DISA Review Question Bank updated on March, 2016

Table of Contents Module 1-Primer on Information technology, IS Infrastructure & Emerging Technologies ...................... 2 Module 2-Information Systems Assurance Services ...................................................................... 150 Module 3-Governance and Management of Enterprise Information Technology, Risk Management & Compliance .............................................................................................................................. 173 Module 4- Protection of Information Assets .................................................................................. 216 Module 5- Systems Development-Acquisition, Maintenance and Implementation .............................. 302 Module 6- Business Application Software Audit ............................................................................ 320 Module 7- Business Continuity Management ................................................................................ 332 Module 1 Primer on Information technology, IS Infrastructure & Emerging Technologies 2 1. The Key components of IT Infrastructure are ___________________ A. Users, Applications, DBMS, System Software, Network & Hardware B. Computing systems, satellite dishes, ISDN lines, Radio towers C. Concrete building, air conditioning, fire extinguishers, sprinklers D. Large servers, desktop computers, laptops, tablets KEY: A Justification: A. All information systems will have these elements as common to them since interactions will take place between them in such systems. This is explained in para 1.2. B. B, C and D are incorrect since they are not speaking of the common elements of any information systems but are various types of equipment alone (B), physical infrastructure alone (C) or merely various types of computing devices 2. Auditors dealing with organizations deploying IT need to have ______________ A. Adequate working knowledge of IT hardware & software B. Expertise in all areas of IT technology C. Thorough knowledge on the financial aspects alone D. Expertise both in financial and IT technology aspects KEY: A Justification: A. C.A.s knowledge of IT technology need not and cannot be complete and total. They only need adequate knowledge to effectively audit the IT functions of an organization B. C.A.s cannot be expected to be experts in all areas of IT technology; this is not their role C. Knowledge of financial aspects alone in a technology oriented function like IT will not facilitate effective auditing of the IT function D. A C.A. cannot be expected to have thorough knowledge of both financial & IT technology aspects 3. People, the most import element of information systems, comprise ________________ A. Users of the system in the head office and branches B. All users of the system and all information system personnel C. All employees except information system personnel D. Employees involved with maintenance of the information system KEY: B Justification: A. It does not exclude the people managing the IT system B. As brought out in paragraph 1.2.1, the scope of IT covers both the actual users as well as those involved in managing the IT system C. It includes the information system management personnel D. The actual users of the system are also key to the IT system 4. Application software is a collection of programs which ______________ Module 1 Primer on Information technology, IS Infrastructure & Emerging Technologies 3 A. Operates computer hardware & facilitates use of system software B. Exclusively use for generating applications to govt. bodies C. Addresses a real life problem for its end users D. Helps users generate complaints to IT services dept. alone KEY: C Justification It is system software which helps run hardware & facilitates use of application software. Options B & D are also wrong & are not generic definitions of application softwareAs explained in paragraph 1.2.2, application software are programmes that help address business, scientific or other needs of its end users 5. Hardware refers to___________________ A. All computer parts except those which are soft, made of glass or plastic B. Devices performing Input, output, processing & data storage functions of a computer C. All connecting tubes, hoses, joints, cables and pipelines carrying IT cables D. All parts of the computer which are complex and hard to understand KEY: B Justification: A. A, C & D are clearly wrong answers which have no relation to the definition in paragraph 1.2.6 B. As defined clearly in paragraph 1.2.6 6. The basic sequential steps of the machine cycle performed by the CPU are _____________ A. Fetch, Decode, Execute and Store B. Decode, Execute, Store and Fetch C. Store, Fetch, Decode and Execute D. Execute, Fetch, Decode and Store KEY: A Justification: As defined clearly in paragraph 1.3.2 B,C & D are clearly wrong answers which contain the wrong sequence 7. Cache memory ________________ A. Is a large, slow memory which is no longer used in computers B. Helps bridge speed difference between Registers and Primary Memory C. Is a virtual memory which is an image of another memory D. Is a memory where only valuable, secret information is stored KEY: B Justification Cache memory is a small & fast memory very much in use even today. As brought out in paragraph 1.3.3 Module 1 Primer on Information technology, IS Infrastructure & Emerging Technologies 4 It is not a virtual memory It maintains copies of most frequently used data from main memories and not only for secret information 8. Secondary Memory _______________ A. Is volatile memory with large storage capacities B. Is non-volatile memory which is fast & responsive C. Is non-volatile memory with large storage capacities D. Involves higher cost per unit of information than RAM KEY: C Justification: Secondary memory is not volatile. It is not fast. As brought out in paragraph 1.3.3, secondary memory is non-volatile, with large storage capacities. It is, however, slower than registers or primary storage. Its cost per unit of information is lower than RAM 9. One Megabyte is equal to ___________________ A. 1024 x 1024 Bytes B. 1000 Kilobytes C. 1000 Bytes D. 1,000,000 Bytes KEY: A Justification: 1 Megabyte equals 1024 Kilobytes or 1024 x 1024 Bytes. All the other answers are, therefore, obviously wrong. 10. Unicode _____________ A. Uses 16 Bytes for character coding & has replaced other major coding systems B. Uses 7 bits for character coding C. Uses 16 bits for character coding & has replaced other major coding systems D. Uses 8 bits for character coding KEY: C Justification: A B & D answers are, obviously wrong. C. Unicode uses 16 bits for character coding & has replaced other major coding systems as brought out in paragraph 1.4 11. Implementing Hardware Monitoring Procedures ______________ Module 1 Primer on Information technology, IS Infrastructure & Emerging Technologies 5 A. Is expensive and not cost effective B. Reduces Total Cost of Ownership & improves Return on Investment C. Is cumbersome & time consuming D. Leads to increased server downtime KEY: B Justification: Pra 1.5.3 establishes that the other options are wrong & it makes sense to implement hardware monitoring procedures. As brought out in paragraph 1.5.3 12. Some factors that affect the requirement & capacity of various hardware are ____________ A. Number of employees in the organization B. Variety of markets in which operations happen C. Nature of the products dealt with in the organization D. Transaction volume, Computation complexity KEY: D Justification: As brought out in paragraph 1.5.4. This para also establishes that the other options are wrong. 13. A key issue in retirement of hardware is security & disposal of data. Robust policies need to be in place for hardware retirement cycles, archiving of data, closure of licensing and/or contracts. A. FALSE B. TRUE KEY: B Justification: As brought out in paragraph 1.5.5, this statement is factually correct 14. Hardware Auditing ________________ A. Is best carried out by the purchase department of the I.T. department B. Primarily encompasses hardware acquisition & capacity management C. Should be restricted to the financial aspects of hardware usage D. Is not as critical as software auditing which can be a more vulnerable area E. KEY: B Hardware is a vulnerable area which needs to be closely reviewed by Audit. Hence, the other three options are not correct Paragraph1.6 elaborates on the criticality of hardware acquisition & capacity management as KEY Areas of Hardware auditing. Module 1 Primer on Information technology, IS Infrastructure & Emerging Technologies 6 15. Software _________________ A. Software consists of clearly-defined instruction sets that upon execution, tell a computer what to do B. Refers to all the soft parts of any computer system C. Is not as important as hardware; a system can operate even without it D. Are only those programs which convert machine language to English KEY: A Justification: Paragraph 2.1 incorporates this definition. While option B is obviously incorrect, C is wrong since it would be impossible to operate any computer without software. D, too, is wrong since software plays a role much beyond that of converting machine language to English 16. System Software _______________ A. Is specific to each application software and cannot be interchanged B. Co-ordinates instructions between application software and hardware C. Cannot be used for application development D. Is not involved in I/O devices connectivity KEY: B Justification: Definition as per paragraph 2.1.1. It is actually generic and can be used with any application (option A). It can actually be the basis for development of application development (option C). It enables I/O devices connectivity 17. Application Software __________________ A. Microsoft Office is not an example of application software B. Cannot be directly interacted with by end users C. Is a set of software that performs a function directly for the end user D. Can be directly used on a computer even without system software KEY: C Justification: As clearly defined in 2.1.2. Microsoft Office is, indeed, an example of application software. (option A). A KEY Aspect of application software is that it can be directly interacted with by end users (option B). Lastly, a computer cannot be run without system software as brought out in earlier notes 18. An Operating System is ______________ A. An intermediary agent that manages computer resources among various processes B. An application software which is in operation in a computer network C. A new type of software which has been introduced in the latest computers only D. A computer system which has been switched on and is in proper operation Module 1 Primer on Information technology, IS Infrastructure & Emerging Technologies 7 KEY: A Justification: The definition is as per paragraph 2.2. As for the other options, an operating system is, obviously a system software and not an application software (option B). It is not a new type of software and has been an intrinsic part of all computer systems for long (option C). Though option D may not appear to be factually incorrect, this is not the sense in which the term Operating System is used in this context. 19. State True or False : Operating Systems can be single user / multi user, multi processing or real time. A. FALSE B. TRUE Key: B Justification: This has been clearly elaborated in paragraph 2.2.1 20. Processor Management refers to _______________ A. Management of the various processors by the Systems Executive B. Training of the end-user for optimal user of computer systems C. Optimisation of use of application software on a personal computer D. Process or task scheduling carried out by the Operating System KEY: D Justification: As brought out in paragraph 2.2.2, Processor Management is one of the key roles played by an Operating system. It enables process scheduling. The Operating system is part of the main computer system and one of its key roles is process scheduling. It has nothing to do with the management role of Systems Executives or with training of end users (options A & B). It is not relevant to application software optimisation (option C). 21. Which of the following is performed by the Operating System ________________ A. Supports virtual memory by carving out an area of hard disk B. Supports virtual memory on external storage device C. Supports secondary memory by allocating an area of hard disk D. Supports end user in carrying out specific functions KEY: A Justification: The Operating System supports RAM by carving out an area of hard disk to create a virtual memory (option A). It does not do this on any external storage device (option B). The OS can only assist expansion of RAM space by carving out hard disk space, not secondary memory (option C). The OS is only an intermediary agent and does not interact directly with the end user (option D). Module 1 Primer on Information technology, IS Infrastructure & Emerging Technologies 8 22. Which of the following is a role of the Operating System ______________ A. Helps manage Data bases of various types B. Facilitates use of spread sheets by end users C. Manages device communication with respective drivers D. Helps programmers to create computer programs Key: C Justification: One of the key functions of the Operating system is insulating the end user from the peculiarities of each hardware device (option C). OS are not directly involved in use of Data Bases or spread sheets; nor are they useful for writing programs. One would need program development software for that purpose (options A,B & D) 23. Fifth Generation programming language _________________ A. It comprises machine language & code B. Is mainly used in Artificial intelligence C. Cannot solve a problem without a programmer D. It uses long instructions & is machine dependent KEY: B Justification: Fifth generation programming language is the most advanced of the languages & is used in artificial intelligence. It is, thus, not based upon primitive machine language and code. It is also pre- programmed with options in such a way that minimum intervention of a programmer is required. It is much simpler and platform independent as compared to first generation programming languages (options A, C & D). 24. What is the function of a Compiler ? A. It translates Assembly language into Machine language B. It translates statements of a program into machine code, line by line C. A compiler translates a high level language program into a machine language program D. It allows a user to create and edit files KEY: C Justification: A compiler basically translates a high level program into machine code. It does not operate at the level of converting Assembly language into machine code or, like an Interpreter, translate into machine code line by line (options A and B) It is also not an Editor program to create and edit files (D). 25. Which software controls, among other things, ownership assignment of all data for accountability ? A. Access Control Software B. Data Communications Software C. Utility programs D. Defragmenters KEY: A Module 1 Primer on Information technology, IS Infrastructure & Emerging Technologies 9 Justification: It is access control software which is vested with the responsibility for assigning ownership of all data for purposes of accountability (para 2.3.2). Data Communications software generally assists the OS for local and remote terminal access (option B). Utility programs and defragmenters basically help improve computer efficiency and performance and have nothing to do with ownership assignment of all data. 26. Access control lists in the OS manage OS Controls. The lowest level of control that can be exercised is, generally, up to : A. The level of an individual directory B. The level of a particular page in a file C. The level of individual words in a file D. The level of individual files KEY: D Justification: Most systems are designed to exercise access control only up to the level of a file and not below. Hence the choice of D as the right option above and the rejection of the other options 27. State Yes or No In a newly formed organization, the System Administrator is faced with requests for access to particular files from multiple users. On closer scrutiny, he finds that though the users are different, he is able to detect a pattern whereby individuals handling particular functions all seek access to the same files. The System Administrator is aware that, while the individuals handling these functions may change, the actual functions, by and large, are permanent. He feels that it would be simpler to provide access control for files to particular functions and would like to know the feasibility of doing so in the Operating system. What is your view ? Is it possible to provide access to ‘Roles’ which could comprise multiple users, instead of creating individual access controls for each of the users ? : A. Yes, it would be possible B. No, it would not be possible KEY: A Justification: Access control lists are widely used with Roles comprising multiple users. The individual users can keep changing depending upon the roles they take up. Hence, Option A above is correct. 28. What is the first step in Software acquisition ? A. Establish criteria for selecting and rejecting alternatives B. Carry out Cost/Benefit analysis, including make or buy decision C. Establish scope, objectives background & project charter D. Determine supplier’s technical capabilities & support services KEY: C Justification: Module 1 Primer on Information technology, IS Infrastructure & Emerging Technologies 10 Without first establishing the scope and objectives, software acquisition may end up failing on fundamental aspects of meeting end user needs. This would be the starting point, therefore, for any acquisition exercise. The other options get ruled out by default. 29. What is an Endpoint device ? A. A device used as a pointer during Power point presentations B. The key-board or a mouse on a computer C. A device which identifies the end of each software program D. An internet-capable computer hardware device on a TCP/IP network KEY: D Justification: Endpoint devices can be computers, smart phones, thin clients, etc. which have connectivity to the internet as brought out in option D. The very fact that they have this connectivity raises concerns of security with respect to possible leakage of information to the outside world or vulnerability to virus or other malicious software which may attempt to enter the system from the internet. 30. What is Digital Rights Management ? A. Management of binary digit codes in the system software B. Technology used for preventing users from using the content in any manner other than that permitted by the content provider C. Conversion of analog records to digital mode D. Optimization of binary digit codes in application software KEY: B Justification: Digital Rights Management refers to the control on use of copyrighted / IPR material and, hence, option B is correct. The other options are wrong. 31. Does the Operating system need auditing ? A. Yes; there is risk of the OS being compromised B. No; the application software prevents direct access to the OS C. No; the OS is a robust system which cannot be tampered with D. No, it is adequate if the application software are audited KEY: A Justification: Though, in the normal course, end-users to do not have direct access to the OS, they could find ways of by-passing the application software and reaching out to the OS. Unlike the application software which has high security features to prevent end users tampering with data which is not open to them, the OS is relatively more vulnerable since it sees all data as simple bits/bytes & cannot even distinguish between different types of data of different criticality 32. Which of the following is the correct sequence of data hierarchy? A. File, Database, Record, Field, Characters Module 1 Primer on Information technology, IS Infrastructure & Emerging Technologies 11 B. Database, Record, File, Field, Characters C. Database, File, Record, Field, Characters D. Database, File, Field, Character, Records KEY: C Justification: The sequence of hierarchy from higher to lower levels is clearly as per Option C and the sequence of hierarchy for the other options are, therefore, wrong. 33. What are Characters ? A. Characters are a group of bytes B. Characters are a collection of bits C. Characters are a group of 8 records D. Characters are a group of 16 records KEY: B Justification: Characters are at the lowest in the Data hierarchy and comprise a collection of bits (Option B). The other options are wrong. 34. What are some of the major outcomes of the non-existence of an efficient database ? A. High redundancy and low data integrity B. Improved data sharing C. Reduced dependence between data and application software D. Better linkages between data originating from different sources KEY: A Justification: An efficient data base can reduce redundancy and improve data integrity (option A). The absence of a database will hinder data sharing & increase dependence between data and application software. An efficiently configured database will provide excellent networking of data from different sources. 35. What is a Database Management System? A. A set of pre-loaded data relating to specific industries B. Customer profile data used for managing an organization C. Software for creation, control & manipulation of a database D. Hardware specifically designed to handle databases KEY: C Justification: A database management system is a software which assists in the process of managing a database as brought out in option C. It is not just a set of data or hardware as indicated in the other options. 36. What are the major risks of having a Database management system ? A. Reduced speed of access to records B. High redundancy & duplication Module 1 Primer on Information technology, IS Infrastructure & Emerging Technologies 12 C. Reduced data integrity D. Cost and data security threats KEY: D Justification: The major risks involved are the cost (including time for implementation of a new system) and increased vulnerability owing to centralisation of information as indicated in Option D. Contrary to what is stated in the other options, a database management system improves speed of access to records, reduces redundancy and improves data integrity. 37. Which of the following is the logic typical of a Relational Database Management System ? A. Records have a one to many relationship in parent/child format B. Collection of one or more relations in two dimensional table form C. Records have many-to-many relationship in network form D. Data is organized in a tree structure, in hierarchical format KEY: B Justification: The logic behind RDBMS is in table form with domain & entity constraints which ensure robustness of the system (Option B). The other options relate to the hierarchical and network types of database and are, hence, wrong.. 38. Use of integrity constraints and normalisation is strongly typical of which type of software? A. Relational Database Management System B. Network Database Management System C. Hierarchical Database Management System D. Foxpro, Excel systems of spreadsheet KEY: A Justification: The use of integrity constraints and normalization is typical of RDBMS and not of the other three options. 39. Which of the following defines the logical structure of the database, its relations & constraints ? A. Internal Schema B. External Schema C. Conceptual Schema D. Logic unit in CPU KEY: C Justification: It is the Conceptual Schema which defines the logical structure of the database including its relations and constraints and not the other options indicated. 40. Which of the following is a database language used to define & describe data & relationships ? Module 1 Primer on Information technology, IS Infrastructure & Emerging Technologies 13 A. Data Manipulation Language or DML B. Data Control Language or DCL C. Data Definition Language or DDL D. Excel and Lotus 123 KEY: C Justification: DDL is a collection of instructions and commands used to define and describe data and relationships (Option C). DML, DCL & the spreadsheet softwares are not the appropriate answer. 41. Which of the following are typical features of Data Definition Language? A. Not used by Database administrators or designers B. SQL commands dealing with data C. Generally used by a common user D. Used to define both conceptual & internal schemas KEY: D Justification: DDL is a database language used by administrators and designers to define both conceptual & internal schemas. It does not deal with data but only with the structure. It is generally not used by the common user. Hence, only Option D is correct. 42. Which of the following are typical of Data Manipulation Language ? A. Cannot be used for querying the database B. Used to retrieve, insert, delete or modify data C. SQL commands which do not allow changing of data D. Application software will not be able to access it KEY: B Justification: DML is a database language used to query & manipulate data. Application software are able to meet user needs only by interacting with the DML. Hence, only Option B is correct. 43. What is a Data Dictionary ? A. It provides a definition of terms and data elements B. A dictionary which facilitates conversion of bytes into numbers C. A software which helps convert machine language to English D. A software which helps convert assembly language to English KEY: A Justification: It is the documentation of database providing detailed description of every data in the database. It provides a standard definition of terms and data elements (Option A). The other options are factually wrong.. 44. What are Meta Data ? Module 1 Primer on Information technology, IS Infrastructure & Emerging Technologies 14 A. Metadata refers to data of large sizes, millions, billions, etc. B. Metadata is data about one or more aspects of data C. Metadata is data relating to meteorological parameters D. Metadata is data that is universal to different types of software KEY: B Justification: Metadata is data about data. It covers aspects like meaning, purpose, time & date of creation, etc. of data. Option B, obviously, is the correct choice. The other options are incorrect. 45. Centralised Deployment Strategy involves _______________ A. Centralized database & de-centralized decision making B. De-centralized database and centralized decision making C. Centralized database & centralized decision making D. Multiple server usage KEY: C Justification: Centralized deployment strategy uses a central database with all user communication being directed to it. Decision making, too, therefore, gets centralized as a consequence (Option C). Such a strategy use of a single hardware/software platform & a single server; hence, the other options are not correct. 46. An important drawback of Centralised Deployment Strategy is _________________ A. Vulnerability to single point of failure B. Resource sharing of reduced order C. Poorer economies of scale D. Reduced security KEY: A Justification: Centralized deployment strategy concentrates all its resources at one central point making it vulnerable to total system failure in the event of this central point being compromised in any manner (Option A). Resource sharing, in fact, is a strong plus point for centralised deployment. Similarly, this system has better economies of scale owing to use of large size hardware & larger number of software licences. Since everything is centralized, possibilities of leakages are reduced since the number of exposed points are lesser. Hence, the other options are not correct. 47. An important feature of Decentralized deployment strategy would be _____________ A. Information systems would be more compatible B. Reduced duplication of records, processes C. Business strategy based localisation of database possible D. Adequate centralised control through security implementation KEY: C Module 1 Primer on Information technology, IS Infrastructure & Emerging Technologies 15 Justification: The single major advantage of decentralized deployment strategy is its potential for tweaking the database to suit local requirements (Option C). However, compatibility of information systems may take a hit since multiple versions could be involved depending upon the geographic or business segment- wise spread of the organization. Risk of duplication of records is higher since multiple versions at different locations may be involved. Centralized control and security management would also be to a reduced extent. Hence, the other options are not correct. 48. A key disadvantage of Decentralised Deployment Strategy is ______________ A. Less flexibility to cope with internal/external changes B. Potentially higher CAPEX requirement C. Slower system development D. Information systems could be mutually incompatible KEY: D Justification: A major disadvantage of decentralized deployment strategy is that, with de-centralized decision making, different tailor-made information systems may be created at different locations leading to potential incompatibility (Option D). On the other hand, given their de-centralized structure, they would have greater flexibility to cope with changes and can be developed/implemented quickly. Capex requirement could also be lesser owing ability to carry out changes in phases. Hence, the other options are not correct. 49. The IT components of a Core Banking Solution Data Centre would mainly depend upon ___________ A. Number of employees in the Bank B. Type of services offered, risk management & control requirements C. Annual Business volume D. Nature of software applications used KEY: B Justification: The complexity of services offered including the response time, risk management objectives and control goals would drive the IT components of a CBS Data Centre (Option B). The elements in the other three options would have limited impact on the configuration of the data centre. 50. A near site facility is _______________ A. A data replication facility B. Disaster recovery facility C. Facility for storing data of secondary importance D. Facility for storing employee data alone KEY A Justification Module 1 Primer on Information technology, IS Infrastructure & Emerging Technologies 16 A near-site facility is normally used as a data replication facility only (Option A). It would not be a prudent choice for a disaster recovery facility since, as a proximate location, the probability of its getting exposed to the same geographical risks is very high. In the usual course, no separate facility is created for secondary data or for employee data alone. Hence, the other options are not correct. 51. Configuration Identification involves ________________ A. Identification of all Information Systems components without reference to version B. Identification of software components of Information Systems alone C. Identification of all Information Systems components in a system D. Identification of hardware components of Information Systems alone Key C Justification Configuration identification involves identification of all versions & updates of both software and hardware. This facilitates continuous monitoring during the life cycle of the product & becomes useful at the time of any proposed changes in the components (Option C). Option A is wrong since it ignores the version, which is vital. B and D are incorrect since they are addressing either the software or hardware alone. 52. Hardening of Systems is _____________ A. Use of robust hardware to strengthen the system B. Securely configuring systems to minimize security risks C. Optimising configuration of hardware systems alone D. Auditing configuration of software systems Key B Justification Hardening of systems is the process of securely configuring computer systems to eliminate as many security risks as possible (Option B). It does not refer to use of robust hardware (Option A); nor does it limit itself to hardware alone (Option C) or software alone (Option D). 53. In IT, a network refers to ________________ A. Two or more devices which are able to exchange data between each other B. Two or more computers which are able to exchange data between each other C. Minimum of 8 computers which are able to exchange data between each other D. Several computers separated over a minimum distance of 100 metres from each other KEY A Justification Module 1 Primer on Information technology, IS Infrastructure & Emerging Technologies 17 In IT, a network refers to two or more of any devices which are able to exchange data between each other; it includes devices like printers, computer terminals & other devices of communication (Option A). It is not limited to computers alone (Option B). A network could operate even out of the same building & there is no minimum stipulated distance between the devices (Options C & D) 54. In IT, a node refers to ______________ A. Every junction of cables in a computer network B. Every computer in a computer network C. Each component in a computer network D. Every internet device in a computer network Key C Justification In IT, a node refers to each component in a computer network (Option C). It does not refer to cable junctions (Option A). It is not restricted to computers alone but covers every type of device in the network (Option B). It is not restricted to internet devices in a network (Options D). 