point in time, forecasting its completion date and final cost, and analyzing schedule and budget variances as the project proceeds. It compares the planned amount of work with what has actually been completed to determine whether cost, schedule and work accomplished are progressing according to plan. EVA works most effectively when a well-formed work breakdown structure exists. Function point analysis (FPA) is an indirect measure of software size and complexity and therefore does not address time and budget. Cost budgets do not address time. PERT aids in time and deliverables management but provides neither estimates at completion (EACs) nor overall financial management.
550、An IS auditor should expect which of the following items to be included in the request for proposal (RFP) when IS is procuring services from an independent service provider (ISP)?
A、References from other customers
B、Service level agreement (SLA) template
C、Maintenance agreement
D、Conversion plan
ANSWER: A
NOTE: An IS auditor should look for independent verification that the ISP can perform the tasks being contracted for. References from other customers provide an independent, external review of the procedures and processes the ISP follows, which are the issues an IS auditor is concerned with; checking references is a means of verifying that the vendor can actually deliver the services it claims. A maintenance agreement relates more to equipment than to services, and a conversion plan, while important, matters less than verification that the ISP can provide the services it proposes.
551、Which of the following is the MOST secure and economical method for connecting a private network over the Internet in a small- to medium-sized organization?
A、Virtual private network
B、Dedicated line
C、Leased line
D、Integrated services digital network
ANSWER: A
NOTE: The most secure method is a virtual private network (VPN), which uses encryption, authentication and tunneling to allow data to travel securely between a private network and the Internet. Choices B, C and D are network connectivity options that are normally too expensive to be practical for small- to medium-sized organizations.
552、The objective of concurrency control in a database system is to:
A、restrict updating of the database to authorized users.
B、prevent integrity problems when two processes attempt to update the same data at the same time.
C、prevent inadvertent or unauthorized disclosure of data in the database.
D、ensure the accuracy, completeness and consistency of data.
ANSWER: B
NOTE: Concurrency controls prevent the data integrity problems (such as lost updates) that can arise when two update processes access the same data item at the same time. Access controls restrict updating of the database to authorized users, and controls such as passwords prevent the inadvertent or unauthorized disclosure of data from the database. Quality controls, such as edit checks, ensure the accuracy, completeness and consistency of the data maintained in the database.
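An added example (not from the question bank) in Python showing the integrity problem concurrency control exists to prevent, and one way to prevent it. Two processes are emulated by interleaving statements on an in-memory SQLite table; the account and its balance are constructed for the demo, and the version-column technique (optimistic concurrency control) is one of several the note's "concurrency controls" could refer to.

```python
"""The lost-update problem and an optimistic concurrency control that
prevents it. Added example, not from the question bank: two processes are
emulated by interleaving statements on an in-memory SQLite table, and the
account balance is constructed for the demo."""
import sqlite3


def fresh_db() -> sqlite3.Connection:
    # isolation_level=None puts the connection in autocommit mode, so each
    # statement stands alone and the emulated processes can interleave.
    conn = sqlite3.connect(":memory:", isolation_level=None)
    conn.execute("CREATE TABLE account (id INTEGER PRIMARY KEY, "
                 "balance INTEGER NOT NULL, version INTEGER NOT NULL)")
    conn.execute("INSERT INTO account VALUES (1, 100, 0)")
    return conn


def read_account(conn):
    """Return (balance, version) for account 1."""
    return conn.execute("SELECT balance, version FROM account WHERE id = 1").fetchone()


def write_unchecked(conn, new_balance: int) -> None:
    """Blind read-modify-write: no check that the row is still as we read it."""
    conn.execute("UPDATE account SET balance = ? WHERE id = 1", (new_balance,))


def write_checked(conn, new_balance: int, expected_version: int) -> bool:
    """Optimistic concurrency control: the UPDATE succeeds only if nobody
    changed the row since we read it (the version still matches)."""
    cur = conn.execute(
        "UPDATE account SET balance = ?, version = version + 1 "
        "WHERE id = 1 AND version = ?",
        (new_balance, expected_version),
    )
    return cur.rowcount == 1  # 0 rows means a concurrent update won


def lost_update(amount_a: int, amount_b: int) -> int:
    """Processes A and B both withdraw from a balance of 100 with no control.
    B's write overwrites A's, so one withdrawal silently disappears."""
    conn = fresh_db()
    bal_a, _ = read_account(conn)   # A reads 100
    bal_b, _ = read_account(conn)   # B reads 100 as well
    write_unchecked(conn, bal_a - amount_a)
    write_unchecked(conn, bal_b - amount_b)
    return read_account(conn)[0]


def controlled_update(amount_a: int, amount_b: int):
    """Same interleaving with the version check: B's first attempt fails,
    B re-reads and retries, and both withdrawals are applied."""
    conn = fresh_db()
    bal_a, ver_a = read_account(conn)
    bal_b, ver_b = read_account(conn)
    a_ok = write_checked(conn, bal_a - amount_a, ver_a)
    b_first = write_checked(conn, bal_b - amount_b, ver_b)  # conflict: False
    b_retry = b_first
    if not b_first:
        bal_b, ver_b = read_account(conn)                     # re-read fresh state
        b_retry = write_checked(conn, bal_b - amount_b, ver_b)
    return read_account(conn)[0], a_ok, b_first, b_retry
```

For this simple case an atomic `UPDATE account SET balance = balance - ? WHERE id = 1` inside a transaction would also be correct; the version column generalizes to read-validate-write flows that span user interaction, where a lock cannot be held.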
553、The final decision to include a material finding in an audit report should be made by the:
A、audit committee.
B、auditee's manager.
C、IS auditor.
D、CEO of the organization.
ANSWER: C
NOTE: The IS auditor should make the final decision about what to include in or exclude from the audit report. Leaving that decision to any of the other parties would limit the auditor's independence.
554、Which of the following is an advantage of prototyping?
A、The finished system normally has strong internal controls.
B、Prototype systems can provide significant time and cost savings.
C、Change control is often less complicated with prototype systems.
D、It ensures that functions or extras are not added to the intended system.
ANSWER: B
NOTE: Prototype systems can provide significant time and cost savings; however, they also have several disadvantages. They often have poor internal controls, change control becomes much more complicated, and prototyping often leads to functions or extras being added to the system that were not originally intended.
555、An organization provides information to its supply chain partners and customers through an extranet infrastructure. Which of the following should be the GREATEST concern to an IS auditor reviewing the firewall security architecture?
A、A Secure Sockets Layer (SSL) has been implemented for user authentication and remote administration of the firewall.
B、Firewall policies are updated on the basis of changing requirements.
C、Inbound traffic is blocked unless the traffic type and connections have been specifically permitted.
D、The firewall runs on top of a commercial operating system installed with all installation options.
ANSWER: D
NOTE: The greatest concern when a firewall runs on top of a commercial operating system is that vulnerabilities in that operating system undermine the security of the firewall platform itself; in most cases where a commercial firewall is breached, the breach is made possible by vulnerabilities in the underlying operating system. Installing every option leaves unnecessary services and code on the system and further increases the exposure to vulnerabilities and exploits. Using SSL for firewall administration (choice A) is appropriate. Because the roles and profiles of users and supply chain partners change frequently, updating the firewall policies as requirements change (choice B) is appropriate, and blocking all inbound traffic unless explicitly permitted (choice C) is prudent.
556、Sign-on procedures include the creation of a unique user ID and password. However, an IS auditor discovers that in many cases the username and password are the same. The BEST control to mitigate this risk is to:
A、change the company's security policy.
B、educate users about the risk of weak passwords.
C、build in validations to prevent this during user creation and password change.
D、require a periodic review of matching user IDs and passwords for detection and correction.
ANSWER: C
NOTE: Compromise of the password is the highest risk. The best control is a preventive one: validation at the time the password is created or changed, which rejects a password that matches the user ID before it can ever be used. Changing the company's security policy and educating users about the risks of weak passwords only inform users and do little to enforce the control. Requiring a periodic review of matching user IDs and passwords for detection and correction is a detective control; it finds the weakness only after it has existed for a while.
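An added example (not from the question bank) in Python showing both halves of the note: the preventive validation applied when an account is created or a password changed, and a detective sweep that finds legacy accounts whose password equals (or is a trivial transform of) the user ID without ever needing the plaintext, by hashing the user ID with each account's own salt. The user store, salts and sample accounts are constructed here, and PBKDF2-HMAC-SHA256 stands in for whatever the real system uses.

```python
"""Preventive control (validate at creation/change) and detective control
(periodic review) for 'password equals user ID'. Added example, not from the
question bank; the store and accounts below are constructed test data."""
import hashlib
import hmac
import os

ITERATIONS = 50_000  # kept low for the demo; production uses far more


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def validate_new_password(user_id: str, password: str) -> list:
    """Preventive control, run on user creation and password change.
    Returns the list of violations; an empty list means acceptable."""
    problems = []
    uid, pw = user_id.strip().lower(), password.lower()
    if pw == uid:
        problems.append("password equals user ID")
    elif uid and uid in pw:
        problems.append("password contains user ID")
    if pw == uid[::-1]:
        problems.append("password is user ID reversed")
    if len(password) < 12:
        problems.append("shorter than 12 characters")
    return problems


def create_user(store: dict, user_id: str, password: str) -> bool:
    """Refuse the account unless the password passes validation."""
    if validate_new_password(user_id, password):
        return False
    salt = os.urandom(16)
    store[user_id] = (salt, hash_password(password, salt))
    return True


def detect_weak_accounts(store: dict) -> list:
    """Detective control for accounts created before the validation existed.
    Passwords cannot be read back, but each user ID (and trivial variants)
    can be hashed with that account's salt and compared to the stored hash."""
    flagged = []
    for user_id, (salt, stored) in store.items():
        for guess in (user_id, user_id.lower(), user_id[::-1]):
            if hmac.compare_digest(hash_password(guess, salt), stored):
                flagged.append(user_id)
                break
    return flagged


def demo() -> list:
    """Legacy accounts created with no validation (constructed data)."""
    legacy = {}
    for uid, pw in [("jsmith", "jsmith"),
                    ("mlee", "Winter-Harbour-2019"),
                    ("ops01", "10spo")]:
        salt = os.urandom(16)
        legacy[uid] = (salt, hash_password(pw, salt))
    return detect_weak_accounts(legacy)
```

The sweep is what choice D amounts to in practice: it is useful for cleaning up accounts that predate the validation, but it only reports a weakness that has already been live, which is why the preventive check in `create_user` is the better control.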
557、An IS auditor evaluating logical access controls should FIRST:
A、document the controls applied to the potential access paths to the system.
B、test controls over the access paths to determine if they are functional.
C、evaluate the security environment in relation to written policies and practices.
D、obtain an understanding of the security risks to information processing.
ANSWER: D
NOTE: When evaluating logical access controls, an IS auditor should first obtain an understanding of the security risks facing information processing by reviewing relevant documentation, making inquiries and conducting a risk assessment. Documenting the controls applied to the potential access paths and evaluating their adequacy, efficiency and effectiveness is the second step, which identifies deficiencies or redundancy in the controls. The third step is to test the access paths to determine whether the controls are functioning. Lastly, the IS auditor evaluates the security environment by reviewing the written policies, observing practices and comparing them with appropriate security best practices.
558、Which of the following data validation edits is effective in detecting transposition and transcription errors?
A、Range check
B、Check digit
C、Validity check
D、Duplicate check
ANSWER: B
NOTE: A check digit is a numeric value calculated mathematically from the other digits and appended to the data to ensure that the original data have not been altered, e.g., that an incorrect but otherwise valid value has not been substituted for the original. This control is effective in detecting transposition errors (adjacent digits swapped) and transcription errors (a digit miscopied). A range check verifies that data fall within a predetermined range of values. A validity check is programmed checking of the data's validity against predetermined criteria. In a duplicate check, new transactions are matched against those previously entered to ensure they are not already in the system.
559、Distributed denial-of-service (DDoS) attacks on Internet sites are typically launched by hackers using which of the following?
A、Logic bombs
B、Phishing
C、Spyware
D、Trojan horses
ANSWER: D
NOTE: Trojan horses are malicious or damaging code hidden within an apparently legitimate computer program. Hackers use Trojans to take control of many computers and then direct all of them to access the same Internet site at the same moment, overloading the site's servers so that they can no longer process legitimate requests. Logic bombs are programs designed to destroy or modify data at a specific time in the future. Phishing is an attack, normally via e-mail, in which the attacker pretends to be an authorized person or organization and requests information. Spyware is a program that collects information from a PC, for example by copying the contents of its drives.
560、An IS auditor is evaluating management's risk assessment of information systems. The IS auditor should FIRST review:
A、the controls already in place.
B、the effectiveness of the controls in place.
C、the mechanism for monitoring the risks related to the assets.
D、the threats/vulnerabilities affecting the assets.
ANSWER: D
NOTE: One of the key factors to consider when assessing the risks related to the use of information systems is the threats and vulnerabilities affecting the assets. The risks related to the use of information assets should be evaluated in isolation from the installed controls. Similarly, the effectiveness of the controls is considered during the risk mitigation stage, not during the risk assessment phase. A mechanism to continuously monitor the risks related to assets belongs to the risk monitoring function that follows the risk assessment phase.
561、IT best practices for the availability and continuity of IT services should:
A、minimize costs associated with disaster-resilient components.
B、provide for sufficient capacity to meet the agreed upon demands of the business.
C、provide reasonable assurance that agreed upon obligations to customers can be met.
D、produce timely performance metric reports.
ANSWER: C
NOTE: It is important that negotiated and agreed commitments (e.g., service level agreements [SLAs]) can be fulfilled all the time. If this is not achievable, IT should not have agreed to these requirements, as entering into such a commitment would mislead the business. "All the time" in this context relates directly to the agreed obligations and does not imply that a service has to be available 100 percent of the time. Costs are a result of availability and service continuity management and may be only partially controllable; they directly reflect the agreed upon obligations. Capacity management is a necessary, but not sufficient, condition of availability. Although a lack of capacity may result in an availability issue, providing the capacity necessary for seamless operation of services is done within capacity management, not within availability management. Generating reports might be a task of availability and service continuity management, but that is equally true of many other areas (e.g., incident, problem, capacity and change management).
562、The MOST effective control for addressing the risk of piggybacking is:
A、a single entry point with a receptionist.
B、the use of smart cards.
C、a biometric door lock.
D、a deadman door.
ANSWER: D
NOTE: A deadman door (mantrap) is a system of two doors. For the second door to operate, the first entry door must close and lock, with only one person permitted in the holding area between them. This reduces the risk of an unauthorized person following an authorized person through a secured entry (piggybacking). The other choices are all physical controls over entry to a secure area, but none specifically addresses piggybacking: once the door has been opened for an authorized person, a second person can follow through.
563、Which of the following IT governance best practices improves strategic alignment?
A、Supplier and partner risks are managed.
B、A knowledge base on customers, products, markets and processes is in place.
C、A structure is provided that facilitates the creation and sharing of business information.
D、Top management mediates between the imperatives of business and technology.
ANSWER: D
NOTE: Top management mediating between the imperatives of business and technology is an IT strategic alignment best practice. Managing supplier and partner risks is a risk management best practice. A knowledge base on customers, products, markets and processes is an IT value delivery best practice. Providing an infrastructure that facilitates the creation and sharing of business information is an IT value delivery and risk management best practice.
564、To verify that the correct version of a data file was used for a production run, an IS auditor should review:
A、operator problem reports.
B、operator work schedules.
C、system logs.
D、output distribution reports.
ANSWER: C
NOTE: System logs are automated records of most of the activities performed on the computer, and programs exist that analyze the system log and report on specifically defined items. The auditor can use them to test that the correct file version was used for a production run. Operator problem reports are used by operators to log computer operation problems. Operator work schedules are maintained to assist in human resources planning. Output distribution reports identify all application reports generated and their distribution.
565、Which of the following controls would BEST detect intrusion?
A、User IDs and user privileges are granted through authorized procedures.
B、Automatic logoff is used when a workstation is inactive for a particular period of time.
C、Automatic logoff of the system occurs after a specified number of unsuccessful attempts.
D、Unsuccessful logon attempts are monitored by the security administrator.
ANSWER: D
NOTE: Intrusion is detected by actively monitoring and reviewing unsuccessful logons. Granting user IDs and privileges through authorized procedures implements a policy rather than a detective control. Automatic logoff of inactive workstations prevents access through unattended terminals and is not a detective control. Locking out the session after a specified number of unsuccessful attempts (choice C) is a method of preventing intrusion, not of detecting it.
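An added example (not from the question bank) in Python of the detective control in choice D: parse failed and successful logons from a log, count failures per source address over a sliding window, and flag sources that exceed a threshold, recording whether a successful logon followed the burst (the signature of a guessed password). The log lines are constructed in an sshd-style syslog format, and the threshold and window are assumptions.

```python
"""Monitoring unsuccessful logons as a detective control. Added example, not
from the question bank; the log lines are constructed in an sshd-style syslog
format and the alert thresholds are illustrative."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: a password-guessing burst from one address that
# ends in a successful logon, plus one ordinary mistyped password.
SAMPLE_LOG = """\
Mar 10 09:00:01 gw sshd[2101]: Failed password for root from 203.0.113.7 port 51012 ssh2
Mar 10 09:00:03 gw sshd[2102]: Failed password for root from 203.0.113.7 port 51013 ssh2
Mar 10 09:00:04 gw sshd[2103]: Failed password for admin from 203.0.113.7 port 51014 ssh2
Mar 10 09:00:06 gw sshd[2104]: Failed password for invalid user oracle from 203.0.113.7 port 51015 ssh2
Mar 10 09:00:09 gw sshd[2105]: Failed password for invalid user test from 203.0.113.7 port 51016 ssh2
Mar 10 09:00:12 gw sshd[2106]: Accepted password for root from 203.0.113.7 port 51017 ssh2
Mar 10 09:14:30 gw sshd[2140]: Failed password for jsmith from 198.51.100.20 port 40022 ssh2
Mar 10 09:14:45 gw sshd[2141]: Accepted password for jsmith from 198.51.100.20 port 40023 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def parse(log: str, year: int = 2024) -> list:
    """Return (timestamp, result, user, source) tuples; syslog omits the year."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated line; a real parser would count these
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["user"], m["src"]))
    return events


def detect(events: list, threshold: int = 5, window: timedelta = timedelta(minutes=5)) -> list:
    """Flag sources with >= threshold failures inside any window.
    Each alert is (source, failures_in_burst, success_after_burst)."""
    by_src = defaultdict(list)
    for ts, result, user, src in events:
        by_src[src].append((ts, result, user))
    alerts = []
    for src, evs in by_src.items():
        evs.sort()
        failures = [e for e in evs if e[1] == "Failed"]
        burst = 0
        for i, (ts, _, _) in enumerate(failures):   # sliding window
            j = i
            while j + 1 < len(failures) and failures[j + 1][0] - ts <= window:
                j += 1
            burst = max(burst, j - i + 1)
        if burst >= threshold:
            last_fail = failures[-1][0]
            success_after = any(r == "Accepted" and t >= last_fail for t, r, _ in evs)
            alerts.append((src, burst, success_after))
    return alerts
```

A burst followed by an accepted logon deserves a different response from a burst that simply stops: the first means the account is probably compromised, the second that a lockout or block should be checked. Neither the logoff in choice B nor the lockout in choice C produces this information; only reviewing the failures does.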
566、The PRIMARY purpose of implementing Redundant Array of Inexpensive Disks (RAID) level 1 in a file server is to:
A、achieve performance improvement.
B、provide user authentication.
C、ensure availability of data.
D、ensure the confidentiality of data.
ANSWER: C
NOTE: RAID level 1 provides disk mirroring: data written to one disk are also written to a second disk. Users on the network access data on the first disk; if it fails, the second disk takes over. This redundancy ensures the availability of data. RAID level 1 is not implemented for performance (every write goes to both disks, and any read-side gain is incidental), has no relevance to authentication and does nothing to provide data confidentiality.
567、What control detects transmission errors by appending calculated bits onto the end of each segment of data?
A、Reasonableness check
B、Parity check
C、Redundancy check
D、Check digits
ANSWER: C
NOTE: A redundancy check (for example a cyclic redundancy check, CRC) detects transmission errors by appending bits calculated from the data onto the end of each segment; the receiver recalculates them and compares. A reasonableness check compares data with predefined reasonability limits or occurrence rates established for the data. A parity check is a hardware control that detects data errors when data are read from one computer to another, from memory or during transmission. Check digits detect transposition and transcription errors.
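An added example (not from the question bank) in Python covering both this question and question 558: a Luhn (mod-10) check digit, with probes of which transposition and transcription errors it catches, and a CRC-32 redundancy check appended to a data segment. The account numbers and the data segment are constructed, and Luhn and CRC-32 are assumed schemes, since neither question names one.

```python
"""Check digit (question 558) and redundancy check (question 567) side by
side. Added example, not from the question bank; Luhn and CRC-32 are the
assumed schemes and the numbers and segment are constructed."""
import zlib


def luhn_check_digit(body: str) -> str:
    """Compute the Luhn (mod-10) check digit for a string of decimal digits."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:          # rightmost body digit is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    """True if the last digit is the correct check digit for the rest."""
    return number[-1] == luhn_check_digit(number[:-1])


def transposition_detected(number: str, i: int) -> bool:
    """Swap adjacent digits i and i+1 and report whether Luhn rejects it."""
    digits = list(number)
    digits[i], digits[i + 1] = digits[i + 1], digits[i]
    swapped = "".join(digits)
    return swapped != number and not luhn_valid(swapped)


def transcription_detected(number: str, i: int, wrong: str) -> bool:
    """Replace digit i with a wrong one and report whether Luhn rejects it."""
    digits = list(number)
    digits[i] = wrong
    mangled = "".join(digits)
    return mangled != number and not luhn_valid(mangled)


def append_crc(segment: bytes) -> bytes:
    """Redundancy check: append the CRC-32 of the segment (4 bytes, big-endian)."""
    return segment + zlib.crc32(segment).to_bytes(4, "big")


def crc_ok(frame: bytes) -> bool:
    """Receiver side: recompute the CRC over the body and compare."""
    body, crc = frame[:-4], int.from_bytes(frame[-4:], "big")
    return zlib.crc32(body) == crc


def flip_bit(data: bytes, bit: int) -> bytes:
    """Simulate a single-bit transmission error."""
    b = bytearray(data)
    b[bit // 8] ^= 1 << (bit % 8)
    return bytes(b)
```

Luhn detects every single-digit transcription error and every adjacent transposition except 09 and 90, which produce the same sum; `transposition_detected("12096", 2)` shows that blind spot. The CRC is the stronger control for transmission: it detects any single-bit error and every burst error shorter than its 32-bit width, which is why it, not a check digit, is appended to each segment on the wire.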
568、Vendors have released patches fixing security flaws in their software. Which of the following should an IS auditor recommend in this situation?
A、Assess the impact of patches prior to installation.
B、Ask the vendors for a new software version with all fixes included.
C、Install the security patch immediately.
D、Decline to deal with these vendors in the future.
ANSWER: A
NOTE: The effect of installing the patch should be evaluated promptly, and installation should proceed based on the results of that evaluation. Installing a patch without knowing what it might affect can easily cause problems. New software versions with all fixes included are not always available, and a full installation could be time consuming. Declining to deal with the vendors does not address the flaw.
569、When two or more systems are integrated, input/output controls must be reviewed by an IS auditor in the:
A、systems receiving the output of other systems.
B、systems sending output to other systems.
C、systems sending and receiving data.
D、interfaces between the two systems.
ANSWER: C
NOTE: Both systems must be reviewed for input/output controls, since the output of one system is the input of the other.
570、Which of the following potentially blocks hacking attempts?
A、Intrusion detection system
B、Honeypot system
C、Intrusion prevention system
D、Network security scanner
ANSWER: C
NOTE: An intrusion prevention system (IPS) is deployed as an in-line device that can detect and block hacking attempts. An intrusion detection system (IDS) is normally deployed in sniffing (passive) mode and can detect intrusion attempts but cannot effectively stop them. A honeypot lures intruders into exploring a simulated target. A network security scanner scans for vulnerabilities but does not stop intrusions.
551、Which of the following is the MOST secure and economical method for connecting a private network over the Internet in a small- to medium-sized organization? 551.对中小组织来说通过互联网连接私有网络下面哪个方法最安全最经济:
A、Virtual private network A、虚拟专用网(Virtual private network)
B、Dedicated line B、专线(Dedicated line)
C、Leased line C、租用专线(Leased line)
D、Integrated services digital network D、综合业务数字网(Integrated services digital network)
ANSWER: A
NOTE: The most secure method is a virtual private network (VPN), using encryption, authentication and tunneling to allow data to travel securely from a private network to the Internet. Choices B, C and D are network connectivity options that are normally too expensive to be practical for small- to medium-sized organizations.
552、The objective of concurrency control in a database system is to:
A、restrict updating of the database to authorized users.
B、prevent integrity problems when two processes attempt to update the same data at the same time.
C、prevent inadvertent or unauthorized disclosure of data in the database.
D、ensure the accuracy, completeness and consistency of data.
ANSWER: B
NOTE: Concurrency controls prevent data integrity problems, which can arise when two update processes access the same data item at the same time. Access controls restrict updating of the database to authorized users, and controls such as passwords prevent the inadvertent or unauthorized disclosure of data from the database. Quality controls, such as edits, ensure the accuracy, completeness and consistency of data maintained in the database.
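The lost update that concurrency control prevents, as an added example in Python (not part of the question bank): two interleaved updates to one account row, first with a blind write and then with an optimistic version check. The Row and Table classes are constructed for this example and are not a real DBMS API.

```python
"""Lost update with and without concurrency control (added example).

Two "processes" each read the same account row, add a deposit, and write
the result back. Without a concurrency control the second write silently
discards the first (a data integrity problem); with an optimistic version
check the stale write is rejected and the process re-reads and retries.
The Table class is constructed for this example, not a real DBMS API.
"""
from dataclasses import dataclass


@dataclass
class Row:
    balance: int
    version: int = 0  # incremented on every committed write


class Table:
    """Single-row in-memory table that records a version per write."""

    def __init__(self, balance: int) -> None:
        self._row = Row(balance)

    def read(self) -> Row:
        # Return a copy so callers hold a snapshot, as a transaction would.
        return Row(self._row.balance, self._row.version)

    def write_unchecked(self, new_balance: int) -> None:
        """Blind write: no check that the row is still what the writer read."""
        self._row.balance = new_balance
        self._row.version += 1

    def write_if_unchanged(self, expected_version: int, new_balance: int) -> bool:
        """Optimistic concurrency control: commit only if nobody else wrote."""
        if self._row.version != expected_version:
            return False
        self._row.balance = new_balance
        self._row.version += 1
        return True


def deposit_unchecked(table: Table, amounts: list[int]) -> int:
    """All processes read first, then all write back: the classic lost update."""
    snapshots = [table.read() for _ in amounts]          # interleaved reads
    for snap, amount in zip(snapshots, amounts):          # interleaved writes
        table.write_unchecked(snap.balance + amount)
    return table.read().balance


def deposit_checked(table: Table, amounts: list[int], max_retries: int = 5) -> int:
    """Same interleaving, but each write carries the version it was based on."""
    snapshots = [table.read() for _ in amounts]
    for snap, amount in zip(snapshots, amounts):
        for _ in range(max_retries):
            if table.write_if_unchanged(snap.version, snap.balance + amount):
                break
            snap = table.read()  # stale: re-read the current row and retry
        else:
            raise RuntimeError("update abandoned after repeated conflicts")
    return table.read().balance


if __name__ == "__main__":
    print("unchecked:", deposit_unchecked(Table(100), [10, 20]))  # 120: the +10 is lost
    print("checked:  ", deposit_checked(Table(100), [10, 20]))    # 130: both deposits kept
```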
553、The final decision to include a material finding in an audit report should be made by the:
A、audit committee.
B、auditee's manager.
C、IS auditor.
D、CEO of the organization.
ANSWER: C
NOTE: The IS auditor should make the final decision about what to include or exclude from the audit report. The other choices would limit the independence of the auditor.
554、Which of the following is an advantage of prototyping?
A、The finished system normally has strong internal controls.
B、Prototype systems can provide significant time and cost savings.
C、Change control is often less complicated with prototype systems.
D、It ensures that functions or extras are not added to the intended system.
ANSWER: B
NOTE: Prototype systems can provide significant time and cost savings; however, they also have several disadvantages. They often have poor internal controls, change control becomes much more complicated, and it often leads to functions or extras being added to the system that were not originally intended.
555、An organization provides information to its supply chain partners and customers through an extranet infrastructure. Which of the following should be the GREATEST concern to an IS auditor reviewing the firewall security architecture?
A、A Secure Sockets Layer (SSL) has been implemented for user authentication and remote administration of the firewall.
B、Firewall policies are updated on the basis of changing requirements.
C、Inbound traffic is blocked unless the traffic type and connections have been specifically permitted.
D、The firewall is placed on top of the commercial operating system with all installation options.
ANSWER: D
NOTE: The greatest concern when implementing firewalls on top of commercial operating systems is the potential presence of vulnerabilities that could undermine the security posture of the firewall platform itself. In most circumstances, when commercial firewalls are breached that breach is facilitated by vulnerabilities in the underlying operating system. Keeping all installation options available on the system further increases the risks of vulnerabilities and exploits. Using SSL for firewall administration (choice A) is important, because changes in user and supply chain partners' roles and profiles will be dynamic. Therefore, it is appropriate to maintain the firewall policies daily (choice B), and prudent to block all inbound traffic unless permitted (choice C).
556、Sign-on procedures include the creation of a unique user ID and password. However, an IS auditor discovers that in many cases the username and password are the same. The BEST control to mitigate this risk is to:
A、change the company's security policy.
B、educate users about the risk of weak passwords.
C、build in validations to prevent this during user creation and password change.
D、require a periodic review of matching user ID and passwords for detection and correction.
ANSWER: C
NOTE: The compromise of the password is the highest risk. The best control is a preventive control through validation at the time the password is created or changed. Changing the company's security policy and educating users about the risks of weak passwords only provides information to users, but does little to enforce this control. Requiring a periodic review of matching user ID and passwords for detection and ensuring correction is a detective control.
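An added example in Python (not from the question bank) contrasting the preventive validation of choice C with the detective review of choice D. The credential store layout, PBKDF2 iteration count, minimum length and sample accounts are assumptions of the example.

```python
"""Preventive vs detective control for 'user ID equals password' (added example).

The preventive control runs where the plaintext is available: at user
creation and password change. The detective control runs later over the
credential store, where only salted PBKDF2 hashes exist, so it must
re-hash each user ID with that account's own salt and compare digests.
Store layout, iteration count and sample accounts are constructed here.
"""
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumption for the example
MIN_LENGTH = 12       # assumption for the example


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def normalize(text: str) -> str:
    """Case-fold and drop punctuation so 'J.Smith' and 'jsmith' compare equal."""
    return "".join(ch for ch in text.lower() if ch.isalnum())


def validate_new_password(user_id: str, password: str) -> list[str]:
    """Preventive control (choice C): returns policy violations, empty if acceptable."""
    problems = []
    if normalize(password) == normalize(user_id):
        problems.append("password must not equal the user ID")
    elif normalize(user_id) in normalize(password):
        problems.append("password must not contain the user ID")
    if len(password) < MIN_LENGTH:
        problems.append(f"password must be at least {MIN_LENGTH} characters")
    return problems


def create_user(store: dict, user_id: str, password: str) -> bool:
    """Account creation / password change path: refuses to store a weak credential."""
    if validate_new_password(user_id, password):
        return False
    salt = os.urandom(16)
    store[user_id] = (salt, hash_password(password, salt))
    return True


def legacy_store_user(store: dict, user_id: str, password: str) -> None:
    """Simulates an account created before the preventive control existed."""
    salt = os.urandom(16)
    store[user_id] = (salt, hash_password(password, salt))


def review_matching_passwords(store: dict) -> list[str]:
    """Detective control (choice D): periodic review of the credential store.
    Flags accounts whose stored digest matches a hash of their own user ID."""
    flagged = []
    for user_id, (salt, digest) in store.items():
        for candidate in {user_id, user_id.lower(), user_id.upper()}:
            if hmac.compare_digest(hash_password(candidate, salt), digest):
                flagged.append(user_id)
                break
    return sorted(flagged)
```

The detective review only finds accounts already in the bad state and only for the candidate spellings it tries, which is why the note ranks the validation at creation time above it.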
557、An IS auditor evaluating logical access controls should FIRST:
A、document the controls applied to the potential access paths to the system.
B、test controls over the access paths to determine if they are functional.
C、evaluate the security environment in relation to written policies and practices.
D、obtain an understanding of the security risks to information processing.
ANSWER: D
NOTE: When evaluating logical access controls, an IS auditor should first obtain an understanding of the security risks facing information processing by reviewing relevant documentation, by inquiries, and by conducting a risk assessment. Documentation and evaluation is the second step in assessing the adequacy, efficiency and effectiveness, thus identifying deficiencies or redundancy in controls. The third step is to test the access paths—to determine if the controls are functioning. Lastly, the IS auditor evaluates the security environment to assess its adequacy by reviewing the written policies, observing practices and comparing them to appropriate security best practices.
558、Which of the following data validation edits is effective in detecting transposition and transcription errors?
A、Range check
B、Check digit
C、Validity check
D、Duplicate check
ANSWER: B
NOTE: A check digit is a numeric value that is calculated mathematically and is appended to data to ensure that the original data have not been altered, e.g., an incorrect, but valid, value substituted for the original. This control is effective in detecting transposition and transcription errors. A range check is checking data that matches a predetermined range of values. A validity check is programmed checking of the data validity in accordance with predetermined criteria. In a duplicate check, new or fresh transactions are matched to those previously entered to ensure that they are not already in the system.
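An added example in Python (not part of the question bank) implementing a weighted modulus-11 check digit and contrasting it with an unweighted digit sum; the exhaustive scan generalizes the note's claim to every single substitution and adjacent transposition of a code. The sample codes are constructed here.

```python
"""Check digits against transcription and transposition errors (added example).

A weighted modulus-11 check digit (the ISBN-10 scheme) is computed over a
string of digits and appended to it. Because each position carries a
different weight below 11, changing one digit (transcription) or swapping
two adjacent different digits (transposition) always changes the residue.
An unweighted digit sum is shown for contrast: it catches substitutions
but is blind to transpositions. Sample codes are constructed here.
"""
from typing import Callable

CheckFn = Callable[[str], str]


def weighted_mod11_check(base: str) -> str:
    """Weights n+1 .. 2 from the left; result 10 is written as 'X'."""
    if not base.isdigit():
        raise ValueError("base must contain digits only")
    weights = range(len(base) + 1, 1, -1)
    total = sum(int(d) * w for d, w in zip(base, weights))
    check = (11 - total % 11) % 11
    return "X" if check == 10 else str(check)


def plain_sum_check(base: str) -> str:
    """Unweighted digit sum modulo 10: the order of the digits does not matter."""
    return str(sum(int(d) for d in base) % 10)


def validate(code: str, check_fn: CheckFn = weighted_mod11_check) -> bool:
    """True if the trailing character is the correct check digit for the rest."""
    base, check = code[:-1], code[-1].upper()
    return check_fn(base) == check


def undetected_single_errors(code: str, check_fn: CheckFn = weighted_mod11_check) -> dict:
    """Apply every single-digit substitution and every adjacent transposition of
    the base digits and count the corrupted codes that still validate."""
    base, check = code[:-1], code[-1]
    missed = {"substitutions": 0, "transpositions": 0}
    for i, d in enumerate(base):
        for new in "0123456789":
            if new != d and validate(base[:i] + new + base[i + 1:] + check, check_fn):
                missed["substitutions"] += 1
    for i in range(len(base) - 1):
        if base[i] != base[i + 1]:
            swapped = base[:i] + base[i + 1] + base[i] + base[i + 2:]
            if validate(swapped + check, check_fn):
                missed["transpositions"] += 1
    return missed


if __name__ == "__main__":
    code = "123456789" + weighted_mod11_check("123456789")   # "123456789X"
    print(code, validate(code))                              # True
    print(validate("213456789X"), validate("123456780X"))    # False False (transposition, transcription)
    print(undetected_single_errors("1234567895", plain_sum_check))  # 8 transpositions missed
```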
559、Distributed denial-of-service (DDOS) attacks on Internet sites are typically evoked by hackers using which of the following?
A、Logic bombs
B、Phishing
C、Spyware
D、Trojan horses
ANSWER: D
NOTE: Trojan horses are malicious or damaging code hidden within an authorized computer program. Hackers use Trojans to mastermind DDOS attacks that affect computers that access the same Internet site at the same moment, resulting in overloaded site servers that may no longer be able to process legitimate requests. Logic bombs are programs designed to destroy or modify data at a specific time in the future. Phishing is an attack, normally via e-mail, pretending to be an authorized person or organization requesting information. Spyware is a program that picks up information from PC drives by making copies of their contents.
560、An IS auditor is evaluating management's risk assessment of information systems. The IS auditor should FIRST review:
A、the controls already in place.
B、the effectiveness of the controls in place.
C、the mechanism for monitoring the risks related to the assets.
D、the threats/vulnerabilities affecting the assets.
ANSWER: D
NOTE: One of the key factors to be considered while assessing the risks related to the use of various information systems is the threats and vulnerabilities affecting the assets. The risks related to the use of information assets should be evaluated in isolation from the installed controls. Similarly, the effectiveness of the controls should be considered during the risk mitigation stage and not during the risk assessment phase. A mechanism to continuously monitor the risks related to assets should be put in place during the risk monitoring function that follows the risk assessment phase.
561、IT best practices for the availability and continuity of IT services should:
A、minimize costs associated with disaster-resilient components.
B、provide for sufficient capacity to meet the agreed upon demands of the business.
C、provide reasonable assurance that agreed upon obligations to customers can be met.
D、produce timely performance metric reports.
ANSWER: C
NOTE: It is important that negotiated and agreed commitments (e.g., service level agreements [SLAs]) can be fulfilled all the time. If this were not achievable, IT should not have agreed to these requirements, as entering into such a commitment would be misleading to the business. “All the time” in this context directly relates to the “agreed obligations” and does not imply that a service has to be available 100 percent of the time. Costs are a result of availability and service continuity management and may only be partially controllable. These costs directly reflect the agreed upon obligations. Capacity management is a necessary, but not sufficient, condition of availability. Despite the possibility that a lack of capacity may result in an availability issue, providing the capacity necessary for seamless operations of services would be done within capacity management, and not within availability management. Generating reports might be a task of availability and service continuity management, but that is true for many other areas of interest as well (e.g., incident, problem, capacity and change management).
562、The MOST effective control for addressing the risk of piggybacking is:
A、a single entry point with a receptionist.
B、the use of smart cards.
C、a biometric door lock.
D、a deadman door.
ANSWER: D
NOTE: Deadman doors are a system of using a pair of (two) doors. For the second door to operate, the first entry door must close and lock with only one person permitted in the holding area. This reduces the risk of an unauthorized person following an authorized person through a secured entry (piggybacking). The other choices are all physical controls over entry to a secure area but do not specifically address the risk of piggybacking.
563、Which of the following IT governance best practices improves strategic alignment?
A、Supplier and partner risks are managed.
B、A knowledge base on customers, products, markets and processes is in place.
C、A structure is provided that facilitates the creation and sharing of business information.
D、Top management mediate between the imperatives of business and technology.
ANSWER: D
NOTE: Top management mediating between the imperatives of business and technology is an IT strategic alignment best practice. Supplier and partner risks being managed is a risk management best practice. A knowledge base on customers, products, markets and processes being in place is an IT value delivery best practice. An infrastructure being provided to facilitate the creation and sharing of business information is an IT value delivery and risk management best practice.
564、To verify that the correct version of a data file was used for a production run, an IS auditor should review:
A、operator problem reports.
B、operator work schedules.
C、system logs.
D、output distribution reports.
ANSWER: C
NOTE: System logs are automated reports which identify most of the activities performed on the computer. Programs that analyze the system log have been developed to report on specifically defined items. The auditor can then carry out tests to ensure that the correct file version was used for a production run. Operator problem reports are used by operators to log computer operation problems. Operator work schedules are maintained to assist in human resources planning. Output distribution reports identify all application reports generated and their distribution.
565、Which of the following controls would BEST detect intrusion?
A、User IDs and user privileges are granted through authorized procedures.
B、Automatic logoff is used when a workstation is inactive for a particular period of time.
C、Automatic logoff of the system occurs after a specified number of unsuccessful attempts.
D、Unsuccessful logon attempts are monitored by the security administrator.
ANSWER: D
NOTE: Intrusion is detected by the active monitoring and review of unsuccessful logons. User IDs and the granting of user privileges define a policy, not a control. Automatic logoff is a method of preventing access on inactive terminals and is not a detective control. Unsuccessful attempts to log on are a method for preventing intrusion, not detecting.
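The monitoring of unsuccessful logons in choice D, as an added example in Python (not from the question bank): two detection rules run over authentication log lines. The log format, field names and every event below are constructed for this example.

```python
"""Detecting intrusion attempts from unsuccessful logon records (added example).

Rule 1 flags a burst of failures for one user ID from one source inside a
time window; rule 2 flags one source failing against many different user
IDs. The log format and all events below are constructed for this example.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

LOG_RE = re.compile(r"^(\S+) auth: (FAILED|OK) login user=(\S+) src=(\S+)$")

SAMPLE_LOG = """\
2024-03-01T08:00:01 auth: FAILED login user=alice src=10.0.0.5
2024-03-01T08:00:03 auth: FAILED login user=alice src=10.0.0.5
2024-03-01T08:00:04 auth: OK login user=bob src=10.0.0.7
2024-03-01T08:00:06 auth: FAILED login user=alice src=10.0.0.5
2024-03-01T08:00:09 auth: FAILED login user=alice src=10.0.0.5
2024-03-01T08:00:10 auth: FAILED login user=alice src=10.0.0.5
2024-03-01T08:10:00 auth: FAILED login user=carol src=10.0.0.9
2024-03-01T08:30:00 auth: FAILED login user=carol src=10.0.0.9
2024-03-01T08:50:00 auth: FAILED login user=carol src=10.0.0.9
2024-03-01T09:10:00 auth: FAILED login user=carol src=10.0.0.9
2024-03-01T09:30:00 auth: FAILED login user=carol src=10.0.0.9
2024-03-01T10:00:00 auth: FAILED login user=dave src=10.0.0.42
2024-03-01T10:00:02 auth: FAILED login user=erin src=10.0.0.42
2024-03-01T10:00:04 auth: FAILED login user=frank src=10.0.0.42
"""


def parse(lines):
    """Yield (timestamp, result, user, src); lines that do not match are skipped."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            ts, result, user, src = m.groups()
            yield datetime.fromisoformat(ts), result, user, src


def failed_logon_alerts(lines, threshold=5, window_seconds=60):
    """Rule 1: sliding window per (user, src).
    Returns {(user, src): failures_in_window} for each pair that hit the threshold."""
    recent = defaultdict(deque)
    alerts = {}
    for ts, result, user, src in parse(lines):
        if result != "FAILED":
            continue
        window = recent[(user, src)]
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()                      # drop failures older than the window
        if len(window) >= threshold and (user, src) not in alerts:
            alerts[(user, src)] = len(window)
    return alerts


def spray_alerts(lines, min_distinct_users=3):
    """Rule 2: one source with failed logons against many user IDs."""
    users_by_src = defaultdict(set)
    for _, result, user, src in parse(lines):
        if result == "FAILED":
            users_by_src[src].add(user)
    return {src: sorted(users) for src, users in users_by_src.items()
            if len(users) >= min_distinct_users}


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print(failed_logon_alerts(lines))                       # alice only
    print(failed_logon_alerts(lines, window_seconds=7200))  # alice and carol
    print(spray_alerts(lines))                              # 10.0.0.42
```

carol's five failures spread over 80 minutes slip under a 60-second window but are caught when the window is widened to two hours, which is why the review window is a tuning decision rather than a fixed number.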
566、The PRIMARY purpose of implementing Redundant Array of Inexpensive Disks (RAID) level 1 in a file server is to:
A、achieve performance improvement.
B、provide user authentication.
C、ensure availability of data.
D、ensure the confidentiality of data.
ANSWER: C
NOTE: RAID level 1 provides disk mirroring. Data written to one disk are also written to another disk. Users in the network access data in the first disk; if disk one fails, the second disk takes over. This redundancy ensures the availability of data. RAID level 1 does not improve performance, has no relevance to authentication and does nothing to provide for data confidentiality.
567、What control detects transmission errors by appending calculated bits onto the end of each segment of data?
A、Reasonableness check
B、Parity check
C、Redundancy check
D、Check digits
ANSWER: C
NOTE: A redundancy check detects transmission errors by appending calculated bits onto the end of each segment of data. A reasonableness check compares data to predefined reasonability limits or occurrence rates established for the data. A parity check is a hardware control that detects data errors when data are read from one computer to another, from memory or during transmission. Check digits detect transposition and transcription errors.
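An added example in Python (not from the question bank) of a redundancy check that appends a 16-bit CRC to each segment, shown beside a single parity bit to make the difference in detection power concrete. The CRC parameters (CCITT polynomial 0x1021, initial value 0xFFFF), the sample segment and the corrupted bit positions are assumptions of the example.

```python
"""Redundancy check vs parity check on a data segment (added example).

The redundancy check appends calculated bits (here a 16-bit CRC, CCITT
polynomial 0x1021) to the end of each segment; the receiver recomputes it
over the payload and compares. A single parity bit is shown alongside:
it catches any odd number of flipped bits but is blind to an even number.
The sample segment and the corrupted bit positions are constructed here.
"""


def parity_bit(data: bytes) -> int:
    """Even-parity bit: 1 when the number of 1-bits in the data is odd."""
    return bin(int.from_bytes(data, "big")).count("1") & 1


def crc16_ccitt(data: bytes, poly: int = 0x1021, init: int = 0xFFFF) -> int:
    """Bitwise CRC-16/CCITT-FALSE (no reflection, no final XOR)."""
    crc = init
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            if crc & 0x8000:
                crc = ((crc << 1) ^ poly) & 0xFFFF
            else:
                crc = (crc << 1) & 0xFFFF
    return crc


def frame(segment: bytes) -> bytes:
    """Sender side: append the 16 calculated bits to the end of the segment."""
    return segment + crc16_ccitt(segment).to_bytes(2, "big")


def check_frame(received: bytes) -> bool:
    """Receiver side: recompute over the payload and compare with the trailer."""
    payload, trailer = received[:-2], received[-2:]
    return crc16_ccitt(payload) == int.from_bytes(trailer, "big")


def flip_bits(data: bytes, *positions: int) -> bytes:
    """Corrupt the given bit positions (0 = most significant bit of byte 0)."""
    buf = bytearray(data)
    for pos in positions:
        buf[pos // 8] ^= 1 << (7 - pos % 8)
    return bytes(buf)


def parity_detects(original: bytes, corrupted: bytes) -> bool:
    """True if a parity bit computed by the sender would expose the corruption."""
    return parity_bit(original) != parity_bit(corrupted)


if __name__ == "__main__":
    segment = b"PAYROLL-0042"
    sent = frame(segment)
    print(check_frame(sent), check_frame(flip_bits(sent, 3)), check_frame(flip_bits(sent, 3, 40)))
    # True False False: the CRC catches both the one-bit and the two-bit error
    print(parity_detects(segment, flip_bits(segment, 3)), parity_detects(segment, flip_bits(segment, 3, 40)))
    # True False: parity misses the two-bit error
```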
568、Vendors have released patches fixing security flaws in their software. Which of the following should an IS auditor recommend in this situation?
A、Assess the impact of patches prior to installation.
B、Ask the vendors for a new software version with all fixes included.
C、Install the security patch immediately.
D、Decline to deal with these vendors in the future.
ANSWER: A
NOTE: The effect of installing the patch should be immediately evaluated and installation should occur based on the results of the evaluation. To install the patch without knowing what it might affect could easily cause problems. New software versions with all fixes included are not always available and a full installation could be time consuming. Declining to deal with vendors does not take care of the flaw.
569、When two or more systems are integrated, input/output controls must be reviewed by an IS auditor in the:
A、systems receiving the output of other systems.
B、systems sending output to other systems.
C、systems sending and receiving data.
D、interfaces between the two systems.
ANSWER: C
NOTE: Both of the systems must be reviewed for input/output controls, since the output for one system is the input for the other.
570、Which of the following potentially blocks hacking attempts?
A、Intrusion detection system
B、Honeypot system
C、Intrusion prevention system
D、Network security scanner
ANSWER: C
NOTE: An intrusion prevention system (IPS) is deployed as an in-line device that can detect and block hacking attempts. An intrusion detection system (IDS) normally is deployed in sniffing mode and can detect intrusion attempts, but cannot effectively stop them. A honeypot solution traps the intruders to explore a simulated target. A network security scanner scans for the vulnerabilities, but it will not stop the intrusion.
571、The potential for unauthorized system access by way of terminals or workstations within an organization's facility is increased when:
A、connecting points are available in the facility to connect laptops to the network.
B、users take precautions to keep their passwords confidential.
C、terminals with password protection are located in insecure locations.
D、terminals are located within the facility in small clusters under the supervision of an administrator.
ANSWER: A
NOTE: Any person with wrongful intentions can connect a laptop to the network. The insecure connecting points make unauthorized access possible if the individual has knowledge of a valid user ID and password. The other choices are controls for preventing unauthorized network access. If system passwords are not readily available for intruders to use, they must guess, which introduces an additional factor and requires time. System passwords provide protection against unauthorized use of terminals located in insecure locations. Supervision is a very effective control when used to monitor access to a small operating unit or production resources.
572、Which of the following findings should an IS auditor be MOST concerned about when performing an audit of backup and recovery and the offsite storage vault?
A、There are three individuals with a key to enter the area.
B、Paper documents are also stored in the offsite vault.
C、Data files that are stored in the vault are synchronized.
D、The offsite vault is located in a separate facility.
ANSWER: C
NOTE: Choice A is incorrect because more than one person would typically need to have a key to the vault to ensure that individuals responsible for the offsite vault can take vacations and rotate duties. Choice B is not correct because an IS auditor would not be concerned with whether paper documents are stored in the offsite vault. In fact, paper documents, such as procedural documents and a copy of the contingency plan, would most likely be stored in the offsite vault, and the location of the vault is important, but not as important as the files being synchronized.
573、Many organizations require an employee to take a mandatory vacation (holiday) of a week or more to:
A、ensure the employee maintains a good quality of life, which will lead to greater productivity.
B、reduce the opportunity for an employee to commit an improper or illegal act.
C、provide proper cross-training for another employee.
D、eliminate the potential disruption caused when an employee takes vacation one day at a time.
ANSWER: B
NOTE: Required vacations/holidays of a week or more in duration in which someone other than the regular employee performs the job function is often mandatory for sensitive positions, as this reduces the opportunity to commit improper or illegal acts. During this time it may be possible to discover any fraudulent activity that was taking place. Choices A, C and D could all be organizational benefits from a mandatory vacation policy, but they are not the reason why the policy is established.
574、Which of the following is the GREATEST risk to the effectiveness of application system controls?
A、Removal of manual processing steps
B、Inadequate procedure manuals
C、Collusion between employees
D、Unresolved regulatory compliance issues
ANSWER: C
NOTE: Collusion is an active attack that can be sustained and is difficult to identify since even well-thought-out application controls may be circumvented. The other choices do not impact well-designed application controls.
575、Which of the following is the MOST important element for the successful implementation of IT governance?
A、Implementing an IT scorecard
B、Identifying organizational strategies
C、Performing a risk assessment
D、Creating a formal security policy
ANSWER: B
NOTE: The key objective of an IT governance program is to support the business, thus the identification of organizational strategies is necessary to ensure alignment between IT and corporate governance. Without identification of organizational strategies, the remaining choices—even if implemented—would be ineffective.
576、Which of the following disaster recovery/continuity plan components provides the GREATEST assurance of recovery after a disaster?
A、The alternate facility will be available until the original information processing facility is restored.
B、User management is involved in the identification of critical systems and their associated critical recovery times.
C、Copies of the plan are kept at the homes of key decision-making personnel.
D、Feedback is provided to management assuring them that the business continuity plans are indeed workable and that the procedures are current.
ANSWER: A
NOTE: The alternate facility should be made available until the original site is restored to provide the greatest assurance of recovery after a disaster. Without this assurance, the plan will not be successful. All other choices ensure prioritization or the execution of the plan.
577、When preparing an audit report the IS auditor should ensure that the results are supported by:
A、statements from IS management.
B、workpapers of other auditors.
C、an organizational control self-assessment.
D、sufficient and appropriate audit evidence.
ANSWER: D
NOTE: ISACA's standard on “reporting” requires the IS auditor have sufficient and appropriate audit evidence to support the reported results. Statements from IS management provide a basis for obtaining concurrence on matters that cannot be verified with empirical evidence. The report should be based on evidence collected during the course of the review even though the auditor may have access to the work papers of other auditors. The results of an organizational control self-assessment (CSA) could supplement the audit findings. Choices A, B and C might be referenced during an audit but, of themselves, would not be considered a sufficient basis for issuing a report.
578、Which of the following would be the MOST cost-effective recommendation for reducing the number of defects encountered during software development projects?
A、Increase the time allocated for system testing
B、Implement formal software inspections
C、Increase the development staff
D、Require the sign-off of all project deliverables
ANSWER: B
NOTE: Inspections of code and design are a proven software quality technique. An advantage of this approach is that defects are identified before they propagate through the development life cycle. This reduces the cost of correction as less rework is involved. Allowing more time for testing may discover more defects; however, little is revealed as to why the quality problems are occurring and the cost of the extra testing, and the cost of rectifying the defects found will be greater than if they had been discovered earlier in the development process. The ability of the development staff can have a bearing on the quality of what is produced; however, replacing staff can be expensive and disruptive, and the presence of a competent staff cannot guarantee quality in the absence of effective quality management processes. Sign-off of deliverables may help detect defects if signatories are diligent about reviewing deliverable content; however, this is difficult to enforce. Deliverable reviews normally do not go down to the same level of detail as software inspections.
579、An existing system is being extensively enhanced by extracting and reusing design and program components. This is an example of:
A、reverse engineering.
B、prototyping.
C、software reuse.
D、reengineering.
ANSWER: D
NOTE: Old (legacy) systems that have been corrected, adapted and enhanced extensively require reengineering to remain maintainable. Reengineering is a rebuilding activity to incorporate new technologies into existing systems. Using program language statements, reverse engineering involves reversing a program's machine code into the source code in which it was written to identify malicious content in a program, such as a virus, or to adapt a program written for use with one processor for use with a differently designed processor. Prototyping is the development of a system through controlled trial and error. Software reuse is the process of planning, analyzing and using previously developed software components. The reusable components are integrated into the current software product systematically.
580、Which of the following reduces the potential impact of social engineering attacks?
A、Compliance with regulatory requirements
B、Promoting ethical understanding
C、Security awareness programs
D、Effective performance incentives
ANSWER: C
NOTE: Because social engineering is based on deception of the user, the best countermeasure or defense is a security awareness program. The other choices are not user-focused.
581、Over the long term, which of the following has the greatest potential to improve the security incident response process?
A、A walkthrough review of incident response procedures
B、Postevent reviews by the incident response team
C、Ongoing security training for users
D、Documenting responses to an incident
ANSWER: B
NOTE: Postevent reviews to find the gaps and shortcomings in the actual incident response processes will help to improve the process over time. Choices A, C and D are desirable actions, but postevent reviews are the most reliable mechanism for improving security incident response processes.
582、An IS auditor is evaluating a corporate network for a possible penetration by employees. Which of the following findings should give the IS auditor the GREATEST concern?
A、There are a number of external modems connected to the network.
B、Users can install software on their desktops.
C、Network monitoring is very limited.
D、Many user IDs have identical passwords.
ANSWER: D
NOTE: Exploitation of a known user ID and password requires minimal technical knowledge and exposes the network resources to exploitation. The technical barrier is low and the impact can be very high; therefore, the fact that many user IDs have identical passwords represents the greatest threat. External modems represent a security risk, but exploitation still depends on the use of a valid user account. While the impact of users installing software on their desktops can be high (for example, due to the installation of Trojans or key-logging programs), the likelihood is not high due to the level of technical knowledge required to successfully penetrate the network. Although network monitoring can be a useful detective control, it will only detect abuse of user accounts in special circumstances and is, therefore, not a first line of defense.
583、Which of the following attacks targets the Secure Sockets Layer (SSL)?
A、Man-in-the middle
B、Dictionary
C、Password sniffing
D、Phishing
ANSWER: A
NOTE: Attackers can establish a fake Secure Sockets Layer (SSL) server to accept a user's SSL traffic and then route it to the real SSL server, so that sensitive information can be discovered. A dictionary attack that has been launched to discover passwords would not attack SSL since SSL does not rely on passwords. SSL traffic is encrypted, thus it is not possible to sniff the password. A phishing attack targets a user and not SSL. Phishing attacks attempt to have the user surrender private information by falsely claiming to be a trusted person or enterprise.
584、In large corporate networks having supply partners across the globe, network traffic may continue to rise. The infrastructure components in such environments should be scalable. Which of the following firewall architectures limits future scalability?
A、Appliances
B、Operating system-based
C、Host-based
D、Demilitarized
ANSWER: A
NOTE: The software for appliances is embedded into chips. Firmware-based firewall products cannot be moved to higher capacity servers. Firewall software that sits on an operating system can always be scalable due to its ability to enhance the power of servers. Host-based firewalls operate on top of the server operating system and are scalable. A demilitarized zone is a model of firewall implementation and is not a firewall architecture.
585、The phases and deliverables of a system development life cycle (SDLC) project should be determined:
A、during the initial planning stages of the project.
B、after early planning has been completed, but before work has begun.
C、throughout the work stages, based on risks and exposures.
D、only after all risks and exposures have been identified and the IS auditor has recommended appropriate controls.
ANSWER: A
NOTE: It is extremely important that the project be planned properly and that the specific phases and deliverables be identified during the early stages of the project.
586、Which of the following backup techniques is the MOST appropriate when an organization requires extremely granular data restore points, as defined in the recovery point objective (RPO)?
A、Virtual tape libraries
B、Disk-based snapshots
C、Continuous data backup
D、Disk-to-tape backup
ANSWER: C
NOTE: The recovery point objective (RPO) is based on the acceptable data loss in the case of a disruption. In this scenario the organization needs a short RPO. Virtual tape libraries, disk-based snapshots and disk-to-tape backup would require time to complete the backup, while continuous data backup happens online (in real time).
587、An IS auditor has been assigned to review IT structures and activities recently outsourced to various providers. Which of the following should the IS auditor determine FIRST?
A、That an audit clause is present in all contracts
B、That the SLA of each contract is substantiated by appropriate KPIs
C、That the contractual warranties of the providers support the business needs of the organization
D、That at contract termination, support is guaranteed by each outsourcer for new outsourcers
ANSWER: C
NOTE: The complexity of IT structures matched by the complexity and interplay of responsibilities and warranties may affect or void the effectiveness of those warranties and the reasonable certainty that the business needs will be met. All other choices are important, but not as potentially dangerous as the interplay of the diverse and critical areas of the contractual responsibilities of the outsourcers.
588、When auditing a proxy-based firewall, an IS auditor should:
A、verify that the firewall is not dropping any forwarded packets.
B、review Address Resolution Protocol (ARP) tables for appropriate mapping between media access control (MAC) and IP addresses.
C、verify that the filters applied to services such as HTTP are effective.
D、test whether routing information is forwarded by the firewall.
ANSWER: C
NOTE: A proxy-based firewall works as an intermediary (proxy) between the service or application and the client. It makes a connection with the client and opens a different connection with the server and, based on specific filters and rules, analyzes all the traffic between the two connections. Unlike a packet-filtering gateway, a proxy-based firewall does not forward any packets. Mapping between media access control (MAC) and IP addresses is a task for protocols such as Address Resolution Protocol/Reverse Address Resolution Protocol (ARP/RARP).
589、Which of the following applet intrusion issues poses the GREATEST risk of disruption to an organization?
A、A program that deposits a virus on a client machine
B、Applets recording keystrokes and, therefore, passwords
C、Downloaded code that reads files on a client's hard drive
D、Applets opening connections from the client machine
ANSWER: D
NOTE: An applet is a program downloaded from a web server to the client, usually through a web browser that provides functionality for database access, interactive web pages and communications with other users. Applets opening connections from the client machine to other machines on the network and damaging those machines, as a denial-of-service attack, pose the greatest threat to an organization and could disrupt business continuity. A program that deposits a virus on a client machine is referred to as a malicious attack (i.e., specifically meant to cause harm to a client machine), but may not necessarily result in a disruption of service. Applets that record keystrokes, and therefore passwords, and downloaded code that reads files on a client's hard drive relate more to organizational privacy issues, and although significant, are less likely to cause a significant disruption of service.
590、The responsibilities of a disaster recovery relocation team include:
A、obtaining, packaging and shipping media and records to the recovery facilities, as well as establishing and overseeing an offsite storage schedule.
B、locating a recovery site, if one has not been predetermined, and coordinating the transport of company employees to the recovery site.
C、managing the relocation project and conducting a more detailed assessment of the damage to the facilities and equipment.
D、coordinating the process of moving from the hot site to a new location or to the restored original location.
ANSWER: D
NOTE: Choice A describes an offsite storage team, choice B defines a transportation team and choice C defines a salvage team.
591、Integrating business continuity planning (BCP) into an IT project aids in:
A、the retrofitting of the business continuity requirements.
B、the development of a more comprehensive set of requirements.
C、the development of a transaction flowchart.
D、ensuring the application meets the user's needs.
ANSWER: B
NOTE: Integrating business continuity planning (BCP) into the development process ensures complete coverage of the requirements through each phase of the project. Retrofitting of the business continuity plan's requirements occurs when BCP is not integrated into the development methodology. Transaction flowcharts aid in analyzing an application's controls. A business continuity plan will not directly address the detailed processing needs of the users.
592、Which of the following procedures would BEST determine whether adequate recovery/restart procedures exist?
A、Reviewing program code
B、Reviewing operations documentation
C、Turning off the UPS, then the power
D、Reviewing program documentation
ANSWER: B
NOTE: Operations documentation should contain recovery/restart procedures, so operations can return to normal processing in a timely manner. Turning off the uninterruptible power supply (UPS) and then turning off the power might create a situation for recovery and restart, but the negative effect on operations would prove this method to be undesirable. The review of program code and documentation generally does not provide evidence regarding recovery/restart procedures.
593、The initial step in establishing an information security program is the:
A、development and implementation of an information security standards manual.
B、performance of a comprehensive security control review by the IS auditor.
C、adoption of a corporate information security policy statement.
D、purchase of security access control software.
ANSWER: C
NOTE: A policy statement reflects the intent and support provided by executive management for proper security and establishes a starting point for developing the security program.
594、An IS auditor reviewing an organization's IT strategic plan should FIRST review:
A、the existing IT environment.
B、the business plan.
C、the present IT budget.
D、current technology trends.
ANSWER: B
NOTE: The IT strategic plan exists to support the organization's business plan. To evaluate the IT strategic plan, an IS auditor would first need to familiarize themselves with the business plan.
595、An IS auditor should recommend the use of library control software to provide reasonable assurance that:
A、program changes have been authorized.
B、only thoroughly tested programs are released.
C、modified programs are automatically moved to production.
D、source and executable code integrity is maintained.
ANSWER: A
NOTE: Library control software should be used to separate test from production libraries in mainframe and/or client server environments. The main objective of library control software is to provide assurance that program changes have been authorized. Library control software is concerned with authorized program changes and would not automatically move modified programs into production and cannot determine whether programs have been thoroughly tested. Library control software provides reasonable assurance that the source code and executable code are matched at the time source code is moved to production. However, subsequent events such as a hardware failure can result in a lack of consistency between source and executable code.
596、Which of the following would have the HIGHEST priority in a business continuity plan (BCP)?
A、Resuming critical processes
B、Recovering sensitive processes
C、Restoring the site
D、Relocating operations to an alternative site
ANSWER: A
NOTE: The resumption of critical processes has the highest priority as it enables business processes to begin immediately after the interruption and not later than the declared mean time between failure (MTBF). Recovery of sensitive processes refers to recovering the vital and sensitive processes that can be performed manually at a tolerable cost for an extended period of time and those that are not marked as high priority. Repairing and restoring the site to original status and resuming the business operations are time consuming operations and are not the highest priority. Relocating operations to an alternative site, either temporarily or permanently depending on the interruption, is a time consuming process; moreover, relocation may not be required.
597、Which of the following types of data validation editing checks is used to determine if a field contains data, and not zeros or blanks?
A、Check digit
B、Existence check
C、Completeness check
D、Reasonableness check
ANSWER: C
NOTE: A completeness check is used to determine if a field contains data and not zeros or blanks. A check digit is a digit calculated mathematically to ensure original data were not altered. An existence check also checks entered data for agreement to predetermined criteria. A reasonableness check matches input to predetermined reasonable limits or occurrence rates.
598、Which of the following is a passive attack to a network?
A、Message modification
B、Masquerading
C、Denial of service
D、Traffic analysis
ANSWER: D
NOTE: The intruder determines the nature of the flow of traffic (traffic analysis) between defined hosts and is able to guess the type of communication taking place. Message modification involves the capturing of a message and making unauthorized changes or deletions, changing the sequence or delaying transmission of captured messages. Masquerading is an active attack in which the intruder presents an identity other than the original identity. Denial of service occurs when a computer connected to the Internet is flooded with data and/or requests that must be processed.
599、Which of the following is an object-oriented technology characteristic that permits an enhanced degree of security over data?
A、Inheritance
B、Dynamic warehousing
C、Encapsulation
D、Polymorphism
ANSWER: C
NOTE: Encapsulation is a property of objects, and it prevents accessing either properties or methods that have not been previously defined as public. This means that any implementation of the behavior of an object is not accessible. An object defines a communication interface with the exterior and only that which belongs to that interface can be accessed.
600、When performing a review of the structure of an electronic funds transfer (EFT) system, an IS auditor observes that the technological infrastructure is based on a centralized processing scheme that has been outsourced to a provider in another country. Based on this information, which of the following conclusions should be the main concern of the IS auditor?
A、There could be a question regarding the legal jurisdiction.
B、Having a provider abroad will cause excessive costs in future audits.
C、The auditing process will be difficult because of the distance.
D、There could be different auditing norms.
ANSWER: A
NOTE: In the funds transfer process, when the processing scheme is centralized in a different country, there could be legal issues of jurisdiction that might affect the right to perform a review in the other country. The other choices, though possible, are not as relevant as the issue of legal jurisdiction.
601、To develop a successful business continuity plan, end user involvement is critical during which of the following phases?
A、Business recovery strategy
B、Detailed plan development
C、Business impact analysis (BIA)
D、Testing and maintenance
ANSWER: C
NOTE: End user involvement is critical in the BIA phase. During this phase the current operations of the business need to be understood and the impact on the business of various disasters must be evaluated. End users are the appropriate persons to provide relevant information for these tasks. Inadequate end user involvement in this stage could result in an inadequate understanding of business priorities and the plan not meeting the requirements of the organization.
602、A hot site should be implemented as a recovery strategy when the:
A、disaster tolerance is low.
B、recovery point objective (RPO) is high.
C、recovery time objective (RTO) is high.
D、disaster tolerance is high.
ANSWER: A
NOTE: Disaster tolerance is the time gap during which the business can accept nonavailability of IT facilities. If this time gap is low, recovery strategies that can be implemented within a short period of time, such as a hot site, should be used. The RPO is the earliest point in time at which it is acceptable to recover the data. A high RPO means that the process can wait for a longer time. In such cases, other recovery alternatives, such as warm or cold sites, should be considered. A high RTO means that additional time would be available for the recovery strategy, thus making other recovery alternatives—such as warm or cold sites—viable alternatives.
603、Which of the following is the MOST important criterion when selecting a location for an offsite storage facility for IS backup files? The offsite facility must be:
A、physically separated from the data center and not subject to the same risks.
B、given the same level of protection as that of the computer data center.
C、outsourced to a reliable third party.
D、equipped with surveillance capabilities.
ANSWER: A
NOTE: It is important that there be an offsite storage location for IS files and that it be in a location not subject to the same risks as the primary data center. The other choices are all issues that must be considered when establishing the offsite location, but they are not as critical as the location selection.
604、The BEST way to minimize the risk of communication failures in an e-commerce environment would be to use:
A、compression software to minimize transmission duration.
B、functional or message acknowledgments.
C、a packet-filtering firewall to reroute messages.
D、leased asynchronous transfer mode lines.
ANSWER: D
NOTE: Leased asynchronous transfer mode lines are a way to avoid using public and shared infrastructures from the carrier or Internet service provider that have a greater number of communication failures. Choice A, compression software, is a valid way to reduce the problem, but is not as good as leased asynchronous transfer mode lines. Choice B is a control based on higher protocol layers and helps if communication lines are introducing noise, but not if a link is down. Choice C, a packet-filtering firewall, does not reroute messages.
605、Which of the following biometrics has the highest reliability and lowest false-acceptance rate (FAR)?
A、Palm scan
B、Face recognition
C、Retina scan
D、Hand geometry
ANSWER: C
NOTE: Retina scan uses optical technology to map the capillary pattern of an eye's retina. This is highly reliable and has the lowest false-acceptance rate (FAR) among the current biometric methods. Use of palm scanning entails placing a hand on a scanner where a palm's physical characteristics are captured. Hand geometry, one of the oldest techniques, measures the physical characteristics of the user's hands and fingers from a three dimensional perspective. The palm and hand biometric techniques lack uniqueness in the geometry data. In face biometrics, a reader analyzes the images captured for general facial characteristics. Though considered a natural and friendly biometric, the main disadvantage of face recognition is the lack of uniqueness, which means that people looking alike can fool the device.
606、Electromagnetic emissions from a terminal represent an exposure because they:
A、affect noise pollution.
B、disrupt processor functions.
C、produce dangerous levels of electric current.
D、can be detected and displayed.
ANSWER: D
NOTE: Emissions can be detected by sophisticated equipment and displayed, thus giving unauthorized persons access to data. They should not cause disruption of CPUs or affect noise pollution.
607、An IS auditor conducting an access control review in a client-server environment discovers that all printing options are accessible by all users. In this situation, the IS auditor is MOST likely to conclude that:
A、exposure is greater, since information is available to unauthorized users.
B、operating efficiency is enhanced, since anyone can print any report at any time.
C、operating procedures are more effective, since information is easily available.
D、user friendliness and flexibility is facilitated, since there is a smooth flow of information among users.
ANSWER: A
NOTE: Information in all its forms needs to be protected from unauthorized access. Unrestricted access to the report option results in an exposure. Efficiency and effectiveness are not relevant factors in this situation. Greater control over reports will not be accomplished since reports need not be in a printed form only. Information could be transmitted outside as electronic files, because print options allow for printing in an electronic form as well.
608、The PRIMARY purpose for meeting with auditees prior to formally closing a review is to:
A、confirm that the auditors did not overlook any important issues.
B、gain agreement on the findings.
C、receive feedback on the adequacy of the audit procedures.
D、test the structure of the final presentation.
ANSWER: B
NOTE: The primary purpose for meeting with auditees prior to formally closing a review is to gain agreement on the findings. The other choices, though related to the formal closure of an audit, are of secondary importance.
609、In the 2c area of the diagram, there are three hubs connected to each other. What potential risk might this indicate?
A、Virus attack
B、Performance degradation
C、Poor management controls
D、Vulnerability to external hackers
ANSWER: B
NOTE: Hubs are internal devices that usually have no direct external connectivity, and thus are not prone to hackers. There are no known viruses that are specific to hub attacks. While this situation may be an indicator of poor management controls, choice B is more likely when the practice of stacking hubs and creating more terminal connections is used.
610、When developing a risk management program, what is the FIRST activity to be performed?
A、Threat assessment
B、Classification of data
C、Inventory of assets
D、Criticality analysis
ANSWER: C
NOTE: Identification of the assets to be protected is the first step in the development of a risk management program. A listing of the threats that can affect the performance of these assets and criticality analysis are later steps in the process. Data classification is required for defining access controls and in criticality analysis.
611、The role of the certificate authority (CA) as a third party is to:
A、provide secured communication and networking services based on certificates.
B、host a repository of certificates with the corresponding public and secret keys issued by that CA.
C、act as a trusted intermediary between two communication partners.
D、confirm the identity of the entity owning a certificate issued by that CA.
ANSWER: D
NOTE: The primary activity of a CA is to issue certificates. The primary role of the CA is to check the identity of the entity owning a certificate and to confirm the integrity of any certificate it issued. Providing a communication infrastructure is not a CA activity. The secret keys belonging to the certificates would not be archived at the CA. The CA can contribute to authenticating the communicating partners to each other, but the CA is not involved in the communication stream itself.
612、When transmitting a payment instruction, which of the following will help verify that the instruction was not duplicated?
A、Use of a cryptographic hashing algorithm
B、Enciphering the message digest
C、Deciphering the message digest
D、A sequence number and time stamp
ANSWER: D
NOTE: When transmitting data, a sequence number and/or time stamp built into the message to make it unique can be checked by the recipient to ensure that the message was not intercepted and replayed. This is known as replay protection, and could be used to verify that a payment instruction was not duplicated. Use of a cryptographic hashing algorithm against the entire message helps achieve data integrity. Enciphering the message digest using the sender's private key, which applies the sender's digital signature to the document, helps in authenticating the transaction. When the message is deciphered by the receiver using the sender's public key, it ensures that the message could only have come from the sender. This process of sender authentication achieves nonrepudiation.
613、Which of the following manages the digital certificate life cycle to ensure adequate security and controls exist in digital signature applications related to e-commerce?
A、Registration authority
B、Certificate authority (CA)
C、Certificate revocation list (CRL)
D、Certification practice statement
ANSWER: B
NOTE: The certificate authority maintains a directory of digital certificates for the reference of those receiving them. It manages the certificate life cycle, including certificate directory maintenance and certificate revocation list maintenance and publication. Choice A is not correct because a registration authority is an optional entity that is responsible for the administrative tasks associated with registering the end entity that is the subject of the certificate issued by the CA. Choice C is incorrect since a CRL is an instrument for checking the continued validity of the certificates for which the CA has responsibility. Choice D is incorrect because a certification practice statement is a detailed set of rules governing the certificate authority's operations.
614、Which of the following must exist to ensure the viability of a duplicate information processing facility?
A、The site is near the primary site to ensure quick and efficient recovery.
B、The site contains the most advanced hardware available.
C、The workload of the primary site is monitored to ensure adequate backup is available.
D、The hardware is tested when it is installed to ensure it is working properly.
ANSWER: C
NOTE: Resource availability must be assured. The workload of the site must be monitored to ensure that availability for emergency backup use is not impaired. The site chosen should not be subject to the same natural disaster as the primary site. In addition, a reasonable compatibility of hardware/software must exist to serve as a basis for backup. The latest or newest hardware may not adequately serve this need. Testing the hardware when the site is established is essential, but regular testing of the actual backup data is necessary to ensure the operation will continue to perform as planned.
615、Which of the following provides the framework for designing and developing logical access controls?
A、Information systems security policy
B、Access control lists
C、Password management
D、System configuration files
ANSWER: A
NOTE: The information systems security policy developed and approved by an organization's top management is the basis upon which logical access control is designed and developed. Access control lists, password management and system configuration files are tools for implementing the access controls.
616、Transmitting redundant information with each character or frame to facilitate detection and correction of errors is called a:
A、feedback error control.
B、block sum check.
C、forward error control.
D、cyclic redundancy check.
ANSWER: C
NOTE: Forward error control involves transmitting additional redundant information with each character or frame to facilitate detection and correction of errors. In feedback error control, only enough additional information is transmitted so the receiver can identify that an error has occurred. Choices B and D are both error detection methods but not error correction methods. Block sum check is an extension of parity check wherein an additional set of parity bits is computed for a block of characters. A cyclic redundancy check is a technique wherein a single set of check digits is generated, based on the contents of the frame, for each frame transmitted.
617、Which of the following programs would a sound information security policy MOST likely include to handle suspected intrusions?
A、Response
B、Correction
C、Detection
D、Monitoring
ANSWER: A
NOTE: A sound IS security policy will most likely outline a response program to handle suspected intrusions. Correction, detection and monitoring programs are all aspects of information security, but will not likely be included in an IS security policy statement.
618、In planning an audit, the MOST critical step is the identification of the:
A、areas of high risk.
B、skill sets of the audit staff.
C、test steps in the audit.
D、time allotted for the audit.
ANSWER: A
NOTE: When designing an audit plan, it is important to identify the areas of highest risk to determine the areas to be audited. The skill sets of the audit staff should have been considered before deciding and selecting the audit. Test steps for the audit are not as critical as identifying the areas of risk, and the time allotted for an audit is determined by the areas to be audited, which are primarily selected based on the identification of risks.
619、An IS auditor is reviewing an IT security risk management program. Measures of security risk should:
A、address all of the network risks.
B、be tracked over time against the IT strategic plan.
C、take into account the entire IT environment.
D、result in the identification of vulnerability tolerances.
ANSWER: C
NOTE: When assessing IT security risk, it is important to take into account the entire IT environment. Measures of security risk should focus on those areas with the highest criticality so as to achieve maximum risk reduction at the lowest possible cost. IT strategic plans are not granular enough to provide appropriate measures. Objective metrics must be tracked over time against measurable goals; thus the management of risk is enhanced by comparing today's results against last week, last month and last quarter. Risk measures will profile assets on a network to objectively measure vulnerability risk. They do not identify tolerances.
620、The reason for establishing a stop or freezing point on the design of a new system is to:
A、prevent further changes to a project in process.
B、indicate the point at which the design is to be completed.
C、require that changes after that point be evaluated for cost-effectiveness.
D、provide the project management team with more control over the project design.
ANSWER: C
NOTE: Projects often have a tendency to expand, especially during the requirements definition phase. This expansion often grows to a point where the originally anticipated cost-benefits are diminished because the cost of the project has increased. When this occurs, it is recommended that the project be stopped or frozen to allow a review of all of the cost-benefits and the payback period.
621、With respect to business continuity strategies, an IS auditor interviews key stakeholders in an organization to determine whether they understand their roles and responsibilities. The IS auditor is attempting to evaluate the:
A、clarity and simplicity of the business continuity plans.
B、adequacy of the business continuity plans.
C、effectiveness of the business continuity plans.
D、ability of IS and end-user personnel to respond effectively in emergencies.
ANSWER: A
NOTE: The IS auditor should interview key stakeholders to evaluate how well they understand their roles and responsibilities. When all stakeholders have a detailed understanding of their roles and responsibilities in the event of a disaster, an IS auditor can deem the business continuity plan to be clear and simple. To evaluate adequacy, the IS auditor should review the plans and compare them to appropriate standards. To evaluate effectiveness, the IS auditor should review the results from previous tests. This is the best determination for the evaluation of effectiveness. An understanding of roles and responsibilities by key stakeholders will assist in ensuring the business continuity plan is effective. To evaluate the response, the IS auditor should review results of continuity tests. This will provide the IS auditor with assurance that target and recovery times are met. Emergency procedures and employee training need to be reviewed to determine whether the organization had implemented plans to allow for the effective response.
622、Which of the following intrusion detection systems (IDSs) monitors the general patterns of activity and traffic on a network and creates a database?
A、Signature-based
B、Neural networks-based
C、Statistical-based
D、Host-based
ANSWER: B
NOTE: A neural networks-based IDS monitors the general patterns of activity and traffic on the network and creates a database of them. It resembles the statistical model but adds self-learning, so the model of "normal" is refined as traffic is observed. Signature-based systems store the intrusive patterns they recognize as signatures and can therefore only detect intrusion patterns that are already known. Statistical-based systems need a comprehensive definition of the known and expected behavior of the systems being monitored, against which deviations are measured. Host-based is not a detection method but a deployment category of IDS, configured for a specific environment; a host-based IDS monitors internal resources of the operating system to warn of a possible attack.
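Statistical and neural-network IDSs both start from a model of expected behaviour and flag deviations from it. The following is an added example, not part of the question bank, of the statistical model in its simplest form: a per-host baseline learned from a known-good window, then a z-score test on live observations. The hosts, connection counts and the 3-sigma threshold are constructed for illustration.

```python
"""Added example (not from the question bank): a minimal statistical-based
IDS. It learns the expected behaviour of each host from a known-good training
window and flags later observations that deviate by more than k standard
deviations. All data below are constructed."""
from statistics import mean, pstdev

# Constructed sample: per-minute counts of new outbound connections per host.
# The training window is assumed to be attack-free; it is the "comprehensive
# definition of known and expected behaviour" the statistical model needs.
TRAINING = {
    "10.0.0.5": [12, 15, 11, 14, 13, 16, 12, 14, 13, 15],
    "10.0.0.9": [40, 42, 38, 45, 41, 39, 44, 43, 40, 42],
}
# Constructed live observations: host .5 suddenly opens 120 connections in a
# minute (a port scan, say); host .9 stays inside its normal band; host .7
# was never seen during training.
LIVE = [
    ("10.0.0.5", 14), ("10.0.0.9", 41),
    ("10.0.0.5", 120), ("10.0.0.9", 46),
    ("10.0.0.7", 30),
]


def build_profile(training, floor=1.0):
    """Per-host baseline: (mean, standard deviation) of the metric.
    The floor on sigma avoids a zero divisor for a perfectly constant host."""
    return {host: (mean(xs), max(pstdev(xs), floor))
            for host, xs in training.items()}


def score(profile, host, value, k=3.0):
    """Return (is_alert, z) for one observation. A host with no baseline is
    itself an anomaly, so it is flagged with z = None."""
    if host not in profile:
        return True, None
    mu, sigma = profile[host]
    z = (value - mu) / sigma
    return abs(z) > k, z


def detect(training, live, k=3.0):
    """Run every live observation against the learned profile and return the
    alerts as (host, value, z-score rounded to one decimal or None)."""
    profile = build_profile(training)
    alerts = []
    for host, value in live:
        flagged, z = score(profile, host, value, k)
        if flagged:
            alerts.append((host, value, None if z is None else round(z, 1)))
    return alerts


if __name__ == "__main__":
    for alert in detect(TRAINING, LIVE):
        print("ALERT", alert)
```

The baseline is only as good as the window it was learned from: if the training window already contained the scan, the mean and deviation absorb it and the same scan later passes unflagged, which is why the statistical model needs a trustworthy definition of expected behaviour. A signature-based system, by contrast, would catch this scan only if a matching signature already existed.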
623、Which of the following is the PRIMARY advantage of using computer forensic software for investigations?
A、The preservation of the chain of custody for electronic evidence
B、Time and cost savings
C、Efficiency and effectiveness
D、Ability to search for violations of intellectual property rights
ANSWER: A
NOTE: The primary objective of forensic software is to preserve electronic evidence so that it meets the rules of evidence, for example by imaging media rather than working on the original and by hashing the image so that its integrity, and thus the chain of custody, can be demonstrated later. Choices B (time and cost savings) and C (efficiency and effectiveness) are legitimate concerns that distinguish good forensic packages from poor ones, but they are not the reason such software is used. Choice D, the ability to search for intellectual property rights violations, is one use of forensic software, not its primary advantage.
624、An accuracy measure for a biometric system is:
A、system response time.
B、registration time.
C、input file size.
D、false-acceptance rate.
ANSWER: D
NOTE: For a biometric solution three main accuracy measures are used: false-rejection rate (FRR), cross-error rate (CER, also called the equal error rate, EER) and false-acceptance rate (FAR). FRR measures how often valid individuals are rejected (a type I error, an availability cost). FAR measures how often invalid individuals are accepted (a type II error, the one with security impact). CER is the error rate at the matching threshold where FRR and FAR are equal; the lower the CER, the more accurate the system. Choices A and B are performance measures, not accuracy measures, and choice C is irrelevant.
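How the three accuracy measures relate is easier to see with numbers. The following is an added example, not part of the question bank: given matcher scores for genuine users and impostors (constructed values), it computes FRR and FAR at every candidate threshold, finds the crossover where they are equal (the CER), and shows the FRR cost of a policy that demands a given maximum FAR.

```python
"""Added example (not from the question bank): deriving FRR, FAR and the
crossover (CER/EER) from matcher scores. The scores below are constructed;
higher means the probe resembles the enrolled template more closely."""

# Constructed match scores (0-100) from two populations.
GENUINE = [92, 88, 95, 81, 77, 90, 85, 73, 96, 89]    # legitimate users
IMPOSTORS = [45, 60, 52, 71, 38, 66, 74, 49, 57, 63]  # unauthorised users


def frr(genuine, threshold):
    """False-rejection rate: genuine attempts scoring below the threshold."""
    return sum(1 for s in genuine if s < threshold) / len(genuine)


def far(impostors, threshold):
    """False-acceptance rate: impostor attempts scoring at or above it."""
    return sum(1 for s in impostors if s >= threshold) / len(impostors)


def error_curve(genuine, impostors, thresholds):
    """(threshold, FRR, FAR) for each candidate threshold."""
    return [(t, frr(genuine, t), far(impostors, t)) for t in thresholds]


def crossover(genuine, impostors, thresholds):
    """Threshold where |FRR - FAR| is smallest (lowest threshold on a tie),
    and the error rate there, i.e. the CER."""
    best = min(error_curve(genuine, impostors, thresholds),
               key=lambda row: (abs(row[1] - row[2]), row[0]))
    t, r, a = best
    return t, (r + a) / 2


def threshold_for_max_far(genuine, impostors, thresholds, max_far):
    """Lowest threshold that keeps FAR within the policy limit, with the FRR
    the users will pay for it; None if no threshold satisfies the limit."""
    for t, r, a in error_curve(genuine, impostors, thresholds):
        if a <= max_far:
            return t, r
    return None


if __name__ == "__main__":
    t, cer = crossover(GENUINE, IMPOSTORS, range(0, 101))
    print(f"crossover at threshold {t}: CER = {cer:.2f}")
    t, cost = threshold_for_max_far(GENUINE, IMPOSTORS, range(0, 101), 0.0)
    print(f"FAR = 0 needs threshold {t}, FRR rises to {cost:.2f}")
```

Raising the threshold lowers FAR and raises FRR; the crossover is a single-number summary of accuracy, but a security-sensitive deployment will normally sit above it, accepting more false rejections in exchange for fewer false acceptances.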
625、In which of the following situations is it MOST appropriate to implement data mirroring as the recovery strategy?
A、Disaster tolerance is high.
B、Recovery time objective is high.
C、Recovery point objective is low.
D、Recovery point objective is high.
ANSWER: C
NOTE: A recovery point objective (RPO) is the maximum data loss, measured in time, that the business can accept; it marks how far back in time the recovered data may be. A low RPO (little tolerance for lost data) calls for data mirroring, in which writes are replicated to the secondary copy as they occur. The recovery time objective (RTO) is an indicator of disaster tolerance: the lower the RTO, the lower the tolerance for downtime. Mirroring addresses data loss rather than restoration time, so choice C is correct.
626、During an audit of a business continuity plan (BCP), an IS auditor found that, although all departments were housed in the same building, each department had a separate BCP. The IS auditor recommended that the BCPs be reconciled. Which of the following areas should be reconciled FIRST?
A、Evacuation plan
B、Recovery priorities
C、Backup storages
D、Call tree
ANSWER: A
NOTE: Protecting people during a disaster-related event must be addressed first. Separate BCPs for departments sharing one building could produce conflicting evacuation plans, jeopardizing the safety of staff and clients. Choices B, C and D may legitimately differ between departments and can be addressed separately, but they should still be reviewed for conflicts and for opportunities to reduce cost, once the human-safety issue has been analyzed.
627、A company has decided to implement an electronic signature scheme based on public key infrastructure. The user's private key will be stored on the computer's hard drive and protected by a password. The MOST significant risk of this approach is:
A、impersonation of a user by substitution of the user's public key with another person's public key.
B、forgery by using another user's private key to sign a message with an electronic signature.
C、use of the user's electronic signature by another person if the password is compromised.
D、forgery by substitution of another person's private key on the computer.
ANSWER: C
NOTE: The user's private key, and therefore the user's signature, is protected only by a password. Anyone who compromises the password can sign in the user's name, and a key on a general-purpose hard drive is also exposed to copying by malware or by anyone with access to the machine or its backups; this is the most significant risk. Choice A would require subversion of the public key infrastructure itself (binding another person's public key to this user's identity), which is very difficult and least likely. Choice B would make the message appear to come from a different person, so the true user's credentials are not forged. Choice D has the same consequence as choice B.
628、Which of the following represents the GREATEST risk created by a reciprocal agreement for disaster recovery made between two companies?
A、Developments may result in hardware and software incompatibility.
B、Resources may not be available when needed.
C、The recovery plan cannot be tested.
D、The security infrastructures in each company may be different.
ANSWER: A
NOTE: If one organization updates its hardware and software configuration, its systems may no longer be compatible with those of the other party, leaving each company unable to use the other's facilities to recover processing after a disaster. Resources being unavailable when needed is an intrinsic risk of any reciprocal agreement, but it is a contractual matter and not the greatest risk. The plan can be tested by paper-based walkthroughs and, by agreement between the companies, possibly by live tests. The difference in security infrastructures is a risk, but not an insurmountable one.
629、Which of the following BEST limits the impact of server failures in a distributed environment?
A、Redundant pathways
B、Clustering
C、Dial backup lines
D、Standby power
ANSWER: B
NOTE: Clustering allows two or more servers to work as a unit, so that when one of them fails another takes over its workload. Choices A and C minimize the impact of communication channel failures, not server failures. Choice D provides an alternative power source in the event of a power failure.
630、Before implementing an IT balanced scorecard, an organization must:
A、deliver effective and efficient services.
B、define key performance indicators.
C、provide business value to IT projects.
D、control IT expenses.
ANSWER: B
NOTE: Key performance indicators must be defined before an IT balanced scorecard can be implemented; without them there is nothing for the scorecard to measure. Choices A, C and D are objectives the scorecard is meant to track, not prerequisites.
631、A substantive test to verify that tape library inventory records are accurate is:
A、determining whether bar code readers are installed.
B、determining whether the movement of tapes is authorized.
C、conducting a physical count of the tape inventory.
D、checking if receipts and issues of tapes are accurately recorded.
ANSWER: C
NOTE: A substantive test includes gathering evidence to evaluate the integrity of individual transactions, data or other information. Conducting a physical count of the tape inventory is a substantive test. Choices A, B and D are compliance tests.
632、A TCP/IP-based environment is exposed to the Internet. Which of the following BEST ensures that complete encryption and authentication protocols exist for protecting information while transmitted?
A、Work is completed in tunnel mode with IP security using the nested services of authentication header (AH) and encapsulating security payload (ESP).
B、A digital signature with RSA has been implemented.
C、Digital certificates with RSA are being used.
D、Work is being completed in TCP services.
ANSWER: A
NOTE: Tunnel mode with IP security (IPsec) provides encryption and authentication of the complete IP packet, including the original IP header, which is encapsulated in a new one. To accomplish this, the AH and ESP services can be nested. Choices B and C provide authentication and integrity but not confidentiality of the transmitted data. TCP services by themselves provide neither encryption nor authentication. In current deployments ESP alone, configured with an integrity algorithm or an AEAD cipher, supplies both services; AH is rarely used because it authenticates the outer IP header and therefore does not survive network address translation.
633、A manufacturing firm wants to automate its invoice payment system. Objectives state that the system should require considerably less time for review and authorization and the system should be capable of identifying errors that require follow up. Which of the following would BEST meet these objectives?
A、Establishing an inter-networked system of client servers with suppliers for increased efficiencies
B、Outsourcing the function to a firm specializing in automated payments and accounts receivable/invoice processing
C、Establishing an EDI system of electronic business documents and transactions with key suppliers, computer to computer, in a standard format
D、Reengineering the existing processing and redesigning the existing system
ANSWER: C
NOTE: EDI is the best answer. Properly implemented (e.g., with agreements with trading partners, transaction standards, and controls over network security mechanisms in conjunction with application controls), EDI is best suited to identify and follow up on errors more quickly, given the reduced opportunities for manual review and authorization.
634、An IS auditor has imported data from the client's database. The next step—confirming whether the imported data are complete—is performed by:
A、matching control totals of the imported data to control totals of the original data.
B、sorting the data to confirm whether the data are in the same order as the original data.
C、reviewing the printout of the first 100 records of original data with the first 100 records of imported data.
D、filtering data for different categories and matching them to the original data.
ANSWER: A
NOTE: Matching control totals of the imported data with control totals of the original data is the next logical step, as this confirms the completeness of the imported data. It is not possible to confirm completeness by sorting the imported data, because the original data may not be in sorted order. Further, sorting does not provide control totals for verifying completeness. Reviewing a printout of 100 records of original data with 100 records of imported data is a process of physical verification and confirms the accuracy of only these records. Filtering data for different categories and matching them to original data would still require that control totals be developed to confirm the completeness of the data.
635、While conducting an audit of a service provider, an IS auditor observes that the service provider has outsourced a part of the work to another provider. Since the work involves confidential information, the IS auditor's PRIMARY concern should be that the:
A、requirement for protecting confidentiality of information could be compromised.
B、contract may be terminated because prior permission from the outsourcer was not obtained.
C、other service provider to whom work has been outsourced is not subject to audit.
D、outsourcer will approach the other service provider directly for further work.
ANSWER: A
NOTE: Many countries have enacted regulations to protect the confidentiality of information maintained in their countries and/or exchanged with other countries. Where a service provider outsources part of its services to another service provider, there is a potential risk that the confidentiality of the information will be compromised. Choices B and C could be concerns but are not related to ensuring the confidentiality of information. There is no reason why an IS auditor should be concerned with choice D.
636、The BEST method of proving the accuracy of a system tax calculation is by:
A、detailed visual review and analysis of the source code of the calculation programs.
B、recreating program logic using generalized audit software to calculate monthly totals.
C、preparing simulated transactions for processing and comparing the results to predetermined results.
D、automatic flowcharting and analysis of the source code of the calculation programs.
ANSWER: C
NOTE: Preparing simulated transactions for processing and comparing the results to predetermined results is the best method for proving accuracy of a tax calculation. Detailed visual review, flowcharting and analysis of source code are not effective methods, and monthly totals would not address the accuracy of individual tax calculations.
637、The IS management of a multinational company is considering upgrading its existing virtual private network (VPN) to support voice-over IP (VoIP) communications via tunneling. Which of the following considerations should be PRIMARILY addressed?
A、Reliability and quality of service (QoS)
B、Means of authentication
C、Privacy of voice transmissions
D、Confidentiality of data transmissions
ANSWER: A
NOTE: The company currently has a VPN; issues such as authentication and confidentiality have been implemented by the VPN using tunneling. Privacy of voice transmissions is provided by the VPN protocol. Reliability and QoS are, therefore, the primary considerations to be addressed.
638、Which of the following would prevent unauthorized changes to information stored in a server's log?
A、Write-protecting the directory containing the system log
B、Writing a duplicate log to another server
C、Daily printing of the system log
D、Storing the system log in write-once media
ANSWER: D
NOTE: Storing the system log in write-once media ensures the log cannot be modified. Write-protecting the system log does not prevent deletion or modification, since the superuser or users that have special permission can override the write protection. Writing a duplicate log to another server or daily printing of the system log cannot prevent unauthorized changes.
639、An advantage of using sanitized live transactions in test data is that:
A、all transaction types will be included.
B、every error condition is likely to be tested.
C、no special routines are required to assess the results.
D、test transactions are representative of live processing.
ANSWER: D
NOTE: Test data will be representative of live processing; however, it is unlikely that all transaction types or error conditions will be tested in this way.
640、Reconfiguring which of the following firewall types will prevent inward downloading of files through the File Transfer Protocol (FTP)?
A、Circuit gateway
B、Application gateway
C、Packet filter
D、Screening router
ANSWER: B
NOTE: An application gateway firewall understands the application protocol and is therefore effective in preventing a specific application, such as FTP, from entering the organization's network. A circuit gateway firewall is able to prevent paths or circuits, not applications, from entering the organization's network. A packet filter firewall or screening router allows or denies traffic based on IP packet header fields such as addresses, without inspecting the application content.
641、A company has implemented a new client-server enterprise resource planning (ERP) system. Local branches transmit customer orders to a central manufacturing facility. Which of the following would BEST ensure that the orders are entered accurately and the corresponding products are produced?
A、Verifying production to customer orders
B、Logging all customer orders in the ERP system
C、Using hash totals in the order transmitting process
D、Approving (production supervisor) orders prior to production
ANSWER: A
NOTE: Verification will ensure that production orders match customer orders. Logging can be used to detect inaccuracies, but does not in itself guarantee accurate processing. Hash totals will ensure accurate order transmission, but not accurate processing centrally. Production supervisory approval is a time consuming, manual process that does not guarantee proper control.
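Questions 634 and 641 both rest on control totals, so one added example (not from the question bank) serves both: it computes a record count, a financial total, a hash total over a field with no business meaning, and a digest over the canonical records, then reconciles an original batch against an import that lost one record and had another altered. Both datasets and the field names are constructed for illustration.

```python
"""Added example (not from the question bank): control totals used to confirm
that an imported or transmitted batch is complete and unaltered. Both datasets
and their field names are constructed."""
import hashlib
from decimal import Decimal

# Constructed original batch as held in the source database.
ORIGINAL = [
    {"order_id": 1001, "customer": "C-17", "qty": 3, "amount": "120.00"},
    {"order_id": 1002, "customer": "C-02", "qty": 1, "amount": "45.50"},
    {"order_id": 1003, "customer": "C-17", "qty": 10, "amount": "980.00"},
    {"order_id": 1004, "customer": "C-09", "qty": 2, "amount": "60.00"},
]
# Constructed import: order 1003 was lost and the quantity of 1004 changed.
IMPORTED = [
    {"order_id": 1001, "customer": "C-17", "qty": 3, "amount": "120.00"},
    {"order_id": 1002, "customer": "C-02", "qty": 1, "amount": "45.50"},
    {"order_id": 1004, "customer": "C-09", "qty": 20, "amount": "60.00"},
]


def control_totals(records):
    """Four classic control totals plus a cryptographic digest.
    The sum of order_id has no business meaning, which is exactly what makes
    it a hash total: it changes whenever a record is dropped or substituted.
    The digest covers every field of every record in a canonical order, so
    it also catches edits that leave all the arithmetic totals unchanged."""
    digest = hashlib.sha256()
    for r in sorted(records, key=lambda r: r["order_id"]):
        canon = f'{r["order_id"]}|{r["customer"]}|{r["qty"]}|{Decimal(r["amount"])}'
        digest.update(canon.encode("utf-8"))
    return {
        "count": len(records),
        "amount_total": sum(Decimal(r["amount"]) for r in records),
        "hash_total": sum(r["order_id"] for r in records),
        "qty_total": sum(r["qty"] for r in records),
        "digest": digest.hexdigest(),
    }


def reconcile(original, imported):
    """Names of the control totals that disagree; an empty list means the
    import is complete and unaltered with respect to the fields covered."""
    a, b = control_totals(original), control_totals(imported)
    return [k for k in a if a[k] != b[k]]


def missing_ids(original, imported):
    """Once the totals disagree, the auditor drills down: which records are
    in the original but not in the import?"""
    return sorted({r["order_id"] for r in original}
                  - {r["order_id"] for r in imported})


if __name__ == "__main__":
    print("mismatched totals:", reconcile(ORIGINAL, IMPORTED))
    print("missing orders:", missing_ids(ORIGINAL, IMPORTED))
```

A financial total alone misses an altered quantity when the amount is unchanged, and a record count alone misses a substitution; the combination, plus the digest, tells the auditor whether the batch is complete and unaltered. As the note to question 641 says, matching totals only show that the data arrived intact, not that it was processed correctly afterwards.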
642、Which of the following procedures would MOST effectively detect the loading of illegal software packages onto a network?
A、The use of diskless workstations
B、Periodic checking of hard drives
C、The use of current antivirus software
D、Policies that result in instant dismissal if violated
ANSWER: B
NOTE: The periodic checking of hard drives would be the most effective method of identifying illegal software packages loaded to the network. Antivirus software will not necessarily identify illegal software, unless the software contains a virus. Diskless workstations act as a preventive control and are not effective, since users could still download software from other than diskless workstations. Policies lay out the rules about loading the software, but will not detect the actual occurrence.
643、Management considered two projections for its business continuity plan; plan A with two months to recover and plan B with eight months to recover. The recovery objectives are the same in both plans. It is reasonable to expect that plan B projected higher:
A、downtime costs.
B、resumption costs.
C、recovery costs.
D、walkthrough costs.
ANSWER: A
NOTE: Since the recovery time is longer in plan B, resumption and recovery costs can be expected to be lower. Walkthrough costs are not a part of disaster recovery. Since the management considered a higher window for recovery in plan B, downtime costs included in the plan are likely to be higher.
644、An IS auditor conducting a review of software usage and licensing discovers that numerous PCs contain unauthorized software. Which of the following actions should the IS auditor take?
A、Personally delete all copies of the unauthorized software.
B、Inform the auditee of the unauthorized software, and follow up to confirm deletion.
C、Report the use of the unauthorized software and the need to prevent recurrence to auditee management.
D、Take no action, as it is a commonly accepted practice and operations management is responsible for monitoring such use.
ANSWER: C
NOTE: The use of unauthorized or illegal software should be prohibited by an organization. Software piracy results in inherent exposure and can result in severe fines. An IS auditor must convince the user and user management of the risk and the need to eliminate the risk. An IS auditor should not assume the role of the enforcing officer and take on any personal involvement in removing or deleting the unauthorized software.
645、To aid management in achieving IT and business alignment, an IS auditor should recommend the use of:
A、control self-assessments.
B、a business impact analysis.
C、an IT balanced scorecard.
D、business process reengineering.
ANSWER: C
NOTE: An IT balanced scorecard (BSC) provides the bridge between IT objectives and business objectives by supplementing the traditional financial evaluation with measures to evaluate customer satisfaction, internal processes and the ability to innovate. Control self-assessment (CSA), business impact analysis (BIA) and business process reengineering (BPR) are insufficient to align IT with organizational objectives.
646、A disaster recovery plan for an organization's financial system specifies that the recovery point objective (RPO) is no data loss and the recovery time objective (RTO) is 72 hours. Which of the following is the MOST cost-effective solution?
A、A hot site that can be operational in eight hours with asynchronous backup of the transaction logs
B、Distributed database systems in multiple locations updated asynchronously
C、Synchronous updates of the data and standby active systems in a hot site
D、Synchronous remote copy of the data in a warm site that can be operational in 48 hours
ANSWER: D
NOTE: The synchronous copy of the storage achieves the RPO objective and a warm site operational in 48 hours meets the required RTO. Asynchronous updates of the database in distributed locations do not meet the RPO. Synchronous updates of the data and standby active systems in a hot site meet the RPO and RTO requirements but are more costly than a warm site solution.
647、The success of control self-assessment (CSA) highly depends on:
A、having line managers assume a portion of the responsibility for control monitoring.
B、assigning staff managers the responsibility for building, but not monitoring, controls.
C、the implementation of a stringent control policy and rule-driven controls.
D、the implementation of supervision and the monitoring of controls of assigned duties.
ANSWER: A
NOTE: The primary objective of a CSA program is to leverage the internal audit function by shifting some of the control monitoring responsibilities to the functional area line managers. The success of a control self-assessment (CSA) program depends on the degree to which line managers assume responsibility for controls. Choices B, C and D are characteristics of a traditional audit approach, not a CSA approach.
648、A comprehensive and effective e-mail policy should address the issues of e-mail structure, policy enforcement, monitoring and:
A、recovery.
B、retention.
C、rebuilding.
D、reuse.
ANSWER: B
NOTE: Besides being a good practice, laws and regulations may require that an organization keep information that has an impact on the financial statements. The prevalence of lawsuits in which e-mail communication is held in the same regard as the official form of classic “paper” makes the retention of corporate e-mail a necessity. All e-mail generated on an organization's hardware is the property of the organization, and an e-mail policy should address the retention of messages, considering both known and unforeseen litigation. The policy should also address the destruction of e-mails after a specified time to protect the nature and confidentiality of the messages themselves. Addressing the retention issue in the e-mail policy would facilitate recovery, rebuilding and reuse.
649、When reviewing system parameters, an IS auditor's PRIMARY concern should be that:
A、they are set to meet security and performance requirements.
B、changes are recorded in an audit trail and periodically reviewed.
C、changes are authorized and supported by appropriate documents.
D、access to parameters in the system is restricted.
ANSWER: A
NOTE: The primary concern is to find the balance between security and performance. Recording changes in an audit trail and periodically reviewing them is a detective control; however, if parameters are not set according to business rules, monitoring of changes may not be an effective control. Reviewing changes to ensure they are supported by appropriate documents is also a detective control. If parameters are set incorrectly, the related documentation and the fact that these are authorized does not reduce the impact. Restriction of access to parameters ensures that only authorized staff can access the parameters; however, if the parameters are set incorrectly, restricting access will still have an adverse impact.
650、When evaluating the collective effect of preventive, detective or corrective controls within a process, an IS auditor should be aware of which of the following?
A、The point at which controls are exercised as data flow through the system
B、Only preventive and detective controls are relevant
C、Corrective controls can only be regarded as compensating
D、Classification allows an IS auditor to determine which controls are missing
ANSWER: A
NOTE: An IS auditor should focus on when controls are exercised as data flow through a computer system, because the collective effect depends on where in the flow each control acts. Choice B is incorrect since corrective controls may also be relevant. Choice C is incorrect, since corrective controls remove or reduce the effects of errors or irregularities and are not exclusively regarded as compensating controls. Choice D is incorrect and irrelevant, since it is the existence and function of controls that matters, not their classification.
651、Which of the following would MOST likely indicate that a customer data warehouse should remain in-house rather than be outsourced to an offshore operation?
A、Time zone differences could impede communications between IT teams.
B、Telecommunications cost could be much higher in the first year.
C、Privacy laws could prevent cross-border flow of information.
D、Software development may require more detailed specifications.
ANSWER: C
NOTE: Privacy laws prohibiting the cross-border flow of personally identifiable information would make it impossible to locate a data warehouse containing customer information in another country. Time zone differences and higher telecommunications costs are more manageable. Software development typically requires more detailed specifications when dealing with offshore operations.
652、While planning an audit, an assessment of risk should be made to provide:
A、reasonable assurance that the audit will cover material items.
B、definite assurance that material items will be covered during the audit work.
C、reasonable assurance that all items will be covered by the audit.
D、sufficient assurance that all items will be covered during the audit work.
ANSWER: A
NOTE: The ISACA IS Auditing Guideline G15 on planning the IS audit states, “An assessment of risk should be made to provide reasonable assurance that material items will be adequately covered during the audit work. This assessment should identify areas with a relatively high risk of the existence of material problems.” Definite assurance that material items will be covered during the audit work is an impractical proposition. Reasonable assurance that all items will be covered during the audit work is not the correct answer, as material items need to be covered, not all items.
653、The PRIMARY objective of testing a business continuity plan is to:
A、familiarize employees with the business continuity plan.
B、ensure that all residual risks are addressed.
C、exercise all possible disaster scenarios.
D、identify limitations of the business continuity plan.
ANSWER: D
NOTE: Testing the business continuity plan provides the best evidence of any limitations that may exist. Familiarizing employees with the business continuity plan is a secondary benefit of a test. It is not cost effective to address residual risks in a business continuity plan, and it is not practical to test all possible disaster scenarios.
654、During the requirements definition phase for a database application, performance is listed as a top priority. To access the DBMS files, which of the following technologies should be recommended for optimal I/O performance?
A、Storage area network (SAN)
B、Network Attached Storage (NAS)
C、Network file system (NFS v2)
D、Common Internet File System (CIFS)
ANSWER: A
NOTE: In contrast to the other options, a SAN (made up of computers, Fibre Channel (FC) switches or routers, and storage devices) has no computer system hosting a mounted file system and exporting it for remote access, aside from special shared file systems. Access to data on SAN storage is comparable to direct-attached storage: each block on a disk can be addressed directly, because the storage volumes are handled as though they were local, which gives optimal I/O performance. The other options describe technologies in which a computer (or appliance) shares its files with other systems, so every access passes through the serving host's file-system and network protocol layers rather than going directly to disk blocks.
655、Assuming this diagram represents an internal facility and the organization is implementing a firewall protection program, where should firewalls be installed?
A、No firewalls are needed
B、Op-3 location only
C、MIS (Global) and NAT2
D、SMTP Gateway and op-3
ANSWER: D
NOTE: The objective of a firewall is to protect a trusted network from an untrusted one; therefore the locations needing firewalls are the points where external connections exist. All other answers are incomplete or represent internal connections.
656、An IS steering committee should:
A、include a mix of members from different departments and staff levels.
B、ensure that IS security policies and procedures have been executed properly.
C、have formal terms of reference and maintain minutes of its meetings.
D、be briefed about new trends and products at each meeting by a vendor.
ANSWER: C
NOTE: It is important to keep detailed steering committee minutes to document the decisions and activities of the IS steering committee, and the board of directors should be informed about those decisions on a timely basis. Choice A is incorrect because only senior management or high-level staff members should be on this committee because of its strategic mission. Choice B is not a responsibility of this committee, but the responsibility of the security administrator. Choice D is incorrect because a vendor should be invited to meetings only when appropriate.
657、An IS auditor reviewing a proposed application software acquisition should ensure that the:
A、operating system (OS) being used is compatible with the existing hardware platform.
B、planned OS updates have been scheduled to minimize negative impacts on company needs.
C、OS has the latest versions and updates.
D、products are compatible with the current or planned OS.
ANSWER: D
NOTE: Choices A, B and C are incorrect because none of them are related to the area being audited. In reviewing the proposed application the auditor should ensure that the products to be purchased are compatible with the current or planned OS. Regarding choice A, if the OS is currently being used, it is compatible with the existing hardware platform, because if it is not it would not operate properly. In choice B, the planned OS updates should be scheduled to minimize negative impacts on the organization. For choice C, the installed OS should be equipped with the most recent versions and updates (with sufficient history and stability).
658、The computer security incident response team (CSIRT) of an organization disseminates detailed descriptions of recent threats. An IS auditor's GREATEST concern should be that the users might:
A、use this information to launch attacks.
B、forward the security alert.
C、implement individual solutions.
D、fail to understand the threat.
ANSWER: A
NOTE: An organization's computer security incident response team (CSIRT) should disseminate recent threats, security guidelines and security updates to the users to assist them in understanding the security risk of errors and omissions. However, this introduces the risk that the users may use this information to launch attacks, directly or indirectly. An IS auditor should ensure that the CSIRT is actively involved with users to assist them in mitigation of risks arising from security failures and to prevent additional security incidents resulting from the same threat. Forwarding the security alert is not harmful to the organization. Implementing individual solutions is unlikely and users failing to understand the threat would not be a serious concern.
659、The PRIMARY objective of Secure Sockets Layer (SSL) is to ensure:
A、only the sender and receiver are able to encrypt/decrypt the data.
B、the sender and receiver can authenticate their respective identities.
C、the alteration of transmitted data can be detected.
D、the ability to identify the sender by generating a one-time session key.
ANSWER: A
NOTE: SSL generates a session key used to encrypt/decrypt the transmitted data, thus ensuring its confidentiality. Although SSL allows the exchange of X509 certificates to provide for identification and authentication, this feature along with choices C and D are not the primary objectives.
660、Which of the following should be considered FIRST when implementing a risk management program?
A、An understanding of the organization's threat, vulnerability and risk profile
B、An understanding of the risk exposures and the potential consequences of compromise
C、A determination of risk management priorities based on potential consequences
D、A risk mitigation strategy sufficient to keep risk consequences at an acceptable level
ANSWER: A
NOTE: Implementing risk management, as one of the outcomes of effective information security governance, would require a collective understanding of the organization's threat, vulnerability and risk profile as a first step. Based on this, an understanding of risk exposure and potential consequences of compromise could be determined. Risk management priorities based on potential consequences could then be developed. This would provide a basis for the formulation of strategies for risk mitigation sufficient to keep the consequences from risk at an acceptable level.
661、From a control perspective, the key element in job descriptions is that they:
A、provide instructions on how to do the job and define authority.
B、are current, documented and readily available to the employee.
C、communicate management's specific job performance expectations.
D、establish responsibility and accountability for the employee's actions.
ANSWER: D
NOTE: From a control perspective, a job description should establish responsibility and accountability. This will aid in ensuring that users are given system access in accordance with their defined job responsibilities. The other choices are not directly related to controls. Providing instructions on how to do the job and defining authority addresses the managerial and procedural aspects of the job. It is important that job descriptions are current, documented and readily available to the employee, but this in itself is not a control. Communication of management's specific expectations for job performance outlines the standard of performance and would not necessarily include controls.
662、The GREATEST benefit in implementing an expert system is the:
A、capturing of the knowledge and experience of individuals in an organization.
B、sharing of knowledge in a central repository.
C、enhancement of personnel productivity and performance.
D、reduction of employee turnover in key departments.
ANSWER: A
NOTE: The basis for an expert system is the capture and recording of the knowledge and experience of individuals in an organization. Coding and entering the knowledge in a central repository, shareable within the enterprise, is a means of facilitating the expert system. Enhancing personnel productivity and performance is a benefit; however, it is not as important as capturing the knowledge and experience. Employee turnover is not necessarily affected by an expert system.
663、Which of the following is MOST critical when creating data for testing the logic in a new or modified application system?
A、A sufficient quantity of data for each test case
B、Data representing conditions that are expected in actual processing
C、Completing the test on schedule
D、A random sample of actual data
ANSWER: B
NOTE: Selecting the right kind of data is key in testing a computer system. The data should not only include valid and invalid data but should be representative of actual processing; quality is more important than quantity. It is more important to have adequate test data than to complete the testing on schedule. It is unlikely that a random sample of actual data would cover all test conditions and provide a reasonable representation of actual data.
664、The responsibility for authorizing access to application data should be with the:
A、data custodian.
B、database administrator (DBA).
C、data owner.
D、security administrator.
ANSWER: C
NOTE: Data owners should have the authority and responsibility for granting access to the data and applications for which they are responsible. Data custodians are responsible only for storing and safeguarding the data. The database administrator (DBA) is responsible for managing the database and the security administrator is responsible for implementing and maintaining IS security. The ultimate responsibility for data resides with the data owner.
665、Which of the following will BEST ensure the successful offshore development of business applications?
A、Stringent contract management practices
B、Detailed and correctly applied specifications
C、Awareness of cultural and political differences
D、Postimplementation reviews
ANSWER: B
NOTE: When dealing with offshore operations, it is essential that detailed specifications be created. Language differences and a lack of interaction between developers and physically remote end users could create gaps in communication in which assumptions and modifications may not be adequately communicated. Contract management practices, cultural and political differences, and postimplementation reviews, although important, are not as pivotal to the success of the project.
666、Which of the following will help detect changes made by an intruder to the system log of a server?
A、Mirroring the system log on another server
B、Simultaneously duplicating the system log on a write-once disk
C、Write-protecting the directory containing the system log
D、Storing the backup of the system log offsite
ANSWER: B
NOTE: A write-once CD cannot be overwritten. Therefore, the system log duplicated on the disk could be compared to the original log to detect differences, which could be the result of changes made by an intruder. Write-protecting the system log does not prevent deletion or modification, since the superuser can override the write protection. Backup and mirroring may overwrite earlier files and may not be current.
667、Which of the following provides the MOST relevant information for proactively strengthening security settings?
A、Bastion host
B、Intrusion detection system
C、Honeypot
D、Intrusion prevention system
ANSWER: C
NOTE: The design of a honeypot is such that it lures the hacker and provides clues as to the hacker's methods and strategies and the resources required to address such attacks. A bastion host does not provide information about an attack. Intrusion detection systems and intrusion prevention systems are designed to detect and address an attack in progress and stop it as soon as possible. A honeypot allows the attack to continue, so as to obtain information about the hacker's strategy and methods.
668、Users are issued security tokens to be used in combination with a PIN to access the corporate virtual private network (VPN). Regarding the PIN, what is the MOST important rule to be included in a security policy?
A、Users should not leave tokens where they could be stolen
B、Users must never keep the token in the same bag as their laptop computer
C、Users should select a PIN that is completely random, with no repeating digits
D、Users should never write down their PIN
ANSWER: D
NOTE: If a user writes their PIN on a slip of paper, an individual with the token, the slip of paper, and the computer could access the corporate network. A token and the PIN is a two-factor authentication method. Access to the token is of no value without the PIN; one cannot work without the other. The PIN does not need to be random as long as it is secret.
669、Which of the following should be the MOST important criterion in evaluating a backup solution for sensitive data that must be retained for a long period of time due to regulatory requirements?
A、Full backup window
B、Media costs
C、Restore window
D、Media reliability
ANSWER: D
NOTE: To comply with regulatory requirements, the media should be reliable enough to ensure an organization's ability to recover the data should it be required for any reason. Media price is a consideration, but should not be more important than the ability to provide the required reliability. Choices A and C are less critical than reliability.
670、Neural networks are effective in detecting fraud because they can:
A、discover new trends since they are inherently linear.
B、solve problems where large and general sets of training data are not obtainable.
C、attack problems that require consideration of a large number of input variables.
D、make assumptions about the shape of any curve relating variables to the output.
ANSWER: C
NOTE: Neural networks can be used to attack problems that require consideration of numerous input variables. They are capable of capturing relationships and patterns often missed by other statistical methods, but they will not discover new trends. Neural networks are inherently nonlinear and make no assumption about the shape of any curve relating variables to the output. Neural networks will not work well at solving problems for which sufficiently large and general sets of training data are not obtainable.
671、From a risk management point of view, the BEST approach when implementing a large and complex IT infrastructure is:
A、a big bang deployment after proof of concept.
B、prototyping and a one-phase deployment.
C、a deployment plan based on sequenced phases.
D、to simulate the new infrastructure before deployment.
ANSWER: C
NOTE: When developing a large and complex IT infrastructure, the best practice is to use a phased approach to fitting the entire system together. This will provide greater assurance of quality results. The other choices are riskier approaches.
672、To prevent unauthorized entry to the data maintained in a dial-up, fast response system, an IS auditor should recommend:
A、online terminals are placed in restricted areas.
B、online terminals are equipped with key locks.
C、ID cards are required to gain access to online terminals.
D、online access is terminated after a specified number of unsuccessful attempts.
ANSWER: D
NOTE: The most appropriate control to prevent unauthorized entry is to terminate the connection after a specified number of attempts. This will deter access through the guessing of IDs and passwords. The other choices are physical controls, which are not effective in deterring unauthorized access via telephone lines.
673、A penetration test performed as part of evaluating network security:
A、provides assurance that all vulnerabilities are discovered.
B、should be performed without warning the organization's management.
C、exploits the existing vulnerabilities to gain unauthorized access.
D、would not damage the information assets when performed at network perimeters.
ANSWER: C
NOTE: Penetration tests are an effective method of identifying real-time risks to an information processing environment. They attempt to break into a live site in order to gain unauthorized access to a system. They do have the potential for damaging information assets or misusing information because they mimic an experienced hacker attacking a live system. On the other hand, penetration tests do not provide assurance that all vulnerabilities are discovered because they are based on a limited number of procedures. Management should provide consent for the test to avoid false alarms to IT personnel or to law enforcement bodies.
674、When reviewing a hardware maintenance program, an IS auditor should assess whether:
A、the schedule of all unplanned maintenance is maintained.
B、it is in line with historical trends.
C、it has been approved by the IS steering committee.
D、the program is validated against vendor specifications.
ANSWER: D
NOTE: Though maintenance requirements vary based on complexity and performance work loads, a hardware maintenance schedule should be validated against the vendor-provided specifications. For business reasons, an organization may choose a more aggressive maintenance program than the vendor's program. The maintenance program should include maintenance performance history, be it planned, unplanned, executed or exceptional. Unplanned maintenance cannot be scheduled. Hardware maintenance programs do not necessarily need to be in line with historical trends. Maintenance schedules normally are not approved by the steering committee.
675、The decisions and actions of an IS auditor are MOST likely to affect which of the following risks?
A、Inherent
B、Detection
C、Control
D、Business
ANSWER: B
NOTE: Detection risks are directly affected by the auditor's selection of audit procedures and techniques. Inherent risks are not usually affected by an IS auditor. Control risks are controlled by the actions of the company's management. Business risks are not affected by an IS auditor.
676、IT control objectives are useful to IS auditors, as they provide the basis for understanding the:
A、desired result or purpose of implementing specific control procedures.
B、best IT security control practices relevant to a specific entity.
C、techniques for securing information.
D、security policy.
ANSWER: A
NOTE: An IT control objective is defined as the statement of the desired result or purpose to be achieved by implementing control procedures in a particular IT activity. They provide the actual objectives for implementing controls and may or may not be the best practices. Techniques are the means of achieving an objective, and a security policy is a subset of IT control objectives.
677、Which of the following is a continuity plan test that uses actual resources to simulate a system crash to cost-effectively obtain evidence about the plan's effectiveness?
A、Paper test
B、Post test
C、Preparedness test
D、Walkthrough
ANSWER: C
NOTE: A preparedness test is a localized version of a full test, wherein resources are expended in the simulation of a system crash. This test is performed regularly on different aspects of the plan and can be a cost-effective way to gradually obtain evidence about the plan's effectiveness. It also provides a means to improve the plan in increments. A paper test is a walkthrough of the plan, involving major players, who attempt to determine what might happen in a particular type of service disruption in the plan's execution. A paper test usually precedes the preparedness test. A post-test is actually a test phase and is comprised of a group of activities, such as returning all resources to their proper place, disconnecting equipment, returning personnel and deleting all company data from third-party systems. A walkthrough is a test involving a simulated disaster situation that tests the preparedness and understanding of management and staff, rather than the actual resources.
678、An organization has outsourced its help desk. Which of the following indicators would be the BEST to include in the SLA?
A、Overall number of users supported
B、Percentage of incidents solved in the first call
C、Number of incidents reported to the help desk
D、Number of agents answering the phones
ANSWER: B
NOTE: Since it is about service level (performance) indicators, the percentage of incidents solved on the first call is the only option that is relevant. Choices A, C and D are not quality measures of the help desk service.
679、What is a risk associated with attempting to control physical access to sensitive areas such as computer rooms using card keys or locks?
A、Unauthorized individuals wait for controlled doors to open and walk in behind those authorized.
B、The contingency plan for the organization cannot effectively test controlled access practices.
C、Access cards, keys and pads can be easily duplicated allowing easy compromise of the control.
D、Removing access for those who are no longer authorized is complex.
ANSWER: A
NOTE: The concept of piggybacking compromises all physical controls established. Choice B would be of minimal concern in a disaster recovery environment. Items in choice C are not easily duplicated. Regarding choice D, while technology is constantly changing, card keys have existed for some time and appear to be a viable option for the foreseeable future.
680、The purpose of code signing is to provide assurance that:
A、the software has not been subsequently modified.
B、the application can safely interface with another signed application.
C、the signer of the application is trusted.
D、the private key of the signer has not been compromised.
ANSWER: A
NOTE: Code signing can only ensure that the executable code has not been modified after being signed. The other choices are incorrect and actually represent potential and exploitable weaknesses of code signing.
681、Which of the following is a benefit of a risk-based approach to audit planning? Audit:
A、scheduling may be performed months in advance.
B、budgets are more likely to be met by the IS audit staff.
C、staff will be exposed to a variety of technologies.
D、resources are allocated to the areas of highest concern.
ANSWER: D
NOTE: The risk-based approach is designed to ensure audit time is spent on the areas of highest risk. The development of an audit schedule is not addressed by a risk-based approach. Audit schedules may be prepared months in advance using various scheduling methods. A risk approach does not have a direct correlation to the audit staff meeting time budgets on a particular audit, nor does it necessarily mean a wider variety of audits will be performed in a given year.
682、The MOST likely effect of the lack of senior management commitment to IT strategic planning is:
A、a lack of investment in technology.
B、a lack of a methodology for systems development.
C、technology not aligning with the organization's objectives.
D、an absence of control over technology contracts.
ANSWER: C
NOTE: A steering committee should exist to ensure that the IT strategies support the organization's goals. The absence of an information technology committee or a committee not composed of senior managers would be an indication of a lack of top-level management commitment. This condition would increase the risk that IT would not be aligned with the organization's strategy.
683、Naming conventions for system resources are important for access control because they:
A、ensure that resource names are not ambiguous.
B、reduce the number of rules required to adequately protect resources.
C、ensure that user access to resources is clearly and uniquely identified.
D、ensure that internationally recognized names are used to protect resources.
ANSWER: B
NOTE: Naming conventions for system resources are important for the efficient administration of security controls. The conventions can be structured, so resources beginning with the same high-level qualifier can be governed by one or more generic rules. This reduces the number of rules required to adequately protect resources, which in turn facilitates security administration and maintenance efforts. Reducing the number of rules required to protect resources allows for the grouping of resources and files by application, which makes it easier to provide access. Ensuring that resource names are not ambiguous cannot be achieved through the use of naming conventions. Ensuring the clear and unique identification of user access to resources is handled by access control rules, not naming conventions. Internationally recognized names are not required to control access to resources. Naming conventions tend to be based on how each organization wants to identify its resources.
684、Responsibility for the governance of IT should rest with the:
A、IT strategy committee.
B、chief information officer (CIO).
C、audit committee.
D、board of directors.
ANSWER: D
NOTE: Governance is the set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately and verifying that the enterprise's resources are used responsibly. The audit committee, the chief information officer (CIO) and the IT strategy committee all play a significant role in the successful implementation of IT governance within an organization, but the ultimate accountability resides with the board of directors.
685、During a business continuity audit an IS auditor found that the business continuity plan (BCP) covered only critical processes. The IS auditor should:
A、recommend that the BCP cover all business processes.
B、assess the impact of the processes not covered.
C、report the findings to the IT manager.
D、redefine critical processes.
ANSWER: B
NOTE: The business impact analysis needs to be either updated or revisited to assess the risk of not covering all processes in the plan. It is possible that the cost of including all processes might exceed the value of those processes; therefore, they should not be covered. An IS auditor should substantiate this by analyzing the risk.
686、Which of the following is MOST directly affected by network performance monitoring tools?
A、Integrity
B、Availability
C、Completeness
D、Confidentiality
ANSWER: B
NOTE: In case of a disruption in service, one of the key functions of network performance monitoring tools is to ensure that the information has remained unaltered. It is a function of security monitoring to assure confidentiality by using such tools as encryption. However, the most important aspect of network performance is assuring the ongoing dependence on connectivity to run the business. Therefore, the characteristic that benefits the most from network monitoring is availability.
687、A number of system failures are occurring when corrections to previously detected errors are resubmitted for acceptance testing. This would indicate that the maintenance team is probably not performing adequately which of the following types of testing?
A、Unit testing
B、Integration testing
C、Design walkthroughs
D、Configuration management
ANSWER: B
NOTE: A common system maintenance problem is that errors are often corrected quickly (especially when deadlines are tight). Units are tested by the programmer and then transferred to the acceptance test area; this often results in system problems that should have been detected during integration or system testing. Integration testing aims at ensuring that the major components of the system interface correctly.
688、During maintenance of a relational database, several values of the foreign key in a transaction table of a relational database have been corrupted. The consequence is that:
A、the detail of involved transactions may no longer be associated with master data, causing errors when these transactions are processed.
B、there is no way of reconstructing the lost information, except by deleting the dangling tuples and reentering the transactions.
C、the database will immediately stop execution and lose more information.
D、the database will no longer accept input data.
ANSWER: A
NOTE: When the external key of a transaction is corrupted or lost, the application system will normally be incapable of directly attaching the master data to the transaction data. This will normally cause the system to undertake a sequential search and slow down the processing. If the concerned files are big, this slowdown will be unacceptable. Choice B is incorrect, since a system can recover the corrupted external key by reindexing the table. Choices C and D would not result from a corrupted foreign key.
689、Validated digital signatures in an e-mail software application will:
A、help detect spam.
B、provide confidentiality.
C、add to the workload of gateway servers.
D、significantly reduce available bandwidth.
ANSWER: A
NOTE: Validated electronic signatures are based on qualified certificates that are created by a certification authority (CA), with the technical standards required to ensure the key can neither be forced nor reproduced in a reasonable time. Such certificates are only delivered through a registration authority (RA) after a proof of identity has been passed. Using strong signatures in e-mail traffic, nonrepudiation can be assured and a sender can be tracked. The recipient can configure their e-mail server or client to automatically delete e-mails from specific senders. For confidentiality issues, one must use encryption, not a signature, although both methods can be based on qualified certificates. Without any filters directly applied on mail gateway servers to block traffic without strong signatures, the workload will not increase. Using filters directly on a gateway server will result in an overhead less than antivirus software imposes. Digital signatures are only a few bytes in size and will not slash bandwidth. Even if gateway servers were to check CRLs, there is little overhead.
690、An information security policy stating that "the display of passwords must be masked or suppressed" addresses which of the following attack methods?
A、Piggybacking
B、Dumpster diving
C、Shoulder surfing
D、Impersonation
ANSWER: C
NOTE: If a password is displayed on a monitor, any person nearby could look over the shoulder of the user to obtain the password. Piggybacking refers to unauthorized persons following, either physically or virtually, authorized persons into restricted areas. Masking the display of passwords would not prevent someone from tailgating an authorized person. This policy only refers to “the display of passwords.” If the policy referred to “the display and printing of passwords” then it would address shoulder surfing and dumpster diving (looking through an organization's trash for valuable information). Impersonation refers to someone acting as an employee in an attempt to retrieve desired information.
691、When performing an audit of access rights, an IS auditor should be suspicious of which of the following if allocated to a computer operator?
A、Read access to data
B、Delete access to transaction data files
C、Logged read/execute access to programs
D、Update access to job control language/script files
ANSWER: B
NOTE: Deletion of transaction data files should be a function of the application support team, not operations staff. Read access to production data is a normal requirement of a computer operator, as is logged access to programs and access to JCL to control job execution.
692、An IS auditor notes that IDS log entries related to port scanning are not being analyzed. This lack of analysis will MOST likely increase the risk of success of which of the following attacks?
A、Denial-of-service
B、Replay
C、Social engineering
D、Buffer overflow
ANSWER: A
NOTE: Prior to launching a denial-of-service attack, hackers often use automatic port scanning software to acquire information about the subject of their attack. A replay attack is simply sending the same packet again. Social engineering exploits end-user vulnerabilities, and buffer overflow attacks exploit poorly written code.
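The analysis the auditor found missing can be a small piece of detection logic. The following is an added example, not code from the original question bank: it runs a sliding-window port-scan detector over constructed log lines in an assumed `<timestamp> <src> -> <dst>:<port> <action>` format, and shows why the window size matters, since a slow scan that spreads 12 ports over six minutes is invisible to a 60-second window but obvious to a 10-minute one. All hosts, ports and thresholds are constructed values.

```python
"""Added example: sliding-window port-scan detection over constructed log lines."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, not taken from any real IDS. Assumed line format:
# "<ISO-8601 timestamp> <src_ip> -> <dst_ip>:<dst_port> <action>"
BASE = datetime(2024, 3, 1, 10, 0, 0)
SCAN_PORTS = [21, 22, 23, 25, 80, 110, 135, 139, 443, 445, 3389, 8080]


def _line(offset_s, src, port, action):
    ts = (BASE + timedelta(seconds=offset_s)).isoformat()
    return f"{ts} {src} -> 192.0.2.10:{port} {action}"


SAMPLE_LOG = (
    # fast scan: 12 distinct ports from one source within 12 seconds
    [_line(i, "203.0.113.5", p, "DENY") for i, p in enumerate(SCAN_PORTS)]
    # slow scan: the same 12 ports, one every 30 seconds
    + [_line(60 + 30 * i, "203.0.113.9", p, "DENY") for i, p in enumerate(SCAN_PORTS)]
    # legitimate client: repeated connections to two service ports
    + [_line(5, "198.51.100.7", 443, "ALLOW"),
       _line(9, "198.51.100.7", 443, "ALLOW"),
       _line(30, "198.51.100.7", 80, "ALLOW")]
)


def parse_line(line):
    """Split one log line into (timestamp, src_ip, dst_ip, dst_port, action)."""
    ts, src, _arrow, dst, action = line.split()
    dst_ip, dst_port = dst.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, dst_ip, int(dst_port), action


def detect_port_scans(lines, window_seconds=60, min_ports=10):
    """Return {(src_ip, dst_ip): max distinct ports seen in any window} for pairs
    that touched at least `min_ports` distinct destination ports within
    `window_seconds`. Both thresholds are assumed tuning values."""
    events = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ts, src, dst_ip, port, _action = parse_line(line)
        events[(src, dst_ip)].append((ts, port))

    alerts = {}
    for pair, evs in events.items():
        evs.sort()
        j = 0
        for i, (start, _port) in enumerate(evs):
            # advance the window end while events still fall inside the window
            while j < len(evs) and (evs[j][0] - start).total_seconds() <= window_seconds:
                j += 1
            distinct = len({p for _t, p in evs[i:j]})
            if distinct >= min_ports:
                alerts[pair] = max(alerts.get(pair, 0), distinct)
    return alerts


if __name__ == "__main__":
    print("60 s window:", detect_port_scans(SAMPLE_LOG))
    print("600 s window:", detect_port_scans(SAMPLE_LOG, window_seconds=600))
```

With the default 60-second window only the fast scanner is reported; widening the window to 600 seconds also catches the slow scanner while the legitimate client, which touches only two ports, is never flagged.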
693、Disaster recovery planning (DRP) for a company's computer system usually focuses on:
A、operations turnover procedures.
B、strategic long-range planning.
C、the probability that a disaster will occur.
D、alternative procedures to process transactions.
ANSWER: D
NOTE: It is important that disaster recovery identifies alternative processes that can be put in place while the system is not available.
694、The IT balanced scorecard is a business governance tool intended to monitor IT performance evaluation indicators other than:
A、financial results.
B、customer satisfaction.
C、internal process efficiency.
D、innovation capacity.
ANSWER: A
NOTE: Financial results have traditionally been the sole overall performance metric. The IT balanced scorecard (BSC) is an IT business governance tool aimed at monitoring IT performance evaluation indicators other than financial results. The IT BSC considers other key success factors, such as customer satisfaction, innovation capacity and internal process efficiency.
695、The logical exposure associated with the use of a checkpoint restart procedure is:
A、denial of service.
B、an asynchronous attack.
C、wire tapping.
D、computer shutdown.
ANSWER: B
NOTE: Asynchronous attacks are operating system-based attacks. A checkpoint restart is a feature that stops a program at specified intermediate points for later restart in an orderly manner without losing data at the checkpoint. The operating system saves a copy of the computer programs and data in their current state as well as several system parameters describing the mode and security level of the program at the time of stoppage. An asynchronous attack occurs when an individual with access to this information is able to gain access to the checkpoint restart copy of the system parameters and change those parameters such that upon restart the program would function at a higher-priority security level.
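The exposure described in the NOTE is that the saved system parameters are trusted on restart without any check that they are the ones the operating system wrote. The following is an added example, not code from the original question bank: it writes a constructed checkpoint with an HMAC-SHA256 tag, simulates the attacker editing the saved security level, and shows that a naive restart accepts the change while a verifying restart rejects it. The key name, state fields and values are all assumptions; in a real system the key would be held by the operating system component that writes and restores checkpoints, never by the user whose job is checkpointed.

```python
"""Added example: an HMAC-protected checkpoint so tampered restart parameters are rejected."""
import hashlib
import hmac
import json

# Assumed key, held by the OS checkpoint/restart component (constructed value).
CHECKPOINT_KEY = b"constructed-os-checkpoint-key"

ORIGINAL_STATE = {  # constructed example of what a checkpoint might hold
    "program": "payroll_batch",
    "record_pointer": 4820,
    "mode": "batch",
    "security_level": "operator",
}


def _encode(state):
    # canonical encoding so the tag is computed over a deterministic byte string
    return json.dumps(state, sort_keys=True, separators=(",", ":")).encode()


def save_checkpoint(state, key=CHECKPOINT_KEY):
    """Serialize the state and append an HMAC-SHA256 tag over the serialized bytes."""
    payload = _encode(state)
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest().encode()
    return payload + b"\n" + tag


def is_checkpoint_valid(blob, key=CHECKPOINT_KEY):
    """True only if the tag matches the payload under the OS key."""
    payload, _, tag = blob.rpartition(b"\n")
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest().encode()
    return hmac.compare_digest(expected, tag)


def restart_unprotected(blob):
    """Naive restart: trusts whatever the checkpoint file contains."""
    payload, _, _tag = blob.rpartition(b"\n")
    return json.loads(payload)


def restart_protected(blob, key=CHECKPOINT_KEY):
    """Verify the tag before accepting the saved parameters; raise on mismatch."""
    if not is_checkpoint_valid(blob, key):
        raise ValueError("checkpoint integrity check failed")
    return json.loads(blob.rpartition(b"\n")[0])


def tamper_security_level(blob, new_level):
    """Simulate the asynchronous attack: edit the saved security level in place.
    The attacker can rewrite the payload but cannot recompute the tag without the key."""
    payload, _, tag = blob.rpartition(b"\n")
    state = json.loads(payload)
    state["security_level"] = new_level
    return _encode(state) + b"\n" + tag


if __name__ == "__main__":
    good = save_checkpoint(ORIGINAL_STATE)
    bad = tamper_security_level(good, "supervisor")
    print("unprotected restart runs as:", restart_unprotected(bad)["security_level"])
    try:
        restart_protected(bad)
    except ValueError as exc:
        print("protected restart:", exc)
```

The check only helps if the key is out of the attacker's reach; an attacker who can read the key as well as the checkpoint file simply re-signs the edited parameters, so the key must live with the privileged restart code, not in the same storage as the checkpoint.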
696、An organization is disposing of a number of laptop computers. Which of the following data destruction methods would be the MOST effective?
A、Run a low-level data wipe utility on all hard drives
B、Erase all data file directories
C、Format all hard drives
D、Physical destruction of the hard drive
ANSWER: D
NOTE: The most effective method is physical destruction. Running a low-level data wipe utility may leave some residual data that could be recovered; erasing data directories and formatting hard drives are easily reversed, exposing all data on the drive to unauthorized individuals.
697、Which of the following recovery strategies is MOST appropriate for a business having multiple offices within a region and a limited recovery budget?
A、A hot site maintained by the business
B、A commercial cold site
C、A reciprocal arrangement between its offices
D、A third-party hot site
ANSWER: C
NOTE: For a business having many offices within a region, a reciprocal arrangement among its offices would be most appropriate: each office is designated as a recovery site for some other office. This is the least expensive approach that still provides an acceptable level of confidence, provided the offices have compatible equipment and spare capacity and are not all exposed to the same regional event. A hot site maintained by the business would be a costly solution but would provide a high degree of confidence. Leasing commercial cold sites for the multiple offices would also be costly, and because equipment must be procured and installed after the disaster, a cold site provides a lower degree of confidence than a hot site. A third-party hot site is the traditional commercial recovery facility; it would be a costly approach providing a high degree of confidence.
698、In the event of a data center disaster, which of the following would be the MOST appropriate strategy to enable a complete recovery of a critical database?
A、Daily data backup to tape and storage at a remote site
B、Real-time replication to a remote site
C、Hard disk mirroring to a local server
D、Real-time data backup to the local storage area network (SAN)
ANSWER: B
NOTE: With real-time replication to a remote site, data are updated simultaneously in two separate locations; therefore, a disaster in one site would not damage the information located in the remote site. This assumes that both sites were not affected by the disaster. Daily tape backup recovery could lose up to a day's work of data. Choices C and D take place in the same data center and could possibly be affected by the same disaster.
699、A company has recently upgraded its purchase system to incorporate EDI transmissions. Which of the following controls should be implemented in the EDI interface to provide for efficient data mapping?
A、Key verification
B、One-for-one checking
C、Manual recalculations
D、Functional acknowledgements
ANSWER: D
NOTE: Acting as an audit trail for EDI transactions, functional acknowledgements are one of the main controls used in data mapping. All the other choices are manual input controls, whereas data mapping deals with automatic integration of data in the receiving company.
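The audit-trail role of a functional acknowledgement is easiest to see when the acknowledgements are reconciled against what was sent. The following is an added example, not code from the original question bank: it parses a constructed ANSI X12 997 (envelope segments omitted, `~` segment terminator, `*` element separator) and matches its AK2/AK5 loops against a constructed register of transaction sets sent in a PO functional group, so that accepted, rejected and unacknowledged purchase orders and any acknowledgement for a control number that was never sent are listed. The control numbers and the register layout are assumptions.

```python
"""Added example: reconciling sent EDI transaction sets against an X12 997 functional acknowledgement."""

# Constructed outbound register: functional identifier code -> group control number
# -> transaction set control numbers sent. (PO = purchase order group, 850 = PO set.)
SENT = {"PO": {"123": ["0001", "0002", "0003"]}}

# Constructed inbound 997 with ISA/GS/GE/IEA envelope omitted.
# AK5 codes: A = accepted, E = accepted with errors, R = rejected.
SAMPLE_997 = (
    "ST*997*0001~"
    "AK1*PO*123~"          # acknowledging functional group PO, control number 123
    "AK2*850*0001~AK5*A~"  # transaction set 0001 accepted
    "AK2*850*0002~AK5*R~"  # transaction set 0002 rejected
    "AK9*P*3*2*1~"         # group partially accepted: 3 included, 2 received, 1 accepted
    "SE*8*0001~"
)


def parse_997(message, seg_term="~", elem_sep="*"):
    """Return (group_key, {tsn: ack_code}, group_summary) from a 997 body."""
    segments = [s.split(elem_sep)
                for s in message.strip().strip(seg_term).split(seg_term)]
    group = None
    acks = {}
    summary = None
    current_tsn = None
    for seg in segments:
        tag = seg[0]
        if tag == "AK1":
            group = (seg[1], seg[2])
        elif tag == "AK2":
            current_tsn = seg[2]
        elif tag == "AK5":
            if current_tsn is None:
                raise ValueError("AK5 without preceding AK2")
            acks[current_tsn] = seg[1]
            current_tsn = None
        elif tag == "AK9":
            summary = {"status": seg[1], "included": int(seg[2]),
                       "received": int(seg[3]), "accepted": int(seg[4])}
    if group is None or summary is None:
        raise ValueError("missing AK1 or AK9 segment")
    return group, acks, summary


def reconcile(sent, message):
    """Classify every sent transaction set as accepted, rejected or unacknowledged,
    and flag acknowledgements for control numbers that were never sent."""
    (func_id, gcn), acks, summary = parse_997(message)
    expected = sent.get(func_id, {}).get(gcn)
    if expected is None:
        raise ValueError(f"997 references unknown group {func_id}/{gcn}")
    result = {"accepted": [], "rejected": [], "unacknowledged": []}
    for tsn in expected:
        code = acks.get(tsn)
        if code is None:
            result["unacknowledged"].append(tsn)
        elif code in ("A", "E"):
            result["accepted"].append(tsn)
        else:
            result["rejected"].append(tsn)
    result["unexpected"] = sorted(t for t in acks if t not in expected)
    # the partner's own count of sets in the group should equal what we sent
    result["count_mismatch"] = summary["included"] != len(expected)
    return result


if __name__ == "__main__":
    for category, items in reconcile(SENT, SAMPLE_997).items():
        print(f"{category}: {items}")
```

Anything in `unacknowledged` or `rejected` is an exception to follow up, and `unexpected` entries point at a mapping or sequencing problem on one side of the interface; the acknowledgement itself is the evidence an auditor would ask for.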
700、A clerk changed the interest rate for a loan on a master file. The rate entered is outside the normal range for such a loan. Which of the following controls is MOST effective in providing reasonable assurance that the change was authorized?
A、The system will not process the change until the clerk's manager confirms the change by entering an approval code.
B、The system generates a weekly report listing all rate exceptions and the report is reviewed by the clerk's manager.
C、The system requires the clerk to enter an approval code.
D、The system displays a warning message to the clerk.
ANSWER: A
NOTE: Choice A would prevent or detect the use of an unauthorized interest rate. Choice B informs the manager after the fact that a change was made, thereby making it possible for transactions to use an unauthorized rate prior to management review. Choices C and D do not prevent the clerk from entering an unauthorized rate change.
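What separates choice A from choice C is who supplies the approval and whether the master file can change before it arrives. The following is an added example, not code from the original question bank: a maker-checker workflow in which an out-of-range rate is parked until a distinct user holding the manager role releases it, shown beside a version of choice C in which the clerk enters the approval code alone. The rate range, role names and the override code are constructed assumptions.

```python
"""Added example: maker-checker control for out-of-range interest rate changes."""

NORMAL_RANGE = (2.0, 9.0)  # assumed policy range (percent) for this loan type


def new_loan(loan_id, rate):
    return {"id": loan_id, "rate": rate, "pending": None, "log": []}


def request_rate_change(loan, new_rate, clerk):
    """In-range changes apply immediately; exceptions are parked until a manager
    other than the requester approves them (choice A). The master-file rate does
    not move in the meantime."""
    if NORMAL_RANGE[0] <= new_rate <= NORMAL_RANGE[1]:
        loan["rate"] = new_rate
        loan["log"].append(("applied", new_rate, clerk, None))
        return "applied"
    loan["pending"] = {"rate": new_rate, "requested_by": clerk}
    loan["log"].append(("held", new_rate, clerk, None))
    return "pending_approval"


def approval_blocked_reason(loan, approver, approver_role):
    """None if `approver` may release the pending change, else why not.
    Enforces segregation of duties: manager role, and not the requesting clerk."""
    pending = loan["pending"]
    if pending is None:
        return "nothing pending"
    if approver_role != "manager":
        return "approval requires manager role"
    if approver == pending["requested_by"]:
        return "requester cannot approve own change"
    return None


def approve_rate_change(loan, approver, approver_role):
    reason = approval_blocked_reason(loan, approver, approver_role)
    if reason is not None:
        raise PermissionError(reason)
    pending = loan["pending"]
    loan["rate"] = pending["rate"]
    loan["pending"] = None
    # audit entry records both maker and checker
    loan["log"].append(("applied", loan["rate"], pending["requested_by"], approver))
    return "applied"


def weak_request_rate_change(loan, new_rate, clerk, approval_code):
    """Choice C for contrast: the clerk supplies the approval code, so any code the
    clerk knows or guesses releases the change with no second person involved."""
    if approval_code == "OVERRIDE":  # constructed code; in choice C the clerk has it
        loan["rate"] = new_rate
        loan["log"].append(("applied", new_rate, clerk, clerk))
        return "applied"
    return "rejected"


if __name__ == "__main__":
    loan = new_loan("L-1", 5.0)
    print(request_rate_change(loan, 14.0, "clerk1"), loan["rate"])
    print(approval_blocked_reason(loan, "clerk1", "clerk"))
    print(approve_rate_change(loan, "mgr1", "manager"), loan["rate"])
```

The log entry for a released exception names two different people, which is the evidence an auditor can test; the weak variant produces a log entry where maker and checker are the same user.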