55. The main reason for networking computers is _______________ A. Reduce hardware cost B. Reduce software cost C. Resource sharing and communication D. Essentially, to increase speed of computing Key C Justification The main benefit of networking computers is sharing of resources and facilitating communications (Option C). Networking does not have the objective of reducing either hardware or software costs; nor does it have the advantage of improving speed of computing (Options A, B, & D). 56. One major benefit of networking computers is ________________ A. Facilitating user communication B. Compartmentalisation of data C. Reduced computing power D. Reduced software costs KEY A Justification Module 1 Primer on Information technology, IS Infrastructure & Emerging Technologies 18 A. Facilitation of user communication is a major advantage of computer networking (Option A). Networking helps sharing of data and increases availability of computing power. It may not necessarily reduce software costs; in fact, they may increase on account of multiple licences being required for several terminals. Hence, the other options are not correct. 57. Protocol, in IT, is __________________ A. The basis for allotment of new computers B. Arrangement of employee directories C. A set of rules for Communication between systems D. Proper behaviour while using computers Key C Justification Protocol is a set of rules that makes communication possible (Option C). It does not refer to the basis for allotment of new computers, the arrangement of employee directories or behaviour while using computers (Options A,B, & D). 58. Data transmission _____________ A. Can be only through a voltage signal & not through radio or microwave B. Is always digital in nature; one cannot transfer data in analog form C. Ìs the physical transfer of data over a communication channel D. Can happen only through a copper wire or optical fibre Key C Justification Data transmission is the physical transfer of data. It can be through electrical, radio, microwave or infrared signals. It can be over copper wires, optical fibres, wireless channels or through a storage medium. It can be either digital or analog. Hence, only Option C is correct and the other options are wrong. 59. Simplex communication _________________ A. Always involves uni-directional transmission of data B. Can involve uni-directional or multi-dimensional data transmission C. Can handle two-way communication D. facilitates return of error or control signals to the transmitter KEY A Justification Module 1 Primer on Information technology, IS Infrastructure & Emerging Technologies 19 A. In simplex communication data always flows from one node to another it is always uni- directional. It does not involve multi-dimensional transmission of data. It also cannot handle two-way communication or allow sending back of error or control signals to the transmitter. Hence, only Option A is correct & the other options are wrong. 60. Half Duplex communication ________________ A. has capability to send and receive simultaneously B. is cheaper than the Simplex system C. is costlier than the full Duplex system D. has facilities to send and receive but only one operation can be performed at a time Key D Justification Half Duplex communication has the capability to both send and receive but with the restriction that only one activity can be done at a time. It is more expensive than the Simplex system but cheaper than the full Duplex system. Hence, only Option D is correct. 61. Full Duplex communication __________________ A. Cannot handle two way communication B. Is the most expensive method in terms of equipment cost C. Cannot handle simultaneous two way communication D. is cheaper than Simplex communication Key B Justification b. Full Duplex communication has the capability to handle simultaneous two way communication. It is like two Simplex systems put together and, hence, is expensive. Hence, only Option B is correct. 62. Asynchronous transmission ___________________ A. Is a communication technique where signal timing is not used for determining byte boundary B. Does not require start and stop bits that provide byte timing C. Is not suited for applications where messages are generated at irregular intervals D. Is faster since it does not require insertion of start & stop bits into the bit stream KEY A Justification Asynchronous transmission involves the use of start and stop bits that provide byte timing. Hence, signal timing is not important & communication can happen between devices of dissimilar Module 1 Primer on Information technology, IS Infrastructure & Emerging Technologies 20 speed. However, speed is slower owing to the intervening start and stop bits. Hence, only Option A is correct. 63. Synchronous transmission _____________ A. Does not place the responsibility for grouping the bits on the receiver B. Is a communication technique where start and stop bits are not used C. Requires no synchronization between clocks of the sender & receiver D. Is slow and can handle limited data rate Key B Justification Synchronous transmission does away with the use of start and stop bits that provide byte timing. It shifts the responsibility for grouping of the bits to the receiver. It, however, requires synchronization of the clocks between sender and receiver. It is faster than asynchronous transmission and can support high data rates. Hence, only Option B is correct. 64. What are the features of a Local Area Network (LAN) ? A. Connectivity is established only as and when required B. Its security is low and error rates high C. It interconnects devices within a limited geographical area D. Installation and maintenance is cumbersome Key C Justification LANs interconnect devices within a limited geographical area. Connectivity is ongoing and permanent. Its security is high and error rates low. Installation and maintenance are relatively easy. Hence, only Option C is correct. 65. What are the features of a Wide Area Network (LAN) ? A. A W AN comprises interconnected switching nodes covering a wide area B. Connectivity is established on a permanent basis C. WANs use only private networks D. All devices in a WAN will have the same network ID KEY A Justification WANs interconnect devices over a large geographical area using both private and public networks. The connected devices, therefore, could have different network Ids. Connectivity can be on demand or permanent. Hence, only Option A is correct. Module 1 Primer on Information technology, IS Infrastructure & Emerging Technologies 21 66. A key characteristic of a Metropolitan Area Network (MAN) is __________ A. Can provide only for data transmission B. Feasibility to service customers in a large city-wide area C. Can handle only voice & video transmission D. Higher cost than service from telephone company Key B Justification MANs play a role in meeting the growing needs of an organization with lower costs and higher capacity. It can provide for both data and voice transmission. Its cost & efficiency are generally more favourable as compared to telephone company services. Hence, only Option B is correct. 67. Client Server architecture is characterized by ________________ A. Computational & interface-oriented logic are married together B. Client process does not avail services of server C. A dedicated server that provides resources to clients D. Client executes in the same address space as the server Key C Justification Client Server architecture is characterized by a dedicated file server that runs the network, granting other nodes or clients access to resources. The computational and interface-oriented logic are separated rather than the computers themselves. The client executes in a different address space from the server. Hence, only Option C is correct. 68. Peer-to-Peer Networking is characterized by _____________________ A. Sharing of resources without use of a separate server computer B. Need for a network administrator in lieu of the server C. Security and integrity of data is better than in client server configuration D. Horizontal & vertical scalability of architecture feasible KEY A Justification Peer-to-Peer networking involves connection of two or more computers and sharing of resourced without any separate server. All the computers share equal responsibility for processing data. No network administrator is required. Security and integrity of data is more vulnerable as compared to client server architecture. Vertical scalability of architecture is not possible since no server is involved. Hence, only Option A is correct. Module 1 Primer on Information technology, IS Infrastructure & Emerging Technologies 22 69. What are the features of Middleware ? A. They manage all activities except transporting, queuing and scheduling B. They can operate with devices/systems on a single platform alone C. They control communication, leaving authentication/delivery to the server D. They are software that help clients communicate with server applications Key D Justification Middleware are programs which help clients communicate with server applications. They control communication, authentication as well as delivery. They manage transporting, queuing as well as scheduling. They have the capability to work with diverse platforms. Hence, only Option D is correct. 70. What are the features of a co-axial cable? A. The axes of the two conductors in the co-axial cable are different B. It comprises a core conductor enclosed by a plastic cladding, a wire mesh & plastic cladding C. It is easy to install but has high attenuation loss D. It is cheaper than twister pair cables but more expensive than optical fibre cable Key B Justification Co-axial cables consist of a central core conductor surrounded by a plastic cladding, an outer wire mesh and a protective outer plastic cladding. The axis of both the conductors is the same & hence the name co-axial. It is easy to install and has low attenuation loss. It is moderately expensive but cheaper than optical fibre cable. Hence, only Option B is correct. 71. What are the characteristics of a Twisted pair cable ? A. Comprises 2 separate insulated wires in a twisted pattern that run parallel to each other B. Comprises 4 separate insulated wires in a twisted pattern run parallel to each other C. Comprises 2 separate insulated wires in a twisted but non parallel pattern D. It is a form of unguided transmission media KEY A Justification Twisted pair cables consist of 2 separate insulated wires in a twisted pattern run parallel to each other. It is a form of guided transmission media with reduced electro magnetic interference. Option A is the only correct option. Module 1 Primer on Information technology, IS Infrastructure & Emerging Technologies 23 72. What are the characteristics of an Optical Fibre cable ? A. It has high integrity and high attenuation over long distances B. It has lower carrying capacity as compared to metallic conductors C. It has an inner core which works through light based signalling D. It consumes more power since signals degrade faster in the system Key C Justification C. An Optic fibre cable consists of an inner core made of glass/plastic/polymer/acrylic which uses light based signalling. It has high integrity as well as low attenuation over long distances. It has higher carrying capacity & consumer lesser power since signals do not degrade as fast as in other systems. Hence, Option C is the only correct option. 73. Which of the following are un-guided transmission media ? A. Optical Fibre Cables B. Co-axial cables C. Twisted pair cables D. Radio Waves Key D Justification: D. Options A B, C are all instances of guided transmission media wherein data signals are guided through a specific path. Radio waves, on the other hand, are transmitted without any cables & are un-guided. Hence, only Option D is correct. 74. In guided media transmission, signals are propagated through _____________ A. Ground wave propagation B. Various types of cables C. Ionospheric propagation D. Line-of-sight propagation Key B Justification Options A, C and D are all instances of unguided transmission media wherein data signals are not guided through a specific path. Propagation through cables, on the other hand, is a form of guided media transmission wherein the data signals are guided along a specific path through the cable. Hence, only Option B is correct. Module 1 Primer on Information technology, IS Infrastructure & Emerging Technologies 24 75. What is a Hub ? A. It is a hardware device that provides multiport connectivity B. It offers intelligence in interpreting data received by it C. It is a expensive device for transport of data between devices D. Hubs are exclusively passive & cannot do anything with the signal KEY A Justification A hub is a hardware device that contains multiple independent ports matching the cable type. It does not offer any intelligence in dealing with data received by it. However, an active hub can amplify/regenerate incoming signals before onward transmission. It is relatively inexpensive. The correct answer is in Option A. 76. What is a Switch ? A. It does not offer intelligence in interpreting data received by it B. It increases congestion & slows up the network C. It is a special type of hub with additional layer of intelligence which reads the MAC address D. It is a type of network interface card operating without a switching table Key C Justification A switch is a special type of hub with an additional layer of intelligence. It reads the MAC address of each frame received by it and, based upon the switching table, carries out onward transmission to the node to which the frame is addressed. It decreases congestion and speeds up the network. It is not a type of network interface card. The correct answer is in Option C. 77. What are Bridges ? A. Bridges are used to extend or segment networks B. Bridges sit within a segment & manage incoming/outgoing data C. Bridges cannot block or forward the data D. Bridges can forward the data to the relevant address but not block it KEY A Justification bridge is used to extend or segment networks. It sits between two physical segments & manages the flow of data. It can choose to either block or forward the data. The correct answer, hence, is in Option A. 78. What is a typical feature of a Router ? Module 1 Primer on Information technology, IS Infrastructure & Emerging Technologies 25 A. It is a networking device used to forward data packets along networks B. It is always a dedicated hardware device & cannot be a computer C. It copies the packets to all connected destinations without discrimination D. It does not contain any database of network addresses or pathways KEY A Justification A router is a dedicated networking device or computer system with more than one network interface. It is used to forward data packets along networks utilising its database of network addresses and alternate pathways. It selectively forwards data packets to the next hope in the route to the destination. The correct answer, hence, is in Option A. 79. What is a typical feature of a Gateway ? A. It is necessary for connecting networks with identical protocols B. It is a device that translates one data format to another C. It translates both the data format as well as the data itself D. It is used to forward data packets along networks Key B Justification A gateway is a device that translates one data format to another, eg Email gateways. It is useful in connecting networks with different protocols. It does not tinker with the actual data & only translates the data format.. The correct answer is Option B 80. What is typical of Bus topology ? A. Bus topology contains a single hub connecting all nodes B. Connects computers on a single circle of cable C. Computers are connected on a single backbone cable D. In this system, every node is connected to every other node Key C Justification In Bus topology, all the computers in the network are connected on a single backbone cable. All the computers in the network receive incoming messages from any other computer; however, only the intended recipient accepts and processes the message. It is not on a single hub or circle of cable and each of the nodes are not connected to each other. The correct answer is Option C. 81. What is typical of Star topology ? A. Contains a central hub or switch to which each node is connected Module 1 Primer on Information technology, IS Infrastructure & Emerging Technologies 26 B. All the computers are connected to a single backbone hub C. Connects computers on a single circle of cable D. In this system, every node is directly connected to every other node KEY A Justification Star topology comprises a system of a central hub or switch to which each node is connected. Separate cables are drawn from each and every node to the central hub. It does not involve a single backbone hub or a single circle of cable. Every node is connected to the central hub or switch and not to each other. The correct answer, therefore, is Option A. 82. What are the features of Ring topology ? A. All the computers are connected to a single backbone hub B. Connects computers to a central hub or switch C. In this system, every node is directly connected to every other node D. It connects computers on a single ring of cable Key D Justification D. In star topology, every computer is connected to two other neighbours for communication. Messages travel uni-directionally, either clockwise or anti-clockwise. It does not involve use of a single backbone hub or a central hub/switch. The correct answer, therefore, is Option D. 83. What are the features of Mesh topology ? A. All the computers are connected to a single backbone hub B. Involves physical connection of every node with every other node C. Connects computers to a central hub or switch D. Ideally suited for systems with need for low degree of fault tolerance Key B Justification This involves physical connection of every node with every other node. It is rather complex and requires maximum number of cables. However, it is ideally suited for large telecommunication companies or an internet service provider who cannot afford to have a high degree of fault tolerance. It is not connected to a single backbone or hub/switch. The correct answer, therefore, is Option B. 84. What are the features of Circuit switching ? A. Involves temporary connection between 2 devices for transmission duration Module 1 Primer on Information technology, IS Infrastructure & Emerging Technologies 27 B. Signal transmission can commence even without end-to-end connection establishment C. Data transfer can be only through binary data & not through analog/digital voice D. Special training/protocol required to handle data traffic KEY A Justification Circuit switching is a type of communication when temporary physical connection is established between 2 devices for the duration of the transmission session. Signal transmission can commence only after establishment of end-to-end connection. Information transfer can be through binary data as well as analog/digitabl voice. No special training/protocol is required. The correct answer, therefore, is Option A. 85. What are the features of Packet switching ? A. Requires point-to-point connection establishment for transmission B. It breaks up a message into smaller packets for transmission C. Packets in each message need to travel in the same path & sequence D. Since sequential transmission happens, destination devices need not reassemble them Key B Justification Packet switching involves the breaking up of a message into smaller packets for transmission session. Since each packet has the destination address, packets need not travel in the same path or sequence; the destination device reassembles them into proper sequence. The correct answer, therefore, is Option B. 86. What are the features of Message switching ? A. Data is stored at switching point & sent forward whenever pathway is available B. Data is not stored at switching points & transmitted continuously C. Data is transmitted in packets transmitted in the same path & sequence D. Physical path establishment is a pre-requisite to transmission KEY A Justification Message switching or store-and-forward switching involves accumulation of data at switching points and onward transmission as and when pathway is available. No physical path is established in advance between the sender and the receiver. Data is not transmitted in packets. The correct answer, therefore, is Option A. 87. What is multiplexing ? A. Permits sequential transmission of multiple signals on a single carrier Module 1 Primer on Information technology, IS Infrastructure & Emerging Technologies 28 B. Facilitates transmission of signals in sequence, one at a time C. It is the simultaneous transmission of multiple signals on a single carrier D. Refers to simultaneous transmission of multiple signals on multiple carriers Key C Justification Multiplexing refers to simultaneous transmission of multiple signals on a single carrier (Option C). The other options are factually incorrect. 88. Frequency division multiplexing involves _________ A. Assigning non-overlapping frequency ranges to different signals/users B. Assigning overlapping frequency ranges to different signals/users C. Assigning non-overlapping frequency ranges to a single signal/user D. Use of digital technology when the link bandwidth is greater than sum of signal bandwidths KEY A Justification FDM assigns non-overlapping frequency ranges to different signals/users. It is an analog technique that can be applied when the bandwidth of the link is greater than the combined bandwidth of the signals to be transmitted. Hence, only Option A is correct . 89. Time Division Multiplexing involves ________________ A. Primarily analog technology in which several signals/bitstreams are transferred apparently simultaneously B. Combination of analog & digital technology in which several signal/ bitstreams are transferred simultaneously C. Solely analog technology in which several signals/bitstreams are transferred simultaneously D. Division of time domain into several concurrent time slots of fixed length, one for each sub- channel Key D Justification TDM involves a type of digital technology (rarely analog) in which several signals/bitstreams are transferred apparently simultaneously. In actual practice, however, it uses sub channels & each signal takes turns on the channel . Hence, only Option D is correct 90. Wavelength Division Multiplexing is _____________ A. Conceptually similar to Time Division Multiplexing but using various wavelengths of light Module 1 Primer on Information technology, IS Infrastructure & Emerging Technologies 29 B. Conceptually similar to Frequency Division Multiplexing but uses a single wavelength of light C. Conceptually similar to Frequency Division Multiplexing but using various wavelengths of light D. Conceptually similar to Time Division Multiplexing and uses a single wavelength of light Key C Justification C. WDM is conceptually like FDM and which multiplexes multiple optical carrier signals on a single optical fibre by using different wavelengths of laser light. Hence, only Option C is correct 91. Connection oriented networking involves ________________ A. Transmission of data prior to establishment of connection B. Establishment of connection prior to data exchange C. Simultaneous establishment of connection & data exchange D. Networking arrangements based upon priority of connection nodes Key B Justification Connection oriented networking involves establishment of connection prior to data exchange. The other options are factually incorrect and, hence, only Option B is correct 92. Connection less networking involves ______________ A. Data is exchanged without any prior establishment of connection B. Transmission of data after establishment of connection C. Simultaneous establishment of connection & data exchange D. Exchanged data has no contact information of recipient KEY A Justification Connectionless networking involves data exchange without any prior establishment of connection. The exchanged data has complete contact information of recipient. The other options are factually incorrect and, hence, only Option A is correct 93. Hardware __________________ A. Includes the physical computer as well as all the software loaded on to it B. Includes the physical computer as well as the operating system loaded on it C. Refers to the tangible portion of a computer D. Comprises the cables, the pipes, etc. which carry information in and out of the computer Module 1 Primer on Information technology, IS Infrastructure & Emerging Technologies 30 Key C Justification As defined clearly in paragraph 1.2.6. Hardware does not include the software loaded on to a computer. It also excludes the operating system, which itself is a piece of software. It is definitely not the cables, pipes, etc. Hence, A,B & D are clearly wrong answers which have no relation to the definition in paragraph 1.2.6 94. Input devices include ______________ A. Printer B. Cathode ray tube or monitor C. Keyboard D. Speaker Key C Justification As defined clearly in paragraph 1.3.1, a keyboard helps input information into the computer The other devices falling under Options A B & D are all instances of output devices. . Hence, A B & D are clearly wrong answers. 95. Output devices include __________ A. Liquid Crystal Display B. Microphone C. Keyboard D. Mouse KEY A Justification As defined clearly in paragraph 1.3.1, a liquid crystal display is a monitor for display or output of information from the computer. Hence it is an output device The other devices falling under Options B to D are all instances of input devices. . Hence, B,C & D are clearly wrong answers. 96. The Arithmetical & Logical unit of the CPU _________________ A. Can also be Accumulators B. Performs mathematical & logical operations C. Can also be Address Registers D. Controls flow of data & instructions to and from memory Module 1 Primer on Information technology, IS Infrastructure & Emerging Technologies 31 Key B Justification As defined clearly in paragraph 1.3.2, The Arithmetic and Logical Control unit performs mathematical and logical operations. The arithmetic & logic unit cannot be called accumulators or address registers. It also does not control flow of data and instructions. Hence, A,C & D are clearly wrong answers. 97. Storage Registers _____________ A. Can store memory addresses that tell the CPU where in memory an instruction is located B. Can keep running totals of arithmetic values C. Can temporarily store data coming from or being sent to system memory D. Can help move data from one location in the computer to another Key C Justification As defined clearly in paragraph 1.3.2, Storage Registers can temporarily store data coming from or being sent to system memory. Storage Registers do not store memory addresses; this function is carried out by address registers. Arithmetic and logical operations are handled by the Arithmetic & Logical unit of the computer and not the storage register. Lastly, only buses move data from one location of the computer to another. Hence, A, B, & D are clearly wrong answers. 98. Open Systems Interconnection (OSI)_______________ A. Deals with interconnection of Open systems software B. Is effective in dealing with Open-source software C. Deals with communication process without truncation in managing internetwork D. Splits communication process to small portions in managing internetwork Key D Justification Open Systems Interconnection of OSI is a model which enables integration of various technologies & provides solutions for managing the internetwork environment. It does this by splitting communication processes into small portions. It has nothing to do with Open systems or Open-source software. Hence, only Option D is correct. 99. What is ARPANET ? A. Network of computers in Arabia & Pakistan B. New cloud computing network being set up by the U.S. Module 1 Primer on Information technology, IS Infrastructure & Emerging Technologies 32 C. Computer network set up under auspices of U.S. dept. Of Defence in 1969 D. Network of the Association of Resource Planners Key C Justification ARPANET is a network of computers set up under the auspices of the U.S. dept. Of Defence in 1969 and a precursor to the internet. The answers in options A, B, and D are imaginary & incorrect. Hence, only Option C is correct. 100. The suite of network protocol TCP/ IP evolved from _______________ A. Conventions developed by ARPA B. Pioneering work & norm developed by Intel C. International conference of global IT experts D. Norms developed by Indian IT developers KEY A Justification The suite of TCP/IP protocol evolved from the conventions developed by ARPANET to specify how individual computers could communicate across a network. The answers in options B, C & D are all imaginary and incorrect. Hence, only Option A is correct. 101. Which international body takes a lead role in developing common protocols for the World Wide Web to promote its evolution and ensure its inter-operability ? A. The Internet Society (ISOC) B. The Internet Architecture Board C. World Wide Web Consortium (W3C) D. The Internet Engineering Task Force (IETF) Key C Justification It is the W 3C which handles the role indicated in the question above. The organizations mentioned in the other options handle other responsibilities connected to the internet. Hence, only Option C is correct. 102. Which international body handles governance of generic Top Level Domain (gTLD) & other related responsibilities ? A. The Internet Corporation for Assigned Names and Numbers (ICANN) Module 1 Primer on Information technology, IS Infrastructure & Emerging Technologies 33 B. World Wide Web Consortium (W3C) C. The Internet Society (ISOC) D. The Internet Architecture Board (IAB) KEY A Justification It is the ICANN which handles the role indicated in the question above. The organizations mentioned in the other options handle other responsibilities connected to the internet. Hence, only Option A is correct. 103. Which international body bears the responsibility for technical activities of the Internet, including writing specifications & protocols ? A. World Wide Web Consortium (W3C) B. The Internet Society (ISOC) C. The Internet Engineering Task Force (IETF) D. The Internet Architecture Board (IAB) Key C Justification It is the IETF which handles the role indicated in the question above. The organizations mentioned in the other options handle other responsibilities connected to the internet. Hence, only Option C is correct. 104. Networking Protocol ______________ A. Is a set of rules that governs what, how and when data is communicated over a network B. Is the set of international norms laid down for country priority in communication over a network C. Is the set of international norms laid down for voice data communication alone D. Is the set of international norms laid down for use of hardware in a network KEY A Justification Networking protocol is the set of rules that governs what, how and when data is communicated over a network. The protocol does not prescribe any country priority for network communication. Its coverage is not exclusive to voice data alone. It does not apply to usage of hardware in a network. Hence, only Option A is correct. Module 1 Primer on Information technology, IS Infrastructure & Emerging Technologies 34 105. Syntax in Protocol represents __________ A. How data is communicated B. When data is communicated C. What is communicated D. What, When & How data is communicated Key C Justification Syntax represents only What is communicated. There are other terms which represent the How and the When of data communication. Hence, only Option C is correct. 106. Semantics in Protocol represents ________________ A. What is communicated B. When data is communicated C. What, When & How data is communicated D. How data is communicated Key D Justification Semantics represents only How data is communicated. There are other terms which represent the What and the When of data communication. Hence, only Option D is correct. 107. Timing in Protocol represents _______________ A. When data is transmitted but not how fast B. The global time zones when data can be transmitted C. When data is communicated & how fast D. What, When & How data is communicated Key C Justification Timing in Protocol represents How data is communicated & how fast. There are other terms which represent the What and the When of data communication. Hence, only Option C is correct. 108. The Open System Interaction (OSI) reference model ________________ A. Makes inter-operability across heterogeneous technology environments possible Module 1 Primer on Information technology, IS Infrastructure & Emerging Technologies 35 B. Is a 5 layered model, each specifying particular network functions C. Is a 9 layered model, each specifying particular network functions D. Has layers which are not self-contained & hence, dependent upon other layers KEY A Justification The OSI model describes how information from a software application in one computer moves through a network medium to a software application in another computer. W hen messages are sent across heterogeneous networks with a large variety of hardware technologies, networking devices and protocols, etc, OSI makes inter-operability across these differing environments possible. It is a 7 layered model which are quite independent and self contained. Hence, only Option A is correct. 109. In an OSI model, interfaces _______________ A. Describe (horizontal) communication between adjacent layers B. Describe (vertical) communication between any two layers C. Describe (horizontal) communication between any two layers D. Describe (vertical) communication between adjacent layers Key D Justification In an OSI model, interfaces describe (vertical) communication between adjacent layers. The answers falling in options A to C are factually incorrect. Hence, only Option D is correct. 110. In an OSI model, protocols _____________ A. Describe (vertical) communication between adjacent layers B. Describe (vertical) communication between any two layers C. Describe (horizontal) communication between layers D. Describe (horizontal & vertical) communication between adjacent layers Key C Justification In an OSI model, protocols describe (horizontal) communication between layers. The answers falling in options A, B and D are factually incorrect & only Option C is correct. 111. The sequence of layers in a typical OSI model is ____________ A. Application, Presentation, Session, Transport, Network, Data link, Physical Module 1 Primer on Information technology, IS Infrastructure & Emerging Technologies 36 B. Application, Presentation, Session, Transport, Network, Data link, Application C. Application, Presentation, Session, Transport, Network, Presentation, Application D. Physical, Application, Presentation, Session, Transport, Network, Application, Physical KEY A Justification In an OSI model, the sequence of layers is as in Option A. The answers falling in options B to D are factually incorrect & only Option A is correct. 112. TCP/IP protocol suite is a bundle of protocols that area segmented into __________ A. Five layers B. Seven layers C. Nine layers D. Six layers KEY A Justification TCP/IP protocol is segmented into Five layers & only Option A is correct. 113. The sequence of layers in a typical TCP/IP protocol suite is __________ A. Application, Presentation, Session, Transport, Network, Data link, Application B. Application, Presentation, Session, Transport, Network, Data Link, Physical C. Application, Transport, Internet, Data link, Physical D. Physical, Application, Presentation, Session, Transport, Network, Physical Key C Justification TCP/IP protocol is segmented into five layers, sequenced as shown in Option C. The answers falling in options A B and D are factually incorrect & only Option C is correct. 114. The protocol typically used for web browsing is _____________ A. Simple Mail Transfer Protocol B. Hyper Text Transfer Protocol C. Simple Network Management Protocol D. Domain Name System Module 1 Primer on Information technology, IS Infrastructure & Emerging Technologies 37 Key B Justification The protocol used for web browsing is HTTP and not the protocols indicated in Options A, C and D. Only Option B is correct. 115. The protocol typically used for sending messages to other computer users based on email addresses is _____________ A. Hyper Text Transfer Protocol B. Simple Network Management Protocol C. Simple Mail Transfer Protocol D. Domain Name System Key C Justification The protocol used for sending messages to other computers using email addresses is SMTP and not the protocols indicated in Options A B and D. Only Option C is correct. 116. The protocol typically used for logging on to a remote server is ___________ A. Terminal Network or TELNET protocol B. Simple Mail Transfer Protocol C. Hyper Text Transfer Protocol D. Domain Name System KEY A Justification The protocol used for logging on to a remote server is TELNET and not the protocols indicated in Options B to D. Only Option A is correct. 117. The protocol typically used for transferring files from one computer to another is _______________ A. Terminal Network or TELNET protocol B. File Transfer Protocol C. Simple Mail Transfer Protocol D. Hyper Text Transfer Protocol Module 1 Primer on Information technology, IS Infrastructure & Emerging Technologies 38 Key B Justification The protocol used for transferring files from one computer to another is FTP and not the protocols indicated in Options A C and D.. Only Option B is correct. 118. The protocol that allows images, audio & non-ASCII formats to be included in email messages is __________________ A. Post Office Protocol B. Internet Message Access Protocol C. Hyper Text Transfer Protocol D. Multipurpose Internet Mail Extensions Key D Justification The protocol that allows images, audio & non-ASCII formats to be included in email messages is MIME. The other protocols indicated in Options A B and C are not appropriate. Only Option D is correct. 119. One type of protocol used for retrieving email is ______________ A. Multipurpose Internet Mail Extensions B. Hyper Text Transfer Protocol C. Post Office Protocol D. Internet Message Access Protocol Key C Justification One type of protocol used for retrieving email is POP. The other protocols indicated in Options A B and D are not appropriate. Only Option C is correct. 120. One typical characteristic of Transmission Control Protocol is _______________ A. It is not responsible for recovery of packets lost during transmission B. It is not responsible for re-assembling the message at the other end C. It is responsible for recovery of packets lost during transmission D. It is not responsible for re-sending anything that is lost in transit Module 1 Primer on Information technology, IS Infrastructure & Emerging Technologies 39 Key C Justification TCP is responsible for recovery of packets lost during transmission as mentioned in Option C. The choices in other options are factually incorrect. Only Option C is correct 121. Positive Acknowledgement with Re-transmission (PAR), the mechanism that sends data to a recipient repeatedly till it receives a Data OK signal, is an inherent part of _____________ A. Transmission Control Protocol B. Internet Message Access Protocol C. Simple Mail Transfer Protocol D. Terminal Network Protocol KEY A Justification PAR is an inherent part of TCP and not the other protocols indicated in Options B to D. Hence, only Option A is correct. 122. The objective of Network Layer is _______________ A. To provide security by building in fail-safe protection B. To decide which physical path the information should follow from source to destination C. Accelerate the flow of data through encryption D. To validate the data & ensure delivery is completed without errors Key B Justification The objective of Network Layer is to decide which physical path the information should follow from source to destination. The answers given in the other options A, C and D are not correct. Hence, only Option B is correct. 123. What is Internet Control Message Protocol (ICMP) ? A. A mechanism to ascertain the IP address given a physical address (MAC) B. A method of ascertaining the physical address (MAC), given the IP address C. A mechanism to send notification of datagram problems back to sender D. A system by which new internet IP addresses can be created Module 1 Primer on Information technology, IS Infrastructure & Emerging Technologies 40 Key C Justification ICMP is a mechanism to send notification of datagram problems back to sender. It cannot help locate the IP address or physical address, given the other element. Nor can it help create new IP addresses. Hence, only Option C is correct 124. What is Address Resolution Protocol (ARP) ? A. A method of ascertaining the physical address (MAC), given the IP address B. A mechanism to ascertain the IP address given a physical address (MAC) C. A mechanism to send notification of datagram problems back to sender D. A system by which new internet IP addresses can be created KEY A Justification ARP is a method of ascertaining the physical address (MAC), given the IP address. It cannot help locate the IP address given a physical address. It is also not a mechanism to send notification of datagram problems back to sender. Nor can it help create new IP addresses. Hence, only Option A is correct. 125. What is Reverse Address Resolution Protocol (RARP) ? A. A mechanism to ascertain the physical address (MAC), given an IP address B. A mechanism to send notification of datagram problems back to sender C. A method of ascertaining the IP address, given the physical address (MAC) D. A system by which new internet IP addresses can be created Key C Justification RARP is a method of ascertaining the IP address, given the physical address (MAC). It cannot help locate the physical address given an IP address. It is also not a mechanism to send notification of datagram problems back to sender. Nor can it help create new IP addresses. Hence, only Option C is correct. 126. The protocol data unit for Transport layer of TCP/IP is called __________ A. A Segment B. A Packet C. A Frame D. A Bit Module 1 Primer on Information technology, IS Infrastructure & Emerging Technologies 41 KEY A Justification The protocol data unit for Transport Layer of TCP/IP is called a Segment; the others refer to names used for other layers. Hence, only Option A is correct. 127. The protocol data unit for Network Layer of TCP/IP is called ___________ A. A Segment B. A Bit C. A Packet D. A Frame Key C Justification The protocol data unit for Network Layer of TCP/IP is called a Packet; the others refer to names used for other layers. Hence, only Option C is correct. 128. The protocol data unit for Data Link Layer of TCP/IP is called _____________ A. A Segment B. A Frame C. A Packet D. A Bit Key B Justification The protocol data unit for Data Link Layer of TCP/IP is called a Frame; the others refer to names used for other layers. Hence, only Option B is correct. 129. The protocol data unit for Physical Layer of TCP/IP is called ? A. A Packet B. A Frame C. A Bit D. A Segment Key C Module 1 Primer on Information technology, IS Infrastructure & Emerging Technologies 42 Justification The protocol data unit for Physical Layer of TCP/IP is called a Bit; the others refer to names used for other layers. Hence, only Option C is correct. 130. The Data Link Layer ____________ A. Performs the task of delivery over local networks and error detection B. Enables us to find the best way from origin to destination C. Runs application to access other layers’ services & defines protocols D. Provides the path through which data moves among network devices KEY A Justification The Data Link Layer performs the task of delivery over local networks and error detection. The other options refer to functions of other layers of TCP/IP protocol. Hence, only Option A is correct. 131. The Application Layer __________ A. Performs the task of delivery over local networks and error detection B. Provides the path through which data moves among network devices C. Runs application to access other layers’ services & defines protocols D. Enables us to find the best way from origin to destination Key C Justification The Application Layer runs various applications which provide them the ability to access the services of the other layers and define the protocols that applications use to exchange data. The other options refer to functions of other layers of TCP/IP protocol. Hence, only Option C is correct. 132. The Cyclic Redundancy Check ________________ A. Is a check conducted by Application Layer B. Is a check carried out by the Physical Layer on each stream of bits C. Is a calculated value of the Data Link Layer for error detection D. Is a check carried out by the Network Layer to identify the shortest route Key C Module 1 Primer on Information technology, IS Infrastructure & Emerging Technologies 43 Justification The Cyclic Redundancy Check is a calculated value that is place in the Data Link trailer that is added to the message frame. It helps detect errors. The information given in the other options A B and D are incorrect. Hence, only Option C is correct. 133. One characteristic of the Physical Layer of TCP/IP is ___________ A. The sender and receiver need not be synchronized at the bit level B. It deals in zeroes and ones and voltages C. The bits need not be encoded into electrical/optical signals for purposes of transmission D. Its data unit is called a segment Key B Justification The Physical Layer deals in zeroes and ones and voltages. The sender and receiver need to be synchronized at the bit level. The bits themselves need to be encoded as electrical or optical signals before transmission. Its data unit is called a bit. Hence, only Option B is correct. 134. Wi-Fi ____________ A. Is a wireless networking technology that uses radio waves B. Has typical access range of about 130 metres C. Can handle internet connectivity but not to other networks D. Is a networking technology that requires physical cable connections KEY A Justification Wi-Fi is a wireless networking technology using radio waves that can handle both internet and other network connections. The typical range of Wi-Fi is about 32 metres. Being a wireless facility, it does not require any physical cabling for access. Hence, only Option A is correct. 135. Bluetooth Technology ______________ A. Has typical access range of about 200 metres B. Can handle data but not voice transmission C. Aims at unifying different platforms & devices D. Has a major drawback, that of data security Module 1 Primer on Information technology, IS Infrastructure & Emerging Technologies 44 Key C Justification Bluetooth technology, a wireless technology for exchange of data over short distances, aims at unifying different platforms and devices. It has a typical range of about 50 metres. Both data as well as voice can be transmitted through it. Data security is fairly good. Hence, only Option C is correct. 136. An IP Network ____________ A. Uses Internet Protocol to send/receive messages between computers B. Can be implemented only in internet networks C. Can operate even in the absence of an IP address D. Is designed to function effectively without configuration of the hosts with the TCP/IP suite KEY A Justification An IP Network uses Inter Protocol to send/receive messages between two or more computers. It can be implemented over internet networks, LAN & enterprise networks. Its fundamental pre- requisites are the need for an IP address to identify the host as also configuration of the host with the TCP/IP suite. Hence, only Option A is correct. 137. IP Addresses _____________ A. Are allocated to computer servers alone on the network B. Are allocated to client devices alone on the network C. Are given by IP Addressing Scheme for identifying hosts D. For the destination host alone are contained in every IP packet Key C Justification IP addresses are, indeed allocated by the IP Addressing Scheme for every host, whether client, server or network device. W hile transmitting messages, each IP packet contains both the source host IP address as well as the destination host IP address. Hence, only Option C is correct. 138. IP Version 4 ________________ A. Is an address which is 8-bits in length B. Is an address which is 32-bits in length C. Is an address which is 16-bits in length Module 1 Primer on Information technology, IS Infrastructure & Emerging Technologies 45 D. Varies in address length depending upon the message Key B Justification IP Version 4 addresses are invariably of 32-bit length; the choices given in Options A C & D are incorrect. Hence, only Option B is correct. 139. IP Version 4 is written in the form of ______________ A. 32 bytes separated by dots B. 16 bytes separated by dots C. 4 Octets or bytes separated by dots D. 4 bits separated by dots Key C Justification IP Version 4 is written in the form of 4 Octets or bytes separated by dots. The choices in options A B and D are erroneous. Hence, only Option C is correct. 140. An IP Version 4 address can have a value from _____________ A. to 11111111.11111111.11111111.11111111 B. to 99999999.99999999.99999999.99999999 C. to 88888888.88888888.88888888.88888888 D. to 32000000.32000000.32000000.32000000 KEY A Justification An IP Version 4 can have a value from 00000000.00000000.00000000.00000000 to 11111111.11111111.11111111.11111111 since each bit is binary and can take either a 0 or 1 value. All the other choices from B to D above are incorrect. Only option A is correct. 141. Each Octet in an IP Version 4 address ____________ A. Could have as many as 32 values B. Could have as many as 1 billion values C. Could have only two values 0 or 1 D. Could have as many as 256 values Module 1 Primer on Information technology, IS Infrastructure & Emerging Technologies 46 Key D Justification Each Octet in an IP Version 4 address could have a value ranging from 0000 to 1111 or 0 to 255 in binary language. Thus 256 values in total are possible. Hence, only Option D is correct. 142. A Network IP has ______________ A. All zeros in the host bit B. All ones in the network bit C. All zeros in the network bit D. All ones in the host bit KEY A Justification A Network IP has all zeros in the host bit whereas a Broadcast IP has all ones in the host bit. Hence, only Option A is correct. 143. A Broadcast IP has ___________ A. All zeros in the network bit B. All ones in the host bit C. All ones in the network bit D. All zeros in the host bit Key B Justification A Broadcast IP has all ones in the host bit whereas a Network IP has all zeros in the host bit. Hence, only Option B is correct. 144. The objective of the IP Classful Addressing Scheme is _____________ A. To Designate separate classes based upon software used B. Designate separate classes based upon geographical location C. Designate separate classes based upon year of allocation D. improve efficiency in address allocation Key D Justification Module 1 Primer on Information technology, IS Infrastructure & Emerging Technologies 47 The purpose of the IP Classful Addressing Scheme is to improve efficiency in address allocation. It has nothing to do with discrimination based upon software, geographical location or timing of allocation. Hence, only Option D is correct. 145. The Octet decimal range of Class A of the IP Classful Addressing Scheme is _____________ A. 1 to 126 B. 0 to 126 C. 155 to 201 D. 224 to 239 KEY A Justification The Octet decimal range of Class A of the IP Classful Addressing Scheme is 1 to 126 as indicated in Option A. The other options are neither of Class A nor of the other major classes of the addressing scheme and are, hence, wrong. 146. The Octet decimal range of Class B of the IP Classful Addressing Scheme is ______________ A. 138 to 191 B. 201 to 239 C. 128 to 191 D. 205 to 255 Key C Justification The Octet decimal range of Class B of the IP Classful Addressing Scheme is 128 to 191 as indicated in Option C. The other options are neither of Class B nor of the other major classes of the addressing scheme and are, hence, wrong. 147. The Octet decimal range of Class C of the IP Classful Addressing Scheme is _______ A. 201 to 223 B. 1 to 126 C. 205 to 255 Module 1 Primer on Information technology, IS Infrastructure & Emerging Technologies 48 D. 192 to 223 Key D Justification The Octet decimal range of Class C of the IP Classful Addressing Scheme is 192 to 223 as indicated in Option D. The other options are neither of Class C nor of the other major classes of the addressing scheme and are, hence, wrong. 148. The Octet decimal range of Class D of the IP Classful Addressing Scheme is ____________ A. 224 to 239 B. 201 to 239 C. 1 to 126 D. 205 to 255 KEY A Justification The Octet decimal range of Class D of the IP Classful Addressing Scheme is 224 to 239 as indicated in Option A. The other options are neither of Class D nor of the other major classes of the addressing scheme and are, hence, wrong. 149. The Octet decimal range of Class E of the IP Classful Addressing Scheme is ____________ A. 240 to 256 B. 240 to 254 C. 1 to 126 D. 205 to 255 Key B Justification The Octet decimal range of Class E of the IP Classful Addressing Scheme is 240 to 254 as indicated in Option B. The other options are neither of Class E nor of the other major classes of the addressing scheme and are, hence, wrong. 150. The Higher Order bit in the first Octet of Class A of the IP Classful Addressing Scheme is _______________ Module 1 Primer on Information technology, IS Infrastructure & Emerging Technologies 49 A. 0000 B. 1 C. 1111 D. 0 Key D Justification The higher order bit in the first Octet of Class A of the IP Classful Addressing Scheme is 0 as shown in Option D. The other options are not true. 151. The Higher Order bit in the first Octet of Class B of the IP Classful Addressing Scheme is ______________ A. 110 B. 11 C. 10 D. 1111 Key C Justification The higher order bit in the first Octet of Class B of the IP Classful Addressing Scheme is 10 as shown in Option C. The other options are not true. 152. The Higher Order bit in the first Octet of Class C of the IP Classful Addressing Scheme is _____________________ A. 110 B. 30 C. 111 D. 1111 KEY A Justification The higher order bit in the first Octet of Class C of the IP Classful Addressing Scheme is 110 as shown in Option A. The other options are not true. 153. The Higher Order bit in the first Octet of Class D of the IP Classful Addressing Scheme is ___________________ Module 1 Primer on Information technology, IS Infrastructure & Emerging Technologies 50 A. 9999 B. 111 C. 1110 D. 1111 Key C Justification The higher order bit in the first Octet of Class D of the IP Classful Addressing Scheme is 1110 as shown in Option C. The other options are not true. 154. The Higher Order bit in the first Octet of Class E of the IP Classful Addressing Scheme is ___________________ A. 9999 B. 1111 C. 1110 D. 1010 Key B Justification The higher order bit in the first Octet of Class E of the IP Classful Addressing Scheme is 1111 as shown in Option B. The other options are not true. 155. The Network (N)/Host (H) id of Class A of the IP Classful Addressing Scheme is __________________ A. N.H.H.H B. H.N.N.N C. N.N.H.H. D. H.H.N.N KEY A Justification The Network (N)/Host (H) id of Class A of the IP Classful Addressing Scheme is N.H.H.H as indicated in Option A. The other options are not true. Module 1 Primer on Information technology, IS Infrastructure & Emerging Technologies 51 156. The Network (N)/Host (H) id of Class B of the IP Classful Addressing Scheme is _________________ A. H.N.N.N B. N.H.H.H. C. H.H.N.N D. N.N.H.H Key D Justification The Network (N)/Host (H) id of Class B of the IP Classful Addressing Scheme is N.N.H.H as indicated in Option D. The other options are not true. 157. The Network (N)/Host (H) id of Class C of the IP Classful Addressing Scheme is _________________ A. H.H.H.N B. N.N.N.H C. N.H.H.H. D. H.H.N.N Key B Justification The Network (N)/Host (H) id of Class C of the IP Classful Addressing Scheme is N.N.N.H as indicated in Option B. The other options are not true. 158. The default sub-net mask of Class A of the IP Classful Addressing Scheme is _________________ A. H.H.H.N B. N.H.H.H. C. 255.255.0.0 D. 255.0.0.0 Key D Justification: The default sub-net mask of Class A of the IP Classful Addressing Scheme is 255.0.0.0 as indicated in Option D. The other options are not true. Module 1 Primer on Information technology, IS Infrastructure & Emerging Technologies 52 159. The default sub-net mask of Class B of the IP Classful Addressing Scheme is __________________ A. 255.255.0.0 B. H.H.H.N C. N.H.H.H. D. 255.255.255.0 KEY A Justification The default sub-net mask of Class B of the IP Classful Addressing Scheme is 255.255.0.0 as indicated in Option A. The other options are not true. 160. The default sub-net mask of Class C of the IP Classful Addressing Scheme is _____________ A. 255.255.0.0 B. N.H.H.H. C. 255.255.255.0 D. 256.256.256.0 Key C Justification The default sub-net mask of Class C of the IP Classful Addressing Scheme is 255.255.255.0 as indicated in Option C The other options are not true. 161. The number of networks that can be accommodated in Class A of the IP Classful Addressing Scheme is __________________ A. 255 B. 1 million C. 365 D. 126 Key D Justification The number of networks that can be accommodated in Class A of the IP Classful Addressing Scheme is 126 as indicated in Option D. The figures given in the other options are not true. Module 1 Primer on Information technology, IS Infrastructure & Emerging Technologies 53 162. The number of networks that can be accommodated in Class B of the IP Classful Addressing Scheme is ____________ A. 16,382 B. 126 C. 1 million D. 255 KEY A Justification The number of networks that can be accommodated in Class B of the IP Classful Addressing Scheme is 16,382 as indicated in Option A. The figures given in the other options are not true. 163. The number of networks that can be accommodated in Class C of the IP Classful Addressing Scheme is _____________ A. 16382 B. 1 million C. 20,97,150 D. 255 Key C Justification The number of networks that can be accommodated in Class C of the IP Classful Addressing Scheme is 20,97,150 as indicated in Option C. The figures given in the other options are not true. 164. The number of hosts per network (usable addresses) that can be accommodated in Class A of the IP Classful Addressing Scheme is ______________ A. (224 -2) or 1,67,77,214 B. (210-2) or 1022 C. 126 D. 255 KEY A Justification The number of hosts per network that can be accommodated in Class A of the IP Classful Addressing Scheme is (224-2) or 1,67,77,214 as indicated in Option A. The figures given in the other options are not true. 165. The number of hosts per network (usable addresses) that can be accommodated in Class B of the IP Classful Addressing Scheme is _____________ Module 1 Primer on Information technology, IS Infrastructure & Emerging Technologies 54 A. 126 B. 256 C. (224 -2) or 1,67,77,214 D. (216-2) or 65,534 Key D Justification The number of hosts per network that can be accommodated in Class B of the IP Classful Addressing Scheme is (216-2) or 65,534 as indicated in Option D. The figures given in the other options are not true. 166. The number of hosts per network (usable addresses) that can be accommodated in Class C of the IP Classful Addressing Scheme is _______________ A. 126 B. (216-2) or 65,534 C. (28-2) or 254 D. (224 -2) or 1,67,77,214 Key C Justification The number of hosts per network that can be accommodated in Class C of the IP Classful Addressing Scheme is (28-2) or 254 as indicated in Option C. The figures given in the other options are not true. 167. In IP Addressing, Unicast addressing mode involves ______________ A. Sending of data only to one destined host B. Sending of data universally to all hosts on a network C. Sending of data to all hosts on all networks D. Configuration disabling sending of data to all except one host KEY A Justification Unicast addressing mode involves sending of data only to one destined host as indicated in Option A. The information in the other options are not correct. 168. In IP Addressing, Broadcast addressing mode involves _______________ A. Sending of data to a single host on a network B. Sending of data to all hosts on all networks C. addressing of data packet to all hosts in a network segment Module 1 Primer on Information technology, IS Infrastructure & Emerging Technologies 55 D. Configuration disabling sending of data to individual hosts Key C Justification Broadcast addressing mode involves addressing of data packets to all hosts in a network segment, as indicated in Option C. The information in the other options are not correct. 169. In IP Addressing, Multicast addressing mode involves addressing of data packets _________________ A. Sending of data to a single host on a network B. to hosts at special addresses in a network segment C. Sending of data to all hosts on all networks D. Configuration disabling sending of data to individual hosts Key B Justification Multicast addressing mode involves addressing of data packets to hosts at special addresses in a network segment, as indicated in Option B. The information in the other options are not correct. 170. In IP Addressing scheme, which of the following class / classes are defined for universal Unicast Addressing ? A. Classes C alone B. Class D C. Classes A, B & C D. Class E Key C Justification Classes A, B and C are defined for Universal Unicast addressing as indicated in Option C. The information in the other options are not correct. 171. In IP Addressing scheme, which of the following class / classes are reserved for Multicasting ? A. Class D B. Classes A & B alone C. Class C D. Class E KEY A Module 1 Primer on Information technology, IS Infrastructure & Emerging Technologies 56 Justification Class D alone is reserved for Multicast addressing as indicated in Option A. The information in the other options are not correct. 172. In IP Addressing scheme, which of the following class / classes are reserved for Experimental purposes ? A. Classes D B. Class A C. Class E D. Classes B & C Key C Justification Class E alone is reserved for Experimental & research purposes as indicated in Option C. The information in the other options are not correct. 173. Which class/classes of networks are reserved for government agencies & huge companies ? A. Classes D B. Class E C. Classes D & E D. Class A Key D Justification Class A alone is reserved for Government agencies and huge companies as indicated in Option D. The information in the other options are not correct. 174. A characteristic of a private address in an IP Network is ? A. Hosts within the same local network can use the same private address B. Its IP address will be unique in the internet network as a whole C. A user in Company A cannot have the same address as a user in Company B D. Its IP address should not be from the three blocks created by IANA KEY A Justification Multiple hosts within a specified network can use the same private address out of the three blocks spelt out by IANA. Their individual addresses need not be unique in the internet network as a whole; Module 1 Primer on Information technology, IS Infrastructure & Emerging Technologies 57 a user in one company can have the same IP address as another user in another company. Hence, Option A alone is correct. The information in the other options are not correct. 175. A characteristic of a public address in an IP Network is ? A. Hosts within the same local network cannot use the same public address B. A user in Company A can have the same public address as a user in Company B C. Its IP address will be unique in the internet network as a whole D. Its IP address should be from the three blocks created by IANA Key C Justification A public address is exposed to the internet network & is unique. Multiple hosts within a specified network cannot use the same public address. The public address should be one which is not out of the three blocks spelt out by IANA for use as private addresses. Hence, Option C alone is correct. The information in the other options are not correct. 176. The start address for private networks with Class A addressing is ? A. 10.0.0.0 B. 192.168.0.0 C. 100.100.100.0 D. 172.16.0.0 KEY A Justification The start address for private networks with Class A addressing is 10.0.0.0 as indicated in Option A. The other options are not correct. 177. The start address for private networks with Class B addressing is ? A. 192.168.0.0 B. 100.100.100.0 C. 172.16.0.0 D. 10.10.0.0 Key C Justification The start address for private networks with Class B addressing is 172.16.0.0 as indicated in Option C. The other options are not correct. 178. The start address for private networks with Class C addressing is ? Module 1 Primer on Information technology, IS Infrastructure & Emerging Technologies 58 A. 192.168.0.0 B. 100.100.100.0 C. 172.16.0.0 D. 10.10.0.0 KEY A Justification The start address for private networks with Class C addressing is 192.168.0.0 as indicated in Option A. The other options are not correct. 179. The finish address for private networks with Class A addressing is ? A. 999.999.999.000 B. 10.255.255.255 C. 172.31.255.255 D. 000.000.000.000 Key B Justification The finish address for private networks with Class A addressing is 10.255.255.255 as indicated in Option B. The other options are not correct. 180. The finish address for private networks with Class B addressing is ? A. 10.255.255.255 B. 000.000.000.000 C. 999.999.999.000 D. 172.31.255.255 Key D Justification The finish address for private networks with Class B addressing is 172.31.255.255 as indicated in Option D. The other options are not correct. 181. The finish address for private networks with Class C addressing is ? A. 192.168.255.255 B. 172.31.255.255 C. 101.255.255.255 D. 999.999.999.000 Module 1 Primer on Information technology, IS Infrastructure & Emerging Technologies 59 KEY A Justification The finish address for private networks with Class C addressing is 192.168.255.255 as indicated in Option A. The other options are not correct. 182. Private IP addresses ___________ A. are translated into public IP addresses through IANA process B. cannot be translated into public IP addresses using NAT process C. are translated into public IP addresses through NAT process D. are translated into public IP addresses through SMTP Key C Justification Private IP addresses are translated into public IP addresses through Network Address Translation or NAT. Thus, multiple hosts with a private IP addresses are enabled to access using one or two public IP addresses as indicated by Option C above. The other options are not correct. 183. Dynamic Host Control Protocol is a software _____________ A. That can de-link particular hosts from a network during congestion B. That allows definition of a range of dynamic IP addresses C. That allows definition of a range of static IP addresses D. That regulates host access to a network depending upon priority Key B Justification Dynamic Host Control Protocol is a software that allows definition of a range of dynamic IP addresses for a specified period of time. Hence, Option B above is correct and the other options are incorrect. 184. What is the IP network address of a default gateway ? A. 1.1.1.1 B. 255.255.255.255 C. 0.0.0.0 D. 255.255.255.000 Key C Justification As indicated in Option C above, the IP network address for a default gateway is 0.0.0.0. The other options are incorrect. Module 1 Primer on Information technology, IS Infrastructure & Emerging Technologies 60 185. Which IP address is called a Loopback address ? A. 100.001.100.001 B. 121.0.0.121 C. 127.0.0.127 D. 127.0.0.1 Key D Justification The Loopback address is 127.0.0.1 as indicated in Option D above. It is used to simplify programme testing and troubleshooting. The other options are incorrect. 186. A Loopback address ______________ A. Is used to simplify programme testing and troubleshooting B. Helps communicate with local host using local address C. Facilitates getting acknowledgement for delivery of messages D. Helps catalogue errors in communication for future use KEY A Justification The Loopback address is used to simplify programme testing and troubleshooting. The other options are incorrect. Hence, Option A above alone is correct. 187. Which one of the following is a non-reserved address in IP networks ? A. Broadcast address B. Default gateway address C. Loopback address D. Dynamic IP addresses Key D Justification The Broadcast, Default gateway and Loopback addresses are all reserved addresses. The Dynamic IP address is not a reserved address and allows hosts to be allotted different IP addresses within a specified range. Hence, Option D above is alone correct. 188. A Subnet Mask is ? A. Comprises 32 bits divided into 2 octets B. Comprises 8 bits which are not divided further Module 1 Primer on Information technology, IS Infrastructure & Emerging Technologies 61 C. Used for deriving network & host portions from an IP address D. Comprises 16 bits which are divided into 2 octets Key C Justification A subnet mask comprises 32 bits divided into 4 octets. It is used for deriving network and host portions from an IP address and helps minimize waste of IP addresses. The information in Options A B and D is erroneous. Hence, Option C above alone is correct. 189. IP version 6 ___________ A. Is a 64 bit addressing scheme B. Is a 96 bit addressing scheme C. Is a160 bit addressing scheme D. Is a 128 bit addressing scheme Key D Justification IP version 6 is a128 bit version as against the 32 bit of the IP 4 version. The information in Options A to C is erroneous. Hence, Option D above alone is correct. 190. IP version 6 _____________ A. Can accommodate as many as 2128 addresses B. Can handle as many as 264 addresses C. Can handle as many as 232 addresses D. Can handle only 216 addresses KEY A Justification As against IP version 4,IP version 6 is a128 bit version which can thus accommodate as many as 2128 addresses. The information in Options B to D is erroneous. Hence, Option A above alone is correct. 191. Migration from IP version 4 to IP version 6 ____________ A. Has not commenced in India yet; they are unwilling to do so B. Is not possible until all devices are migrated globally C. Has commenced in India under NASSCOM leadership D. Is underway but many devices continue to be under version 4 Key D Module 1 Primer on Information technology, IS Infrastructure & Emerging Technologies 62 Justification Migration from version 4 to version 6 is underway & India is one of the countries undergoing the transition. The process is anchored by the Telecom Regulatory Authority of India. Till complete migration takes place, it is possible to have both systems in operation with appropriate mechanisms in place. Hence, Option D above alone is correct. 192. IP version 6 is in the form of _____________ A. Heptadecimals B. Decimals C. Hexadecimals D. Octodecimals Key C Justification As against IP version 4, IP version 6 is in Hexadecimal form. The information in Options A, B and D are erroneous. Option C above alone is correct. 193. IP version 6 addresses are separated by _________________ A. Single Colons B. Double Colons C. Single Periods D. Semi Colons KEY A Justification As against IP version 4 which uses periods for separation, IP version 6 uses single colons. The information in Options B to D is not correct. Option A above alone is correct. 194. A Port forms a socket along with an IP address. It is composed of ___________ A. 8 bits B. 32 bits C. 16 bits D. 64 bits Key C Justification A port comprises 16 bits. The information in Options A, B and D is not correct. Option C above alone is correct. Module 1 Primer on Information technology, IS Infrastructure & Emerging Technologies 63 195. The maximum number of ports possible per IP network address is _______________ A. 216 B. 232 C. 264 D. 28 KEY A Justification A port comprises 16 bits & hence the maximum number of ports possible is 216. The information in Options B to D is not correct. Option A above alone is correct. 196. Destination ports ______________ A. Are used to route packets from source to a destination host computer B. Are used to route packets on a server to the appropriate network application C. Are used only for HTTP traffic which are processed by a web server D. Of numbers 0 to 1023 are used by vendors for proprietary applications Key B Justification Destination ports are used to route packets on a server to the appropriate network application, as indicated in Option B. It is used for various purposes like HTTP, FTP & SMTP traffic. The numbers used by vendors of proprietary applications are from 1024 to 49151. Hence, Option B above alone is correct. 197. Source ports ______________ A. Are assigned to clients & used for tracking user sessions B. Are the ports through which data packets originate from the source C. Are allocated numbers ranging from 49,152 to 68,568 D. Are allocated numbers ranging from 0 to 49,152 KEY A Justification Source ports are assigned to clients and used for tracking user sessions as indicated in Option A. These can be any random number and no specific range is defined. Hence, Option A above alone is correct. 198. Domain Name System ________________ A. Has the host name in binary & heptadecimal form Module 1 Primer on Information technology, IS Infrastructure & Emerging Technologies 64 B. When it is in non-generic category, can be used by any person/organization C. Envisages that both the host name & IP address are a must for communication D. Is a distributed database with host name & IP address for all domains Key D Justification The Domain Name system is a distributed database with host name & IP address for all domains, as indicated in Option D. It has the host name in normal English and the IP address as per decimal format (IP Version 4) of hexadecimal format (IP Version 6). Only the generic category of domain names are available for use by any organization of person for any use. It is possible for us, through the Domain Name system, to identify the IP address, given the host name and vice versa. Hence, Option D above alone is correct. 199. On Demand Computing _______________ A. Is less economical for users with volatility in quality/volume of computing needs B. Is not an issue in terms of privacy or security C. Envisages provision of computing resources on as-needed/when-needed basis D. Is ideally suited for users who have consistent quality & volume of computing needs Key C Justification On Demand Computing envisages provision of computing resources on as-needed/when-needed basis & is best suited to users who have uncertain volume of demand for computing services. It helps them minimise capital expenditure & hire computing resources on need basis. The concept’s biggest concern is privacy and security of data. Hence, Option C alone is correct. 200. Firewall _____________ A. Can be only software programme designed to secure networks B. Protects systems/networks of systems from network-based security threats C. Can be only hardware devices designed to secure networks D. Needs to be installed well within the perimeter of the network Key B Justification Firewalls can be either software programmes or hardware devices designed to protect systems/networks of systems from network-based security threats. For best results they need to be installed at the entry point or perimeter of the network. Hence, only Option B is correct. 201. Role of Firewall _________ A. Burns malicious programmes entering the network Module 1 Primer on Information technology, IS Infrastructure & Emerging Technologies 65 B. Allows users free access to external network but blocks entry of suspect programmes C. Filters both in-bound and out-bound traffic from secured network D. Blocks users from free access to external network but allows free entry from external network Key C Justification Firewalls play the dual role of filtering in-bound and out-bound traffic from a secured network. Only Option C above is correct. 202. The nature & scope of the Firewall depends upon ____________ A. The security policy laid down by the secured network’s organization B. The rules laid down by TELNET protocol C. Directives of the Internet Architecture Board (IAB) D. Rules prescribed by the Internet Engineering Task Force (IETF) KEY A Justification The nature & scope of Firewalls is determined by the security policy laid down by the secured network’s organization. It will vary from organization to organization depending upon their perception of the underlying risks, the economics of security software, etc. None of the internet bodies prescribe any rules regarding the firewalls to be erected by any organization. Hence, only Option A above is correct. 203. Firewall can filter _______________ A. Only incoming application software but not its data contents B. Outgoing software but not block access to external networks C. Incoming application software as well as its data contents D. Only outgoing software but not its data contents Key C Justification A well designed firewall can filter both incoming software as well as its data contents for maliciousness. In respect of outgoing information, it can prevent access to undesirable or risky sites as also block sending out of sensitive data. Hence, only Option C above is correct. 204. Firewalls can be configured _______________ A. Cannot be configured for maintaining logs or issuing alerts on firewall policy B. Can be configured to maintain logs but not for issuing alerts on firewall policy C. Can be configured to maintain logs and issue alerts on firewall policy Module 1 Primer on Information technology, IS Infrastructure & Emerging Technologies 66 D. Can be configured to issue alerts but not for maintaining logs Key C Justification A well designed firewall can be configured both to maintain logs as well as issuing alerts on firewall policy violations. Hence, only Option C above is correct. 205. Firewalls authenticate access ____________ A. Post establishment of connection B. Prior to establishment of connection C. Prior to establishment of connection &, thereafter, periodically during the session D. Post establishment of connection &, thereafter, periodically during the session Key B Justification A robust firewall system will authenticate access prior to establishment of connection. Once authenticated, the user will no longer be prompted for authentication. Authentication post establishment of connection will not serve the purpose since security of the system could have been compromised by then. Hence, only Option B above is correct. 206. The Default Deny Access Control Policy _______________ A. Envisages denial of all traffic & selectively allowing certain traffic through the firewall B. Prescribes allowing all traffic & selectively denying certain traffic through the firewall C. Is frequently used for granting access from a trusted network to an external systems D. Is also called Discretionary Access Control Policy KEY A Justification The Default Deny Access Control Policy envisages denial of all traffic by default and selectively allowing certain traffic alone through the firewall. It is frequently used for granting access from an un- trusted source to a protected system. It is also called Mandatory Access Control Policy. Hence, only Option A above is correct. 207. The Allow All Access Control Policy _____________ A. Prescribes blocking of all traffic by default & allowing certain traffic alone selectively the firewall B. Is frequently used for granting access from an un-trusted source to a protected system C. Envisages allowing of all traffic & selectively denying certain traffic through the firewall D. Is also called Mandatory Access Control Policy Module 1 Primer on Information technology, IS Infrastructure & Emerging Technologies 67 Key C Justification The Allow All Access Control Policy envisages allowing of all traffic by default and selectively denying certain traffic alone through the firewall. It is frequently used for granting access from a trusted network to external systems like the Internet. It is also called Discretionary Access Control Policy. Hence, only Option C above is correct. 208. Network Address Translation (NAT) ______________ A. Permits a single unique IP address to represent a group of computers & is now a function of most firewalls by concealing the internal network B. Permits multiple unique IP addresses to represent a group of computers & is now a function of most firewalls C. Provide firewall protection to systems behind the firewall by allowing connections that originate both from systems inside of the firewall as well as outside the firewall D. Provide firewall protection to systems behind the firewall by transparently showing the internal network KEY A Justification NAT systems allow a network to use one set of network addresses internally and another unique IP address when dealing with external networks. They, thus, conceal the internal network, thus protecting it from external access. They have thus become an important element of Firewall systems. Hence, only Option A above is correct. 209. A Network Based Firewall __________________ A. Is a device deployed within networks for restricting movement of selected traffic types within the networks B. Is a device deployed on a single host within a network, thus restricting incoming/outgoing traffic for that host alone C. Is a device deployed between networks for restricting movement of selected traffic types from one network to another D. Is a device deployed between networks for protecting the network linkages but not the hosts on the network Key C Justification A Network based firewall, as stated in Option C above, is a device deployed between networks for restricting movement of selected traffic types from one network to another. It is not deployed on a single host within a network. Hence, only Option C above is correct. 210. A Host Based Firewall ______________ Module 1 Primer on Information technology, IS Infrastructure & Emerging Technologies 68 A. Is a device deployed between networks for restricting movement of selected traffic types from one network to another B. Is a device deployed within networks for restricting movement of selected traffic types within the networks C. Is a device deployed between networks for protecting the network linkages but not the hosts on the network D. Is a device deployed on a single host within a network, thus restricting incoming/outgoing traffic for that host alone Key D Justification A Host based firewall, as stated in Option D above, is a device deployed on a single host within a network, thus restricting incoming/outgoing traffic for that host alone. It is not deployed between networks or within an entire network for restricting movement of selected traffic types. Hence, only Option D above is correct. 211. A Personal Firewall _____________ A. Controls traffic between a personal computer/workstation and the Internet/enterprise network B. Can be used only on home computers but not in the corporate environment C. Is typically a piece of hardware installed on a personal computer at home D. Assumes that inbound traffic can be permitted and outbound traffic has to be inspected KEY A Justification A Personal Firewall controls traffic between a personal computer or workstation on the one side and the Internet / enterprise network on the other. It is normally a piece of software and can be installed on a personal computer at home or even in a corporate environment. It assumes that outbound traffic can be freely permitted and inbound traffic has to be inspected & controlled. Hence, only Option A above is correct. 212. A Personal Firewall Appliance _______________ A. Envisages protection to a single computer through a hardware device installed on it B. Envisages protection to multiple computers & is housed on a router connected to them C. Is typically a hardware installed on a router which provides protection to a single SOHO computer D. Is typically built into the operating system of individual computers Key B Justification Module 1 Primer on Information technology, IS Infrastructure & Emerging Technologies 69 A Personal Firewall Appliance refers to housing of firewall functionality on the router connected to multiple computers, generally in a SOHO environment. This is unlike the normal personal firewall which tends to be installed in the computer’s operating system. Hence, only Option B above is correct. 213. The Firewall term, Dual Homed ___________ A. Means two houses. It is a firewall system which serves two computers B. Means two houses. It is a computer that has at least 2 computers with minimum 2 network interfaces, both of which are connected to insecure sides C. Means a house with two doors. It is a computer that has at least 2 network interfaces one connected to a secure side and the other to an unsecure side D. Means a house with two doors. It is a computer that has at least 2 network interfaces, both of which are connected to insecure sides Key C Justification The Firewall term, Dual Homed, means a house with two doors. It refers to a computer that has at least 2 network interfaces with one connected to a secure side and the other to an unsecure side. Hence, only Option C above is correct. 214. De-Militarized Zone (DMZ) ___________ A. Is the zone between computers which has firewalls on either side B. Refers to the border between North & South Korea wherein no IT firewalls are installed C. Houses the IT components which do not require public access D. Houses the IT components which require public access like mail server, etc. Key D Justification A DMZ houses the IT components which require public access like mail server, etc as pointed out in Option D. The answers in the other options are incorrect. 215. Bastion Hosts ___________ A. Are computer systems that have Hardened systems B. Are Hardened systems that are not exposed to the Internet C. Are Hardened systems having non-essential services installed on them D. Allow free access to all hosts since they have Hardened systems anyway KEY A Justification Module 1 Primer on Information technology, IS Infrastructure & Emerging Technologies 70 Bastion Hosts are computer systems that have Hardened systems because they are vulnerable to attack & are exposed to the internet and are also a main point of contact for internal network users. They have essential services installed on them & restrict access to specific hosts alone. Hence, answer in Option A is correct. The answers in the other options are incorrect. 216. Bastion Hosts ______________ A. Cannot maintain detailed logs of all traffic B. Are Hardened systems having non-essential services installed on them C. Have each proxy independent of other proxies loaded on them D. Allow free access to all hosts since they have Hardened systems anyway Key C Justification Bastion Hosts are computer systems that have Hardened systems because they are vulnerable to attack & are exposed to the internet and are also a main point of contact for internal network users. A Bastion Host has each proxy independent of other proxies loaded on it. It has essential services installed on it & restricts access to specific hosts alone. Hence, answer in Option C is correct. The answers in the other options are incorrect. 217. Packet Filtering Router Firewall ______________ A. Has no default parameter and drops any traffic whose header does not match firewall rules B. Is deployed on a router within a private network C. Matches the header content with the firewall rules to allow or block traffic D. Is deployed on a router within a public network Key C Justification Packet Filtering Router Firewall is deployed on a screening router between a private and a public network. It operates by matching the header content of each packet with the firewall rules. If the content matches the firewall rule & it permits, it allows it. In case the rule matches but does not permit, it blocks the traffic. If no match is found, the router goes by the default parameter. Hence, answer in Option C is correct. The answers in the other options are incorrect. 218. Packet Filtering Router Firewall _______________ A. Works at the Internet layer of the TCP/IP model B. Works at the Internet Layer of the OSI model C. Is deployed on a router within a private network D. Is deployed on a router within a public network KEY A Module 1 Primer on Information technology, IS Infrastructure & Emerging Technologies 71 Justification Packet Filtering Router Firewall works at the Internet layer of the TCP/IP model or at Network layer of the OSI model. It is deployed on a screening router between a private and a public network. It operates by matching the header content of each packet with the firewall rules. If the content matches the firewall rule & it permits, it allows it. In case the rule matches but does not permit, it blocks the traffic. If no match is found, the router goes by the default parameter. Hence, answer in Option A is correct. The answers in the other options are incorrect. 219. Packet Filtering Router Firewall ______________ A. Works at the Network Layer of the TCP/IP model B. Works at the Network Layer of the OSI model C. Has two main weaknesses speed and flexibility D. Is one of the simplest but most expensive of firewalls Key B Justification Packet Filtering Router Firewall works at the Internet layer of the TCP/IP model or at Network layer of the OSI model. It is a very simple and relatively inexpensive firewall model. Its strength lies in its speed and flexibility. It is deployed on a screening router between a private and a public network. It operates by matching the header content of each packet with the firewall rules. If the content matches the firewall rule & it permits, it allows it. In case the rule matches but does not permit, it blocks the traffic. If no match is found, the router goes by the default parameter. Hence, answer in Option B is correct. The answers in the other options are incorrect. 220. Packet Filtering Router Firewall ______________ A. Mostly does not support advanced user authentication schemes B. Works at the Network Layer of the TCP/IP model C. Has two main weaknesses speed and flexibility D. Have high impact on network performance KEY A Justification Packet Filtering Router Firewall works at the Internet layer of the TCP/IP model or at Network layer of the OSI model. It is a very simple and relatively inexpensive firewall model. Its strengths lies in its speed and flexibility as also low impact on network performance. One major drawback of this type of firewall is that it does not support most advanced user authentication schemes. Hence, answer in Option A is correct. The answers in the other options are incorrect. 221. Packet Filtering Route Firewalls _______________ A. Have the advantage of ease of defining access criteria as also configuration B. Has two main weaknesses speed and flexibility Module 1 Primer on Information technology, IS Infrastructure & Emerging Technologies 72 C. Are ideal for high speed environments where logging & user authentication is not important D. Have high impact on network performance Key C Justification Packet Filtering Router Firewall are ideal for high speed environments where logging and user authentication is not important. One major drawback of this type of firewall is that it does not support most advanced user authentication schemes. It works at the Internet layer of the TCP/IP model or at Network layer of the OSI model. It is a very simple and relatively inexpensive firewall model. Its strengths lies in its speed and flexibility as also low impact on network performance. Hence, answer in Option C is correct. The answers in the other options are incorrect. 222. Packet Filtering Route Firewalls _____________ A. Are not vulnerable to IP Address spoofing attack B. Are not vulnerable to Source Routing attack C. Are not very costly & have low impact on network performance D. Have the advantage of ease of defining access criteria as also configuration Key C Justification Packet Filtering Router Firewall works at the Internet layer of the TCP/IP model or at Network layer of the OSI model. It is a very simple and relatively inexpensive firewall model. It is vulnerable to attacks like the IP Address spoofing attack as also Source Routing Attack. Hence, answer in Option C is correct. The answers in the other options are incorrect. 223. What are Stateful Inspection Packet Filtering Firewall ______________ A. They ignore current connection while allowing traffic to pass through B. They are packet filters that incorporate added awareness of OSI model data C. They possess packet characteristics but ignore session status D. They are less secure than Packet Filtering Router Firewall Key B Justification Stateful Inspection Packet Filtering Firewall are packet filters (like Packet Filtering Firewalls) but incorporate added awareness of OSI model data. They keep track of current connection to ensure that only permitted traffic is allowed to pass. They keep track of both packet characteristics as well as session checks to make sure that a specific session is allowed. They are more secure because they track client ports individually rather than opening all ‘high numbered ports’ for external access. Hence, answer in Option B is correct. The answers in the other options are incorrect. 224. Stateful Inspection Packet Filtering Firewall ____________ Module 1 Primer on Information technology, IS Infrastructure & Emerging Technologies 73 A. They possess packet characteristics but ignore session status B. They are less secure than Packet Filtering Router Firewall C. Uses a ‘State Table’ to validate inbound traffic D. They ignore current connection while allowing traffic to pass through Key C Justification Stateful Inspection Packet Filtering Firewall are packet filters (like Packet Filtering Firewalls) but incorporate added awareness of OSI model data. They keep track of current connection to ensure that only permitted traffic is allowed to pass. They keep track of both packet characteristics as well as session checks to make sure that a specific session is allowed. They use a State Table to validate inbound traffic. They are more secure because they track client ports individually rather than opening all ‘high numbered ports’ for external access. Hence, answer in Option C is correct. The answers in the other options are incorrect. 225. Circuit Level Gateways ____________ A. Used when internal users cannot be trusted to decide what external devices to access B. Validate connections before data is exchanged C. Filter individual packets of data which pass through them D. They do not hide information about the network they protect Key B Justification Circuit Level Gateways validate connections before data is exchanged. They do not filter individual packets of data which pass through them; instead they merely decide which connections can be allowed. They do have the advantage of hiding information about the private network they protect. Hence, they are used when internal users can be trusted to decide what external devices to access. Hence, answer in Option B is correct. The answers in the other options are incorrect. 226. Circuit Level Gateways ____________ A. Function at the Session layer of the OSI B. Are relatively expensive in usage C. Filter individual packets of data which pass through them D. Scrutinize the application-level content of packets relayed through them KEY A Justification Circuit Level Gateways operate at the Sessions layer of the OSI & validate connections before data is exchanged. They do not examine the application-level content / filter individual packets of data which pass through them; instead they merely decide which connections can be allowed. They do have the Module 1 Primer on Information technology, IS Infrastructure & Emerging Technologies 74 advantage of hiding information about the private network they protect. Hence, they are used when internal users can be trusted to decide what external devices to access. Hence, answer in Option A is correct. The answers in the other options are incorrect. 227. What is a characteristic of Application Level Gateway Firewall ? A. It is not operated on hardened operating systems B. Like Circuit level gateways, it ignores the content of traffic C. It functions at the Application layer of the OSI D. It authenticates devices and not individuals Key C Justification Application Level Gateways operate at the Applications layer of the OSI. They are similar to Circuit gateways with the exception that they are application specific & monitor content of the application. They have the advantage of authenticating individuals rather than devices. They are operated on hardened operating systems. Hence, answer in Option C is correct. The answers in the other options are incorrect. 228. Application Level Gateway Firewalls ______________ A. It is not operated on hardened operating systems B. Are implemented on hardened operating systems C. Cannot control access based upon content or source address D. Will result in compromising the entire network in the event of a break-in Key B Justification Application Level Gateways operate at the Applications layer of the OSI. They are similar to Circuit gateways with the exception that they are application specific & monitor content of the application. Among other things, they can control access based upon content as also source address. They have the advantage of authenticating individuals rather than devices. They are operated on hardened operating systems. Any break-in will only compromise the firewall and not the entire network. Hence, answer in Option B is correct. The answers in the other options are incorrect. 229. Application Level Gateway Firewalls ____________ A. Are process intensive & can cause performance issues B. Are not vulnerable to bugs in the running application / operating system C. Cannot provide auditing & logging functions for future review D. Will result in compromising the entire network in the event of a break-in KEY A Module 1 Primer on Information technology, IS Infrastructure & Emerging Technologies 75 Justification Application Level Gateways operate at the Applications layer of the OSI. They are similar to Circuit gateways with the exception that they are application specific & monitor content of the application. Among other things, they can control access based upon content as also source address. They have the advantage of authenticating individuals rather than devices. They are operated on hardened operating systems. Any break-in will only compromise the firewall and not the entire network. Their drawbacks include vulnerability to bugs in the running application / operating system as also performance issues arising out of process intensive nature. Hence, answer in Option A is correct. The answers in the other options are incorrect. 230. Application Level Gateway Firewalls ______________ A. Are not vulnerable to bugs in the running application / operating system B. Cannot provide auditing & logging functions for future review C. Will not result in compromising the entire network in the event of a break-in D. Are less secure than Packet Filters and Stateful Inspection Firewalls Key C Justification Any break-in will only compromise the firewall and not the entire network in the case of Application Level Gateway firewalls. They can provide auditing and logging functions. They are more secure than Packet Filters and Stateful Inspection Firewalls. Their drawbacks include vulnerability to bugs in the running application / operating system as also performance issues arising out of process intensive nature. Hence, answer in Option C is correct. The answers in the other options are incorrect. 231. One of the major drawbacks of Application Level Gateway Firewalls is _____________ A. Compromise the entire network in the event of a break-in B. Cannot provide auditing & logging functions for future review C. Are less secure than Packet Filters and Stateful Inspection Firewalls D. They are process intensive & cause performance issues Key D Justification Application level gateway firewalls are process intensive and cause performance issues. However, any break-in will only compromise the firewall and not the entire network in the case of Application Level Gateway firewalls. They can provide auditing and logging functions. They are more secure than Packet Filters and Stateful Inspection Firewalls. Hence, answer in Option D is correct. The answers in the other options are incorrect. 232. One of the major drawbacks of Application Level Gateway Firewalls is ______________ A. Compromise the entire network in the event of a break-in Module 1 Primer on Information technology, IS Infrastructure & Emerging Technologies 76 B. They are vulnerable to bugs in the running application & operating system C. Cannot provide auditing & logging functions for future review D. Are less secure than Packet Filters and Stateful Inspection Firewalls Key B Justification Application level gateway firewalls are process intensive and cause performance issues. However, any break-in will only compromise the firewall and not the entire network in the case of Application Level Gateway firewalls. They can provide auditing and logging functions. They are more secure than Packet Filters and Stateful Inspection Firewalls. Hence, answer in Option B is correct. The answers in the other options are incorrect. 233. Application Level Gateway Firewalls _____________ A. Are also called proxies & are similar to circuit-level gateways but application-specific B. Compromise the entire network in the event of a break-in C. Cannot provide auditing & logging functions for future review D. Are less secure than Packet Filters and Stateful Inspection Firewalls KEY A Justification Application level gateway firewalls are also called proxies and are similar to circuit-level gateways. However, they are application-specific & monitor the contents of applications before allowing traffic. However, any break-in will only compromise the firewall and not the entire network in the case of Application Level Gateway firewalls. They can provide auditing and logging functions. They are more secure than Packet Filters and Stateful Inspection Firewalls. Hence, answer in Option A is correct. The answers in the other options are incorrect. 234. Single Homed Firewalls ______________ A. Bypass the Packet Filtering router & allow packets directly to the proxy server B. Have increased traffic and load on the proxy server despite the Packet Filtering router C. Combines the Packet Filtering router with a separate, dedicated firewall D. Screen only for applications and not content, making them more vulnerable Key C Justification Single Homed Firewalls combine the Packet Filtering router with a separate dedicated firewall called a Bastion proxy server. The system envisages traffic passing through the Packet Filtering router first before crossing the proxy server. This reduces the traffic and the load on the proxy server. They screen both for applications as well as content. Hence, answer in Option C is correct. The answers in the other options are incorrect. Module 1 Primer on Information technology, IS Infrastructure & Emerging Technologies 77 235. One Single Homed Firewalls characteristic is that ____________ A. They screen only for applications and not content, making them more vulnerable B. They do not allow traffic to flow directly between the internet and other hosts on the private network C. Have increased traffic and load on the proxy server despite the Packet Filtering router. D. They ensure greater security than a packet filtering router or application level gateway firewall alone Key D Justification Single Homed Firewalls combine the Packet Filtering router with a separate dedicated firewall called a Bastion proxy server. The system envisages traffic passing through the Packet Filtering router first before crossing the proxy server. This reduces the traffic and the load on the proxy server. They screen both for applications as well as content. They are considered to be more secure than a packet filtering router or application level gateway firewall alone. A disadvantage is that traffic can flow directly between the internet and other hosts on the network if the packet filtering firewall is compromised. Hence, answer in Option D is correct. The answers in the other options are incorrect. 236. An advantage of a Single Homed Firewall is _______________ A. It screens only for applications and not content B. It allows traffic to flow directly between the internet and other hosts on the private network if the packet filtering router is compromised C. An intruder has to penetrate two systems before security of internal network is compromised D. It has increased traffic and load on the proxy server despite the Packet Filtering router Key C Justification Single Homed Firewalls combine the Packet Filtering router with a separate dedicated firewall called a Bastion proxy server. The system envisages traffic passing through the Packet Filtering router first before crossing the proxy server. This reduces the traffic and the load on the proxy server. Also, an intruder has to penetrate two systems before security of internal network is compromised. They screen both for applications as well as content. They are considered to be more secure than a packet filtering router or application level gateway firewall alone. A disadvantage is that traffic can flow directly between the internet and other hosts on the network if the packet filtering firewall is compromised. Hence, answer in Option C is correct. The answers in the other options are incorrect. 237. A Dual Homed Host Firewall is different from Single Homed Firewall in that ____________ A. It has two NICs one connected to the external & the other connected to the internal network B. It screens only for applications and not content Module 1 Primer on Information technology, IS Infrastructure & Emerging Technologies 78 C. It does not allow traffic to flow directly between the internet and other hosts on the private network if the packet filtering router is compromised D. It has increased traffic and load on the proxy server despite the Packet Filtering router KEY A Justification Single Homed Firewalls combine the Packet Filtering router with a separate dedicated firewall called a Bastion proxy server. The system envisages traffic passing through the Packet Filtering router first before crossing the proxy server. This reduces the traffic and the load on the proxy server. It has two NICs; one connected to the external and the other connected to the internal network. Also, an intruder has to penetrate two systems before security of internal network is compromised. They screen both for applications as well as content. They are considered to be more secure than a packet filtering router or application level gateway firewall alone. A disadvantage is that traffic can flow directly between the internet and other hosts on the network if the packet filtering firewall is compromised. Hence, answer in Option A is correct. The answers in the other options are incorrect. 238. Screened Subnet Firewalls with DMZ ___________ A. Has four packet filtering routers, two each between bastion host/internet & bastion host/internal network B. Screens only the applications but not the content, making their networks more vulnerable to attack C. Are the best configuration for most secure environment D. The private network is not invisible to the internet / unsecured network Key C Justification Screened Subnet firewalls are the best configuration for most secure environment. They have two packet filtering routers, one each between the bastion host & internet and between bastion host & internal network. They screen both for application as well as content. Since the outside router advertises the DMZ to the external network or Internet, the internal private network becomes invisible to it. Hence, answer in Option C is correct. The answers in the other options are incorrect. 239. Screened Subnet Firewalls with DMZ ______________ A. Have two packet filtering routers, one each between bastion host/internet & bastion host/internal network B. Are vulnerable in that Internet systems can see through the DMZ into the internal private network & initiate attacks C. Permit internal users’ risky behaviour of bypassing the proxy server on the bastion system to access the Internet directly D. Are the least robust of firewall systems, providing limited security to internal network systems KEY A Module 1 Primer on Information technology, IS Infrastructure & Emerging Technologies 79 Justification Screened Subnet firewalls are the best configuration for most secure environment. They have two packet filtering routers, one each between the bastion host & internet and between bastion host & internal network. They screen both for application as well as content. Since the outside router advertises the DMZ to the external network or Internet, the internal private network becomes invisible to it. Similarly, the internal user is forced to go through the proxy server on the bastion system to access the Internet, minimizing risky behaviour. Hence, answer in Option A is correct. The answers in the other options are incorrect. 240. Screened Subnet Firewalls with DMZ ______________ A. Have four packet filtering routers, two each between bastion host/internet & bastion host/internal network B. Are robust in that Internet systems cannot see through the DMZ into the internal private network & initiate attacks C. Are the least robust of firewall systems, providing limited security to internal network systems D. Permit internal users’ risky behaviour of bypassing the proxy server on the bastion system to access the Internet directly Key B Justification Screened Subnet firewalls are the best configuration for most secure environment. They have two packet filtering routers, one each between the bastion host & internet and between bastion host & internal network. They screen both for application as well as content. Since the outside router advertises the DMZ to the external network or Internet, the internal private network becomes invisible to it. Similarly, the internal user is forced to go through the proxy server on the bastion system to access the Internet, minimizing risky behaviour. Hence, answer in Option B is correct. The answers in the other options are incorrect. 241. Screened Subnet Firewalls with DMZ _______________ A. Are vulnerable in that Internet systems can see through the DMZ into the internal private network & initiate attacks B. Ensure that internal users access the Internet via the proxy services residing on the bastion host C. Have four packet filtering routers, two each between bastion host/internet & bastion host/internal network D. Are the least robust of firewall systems, providing limited security to internal network systems Key B Justification Screened Subnet firewalls are the best configuration for most secure environment. They have two packet filtering routers, one each between the bastion host & internet and between bastion host & internal network. They screen both for application as well as content. Since the outside router advertises the DMZ to the external network or Internet, the internal private network becomes invisible Module 1 Primer on Information technology, IS Infrastructure & Emerging Technologies 80 to it. Similarly, the internal user is forced to go through the proxy server on the bastion system to access the Internet, minimizing risky behaviour. Hence, answer in Option B is correct. The answers in the other options are incorrect. 242. Screened Subnet Firewalls with DMZ ___________ A. Are the least robust of firewall systems, providing limited security to internal network systems B. Have four packet filtering routers, two each between bastion host/internet & bastion host/internal network C. Will need a Network Address Translator (NAT) to be installed on the bastion host to eliminate the need to re-number or re-subnet the private network D. Are vulnerable in that Internet systems can see through the DMZ into the internal private network & initiate attacks Key C Justification Screened Subnet firewalls are the best configuration for most secure environment. They have two packet filtering routers, one each between the bastion host & internet and between bastion host & internal network. They screen both for application as well as content. Since the outside router advertises the DMZ to the external network or Internet, the internal private network becomes invisible to it. Similarly, the internal user is forced to go through the proxy server on the bastion system to access the Internet, minimizing risky behaviour. Since the DMZ network is different from the private network, a NAT can be installed on the bastion host to eliminate the need to re-number or re-subnet the private network. Hence, answer in Option C is correct. The answers in the other options are incorrect. 243. In general, Firewalls ____________ A. Can enforce password policy and prevent misuse of passwords B. Are very effective against non-technical security risks such as social engineering C. Can block internal users from accessing websites with malicious codes D. Cannot prevent users or attackers with modems from dialling into or out of the internal network, bypassing the firewall Key D Justification Firewalls have quite a few limitations. They cannot prevent users or attackers with modems from dialling into or out of the internal network. They cannot enforce password policy or prevent misuse of passwords. They are not very effective against non-technical security risks like social engineering. They cannot, also, block internal users from accessing websites with malicious codes. Hence, answer in Option D is correct. The answers in the other options are incorrect. 244. In general, Firewalls _________ A. Cannot enforce password policy and prevent misuse of passwords Module 1 Primer on Information technology, IS Infrastructure & Emerging Technologies 81 B. Can prevent users or attackers with modems from dialling into or out of the internal network, bypassing the firewall C. Can provide complete protection against viruses D. Can block internal users from accessing websites with malicious codes KEY A Justification Firewalls have quite a few limitations. They cannot enforce password policy and prevent misuse of passwords. They cannot prevent users or attackers with modems from dialling into or out of the internal network. They cannot enforce password policy or prevent misuse of passwords. They are not very effective against non-technical security risks like social engineering. They cannot provide complete protection against viruses. They cannot, also, block internal users from accessing websites with malicious codes. Hence, answer in Option A is correct. The answers in the other options are incorrect. 245. In general, Firewalls __________ A. Can enforce password policy and prevent misuse of passwords B. Can prevent users or attackers with modems from dialling into or out of the internal network, bypassing the firewall C. Cannot provide complete protection against viruses D. Can block internal users from accessing websites with malicious codes Key C Justification Firewalls have quite a few limitations. They cannot provide complete protection against viruses. They cannot enforce password policy and prevent misuse of passwords. They cannot prevent users or attackers with modems from dialling into or out of the internal network. They cannot enforce password policy or prevent misuse of passwords. They cannot, also, block internal users from accessing websites with malicious codes. Hence, answer in Option C is correct. The answers in the other options are incorrect. 246. Appliance based firewall ___________ A. Is a firewall software installed on top of commercial operating systems B. Is less secure than those deployed on top of commercial operating systems C. Is scalable depending upon changing requirements of business D. Refers to appliances with firewall software embedded as firmware Key D Justification Appliance based Firewalls refer to appliances with firewall software embedded as firmware. They are more secure than those deployed on top of commercial operating systems since the latter are more Module 1 Primer on Information technology, IS Infrastructure & Emerging Technologies 82 vulnerable. Their major drawback is the limitation on scalability. Hence, answer in Option D is correct. The answers in the other options are incorrect. 247. Appliance based firewall ______________ A. Does not include appliances with firewall software embedded as firmware B. Is more secure than those deployed on top of commercial operating systems C. Is a firewall software installed on top of commercial operating systems D. Are scalable depending upon changing requirements of business Key B Justification Appliance based Firewalls refer to appliances with firewall software embedded as firmware. They are more secure than those deployed on top of commercial operating systems since the latter are more vulnerable. Their major drawback is the limitation on scalability. Hence, answer in Option B is correct. The answers in the other options are incorrect. 248. Appliance based firewall __________ A. Is less secure than those deployed on top of commercial operating systems B. Does not include appliances with firewall software embedded as firmware C. Suffers from scalability issues & inability to meet changed environmental needs D. Is a firewall software installed on top of commercial operating systems Key C Justification Appliance based Firewalls refer to appliances with firewall software embedded as firmware. They are more secure than those deployed on top of commercial operating systems since the latter are more vulnerable. Their major drawback is the limitation on scalability. Hence, answer in Option C is correct. The answers in the other options are incorrect. 249. Software Based Firewall __________ A. Suffers from scalability issues & inability to meet changed environmental needs B. Is deployed on top of commercial operating systems C. Is more secure than those deployed on top of commercial operating systems D. Includes appliances with firewall software embedded as firmware Key B Justification Software based firewalls are deployed on top of commercial operating systems. They are less secure than Appliance based Firewalls in view of the vulnerability of the operating system itself. Their major Module 1 Primer on Information technology, IS Infrastructure & Emerging Technologies 83 advantage, however, is scalability in the face of changes in the environment. They exclude appliances with firewall software embedded as firmware. Hence, answer in Option B is correct. The answers in the other options are incorrect. 250. Software Based Firewall ____________ A. Enjoys the major advantage of scalability in the face of changed environment B. Is never deployed on top of commercial operating systems C. Is more secure than those deployed on top of commercial operating systems D. Includes appliances with firewall software embedded as firmware KEY A Justification Software based firewalls are deployed on top of commercial operating systems. They are less secure than Appliance based Firewalls in view of the vulnerability of the operating system itself. Their major advantage, however, is scalability in the face of changes in the environment. They exclude appliances with firewall software embedded as firmware. Hence, answer in Option A is correct. The answers in the other options are incorrect. 251. Unified Threat Management _____________ A. Cannot operate on a simple plug and play architecture B. Has increased technical training requirements owing to its complexity C. Is the Evolution of the traditional firewall into an all-inclusive security product D. Complicates installation of security products Key C Justification Unified Threat Management is the evolution of the traditional firewall into an all-inclusive security product able to perform multiple security functions within one single appliance. It can operate on a simple plug and play architecture. It has reduced technical training requirements since only one product has to be learnt and understood. Installation of security products is also easier and maintenance/vendor issues become simpler. Answer in Option C is correct. The answers in the other options are incorrect. 252. Unified Threat Management ____________ A. Is the Evolution of the traditional firewall into a compound security system with multiple products B. Has increased technical training requirements owing to its complexity C. Complicates installation of security products D. Can support various functionalities like VPN, gate-way anti-virus/anti-spam, etc. apart from firewall Module 1 Primer on Information technology, IS Infrastructure & Emerging Technologies 84 Key D Justification Unified Threat Management is the evolution of the traditional firewall into an all-inclusive security product able to perform multiple security functions within one single appliance. Apart from the firewall, it can support VPN, gate-way anti-virus/anti-spam, intrusion prevention, content filtering, bandwidth management, etc. It can operate on simple plug and play architecture. It has reduced technical training requirements since only one product has to be learnt and understood. Installation of security products is also easier and maintenance/vendor issues become simpler. Answer in Option D is correct. The answers in the other options are incorrect. 253. Unified Threat Management _____________ A. Can support firewall but not various functionalities like VPN, gate-way anti-virus/anti-spam, etc. B. Can provide centralized support with complete control for globalized operations C. Is the Evolution of the traditional firewall into a compound security system with multiple products D. Has increased technical training requirements owing to its complexity Key B Justification Unified Threat Management is the evolution of the traditional firewall into an all-inclusive security product able to perform multiple security functions within one single appliance. Apart from the firewall, it can support VPN, gate-way anti-virus/anti-spam, intrusion prevention, content filtering, bandwidth management, etc. It has reduced technical training requirements since only one product has to be learnt and understood. Installation of security products is also easier and maintenance/vendor issues become simpler. Overall, it is very well suited to an organization with global operations wherein it can provide centralized support with complete control. Answer in Option B is correct. The answers in the other options are incorrect. 254. Unified Threat Management ______________ A. Can support firewall but not various functionalities like VPN, gate-way anti-virus/anti-spam, etc. B. Is the Evolution of the traditional firewall into a compound security system with multiple products C. Can also support data-loss prevention by blocking accidental or incidental loss of key data D. Has increased technical training requirements owing to its complexity Key C Justification Apart from the firewall, Unified Threat Management can support VPN, gate-way anti-virus/anti-spam, intrusion prevention, content filtering, bandwidth management, etc. It can also support data-loss prevention by blocking accidental or incidental loss of confidential, proprietary or regulated data. It has Module 1 Primer on Information technology, IS Infrastructure & Emerging Technologies 85 reduced technical training requirements since only one product has to be learnt and understood. Installation of security products is also easier and maintenance/vendor issues become simpler. Overall, it is very well suited to an organization with global operations wherein it can provide centralized support with complete control. Answer in Option C is correct. The answers in the other options are incorrect. 255. A disadvantage of Unified Threat Management is ____________ A. That it becomes a Single Point of Failure (SPOF) for network traffic B. It cannot support various functionalities like VPN, gate-way anti-virus/anti-spam, etc. C. Has increased technical training requirements owing to its complexity D. It cannot support GUI interface for manageability KEY A Justification The single biggest disadvantage of Unified Threat Management (UTM) is the obvious risks of centralization it becomes a Single Point of Failure (SPOF). The other major drawback is that its deployment may have an impact on latency and band width when the UTM cannot keep up with the traffic. Apart from the firewall, it can, indeed, support VPN, gate-way anti-virus/anti-spam, intrusion prevention, content filtering, bandwidth management, etc. It has reduced technical training requirements since only one product has to be learnt and understood. It can comfortably support GUI interface for manageability. Hence, answer in Option A is correct. The answers in the other options are incorrect. 256. A disadvantage of Unified Threat Management is ____________ A. It cannot support GUI interface for manageability B. Has increased technical training requirements owing to its complexity C. That it can have impact on latency and bandwidth when it cannot cope with the traffic D. It cannot support various functionalities like VPN, gate-way anti-virus/anti-spam, etc. Key C Justification A major drawback of UTM is that its deployment may have an impact on latency and band width when the UTM cannot keep up with the traffic. Apart from the firewall, it can, indeed, support VPN, gate-way anti-virus/anti-spam, intrusion prevention, content filtering, bandwidth management, etc. It has reduced technical training requirements since only one product has to be learnt and understood. It can comfortably support GUI interface for manageability. Hence, answer in Option C is correct. The answers in the other options are incorrect. 257. Baseline Configuration of Firewall __________ A. Should have a default policy of allowing all traffic/connections unless not specifically permitted B. Should not allow remote users access through VPN Module 1 Primer on Information technology, IS Infrastructure & Emerging Technologies 86 C. Should be preceded by a general risk assessment & cost-benefit analysis D. Should not allow deployment of Web & other publicly accessible servers on a DMZ in respect of multi-location organizations Key C Justification Baseline configuration of a firewall should be preceded by a general risk assessment & cost-benefit analysis. It should have a default policy of not allowing any traffic/connections unless specifically permitted. It should permit remote users access through VPN. In respect of large multi-location organizations, it should ideally have the Web & other publicly accessible servers place on a DMZ for best security. Hence, answer in Option C is correct. The answers in the other options are incorrect. 258. Baseline Configuration of Firewall _________________ A. Should have a default policy of not allowing any traffic/connections unless specifically permitted B. Need not have an additional firewall for internal users since the main firewall would be adequate C. Should not allow deployment of Web & other publicly accessible servers on a DMZ in respect of multi-location organizations D. Should not allow remote users access through VPN KEY A Justification Baseline configuration should have a default policy of not allowing any traffic/connections unless specifically permitted. It should permit remote users access through VPN. In respect of large multi- location organizations, it should ideally have the Web & other publicly accessible servers place on a DMZ for best security. It should also ensure that internal users should be protected with an additional firewall. Hence, answer in Option A is correct. The answers in the other options are incorrect. 259. Personal Firewalls A. Are based upon different methods & techniques as compared to an enterprise firewall B. Are more complicated compared to an enterprise firewall & require technical expertise to operate C. Are software installed on a user’s computer protecting against unwanted intrusion & attacks from the Internet D. Control incoming traffic from the Internet alone, based upon defined security policy Key C Justification A. Personal Firewalls are software installed on a user’s computer for protection against unwanted intrusion and attacks from the Internet. They are based upon the same methods Module 1 Primer on Information technology, IS Infrastructure & Emerging Technologies 87 and techniques as firewalls for enterprises. They are simpler and can be handled by less technically savvy persons too. Like the firewalls for enterprises, they, too, control and monitor both incoming as well as outgoing traffic based upon a defined security policy. Answer in Option C above is correct whereas the other answers are obviously wrong. 260. Personal firewalls ________________ A. Are hardware devices installed on a user’s computer protecting against unwanted intrusion & attacks from the Internet B. Need not be monitored as constantly as firewalls for enterprises C. Control incoming traffic from the Internet alone, based upon defined security policy D. Are based upon different methods & techniques as compared to an enterprise firewall Key B Justification Personal Firewalls are software installed on a user’s computer for protection against unwanted intrusion and attacks from the Internet. They are based upon the same methods and techniques as firewalls for enterprises. They are simpler and can be handled by less technically savvy persons too. Like the firewalls for enterprises, they, too, control and monitor both incoming as well as outgoing traffic based upon a defined security policy. They need not be monitored as constantly as enterprise firewalls. Answer in Option B above is correct whereas the other answers are obviously wrong. 261. Personal Firewall __________________ A. Cannot block or alert the user about outgoing connection attempts B. Cannot provide information about destination server with which an application is trying to communicate C. Is based upon security policy of the computer whereas enterprise firewall is based on enterprise security policy D. Are hardware devices installed on a user’s computer protecting against unwanted intrusion & attacks from the Internet Key C Justification A Personal Firewall is based upon the security policy of the individual computer whereas enterprise firewall is based on enterprise security policy. It is a software installed on a user’s computer for protection against unwanted intrusion and attacks from the Internet. Like the firewalls for enterprises, it controls and monitors both incoming as well as outgoing traffic based upon a defined security policy. It can block and alert the user about outgoing connection attempts too. It can go to the extent of providing information about a destination server with which an application is trying to communicate. Answer in Option C above is correct whereas the other answers are obviously wrong. 262. Personal Firewall ________________ Module 1 Primer on Information technology, IS Infrastructure & Emerging Technologies 88 A. Can protect a computer from unwanted incoming connection attempts B. Are hardware devices installed on a user’s computer protecting against unwanted intrusion & attacks from the Internet C. Cannot provide information about destination server with which an application is trying to communicate D. Cannot block or alert the user about outgoing connection attempts KEY A Justification A Personal Firewall is based upon the security policy of the individual computer whereas enterprise firewall is based on enterprise security policy. It is a software installed on a user’s computer for protection against unwanted intrusion and attacks from the Internet. Like the firewalls for enterprises, it controls and monitors both incoming as well as outgoing traffic based upon a defined security policy. It can protect a computer from unwanted incoming connection attempts. It can block and alert the user about outgoing connection attempts too. It can go to the extent of providing information about a destination server with which an application is trying to communicate. Answer in Option A above is correct whereas the other answers are obviously wrong. 263. State True or False One of the limitations of Personal Firewall is that many malwares can compromise the system, manipulate the firewall & even shut it down. A. TRUE B. FALSE KEY A Justification It is true that some malwares exist which can penetrate & compromise the firewall system , disarming it in the process, leaving the internal network exposed to security risks. Hence, answer in Option A above is correct. 264. State True or False Personal Firewalls could be impacted by vulnerabilities in the Operating System. A. TRUE B. FALSE KEY A Justification It is true that vulnerabilities in the Operating system itself could impinge on the security of the firewall system. Hence, answer in Option A above is correct. 265. State True or False These personal firewalls could sometimes generate false alerts which could irritate non tech-savvy users. A. TRUE Module 1 Primer on Information technology, IS Infrastructure & Emerging Technologies 89 B. FALSE KEY A Justification It is true that some could sometimes generate false alerts which could irritate non tech-savvy users. Hence, answer in Option A above is correct. 266. Windows 7 software _______________ A. Has no inbuilt firewall system; we would need to go in for a third party product for security B. Has a network-based firewall system, not host-based system C. Has an inbuilt stateful, host-based firewall that filters incoming and outgoing connections D. Has a Firewall that cannot block or alert the user about outgoing connection attempts Key C Justification Windows 7 software has an inbuilt, stateful, host-based Firewall system that can filter both incoming as well as outgoing connections. It can block or alert the user against outgoing connection attempts too. Answer in Option C above is correct whereas the other answers are obviously wrong. 267. Windows 7 software ______________ A. Has two network location types with advanced security B. Has a network-based firewall system, not host-based system C. Is a network location-aware host firewall D. Has a Firewall that cannot block or alert the user about outgoing connection attempts Key C Justification Windows 7 software is a network location-aware host firewall. It has three network location types with advanced security Domain, public & private. It has a Firewall system that can filter both incoming as well as outgoing connections. It can block or alert the user against outgoing connection attempts too. Answer in Option C above is correct whereas the other answers are obviously wrong. 268. Windows 7 software ______________ A. Has a Firewall that cannot block or alert the user about outgoing connection attempts B. Stores firewall properties based on location types or profiles C. Has a network-based firewall system, not host-based system D. Has two network location types with advanced security Key B Module 1 Primer on Information technology, IS Infrastructure & Emerging Technologies 90 Justification Windows 7 software is a network location-aware host firewall. It stores firewall properties based on location types called profiles. It has three network location types with advanced security Domain, public & private. It has a Firewall system that can filter both incoming as well as outgoing connections. It can block or alert the user against outgoing connection attempts too. Answer in Option B above is correct whereas the other answers are obviously wrong. 269. Intrusion Detection Systems (IDS) _______________ A. Like Firewalls, they are a method of preventive control B. Monitors, alerts & corrects the problem C. Cannot detect network scans, packet-spoofing & Denial of service D. Will alert us if there are intruders in the host or the network Key D Justification Intrusion Detection Systems (IDS) are a detective control system which will alert us post intrusion into the host or the network. They will monitor & alert the user about exceptions but will not correct the problem. They can, indeed, detect network scans, packet-spoofing & denial of service. Answer in Option D above is correct whereas the other answers are obviously wrong. 270. Network Intrusion Detection Systems (NIDS) ____________ A. Are placed at choke points on the network & monitor traffic to & from devices on the network B. Do not check the content of individual packets for malicious traffic C. Create substantial system overhead D. Does not inhibit the effectiveness of packet analysis even with encrypted payloads and high- speed networks KEY A Justification NIDS are placed at choke points like routers, switches, etc. within the network and they monitor to and from devices on the network. In operations, they do check the content of individual packets for malicious traffic. They do not create any significant system overhead. The effectiveness of packet analysis, however, is inhibited with encrypted payloads and high-speed networks. Answer in Option A above is correct whereas the other answers are wrong. 271. Host Intrusion Detection Systems (HIDS) ______________ A. Monitors all packets but does not alert the administrator when suspicious activity is detected B. Involve lesser deployment and reduced maintenance cost C. Monitors all packets to and fro the hosts only. D. Are not implemented on individual hosts or network devices Module 1 Primer on Information technology, IS Infrastructure & Emerging Technologies 91 Key C Justification HIDS are implemented on individual hosts or devices on the network and they monitor all packets to and from the hosts only. They alert the administrator when suspicious activity is detected. Since they are deployed on each computer, they involved higher deployment and proportionately higher maintenance cost. Answer in Option C above is correct whereas the other answers are wrong. 272. Signature based IDS _____________________ A. Monitors packets on network but does not validate them since they do not have a database for comparison B. Will be able to detect attacks pre-emptively, even before the event C. Can successfully handle even new attacks D. Monitors packets on network and compares them against large databases of attack signatures Key D Justification SIDS are signature based IDS that monitor packets on networks and compare them against large databases of attack signatures. They cannot, however, detect attacks pre-emptively and cannot handle new attacks since a comparable signature would not be available with them. Answer in Option D above is correct whereas the other answers are wrong. 273. Statistical Anomaly / Behaviour based IDS ________________ A. Monitors packets on network and validates them by comparing the signature in the database B. Assume that an intrusion can be detected by observing a normal behaviour of the system/users C. Will not be able to detect attacks pre-emptively, before the event D. Cannot handle effectively new attacks Key B Justification SAB IDS monitor packet traffic on networks and compare them against an established baseline of behaviour. They can detect attempts to exploit new and unforeseen vulnerabilities. Their downside is that they generate a large number of false positives. Answer in Option B above is correct whereas the other answers are wrong. 274. Cryptography is _____________ A. The process of transforming data into something that can be understood B. The process of transforming data into something that cannot be understood with some additional information Module 1 Primer on Information technology, IS Infrastructure & Emerging Technologies 92 C. The practice and study of hiding information D. Cannot provide mechanisms for authenticating users on a network Key C Justification Cryptography is the practice and study of hiding information. It involves the process of transforming data into something that cannot be understood without additional information. It provides mechanisms for authenticating users on a network. Answer in Option C above is correct whereas the other answers are wrong. 275. Cryptography_________________ A. Involves use of encryption for transforming data into something that can be understood B. Is the process of transforming data into something that cannot be understood even with some additional information C. Cannot provide mechanisms for authenticating users on a network D. Is the theory and practice of secure communication Key D Justification Cryptography is the practice and study of hiding information with the objective of secure communication. It involves the use of encryption for transforming data into unintelligible form. The unintelligible form can be converted back into understandable information with the help of some additional information like a code or a key. It does provide mechanisms for authenticating users on a network. Answer in Option D above is correct whereas the other answers are wrong. 276. Cryptography ____________ A. Provides mechanisms for preventing users from repudiating ownership of messages B. Cannot provide mechanisms for authenticating users on a network C. Is the process of transforming data into something that cannot be understood even with some additional information D. Involves use of encryption for transforming data into something that is intelligible KEY A Justification Cryptography is the practice and study of hiding information with the objective of secure communication. It involves the use of encryption for transforming data into unintelligible form. The unintelligible form can be converted back into understandable information with the help of some additional information like a code or a key. It does provide mechanisms for authenticating users on a network. It also enables prevention of users from repudiating ownership of their messages. Answer in Option A above is correct whereas the other answers are wrong. 277. Cryptography _________________ Module 1 Primer on Information technology, IS Infrastructure & Emerging Technologies 93 A. Helps assure the receiver about the integrity of the message B. Does not help in preventing users from repudiating ownership of messages C. Cannot provide mechanisms for authenticating users on a network D. Is the process of transforming data into something that cannot be understood even with some additional information E. Involves use of encryption for transforming data into something that is intelligible KEY A Justification Cryptography is the practice and study of hiding information with the objective of secure communication. It involves the use of encryption for transforming data into unintelligible form. The unintelligible form can be converted back into understandable information with the help of some additional information like a code or a key. It does provide mechanisms for authenticating users on a network. It also enables prevention of users from repudiating ownership of their messages. It helps the receiver in ensuring that the message received by him has not been altered in any fashion; ie, protect the integrity of the message. Answer in Option A above is correct whereas the other answers are wrong. 278. Cryptography ________________ A. Does not help in preventing users from repudiating ownership of messages B. Cannot provide mechanisms for authenticating users on a network C. Ensures the privacy or confidentiality of the contents of the message D. Involves use of encryption for transforming data into something that is intelligible Key C Justification Cryptography ensures the privacy or confidentiality of a message i.e. it ensures that no one except the intended receiver of the message can read the message. Cryptography is the practice and study of hiding information with the objective of secure communication. It involves the use of encryption for transforming data into unintelligible form. The unintelligible form can be converted back into understandable information with the help of some additional information like a code or a key. It does provide mechanisms for authenticating users on a network. It also enables prevention of users from repudiating ownership of their messages. It helps the receiver in ensuring that the message received by him has not been altered in any fashion; ie, protect the integrity of the message. Answer in Option C above is correct whereas the other answers are wrong. 279. Cryptography ______________ A. Involves use of encryption for transforming data into something that is intelligible B. Authenticates & convinces the receiver that the message has actually come from the sender C. Does not help in preventing users from repudiating ownership of messages Module 1 Primer on Information technology, IS Infrastructure & Emerging Technologies 94 D. Cannot provide mechanisms for authenticating users on a network Key B Justification Cryptography authenticates & convinces the recipient that the message has actually come from the sender. It involves the use of encryption for transforming data into unintelligible form. The unintelligible form can be converted back into understandable information with the help of some additional information like a code or a key. It does provide mechanisms for authenticating users on a network. It also enables prevention of users from repudiating ownership of their messages. Answer in Option B above is correct whereas the other answers are wrong. 280. Any message that is intelligible is considered to be in _________________ A. Encrypted form B. Coded form C. Plaintext form D. Ciphertext form Key C Justification Any message that is intelligible is considered to be in plaintext form. An encrypted form will not be intelligible without the use of additional information. A ciphertext form would be in unintelligible form till it is decrypted into plaintext form. Hence, answer in Option C above is correct whereas the other answers are wrong. 281. Any message that is converted into un-intelligible form is considered to be in _________ A. Ciphertext form B. Plaintext form C. Understandable form D. Coded form KEY A Justification A ciphertext form arises post encryption & would be in unintelligible form till it is decrypted into plaintext form. Any message that is intelligible is considered to be in plaintext form. An encrypted form will not be intelligible without the use of additional information. Hence, answer in Option A above is correct whereas the other answers are wrong. 282. The process of converting a given plaintext into ciphertext form is called ____________ Module 1 Primer on Information technology, IS Infrastructure & Emerging Technologies 95 A. Decryption B. Translation C. Transcription D. Encryption Key D Justification The conversion of a given plaintext into ciphertext form is called encryption. This form would be in unintelligible form till it is decrypted into plaintext form through decryption. Any message that is intelligible is considered to be in plaintext form. An encrypted form will not be intelligible without the use of additional information. Hence, answer in Option D above is correct whereas the other answers are wrong. 283. The process of converting ciphertext back into plaintext form is called _____________ A. Transcription B. Encryption C. Decryption D. Translation Key C Justification The conversion of a given plaintext into ciphertext form is called encryption. This form would be in unintelligible form till it is decrypted into plaintext form through decryption. Any message that is intelligible is considered to be in plaintext form. An encrypted form will not be intelligible without the use of additional information. Hence, answer in Option C above is correct whereas the other answers are wrong. 284. The mathematical function used for encryption & decryption is ______________. A. Binomial analysis B. Cryptographic Algorithm C. Transcription Algorithm D. Exponential function Key B Justification The mathematical function used for encryption & decryption is called the cryptographic algorithm or Cipher. Answer in Option B above is correct whereas the other answers are wrong. Module 1 Primer on Information technology, IS Infrastructure & Emerging Technologies 96 285. The mathematical function used for encryption & decryption is _______________. A. Transcription Algorithm B. Binomial analysis C. Cipher D. Exponential function Key C Justification The mathematical function used for encryption & decryption is called the cryptographic algorithm or Cipher. Answer in Option C above is correct whereas the other answers are wrong. 286. A Cipher is also called _______________ A. A Cryptographic Algorithm B. Transcription Algorithm C. Binomial analysis D. Exponential function KEY A Justification The mathematical function used for encryption & decryption is called the cryptographic algorithm or Cipher. Answer in Option A above is correct whereas the other answers are wrong. 287. A Cryptographic algorithm _______________ A. Must be difficult to use but easy to crack B. Must be easy both to use and crack C. Must be easy to use but difficult to crack D. Must be difficult to use as well as to crack Key C Justification An effective cryptographic algorithm must be easy to use but difficult to crack. Answer in Option C above is correct whereas the other answers are wrong. 288. A Cryptographic algorithm ____________ A. Can be used for one function encryption alone B. Can be used for one function decryption alone Module 1 Primer on Information technology, IS Infrastructure & Emerging Technologies 97 C. Can be used for one function creation of a key D. Can be used for two functions encryption as well as decryption Key D Justification A cryptographic algorithm can be used for encryption as well as decryption. Answer in Option D above is correct whereas the other answers are wrong. 289. Keys ______________ A. Are not required in the encryption or decryption process B. Should be difficult to use but easy to break C. Are additional secret data in the cryptographic process D. Should be easy to use as well as to break Key C Justification Keys are additional secret data which are used in the encryption or decryption process of cryptography. They need to be long enough to make breaking difficult but short enough to use and transmit. Answer in Option C above is correct whereas the other answers are wrong. 290. Keys ______________ A. Should be difficult to use but easy to break B. Should be easy to use as well as to break C. Are not required in the encryption or decryption process D. Prevent the message from being decoded even if the algorithm is known Key D Justification Keys are additional secret data which are used in the encryption or decryption process of cryptography. They need to be long enough to make breaking difficult but short enough to use and transmit. Without the keys, even if the mathematical algorithm of encryption were known, decryption into plaintext is not possible. Answer in Option D above is correct whereas the other answers are wrong. 291. The Caesar cipher was used to transmit messages during Roman wars. It was actually a ‘shift by 3’ rule wherein alphabet A is replaced by the third alphabet D, B by E and so on. In this case, the Key is ___________ A. 3 Module 1 Primer on Information technology, IS Infrastructure & Emerging Technologies 98 B. Alphabet A C. Alphabet D D. Alphabet B KEY A Justification Keys are additional secret data which are used in the encryption or decryption process of cryptography. In this case, the recipient of the message needs to know the algorithm of shifting the alphabet by a few positions. However, in this specific instance, the shifting of the alphabet is by three positions. Hence, the key is 3. In another situation, the key can be changed to 5 or any other number depending upon security requirements without changing the basic algorithm. Answer in Option A above is correct whereas the other answers are wrong. 292. Symmetric Key Cryptography _____________ A. Envisages the use of different keys for encryption and decryption B. Envisages the use of a single key both for encryption as well as decryption C. Suffers from no difficulty in terms of distribution of the key D. Envisages the use of one key by the sender & another by the receiver Key B Justification Symmetric Key cryptography envisages the use of a single key both for encryption as well as decryption. Thus, the receiver uses the same key for decryption as was used by the sender for encryption. The difficulty lies in distribution of the key. Answer in Option B above is correct whereas the other answers are wrong. 293. The Digital Encryption Standard __________________ A. Is a NIST standard using 256 keys B. Continues to be used by NIST even today C. Is a NIST standard using 228 keys D. Is not a Symmetric Encryption Standard KEY A Justification DES is a National Institute for Standards and Technology Symmetric Encryption Standard using 256 keys. It has been replaced by the Advanced Encryption standard which deploys 128, 192 and 256 bits and proportionately more keys for better security. Answer in Option A above is correct whereas the other answers are wrong. Module 1 Primer on Information technology, IS Infrastructure & Emerging Technologies 99 294. The Advanced Encryption Standard _________________ A. Has been discontinued for use by NIST B. Is a NIST standard using 228 keys C. Is not a Symmetric Encryption Standard D. Is a NIST standard using up to 256 bits or 2256 keys Key D Justification AES is a National Institute for Standards and Technology Symmetric Encryption Standard using up to 256 bits or 2256 keys. It has replaced the DES in the interest of for better security. Answer in Option D above is correct whereas the other answers are wrong. 295. Asymmetric or Public Key Cryptography ___________ A. Involves the use of a single key both for encryption as well as decryption B. Is inferior to Symmetric key since safe distribution of the key to the recipient is an issue C. Involves the use of a pair of keys, one for encryption & the other for decryption D. Involves the use of two pairs of keys, one each for encryption and decryption Key C Justification Asymmetric or Public key cryptography involves the use of a pair of keys, one for encryption and the other for decryption. It overcomes the difficulty of key distribution faced in the case of symmetric key cryptography. Answer in Option C above is correct whereas the other answers are wrong. 296. Asymmetric or Public Key Cryptography ____________ A. Involves the use of a public key of the individual in a private domain B. Involves the use of a private key of the individual in a public domain C. Is thousands of times slower than symmetric key cryptography D. Involves the use of two pairs of keys, one each for encryption and decryption Key C Justification Asymmetric or Public key cryptography involves the use of a pair of keys, one for encryption and the other for decryption. The public key of the individual would be in the public domain whereas the private key would remain secret and not revealed. It overcomes the difficulty of key distribution faced in the case of symmetric key cryptography. This process, however, is thousands of times slower than the symmetric key cryptography process. Module 1 Primer on Information technology, IS Infrastructure & Emerging Technologies 100 Answer in Option C above is correct whereas the other answers are wrong. 297. Asymmetric or Public Key Cryptography _______________ A. Can be initiated by using either of the two keys first B. Is not used for exchange of symmetric keys C. Is not used for exchange of Digital signatures D. Involves the use of two pairs of keys, one each for encryption and decryption KEY A Justification Asymmetric or Public key cryptography involves the use of a pair of keys, one for encryption and the other for decryption. Either of the two keys can be used, without any particular sequence. The public key of the individual would be in the public domain whereas the private key would remain secret and not revealed. It overcomes the difficulty of key distribution faced in the case of symmetric key cryptography. This process, however, is thousands of times slower than the symmetric key cryptography process. Its use, therefore, is mainly in exchange of symmetric keys and digital signatures. Answer in Option A above is correct whereas the other answers are wrong. 298. Asymmetric or Public Key Cryptography ___________________ A. Is not used for exchange of symmetric keys B. Is not used for exchange of Digital signatures C. Uses more computer resources compared to Symmetric key cryptography D. Provides lesser security as compared to Symmetric key cryptography Key C Justification Asymmetric or Public key cryptography involves the use of a pair of keys, one for encryption and the other for decryption. Either of the two keys can be used, without any particular sequence. The public key of the individual would be in the public domain whereas the private key would remain secret and not revealed. It overcomes the difficulty of key distribution faced in the case of symmetric key cryptography. This process, however, is thousands of times slower than the symmetric key cryptography process and uses up more computer resources too. Its use, therefore, is mainly in exchange of symmetric keys and digital signatures. Answer in Option C above is correct whereas the other answers are wrong. 299. Asymmetric or Public Key Cryptography ___________ A. Uses less computer resources compared to Symmetric key cryptography B. Generally has larger key size as compared to Symmetric key cryptography C. Provides lesser security as compared to Symmetric key cryptography Module 1 Primer on Information technology, IS Infrastructure & Emerging Technologies 101 D. Is not used for exchange of symmetric keys Key B Justification Asymmetric or Public key cryptography involves the use of a pair of keys, one for encryption and the other for decryption. Either of the two keys can be used, without any particular sequence. The public key of the individual would be in the public domain whereas the private key would remain secret and not revealed. It overcomes the difficulty of key distribution faced in the case of symmetric key cryptography. This process, however, involves larger key sizes, is thousands of times slower than the symmetric key cryptography process and uses up more computer resources too. Its use, therefore, is mainly in exchange of symmetric keys and digital signatures. .Answer in Option B above is correct whereas the other answers are wrong. 300. RSA is _________________ A. A form of cryptography which uses 24096 keys B. Not used in common software products C. The most common form of Asymmetric Key Cryptography in use D. An acronym for its developers Robin Sharma, Sundararaman and Anjaneyulu Key C Justification RSA was developed by Ronald Rivest, Adi Shamir and Leonard Adleman & hence its name. It is the most common form of Asymmetric Key Cryptography in use. It currently uses 22048 keys for high security. It is used extensively in common software products for key exchange, digital signatures or encryption for small blocks of data. Answer in Option C above is correct whereas the other answers are wrong. 301. What are Message Hash Functions ? A. They are algorithms involved in computing a fixed length hash value B. They are algorithms from which the contents & length of the plaintext can be recovered C. They are algorithms whose limitation is that they cannot guarantee message integrity They are algorithms involved in computing a variable length hash value KEY A Justification Message Hash Functions are algorithms involved in computing a fixed length hash value. In lieu of a key, a fixed length hash value is computed based upon the plaintext that makes it impossible to recover the contents or length of the plaintext. The hash value is recalculated at the receiver’s end and matched with that generated by the sender. If they match, the message has not been altered during transmission. Hence, Option A alone is correct. Module 1 Primer on Information technology, IS Infrastructure & Emerging Technologies 102 302. Message Hash Functions __________ A. Are algorithms involved in computing a fixed length hash value B. Are algorithms from which the contents & length of the plaintext can be recovered C. Are algorithms whose limitation is that they cannot guarantee message integrity D. Are also called Message Digests and One-way hash functions Key D Justification Message Hash Functions are algorithms involved in computing a fixed length hash value. They are also called Message Digests and One-way hash functions. In lieu of a key, a fixed length hash value is computed based upon the plaintext that makes it impossible to recover the contents or length of the plaintext. The hash value is recalculated at the receiver’s end and matched with that generated by the sender. If they match, the message has not been altered during transmission. Hence, Option D alone is correct. 303. What are Digital Signatures ? A. Are data strings dependent only on a secret known only to the sender B. Are data strings dependent on a secret known only to the sender & the message content C. Are cryptography tools which depend upon use of Symmetric Keys D. They are algorithms whose limitation is that they cannot guarantee message integrity Key B Justification Digital signatures are data strings dependent on a secret known only to the sender and, additionally, on the content of the message. They use Asymmetric Keys and Hash. They meet the communication objectives of authentication, integrity and repudiation. .Option B alone is correct. 304. What are Digital Signatures ? A. They are algorithms whose limitation is that they cannot guarantee message integrity B. Are data strings dependent on a secret built into the message content alone C. Are cryptography tools which depend upon use of Asymmetric Keys & Message Hash content D. Are data strings dependent only on a secret known only to the sender Key C Justification Digital signatures are data strings dependent on a secret known only to the sender and, additionally, on the content of the message. They use Asymmetric Keys and Hash. They meet the communication objectives of authentication, integrity and repudiation. Option C alone is correct. 305. What are the characteristics of Digital Signatures ? Module 1 Primer on Information technology, IS Infrastructure & Emerging Technologies 103 A. They achieve the communication objectives of confidentiality, authentication & integrity B. They comply with the goals of authentication, access control and non-repudiation C. They are algorithms whose limitation is that they cannot guarantee message integrity D. They achieve the communication objectives of authentication, integrity & non-repudiation Key D Justification Digital signatures are data strings dependent on a secret known only to the sender and, additionally, on the content of the message. They use Asymmetric Keys and Hash & involve the use of private and public keys. They meet the communication objectives of authentication, integrity and repudiation. Option D alone is correct. 306. What are the characteristics of Public Key Infrastructure (PKI) ? A. They achieve the communication objectives of confidentiality & authentication alone B. They achieve all the five basic communication objectives C. They provide the infrastructure for generation, storage and security of public keys D. They are algorithms which are not as effective as Digital signatures Key B Justification PKI are advanced cryptographic tools which help achieve all the five basic communication objectives of confidentiality, authentication, integrity, non-repudiation and access control. It involves the use of a digital envelope, which, in turn, deploys both secret KEY And public key cryptography methods to send the secret key to the recipient. It thus combines public-key encryption and digital signature services to create a comprehensive system. Hence, Option B alone is correct. 307. What are characteristic of Public Key Infrastructure (PKI) ? A. Digital certificates are used with support from Certificate authority & LDAP directory B. They provide the infrastructure for generation, storage and security of public keys C. They achieve the communication objectives of confidentiality & authentication alone D. They are algorithms which are not as effective as Digital signatures KEY A Justification PKI are advanced cryptographic tools which help achieve all the five basic communication objectives of confidentiality, authentication, integrity, non-repudiation and access control. It involves the use of a digital envelope, which, in turn, deploys both secret KEY And public key cryptography methods to send the secret key to the recipient. It thus combines public-key encryption and digital signature Module 1 Primer on Information technology, IS Infrastructure & Emerging Technologies 104 services to create a comprehensive system. The system leans heavily on a robust Certification authority and Lightweight Directory Access Protocol (LDAP) directory. Hence, Option A alone is correct. 308. What are the typical characteristics of a Digital Certificate ? A. It is a digitally signed document used to verify that a private key belongs to an individual B. It is a digitally signed document used to verify that a public key belongs to an individual C. It is a digitally signed document which is permanent, without any validity/expiry date D. It is a digitally signed document used to verify both public & private keys of an individual Key B Justification A Digital certificate is a digitally signed document that associates a public key with a user. It will be signed by a Certification Authority. Its contents would include serial number, subject, signature, issuer, validity dates(valid from, expiry date), public key, thumbprint algorithm and thumbprint. Hence, Option B alone is correct. 309. Who are Certifying Authorities ? A. In India, Certifying authorities are not regulated/ licensed & hence, certificates have no legal validity B. They are not responsible for verification of registration, suspension and revocation requests C. They are Trusted Third Parties to verify and vouch for the identities of entities in an electronic environment D. In India, Certifying authorities are regulated/licensed by NASSCOM Key C Justification Certifying Authorities (CAs) are Trusted Third Parties to verify and vouch for the identities of entities in an electronic environment. In India, the IT Act provides for the Controller of Certifying Authorities, a body under the Ministry of Communications & Information Technology, is responsible for the licensing and regulation of Certifying Authorities & to ensure that the IT Act provisions are complied with. The main role of a CA is to digitally sign and publish the public key bound to a given user. One of the major roles & responsibilities is verification of registration, suspension and revocation requests. Hence, answer in Option C is correct. 310. Who are Registering Authorities ? A. They authenticate the identity of a person before the CA releases the digital certificate B. They are independent of the CA and are responsible to NASSCOM C. They are not responsible for verification of identity but only for formal registration D. They are a Government department who register the Certifying Authority KEY A Module 1 Primer on Information technology, IS Infrastructure & Emerging Technologies 105 Justification Registering Authorities are work under the control of Certifying authorities (CAs) and are responsible for authenticating the identity of a person prior to issue of a digital certificate by the CA. They are also the body who interact with subscribers for providing CA services. The CAs themselves, who are independent entities, are licensed and regulated by the Controller of Certifying Authorities, a government body under the Ministry of Communications and Information Technology. Hence, only the answer in Option A is correct. 311. Certification Revocation Lists (CRLs) ______________ A. Are lists of Certifying Authorities who have been de-licensed by the CCA B. Are issued by a Certifying Authority different from one that issued the original certificate C. Are lists of serial numbers of certificates which have been revoked D. Are issued by Registering Authorities and not signed by the Certifying Authority Key C Justification Certificate Revocations Lists (CRLs) are lists of serial numbers of digital certificates which have been revoked along with reasons for revocation. These certificates are themselves signed by the Certifying Authority (CA) themselves. The CRL is always issued by the CA who issued the corresponding certificate. Entities presenting those certificates can no longer be trusted. Hence, only the answer in Option C is correct. 312. Certification Practice Statement is a statement of the practices which a Certification Authority employs in issuing and managing certificates. A. TRUE B. FALSE KEY A Justification Certification Practice Statement is a statement of the practices which a Certification Authority employs in issuing and managing certificates. It carries various types of information like policies, procedures & processes involved in certificate issue, policies for revocation, policies for renewal, certificate lifetime, etc. The answer in Option A is correct. 313. Which of the following is true off Cryptanalysis ? A. Analysis of data for encryption using Symmetric key B. Analysis of encryption/decryption records for audit purposes C. Refers to methods of recovering plaintext from ciphertext without using the key Module 1 Primer on Information technology, IS Infrastructure & Emerging Technologies 106 A. It is used to study strengths of a cryptosystem Key C Justification Cryptanalysis refers to methods of recovering plaintext from ciphertext without using the key. In other words, it is the study of methods for obtaining the meaning of encrypted information, without access to the secret information which is normally required to do so. It also deals with identifying weaknesses in the cryptosystem. The term cryptanalysis is also used to refer to attempts to break the security of other types of cryptographic algorithms and protocols, apart from encryption. The answer in Option C only is correct. 314. How does a Cryptanalyst manage to identify the key for launching a Known plaintext attack ? A. He ascertains the key by compromising the Certifying Authority’s servers B. He programs his computer to continuously check random keys till he finds the right one C. He breaks into the sender’s system and identifies the private key for the transmission D. He deduces the key by accessing both ciphertext as well as plaintext of several messages Key D Justification The Cryptanalyst can deduce the key by accessing & comparing both the ciphertext as well as the plaintext of several messages. He can then launch a Known plaintext attack. The answer in Option D only is correct. 315. Secure Socket Layer (SSL) _____________ A. Cannot work with any program using TCP, even with modifications B. Is a protocol that provides a secure communication channel between two machines C. Has limited flexibility in choice of encryption used D. Does not have built-in data compression capability Key B Justification SSL is a protocol that provides a secure communication channel between two machines operating on the Internet or an internal network. Any program using TCP can be modified to use SSL connection. SSL is also flexible in choice of symmetric encryption, authentication and message digest that can be used. It does have in-built data compression capability. Hence, the answer in Option B only is correct. 316. Secure Socket Layer (SSL) __________ Module 1 Primer on Information technology, IS Infrastructure & Emerging Technologies 107 A. Subsequently became an internet standard known as Transport Layer Security B. Does not have built-in data compression capability C. Has limited flexibility in choice of encryption used D. Is not widely used currently in the international communication network KEY A Justification SSL was originally developed by Netscape and subsequently became the Internet standard known as Transport Layer Security (TLS). It is a protocol that provides a secure communication channel between two machines operating on the Internet or an internal network. Any program using TCP can be modified to use SSL connection. SSL is also flexible in choice of symmetric encryption, authentication and message digest that can be used. It does have in-built data compression capability. It is the most widely used security protocol system in the world currently. Hence, the answer in Option A only is correct. 317. Secure Socket Layer (SSL) __________ A. Does not have built-in data compression capability B. Has limited flexibility in choice of encryption used C. Is the most widely deployed security protocol used today D. Is not used for handling sensitive information like credit card/social security numbers, etc. Key C Justification SSL was originally developed by Netscape and subsequently became the Internet standard known as Transport Layer Security (TLS). It is a protocol that provides a secure communication channel between two machines operating on the Internet or an internal network. SSL is also flexible in choice of symmetric encryption, authentication and message digest that can be used. It does have in-built data compression capability. It is the most widely used system in the world currently. In particular, it is capable of handling sensitive information like credit card numbers, social security numbers and login credentials to be transmitted securely. Hence, the answer in Option C only is correct. 318. Secure Socket Layer (SSL) ______________ A. Has limited flexibility in choice of encryption used B. Cannot work with any program using TCP, even with modifications C. Does not have built-in data compression capability D. Has the capability to handle sensitive information like credit card/social security numbers, etc. Key D Module 1 Primer on Information technology, IS Infrastructure & Emerging Technologies 108 Justification SSL was originally developed by Netscape and subsequently became the Internet standard known as Transport Layer Security (TLS). It is a protocol that provides a secure communication channel between two machines operating on the Internet or an internal network. SSL is also flexible in choice of symmetric encryption, authentication and message digest that can be used. Any program using TCP can be modified to use SSL connection. It does have in-built data compression capability. It is the most widely used system in the world currently. In particular, it is capable of handling sensitive information like credit card numbers, social security numbers and login credentials to be transmitted securely. Hence, the answer in Option D only is correct. 319. Secure Socket Layer (SSL) ______________ A. Is a transparent protocol requiring little user interaction for establishing a secure session B. Cannot secure cloud-based computing platforms C. Has limited flexibility in choice of encryption used D. Cannot secure connection between E-mail Client and E-mail Server KEY A Justification SSL was originally developed by Netscape and subsequently became the Internet standard known as Transport Layer Security (TLS). It is a protocol that provides a secure communication channel between two machines operating on the Internet or an internal network. SSL is also flexible in choice of symmetric encryption, authentication and message digest that can be used. It is a transparent protocol requiring little end user interaction for establishing a secure session. Hence, the answer in Option A only is correct. 320. Secure Socket Layer (SSL) ______________ A. Alerts users to its presence by displaying an eagle’s head in the browser B. Alerts users to its presence by displaying a padlock in the browser C. Cannot secure system logins and any sensitive information exchanged online D. Cannot secure connection between E-mail Client and E-mail Server Key B Justification SSL is a protocol that provides a secure communication channel between two machines operating on the Internet or an internal network. It is a transparent protocol requiring little end user interaction for establishing a secure session. It alerts users to its presence by displaying a padlock in the browser. Among other things, it can secure system logins and other sensitive information normally exchanged online. It can also secure connection between E-mail Client and E-mail Server. Hence, the answer in Option B only is correct. Module 1 Primer on Information technology, IS Infrastructure & Emerging Technologies 109 321. HTTP Secure _______________ A. Is used widely except for payment transactions & other sensitive transactions B. Is an advanced version of HTTP which is superior to SSL/TLS protocol C. Is basically layering of HTTP protocol over the SSL/TLS protocol D. Requires both the client as well as the remote server to be authenticated compulsorily Key C Justification HTTP Secure is basically layering of HTTP protocol over the proven Secure Sockets Layer (SSL) protocol. It is used widely, especially for payment transactions, emails, etc. W hile the SSL portion can comfortably authenticate both ends of a session, in the normal course only the server end is authenticated by the client. Hence, the answer in Option C only is correct. 322. HTTP Secure _____________ A. Is an advanced version of HTTP which is superior to SSL/TLS protocol B. Requires both the client as well as the remote server to be authenticated compulsorily C. Has a basic limitation of slowing down the web service D. Is used widely except for payment transactions & other sensitive transactions Key C Justification HTTP Secure is basically layering of HTTP protocol over the proven Secure Sockets Layer (SSL) protocol. It is used widely, especially for payment transactions, emails, etc. W hile the SSL portion can comfortably authenticate both ends of a session, in the normal course only the server end is authenticated by the client. Its one limitation is that it slows down the web service. Hence, the answer in Option C only is correct. 323. Virtual Private Network (VPN) _______________ A. Can operate between two private networks but not the Internet B. Does not provide confidentiality & integrity over un-trusted intermediate networks C. Not compatible for operations with IPSec D. Can link two networks or individual systems providing privacy & strong authentication Key D Justification VPNs can link two individual systems or networks providing privacy and strong authentication. The networks can be private networks or the Internet. They provide confidentiality & integrity over un- Module 1 Primer on Information technology, IS Infrastructure & Emerging Technologies 110 trusted intermediate networks. IPSec enables VPN and creates a virtual tunnel with encryption to ensure secure communication. Hence, the answer in Option D only is correct. 324. IPSec ___________ A. Protects application data across IP Networks B. Requires applications to be specifically designed to work with it C. Cannot be of help for implementation of VPN D. Cannot be of help for remote user access through dial-up connection KEY A Justification IPSec protects application data across IP Networks. It is encrypted at network layer of IP. Hence, it does not require applications to be specifically designed for use with it. It is useful for implementation of VPN as also for remote user access through dial-up connection. Hence, the answer in Option A only is correct. 325. IPSec ______________ A. Is encrypted at IP(Transport layer) B. Is implemented at end routers/firewalls C. Cannot be of help for implementation of VPN D. Cannot be of help for remote user access through dial-up connection Key B Justification IPSec protects application data across IP Networks. It is encrypted at network layer of IP. Hence, it does not require applications to be specifically designed for use with it. It is useful for implementation of VPN as also for remote user access through dial-up connection. Hence, the answer in Option B only is correct. 326. IPSec _____________ A. Is encrypted at IP(Transport layer) B. Can operate in transport mode with both data & packet header encrypted C. Has as its basic goals authenticity and data integrity D. Can operate in tunnel mode with entire IP packet encrypted & old header added Key C Justification IPSec protects application data across IP Networks. It is encrypted at network layer of IP. Hence, it does not require applications to be specifically designed for use with it. It is useful for implementation Module 1 Primer on Information technology, IS Infrastructure & Emerging Technologies 111 of VPN as also for remote user access through dial-up connection. It has as its basic goals authenticity and data integrity. It can operate in two modes transport & tunnel. In transport mode, it provides secure connection between two end points. In this mode, the data is encrypted and the packet header is not encrypted. In tunnel mode, used for VPN, the entire IP packet is encrypted and a new header added to the packet for transmission. Hence, the answer in Option C only is correct. 327. Transport Mode of IPSec _____________ A. Involves encryption of data but not of the packet header B. Involves encryption of the entire packet, for use in VPN C. Can operate with entire IP packet encrypted & old header added D. Provides secure connection between two points Key D Justification IPSec protects application data across IP Networks. It is encrypted at network layer of IP. Hence, it does not require applications to be specifically designed for use with it. It is useful for implementation of VPN as also for remote user access through dial-up connection. It has as its basic goals authenticity and data integrity. It can operate in two modes transport & tunnel. In transport mode, it provides secure connection between two end points. In this mode, the data is encrypted and the packet header is not encrypted. In tunnel mode, used for VPN, the entire IP packet is encrypted and a new header added to the packet for transmission. Hence, the answer in Option D only is correct. 328. Tunnel Mode of IPSec _____________ A. Is used to create Virtual Private Networks B. Involves encryption of data but not of the packet header C. Involves encryption of the entire packet, for use in non-VPN functions D. Can operate with entire IP packet encrypted & old header added KEY A Justification IPSec protects application data across IP Networks. It is encrypted at network layer of IP. Hence, it does not require applications to be specifically designed for use with it. It is useful for implementation of VPN as also for remote user access through dial-up connection. It has as its basic goals authenticity and data integrity. It can operate in two modes transport & tunnel. In tunnel mode, used for VPN, the entire IP packet is encrypted and a new header added to the packet for transmission. Hence, the answer in Option A only is correct. Module 1 Primer on Information technology, IS Infrastructure & Emerging Technologies 112 329. Secure Shell (SSH) is a protocol ____________ A. Which is basically VPN layered on SSL protocol B. Which cannot operation in conjunction with Telnet C. Used for secure remote login & for command execution over an insecure network D. Works only for peer-to-peer mode Key C Justification SSH is a protocol used for remote login and for executing commands over an insecure network. It is basically Telnet +SSL+ some other features. It works well for client-server mode, with both ends authenticated using certificates. It is usually used on UNIX systems. The correct answer is as in Option C 330. Secure Shell (SSH) is a protocol ____________ A. That cannot be used for remote login or command execution B. Comprising Telnet+SSL+other features C. Which is basically VPN layered on SSL protocol D. Which cannot operation in conjunction with Telnet Key B Justification SSH is a protocol used for remote login and for executing commands over an insecure network. It is basically Telnet +SSL+ some other features. It works well for client-server mode, with both ends authenticated using certificates. It is usually used on UNIX systems. The correct answer is as in Option B. 331. Secure Shell (SSH) is a protocol ____________ A. Which cannot operation in conjunction with Telnet B. Which is basically VPN layered on SSL protocol C. That cannot be used for remote login or command execution D. That is usually used on UNIX systems Key D Justification SSH is a protocol used for remote login and for executing commands over an insecure network. It is basically Telnet +SSL+ some other features. It works well for client-server mode, with both ends authenticated using certificates. It is usually used on UNIX systems. Module 1 Primer on Information technology, IS Infrastructure & Emerging Technologies 113 The correct answer is as in Option D. 332. Secure Electronic Transaction (SET) _____________ A. Was originally developed by Visa & Master card for secured electronic transactions B. Uses a system involving three signatures C. Uses a system involving two signatures, one each of the customer and the merchant D. Uses a system involving three signatures, one each of the customer, the merchant & the bank KEY A Justification SET is a protocol originally developed by Visa & Master card for securing electronic transactions. It uses a system of Dual Signatures. The objective is to link two messages that are intended for two different recipients. In a typical case, the message to the merchant will not allow reading of the credit card details and that to the bank will not give access to the order number details. The customer will have a link between order information & payment information for resolving disputes, if any. The correct answer is as in Option A. 333. Secure Electronic Transaction (SET) ________________ A. Uses a system involving three signatures, one each of the customer, the merchant & the bank B. Is basically a combination of Telnet+SSL C. Used exclusively on UNIX based systems D. Uses a system of Dual signature to link two messages intended for two different recipients Key D Justification SET uses a system of Dual Signatures. The objective is to link two messages that are intended for two different recipients. In a typical case, the message to the merchant will not allow reading of the credit card details and that to the bank will not give access to the order number details. The customer will have a link between order information & payment information for resolving disputes, if any. It uses a combination of RSA public key cryptography, DES private key cryptography & digital certificates to ensure security of transactions. It is not a combination of Telnet+SSL; nor is it used exclusively on UNIX based systems. The correct answer is as in Option D 334. Secure Electronic Transaction (SET) _______________ A. Uses a system involving three signatures, one each of the customer, the merchant & the bank B. Used exclusively on UNIX based systems C. Uses a cryptography combination of RSA public key, DES private key & digital certificates Module 1 Primer on Information technology, IS Infrastructure & Emerging Technologies 114 D. Is basically a combination of Telnet+SSL Key C Justification SET uses a system of Dual Signatures. The objective is to link two messages that are intended for two different recipients. In a typical case, the message to the merchant will not allow reading of the credit card details and that to the bank will not give access to the order number details. The customer will have a link between order information & payment information for resolving disputes, if any. It uses a combination of RSA public key cryptography, DES private key cryptography & digital certificates to ensure security of transactions. It is not a combination of Telnet+SSL; nor is it used exclusively on UNIX based systems. The correct answer is as in Option C 335. Secure Multipurpose Internet Mail Extension _________________ A. Uses the DES encryption system B. Is a secure method for VPN access & remote log in C. Is a secure method for Internet payment transactions D. Is a secure method of sending emails and extensions Key D Justification S/MIME is a secure method for sending emails and extensions. It is based on public key cryptography, using RSA encryption system. It does not use the DES encryption system. It is also not used for VPN/remote log in or for internet payment transactions. The correct answer is as in Option D 336. Secure Multipurpose Internet Mail Extension _____________ A. Is based on public key cryptography & uses RSA encryption system B. Is a secure method for Internet payment transactions C. Is a secure method for VPN access & remote log in D. Cannot handle emails and attachments KEY A Justification S/MIME is a secure method for sending emails and extensions. It is based on public key cryptography, using RSA encryption system. It does not use the DES encryption system. It is also not used for VPN/remote log in or for internet payment transactions. The correct answer is as in Option A. Module 1 Primer on Information technology, IS Infrastructure & Emerging Technologies 115 337. The prime drivers of choice of network technology for a typical large bank will be ______________ A. Primarily Business Focus followed by Risk Management B. Business Focus, Risk Management & Govt. / Compliance needs C. Primarily Risk Management followed by Govt. / Compliance needs D. Solely Business Needs Key B Justification The prime drivers for choice of networking technology would be all the three major factors of Business Focus, Risk Management & Govt. / Compliance needs. The correct answer is, thus, as in Option B 338. The architecture of an enterprise-wide network in a bank ________________ A. Would be dual-layered, comprising Security & Internet B. Would be dual-layered, comprising WAN Network Topology & Security C. Would vary significantly, depending upon size, structure & goals of each bank D. Would be multi-layered, comprising WAN Network Topology, Security & Interfaces to Service delivery & Internet Key D Justification The architecture of an enterprise-wise network in a bank should ideally be multi-layered, comprising WAN Network Topology, Security & Interfaces to Service Delivery & Internet. It would be able to address the core needs of the bank in terms of business focus, security, Government & compliance needs. The correct answer is, thus, as in Option D 339. The most popular choice of backbone network technology is ___________ A. IP core technology B. IP/ATM technologies C. Multi-Protocol Label Switching or MPLS technology D. AT&T technology Key C Justification Module 1 Primer on Information technology, IS Infrastructure & Emerging Technologies 116 MPLS technology supported networks are being used extensively as the backbone in view of the high usage of data, voice & video. The correct answer is, thus, as in Option C 340. One feature of WAN Network Topology is ____________ A. The backbone is usually of optical fibre, with redundant routes B. The last mile connects the central or head office to nearby Service Provider POP C. The last mile primary links, in most cases, are VSATs D. The Data Centre & the Disaster Recovery Centre are in the same safe seismic zone KEY A Justification The backbone in a typical WAN Network Topology is usually of optical fibre with redundant routes. The last mile connects the branch / small office to the POP of the service provider. The last mile links, in most cases, are leased lines backed up by a secondary link ISDN, WiFi or satellite link. The Data Centre and the Disaster Recovery Centre are invariably located in different seismic zones to prevent the possibility of both being impacted simultaneously. The correct answer is, thus, as in Option A. 341. One feature of WAN Network Topology is ____________ A. The backbone is usually of traditional copper wire used for telephony B. The Data Centre & the Disaster Recovery Centre are in different seismic zones C. The last mile connects the central or head office to nearby Service Provider POP D. The last mile primary links, in most cases, are VSATs Key B Justification The backbone in a typical WAN Network Topology is usually of optical fibre with redundant routes. The last mile connects the branch / small office to the POP of the service provider. The last mile links, in most cases, are leased lines backed up by a secondary link ISDN, WiFi or satellite link. The Data Centre and the Disaster Recovery Centre are invariably located in different seismic zones to prevent the possibility of both being impacted simultaneously. The correct answer is, thus, as in Option B 342. One feature of WAN Network Topology is ____________ A. The Near-site DC is normally located in a different room/floor within the same complex as the DC B. The DC, Near-site DC and DRC are not connected, to prevent spread of malicious viruses, etc. Module 1 Primer on Information technology, IS Infrastructure & Emerging Technologies 117 C. Banks maintain a Near-site Data Centre (Near DC) in addition to the Data centre (DC) & Disaster Recovery Centre (DRC) D. The DC and the DRC are invariably located in the same seismically safe area Key C Justification The Data Centre and the Disaster Recovery Centre are invariably located in different seismic zones to prevent the possibility of both being impacted simultaneously. The Near-site Data Centre is maintained in addition to the DRC within a radius of about 20-30 kms of the DC. The Near DC is connected both to the DC as well as the DRC through redundant links and would serve as the back- up for operational data in case of failure of the DC. The correct answer is, thus, as in Option C 343. One feature of WAN Network Topology is ____________________ A. Data to & from the W AN to branches, DC, Near DC & DRC is in plaintext & not encrypted B. The DC, Near-site DC and DRC are not connected, to prevent spread of malicious viruses, etc. C. The DC and the DRC are invariably located in the same seismically safe area D. Domain services are hosted in the Data centre (DC), Near-site Data Centre (Near DC) & Disaster Recovery Centre (DRC) in different De-Militarized Zones (DMZs) Key D Justification Domain services are hosted in the DC, Near DC & DRC in different DMZs. The Data Centre and the Disaster Recovery Centre are invariably located in different seismic zones to prevent the possibility of both being impacted simultaneously. The Near-site Data Centre is maintained in addition to the DRC within a radius of about 20-30 kms of the DC. The Near DC is connected both to the DC as well as the DRC through redundant links and would serve as the back-up for operational data in case of failure of the DC. Data to and from the WAN to branches, DC, Near DC & DRC is all encrypted. The correct answer is, thus, as in Option D 344. This is a feature of WAN Network Topology. A. Redundancy is built in at DC, with links from minimum of two ISPs B. The DC and the DRC are invariably located in the same seismically safe area C. Data to & from the W AN to branches, DC, Near DC & DRC is in plaintext & not encrypted D. The DC, Near-site DC and DRC are not connected, to prevent spread of malicious viruses, etc. KEY A Justification Module 1 Primer on Information technology, IS Infrastructure & Emerging Technologies 118 To pre-empt the risk of failure of ISP (Internet Service Provider) link, redundancy is built in at the DC with links from a minimum of two ISPs. The Data Centre and the Disaster Recovery Centre are invariably located in different seismic zones to prevent the possibility of both being impacted simultaneously. The Near-site Data Centre is maintained in addition to the DRC within a radius of about 20-30 kms of the DC. The Near DC is connected both to the DC as well as the DRC through redundant links and would serve as the back-up for operational data in case of failure of the DC. Data to and from the WAN to branches, DC, Near DC & DRC is all encrypted. The correct answer is, thus, as in Option A. 345. Chartered Accountants are impacted by IT mainly in the following way _______________ A. The IT industry is becoming global B. The IT industry is being dominated by India C. Automation of their clients’ operations & their data going digital D. The Institute of Chartered Accountants is going digital Key C Justification CAs are impacted by IT primarily by the automation of their client’s operations & their data going digital. Also, CA firms themselves have to use IT in their own offices to provide services. The correct answer is, thus, as in Option C. 346. Chartered Accountants are impacted by IT mainly in the following way _________ A. The Institute of Chartered Accountants is going digital B. The IT industry is being dominated by India C. CA firms themselves will need to use IT for servicing their customers D. The IT industry is becoming global Key C Justification CAs are impacted by IT primarily by the automation of their client’s operations & their data going digital. Also, CA firms themselves have to use IT in their own offices to provide services. The correct answer is, thus, as in Option C 347. A Data Warehouse is a collection of decision-support data that is _________________ A. Volatile & updated on a daily basis B. Exclusively relating to sales & marketing Module 1 Primer on Information technology, IS Infrastructure & Emerging Technologies 119 C. Historical, supporting analysis & reporting functions D. De-centralized with warehouses distributed over the country Key C Justification A data warehouse is a centralized analytically oriented, integrated, time-oriented & non-volatile collection of data. It relates to all areas of operations which have relevance to business goals. Hence, only Option C is correct. 348. A Data Mart ___________ A. Contains detailed data relating to a single aspect of business in large companies B. Refers to a data storage product marketed by a business intelligence company C. Stores all marketing related data alone for a company D. Is a software used by Data Warehouses KEY A Justification A Data Mart is a subset of a Data W arehouse & contains detailed data about a single aspect of business in large companies. Hence, only Option A is correct. 349. Data Mining ____________ A. Is the recovery of all hidden data B. Refers to the automated extraction of hidden predictive information C. Helps analyse historical data but has little predictive value D. Helps summarize data for regular MIS reporting systems Key B Justification Data Mining refers to the automated extraction of hidden predictive information. The KEY Aspect is detection of hidden information which helps predict the future through identification of patterns, etc.. Hence, only Option B is correct. 350. Which are the business activities which are strong contenders for conversion to e-commerce ? A. Those relating to software development B. Those relating to the ‘electronic’ aspects of commerce C. Those that are paper-based, time consuming & inconvenient for customers D. Those that are not paper-based, speedy & convenient for customers Module 1 Primer on Information technology, IS Infrastructure & Emerging Technologies 120 Key C Justification Maximum mileage can be gained from e-commerce by converting those business activities which are paper-based, time consuming & inconvenient for customers as indicated in Option C. This will help us reduce paperwork, accelerate delivery & make it convenient for customers to operate from the comfort of their homes as also at any other place of their convenience. Hence, the other options are wrong. 351. Your daughter orders five salwar-kameez sets on the Myntra website for door delivery. She uses the Government wireless communication facility for carrying out this task. Which model of e-commerce would this fall in ? A. Business-to-business B. Consumer-to-consumer C. Business-to-Government D. Business-to-consumer Key D Justification This would obviously be a case of a business-to-consumer model &, hence, only Option D is correct. 352. Cloud computing refers to ___________ A. On demand, networked access to a shared pool of computing resources B. Computing carried out using software loaded on satellites C. Strategic planning carried out through computerised simulations D. Computing with light & minimal software KEY A Justification Cloud computing refers to on demand, networked access to a shared pool of computing resources as indicated in Option A. It is generally offered as a utility to users, payable on the basis of consumption. Hence Option A is correct & the other options incorrect. 353. The Front-end in Cloud computing refers to _________ A. The Client’s computer alone; the access software is available on the cloud B. The various computers, servers & data storage systems in the cloud system C. The software available on the cloud computing systems D. The Client’s computer as well as the software required to access the cloud Key D Module 1 Primer on Information technology, IS Infrastructure & Emerging Technologies 121 Justification The Front-end in Cloud computing comprises the Client’s computer as well as the software required to access the cloud. Hence, Option D is correct whereas the other options are incorrect. 354. The Back-end in Cloud computing refers to ___________ A. The Client’s computer as well as the software required to access the cloud B. The various computers, servers & data storage systems in the cloud system C. The Client’s computer alone; the access software is available on the cloud D. Solely, the software available on the cloud computing systems Key B Justification The Back-end in Cloud computing comprises the various computers, servers & data storage systems in the cloud system. Hence, Option B is correct whereas the other options are incorrect. 355. Which of the following falls outside the typical features of Cloud computing ? A. Resource Pooling capability B. Rapid elasticity in meeting changed client demands C. A large, offsite, remotely accessible computing facility created by a large enterprise for self use D. Measured services with pay per use facility for clients Key C Justification Cloud computing basically involves pooling of resources for use by multiple agencies featuring the various attributes listed in Options B to D. Option A alone doesn’t fall within the typical features of cloud computing since it speaks simply of a internal computing facility which happens to be located at a remote site. Hence, Option C is correct whereas the other options are incorrect. 356. What is a Hybrid Cloud computing facility ? A. It provides both hardware as well as software services to its clients B. It combines analog as well as digital computing capabilities C. It provides free services to certain clients while charging others D. It provides both private & public Cloud computing services Key D Justification Module 1 Primer on Information technology, IS Infrastructure & Emerging Technologies 122 Hybrid Cloud computing provides both private & public computing services, as indicated in Option D. Hence, the other options are incorrect. 357. A Platform as a Service (PaaS) Cloud Computing model allows clients access to ______________ A. Hardware & operating system on the cloud but not the underlying infrastructure B. Hardware & operating system on the cloud and also the underlying infrastructure C. A variety of software provided on the cloud D. Infrastructure, in terms of processing, storage & other computer networks, alone KEY A Justification Option A above captures the correct services offered by PaaS; the other options are incorrect. 358. A Software as a Service (SaaS) Cloud Computing model allows clients access to ______________ A. Hardware & operating system on the cloud but not the underlying infrastructure B. Hardware & operating system on the cloud and also the underlying infrastructure C. Infrastructure, in terms of processing, storage & other computer networks, alone D. A variety of software applications made available by the provider on the cloud Key D Justification Option D above captures the correct services offered by SaaS; the other options are incorrect. 359. One of the major risks associated with Cloud computing is __________________ A. Increased cost of operations B. Greater dependency on third parties & vulnerability to risk C. Increase in manpower requirements D. Loss of competitive advantage Key B Justification Options at A,C & D are incorrect; cloud computing should actually help reduce costs, improve competitive advantage & not lead to increased manpower requirements. However, to the extent one is forced to use a third party cloud computing service, the client’s dependency increases with consequent risk perception. Hence, Option B alone is correct. Module 1 Primer on Information technology, IS Infrastructure & Emerging Technologies 123 360. What are the major perspectives in the role of a Chartered Accountant (CA) in the post implementation stage of Enterprise Resource Planning (ERP) software ? A. Defining criticality of the business & applying priorities B. Cost-benefit analysis of customization C. Optimization & security of the software system D. Reports required for monitoring and control Key C Justification Post implementation, the CA would have already helped map the business processes & arrived at the best configuration of the software and its applications. His focus would, hence, be on optimization of the system & ensure adequate security. Hence, Option C alone is correct. 361. What are some of the major challenges of using Enterprise Resource Planning (ERP) software ? A. Reduced data access B. Need for redundant legacy systems to be maintained in parallel C. Expenses & time in implementation D. Increased operating costs Key C Justification The large expenditure involved in purchase as also the intricacies of implementation of this software are the major challenges which would be faced by an individual launching ERP software. Implementation of the ERP system would actually help improve data access, reduce operating costs & eliminate the need for legacy systems, contradicting the answers in Options A, B and D. Hence, Option C alone is correct. 362. Your client has a diversified business with manufacturing units & offices at multi-locations. He is now trying to streamline operations by opting for a centralized ERP system. You have assisted him in screening potential products & arriving at the one best suited to his needs. The next step which would be critical for optimizing the ERP software & aligning it to the business’s needs would be _______________ A. Understanding business processes, identifying priorities & incorporating best practices B. Eliminating legacy systems C. Implementing the system immediately to save on time & reap the benefits quickly D. Implementing the system in a part of the organization alone, to start with KEY A Module 1 Primer on Information technology, IS Infrastructure & Emerging Technologies 124 Justification Before commencing implementation of the ERP software, it is important to get a thorough understanding of the business processes involved & identifying priority areas (as mentioned in Option A). Based upon this, relevant best practices & benchmark indices can be identified & incorporated in the final model in order to extract maximum benefit from the software. Legacy systems elimination can be undertaken only after successful commissioning of the ERP (at least at the pilot level). While it may seem attractive to accelerate the implementation with the objective of generating savings earlier, it would be far better to ensure that the approved model is robust & flexible enough to accommodate potential changes in the environment. Lastly, an ERP is ideally implemented enterprise-wide in order to harness the power of the software. Implementing it in part of the organization would leave it in a stunted & sub-optimal form. Hence, Option A alone is correct. 363. Which of the following is true of a typical Enterprise Resource Planning (ERP) system ? A. Capable of operation only on batch processing basis; cannot be real-time based B. At any point of time, the same data, on real-time basis, can be accessed by people in different parts of the organization C. Capable of generating a balance sheet and P&L statement even on a daily basis D. Implementation of a new ERP system can be done very quickly since it is modular Key C Justification ERP systems allow all users access to real-time data. Of course, access may be limited to individual users on a ‘need-to-know’ basis. Once configured & implemented, it should technically be possible to generate financial statements even on a daily basis. One of the limitations of any robust ERP system is the time taken for implementation. For best results, the implementation process has to be rigorous & scrupulously adhered to. Short cuts can be counter-productive. Hence, Option C alone is correct. 364. One of the major risks of Enterprise Resource Planning (ERP) systems is ? A. Increased complexity of simply legacy processes B. Increased manpower requirement, particularly in the accounting area C. Risk of depending upon one ERP vendor for all the critical operations of the organization D. Increased operating costs Key C Justification A major risk with ERP systems is the fact that they cover the entire operations of an organization & any default or failure on the part of the ERP system vendor can have catastrophic consequences for operations. The situation is further compounded by the fact that there are very few dependable ERP system vendors, leaving little choice. A well implemented ERP would actually simplify legacy business processes. A major positive outcome of ERP implementation is generally a reduction in manpower, particularly in the accounting department. Costs would, obviously be lower than before. Hence, Option C alone is correct. Module 1 Primer on Information technology, IS Infrastructure & Emerging Technologies 125 365. You are a budding entrepreneur running a Small & Medium Enterprise. The SME is on a rapid growth path & you have ambitious expansion plans. You have invested substantial sums in creating a robust IT system for the organization keeping in mind your future plans. You realize that the success of any system lies in checks and balances, including a proper auditing system & decide on appointing an auditor. The qualities you would pragmatically expect an ideal auditor to possess for this role would be ______________ A. Expertise in all areas of IT technology B. Thorough knowledge on the financial aspects alone C. Adequate working knowledge of IT hardware & software D. Expertise both in financial and IT technology aspects Key C Justification C.A.s knowledge of IT technology need not and cannot be complete and total. They only need adequate knowledge to effectively audit the IT functions of an organization C.A.s cannot be expected to be experts in all areas of IT technology; this is not their role Knowledge of financial aspects alone in a technology oriented function like IT will not facilitate effective auditing of the IT function A C.A. cannot be expected to have thorough knowledge of both financial & IT technology aspects 366. You are a Sales Manager in a consumer product company equipped with the latest laptop computer. You use the laptop for analysing territory-wise sales trends, customer preferences, etc. After a recent upgrade of software by your company’s IT department, you observe that you are no longer able to analyze historical sales trends. However, when you check the database in the computer, the historical sales data is very much available. The problem you are facing is probably due to ___________ A. A bug or inadequacy in the operating system B. A bug or inadequacy in the application software C. Insufficient memory space in the computer D. Defective hardware in the laptop Key B Justification The problem has arisen after upgrade of the application software by the IT department. The database clearly has the relevant data & it is the access to and/or manipulation of this data which is the issue. Hence, Option B is correct. The other options are not correct since they are not likely to create the problem encountered by the Sales Manager. 367. Following an orientation programme on Information Technology, four members from the group of participants are picked up and named Mr Fetch, Mr Decode, Ms Module 1 Primer on Information technology, IS Infrastructure & Emerging Technologies 126 Execute and Ms Store as representative parts of the CPUs machine cycle. In which sequence should these individuals queue up in order to accurately demonstrate the machine cycle performed by the CPU ? A. Mr Decode, Ms Execute, Ms Store and Mr Fetch B. Ms Store, Mr Fetch, Mr Decode and Ms Execute C. Ms Execute, Mr Fetch, Mr Decode and Ms Store D. Mr Fetch, Mr Decode, Ms Execute and Ms Store Key D Justification As defined clearly in paragraph 1.3.2 A B, & C are clearly wrong answers which contain the wrong sequence 368. Your client’s business volume has been stagnating & he is keen to explore ways and means of growing it. With the objective of drawing up an appropriate strategy, you advise him to conduct a SWOT analysis for which he collects a lot of operational information related to marketing, manufacturing, etc.. He realizes that his information system is now faced with information overload & he needs to supplement his Secondary Memory capacity. Secondary memory ___________ A. Is non-volatile memory with large storage capacities B. Is volatile memory with large storage capacities C. Is non-volatile memory which is fast & responsive D. Involves higher cost per unit of information than RAM KEY A Justification As brought out in paragraph 1.3.3, secondary memory is non-volatile, with large storage capacities. It is, however, slower than registers or primary storage. Secondary memory is not volatile. It is not fast. Its cost per unit of information is lower than RAM 369. You are auditing the recent purchase of IT hardware equipment in your client’s office. You study the Mean Time before failure (MTBF) as also Mean Time to Repair (MTTR) of the equipment. Ideally, ____________ A. MTBF must be low and MTTR must be high B. MTBF must be high and MTTR must be low C. Both MTBF and MTTR must be high Module 1 Primer on Information technology, IS Infrastructure & Emerging Technologies 127 D. MTBF and MTTR must be equal to each other. Key B Justification As brought out in paragraph 1.5.2., Mean Time Between Failures must be high and Mean Time To Repair must be low. All the other answers are, therefore, obviously wrong. 370. As a Chartered Accountant, you feel that Hardware Auditing __________ A. Is best carried out by the purchase department of the I.T. department B. Should be restricted to the financial aspects of hardware usage C. Primarily encompasses hardware acquisition & capacity management D. Is not as critical as software auditing which can be a more vulnerable area Key C Justification Paragraph1.6 elaborates on the criticality of hardware acquisition & capacity management as KEY Areas of Hardware auditing. Hardware is a vulnerable area which needs to be closely reviewed by Audit. Hence, the other three options are not correct 371. Your client reports to you concern about security of the data in his organization and would like to install software which effectively manages ownership assignment of all data for accountability. What type of software would you recommend him to install ? A. Data Communications Software B. Access Control Software C. Utility programs D. Defragmenters Key B Justification It is access control software which is vested with the responsibility for assigning ownership of all data for purposes of accountability (para 2.3.2). Data Communications software generally assists the OS for local and remote terminal access (option A). Utility programs and defragmenters basically help improve computer efficiency and performance and have nothing to do with ownership assignment of all data. 372. You are auditing a major software purchase transaction by your client. In your opinion, what should your client have done as a first step in acquiring the software ? Module 1 Primer on Information technology, IS Infrastructure & Emerging Technologies 128 A. Establish scope, objectives background & project charter B. Establish criteria for selecting and rejecting alternatives C. Carry out Cost/Benefit analysis, including make or buy decision D. Determine supplier’s technical capabilities & support services KEY A Justification Without first establishing the scope and objectives, software acquisition may end up failing on fundamental aspects of meeting end user needs. This would be the starting point, therefore, for any acquisition exercise. The other options get ruled out by default. 373. Your client is in the process of deploying IT in his business operations & seeks advice about the potential drawbacks of following a Centralised Deployment Strategy. Your answer would be that the major drawback of this strategy would be ____________ A. Resource sharing of reduced order B. Poorer economies of scale C. Reduced security D. Vulnerability due to single point of failure Key D Justification Centralized deployment strategy concentrates all its resources at one central point making it vulnerable to total system failure in the event of this central point being compromised in any manner (Option D). Resource sharing, in fact, is a strong plus point for centralised deployment. Similarly, this system has better economies of scale owing to use of large size hardware & larger number of software licences. Since everything is centralized, possibilities of leakages are reduced since the number of exposed points are lesser. Hence, the other options are not correct. 374. Your client is in the process of deploying IT in his business operations & seeks advice about the potential drawbacks of following a De-centralised Deployment Strategy. Your answer would be that the major drawback of this strategy would be _____________ A. Less flexibility to cope with internal/external changes B. Potentially higher CAPEX requirement C. Information systems could be mutually incompatible D. Slower system development Key C Justification Module 1 Primer on Information technology, IS Infrastructure & Emerging Technologies 129 A major disadvantage of decentralized deployment strategy is that, with de-centralized decision making, different tailor-made information systems may be created at different locations leading to potential incompatibility (Option C). On the other hand, given their de-centralized structure, they would have greater flexibility to cope with changes and can be developed/implemented quickly. Capex requirement could also be lesser owing ability to carry out changes in phases. Hence, the other options are not correct. 375. A large private sector bank offering Core Banking Solutions has sought your assistance in auditing its Data centre operations. While drawing up your auditing approach to this bank, you would primarily focus upon ________ A. Number of employees in the Bank B. Annual Business volume C. Nature of software applications used D. Type of services offered, risk management & control requirements Key D Justification The complexity of services offered including the response time, risk management objectives and control goals would drive the IT components of a CBS Data Centre (Option D). The elements in the other three options would have limited impact on the configuration of the data centre. 376. A large international airline has entered Indian airspace & is setting up IT and other infrastructure in a metro city in India. Its business is strongly dependent upon the internet & accuracy and prompt availability of data is critical to successful operations. It has already decided on backing up of all information as also storing of all transactional information at a remote site to overcome the contingency of any break-down of the infrastructure at its metro city office. As a Consultant to the business, what other measures of redundancy would you suggest to improve reliability, fault tolerance & accessibility, without, however, compromising on security? A. A near-site data replication facility B. A near-site Disaster recovery facility C. Filing of hard copies of all transaction documents D. Hiring cloud storage facilities as an additional back up KEY A Justification A near-site facility is normally used as a data replication facility only (Option A). It would not be a prudent choice for a disaster recovery facility since, as a proximate location, the probability of its getting exposed to the same geographical risks is very high. Use of hard copies of documents would be a retrograde step which would only delay processes & add costs. While cloud storage could be a solution, it could raise issues of data security. Hence, the other options are not correct. 377. You have been appointed as a Consultant to a SME which is slowly outgrowing its status & morphing into a large enterprise. The organization has invested in various Module 1 Primer on Information technology, IS Infrastructure & Emerging Technologies 130 types of software at different stages of its growth but now seeks to rationalize its IT infrastructure with an eye on future growth. Faced with the complexity of the existing Information System, you decide on first implementing a process of Configuration Identification (CI). This involves ___________ A. Identification of all IS components without reference to version B. Identification of software components of IS alone C. Identification of all IS components in a system D. Identification of hardware components of IS alone Key C Justification Configuration identification involves identification of all versions & updates of both software and hardware. This facilitates continuous monitoring during the life cycle of the product & becomes useful at the time of any proposed changes in the components (Option C). Option A is wrong since it ignores the version, which is vital. B and D are incorrect since they are addressing either the software or hardware alone. 378. A SME which is slowly outgrowing its status & morphing into a large enterprise has appointed you as a Consultant. The organization has invested in various types of software & hardware at different points of time. You have realized that this disorganized and unplanned method of software & hardware acquisition has made it very vulnerable. Your considered view is that the first step towards securing the systems is to carry out Hardening of the Systems. This involves __________ A. Use of robust hardware to strengthen the system B. Optimising configuration of hardware systems alone C. Auditing configuration of software systems alone D. Securely configuring systems to minimize security risks Key D Justification Hardening of systems is the process of securely configuring computer systems to eliminate as many security risks as possible (Option D). It does not refer to use of robust hardware (Option A); nor does it limit itself to hardware alone (Option B) or software alone (Option C). 379. Your client asks you as to which type of Communication system facilitates simultaneous two way communication. You would then advise them to go in for ___________ A. Half Duplex communication system B. Full Duplex communication system C. Simplex communication system D. Combination of Simplex and Half Duplex systems Module 1 Primer on Information technology, IS Infrastructure & Emerging Technologies 131 Key B Justification Full Duplex communication has the capability to handle simultaneous two way communication. It is like two Simplex systems put together. A half duplex system / simplex system or a combination of these cannot meet this objective. 380. You are being briefed by an accountant in your client’s office who has limited knowledge of cable technology. He speaks of the type of cable which has been chosen by his IT department for transmission of information. He explains that the cable’s positive features include high integrity, low attenuation over long distances, high carrying capacity & lesser power consumption. He also feels that it comprises an inner core made of glass or plastic type of material. What is your educated guess of the nature of this cable ? A. Optical fibre cable B. Co-axial cable C. Twisted pair cable D. Bi-metallic cable KEY A Justification An Optic fibre cable consists of an inner core made of glass/plastic/polymer/acrylic which uses light based signalling. It has high integrity as well as low attenuation over long distances. It has higher carrying capacity & consumer lesser power since signals do not degrade as fast as in other systems. Hence, Option A is the only correct option. 381. You have recently taken on a Travel agency as your client. You are familiarizing yourself with the agency & its operations. You are told that they use a network of computers which are designed as per Bus topology. You realize then that the agency’s computer system involves ____________ A. A single hub connecting all nodes B. Connection of its computers on a single circle of cable C. Connection of computers on a single backbone cable D. Connection of every node to every other node Key C Justification In Bus topology, all the computers in the network are connected on a single backbone cable. All the computers in the network receive incoming messages from any other computer; however, only the intended recipient accepts and processes the message. It is not on a single hub or circle of cable and each of the nodes are not connected to each other. The correct answer is Option C Module 1 Primer on Information technology, IS Infrastructure & Emerging Technologies 132 382. You have signed on for an audit of an Internet service provider. What sort of network topology do you expect this organization to have adopted ? A. Ring topology, involving connection of all the computers on a single ring of cable B. Star topology, connecting all the computers to a central hub or switch C. Mesh topology, involving physical connection of every node with every other node D. Bus topology with all systems Ideally suited for systems with need for low degree of fault tolerance Key C Justification This involves physical connection of every node with every other node. It is rather complex and requires maximum number of cables. However, it is ideally suited for large telecommunication companies or an internet service provider who cannot afford to have a high degree of fault tolerance. It is not connected to a single backbone or hub/switch. The correct answer, therefore, is Option C. 383. Your client has noted that a user with a particular IP address has been trying to access its server & wishes to identify the physical address (MAC) of the user. Which is the protocol which would have to be used for doing this ? A. Internet Control Message Protocol (ICMP) B. Transmission Control Protocl (TCP) C. Simple Mail Transfer Protocol (SMTP) D. Address Resolution Protocol or ARP Key D Justification ARP is a method of ascertaining the physical address (MAC), given the IP address. The other protocols in Options B to C have other capabilities. Hence, only Option D is correct. 384. You observe that the first Octet of the IP address of one of your clients is 195 in decimal range. In which Class of the IPv4 Classful Addressing Scheme does this fall ? A. C B. D C. A D. E KEY A Justification Module 1 Primer on Information technology, IS Infrastructure & Emerging Technologies 133 The first Octet of Class C of the IPv4 Classful Addressing Scheme is any number ranging between 192 and 223 & the client’s number of 195 falls within this range. Hence, the answer in Option A is correct. The other options are incorrect. 385. Technology development by design from a strategic perspective by CA firms could _____________ A. Be a promotional tool for CA firms, attracting more clients B. Be a Growth Catalyst / key differentiator for current/new services to existing / new customers C. Be an expensive proposition with doubtful long term benefits D. Be a wasteful exercise since IT technology is very volatile & could become obsolete quickly Key B Justification Technology development by design from a strategic perspective by CA firms could be a growth catalyst and key differentiator for current as well as new services for existing and new clients . The correct answer is, thus, as in Option B. 386. You have just taken on as your client, a huge international organization with a large presence on internet networks. To which class of IPv4 Classful Addressing Scheme do you expect its IP address to belong & within what range would the first Octet of its address fall ? A. Class B, 128-191 B. Class C, 192-223 C. Class A, 1-126 D. Class E, 240-254 Key C Justification Large organizations with extensive presence on the internet are generally included in Class A of the IPv4 Classful Addressing scheme. The first Octet would then fall within a range of 1 – 126. Option C, thus, gives the correct answer & the other options are incorrect. 387. Your client company is involved in research & development on the internet. Which class of IPv4 Classful Addressing Scheme do you expect it to use & within what range would the first Octet of that address fall ? A. Class A, 1-126 B. Class B, 128-191 C. Class C, 192-223 D. Class E, 240-254 Module 1 Primer on Information technology, IS Infrastructure & Emerging Technologies 134 KEY D Justification Class E of the IPv4 Classful Addressing scheme is reserved for research & development / study. The first Octet would fall within a range of 240 to 254. Option D, thus, gives the correct answer & the other options are incorrect. 388. You have just taken on as your client, a huge international organization with a large presence on internet networks. Which of the following types of Network (N)/Host (H) id of the IPv4 Classful Addressing Scheme would you expect the client to have ? A. N.H.H.H B. H.N.N.N C. N.N.H.H. D. H.H.N.N KEY A Justification Large organizations with extensive presence on the internet are generally included in Class A of the IPv4 Classful Addressing scheme. The first Octet would then represent the network id and the other Octets, the host id, as indicated in Option A. The other options are not correct. 389. Your new client advises you that its IP address falls under Class C of the IPv4 Classful Addressing Scheme. Which of the following types of Network (N)/Host (H) id would you expect the client to have ? A. H.N.N.N B. N.N.H.H. C. N.N.N.H D. H.H.N.N Key C Justification Large organizations with extensive presence on the internet are generally included in Class A of the IPv4 Classful Addressing scheme. The first Octet would then represent the network id and the other Octets, the host id, as indicated in Option C. The other options are incorrect. 390. If your client’s IT manager advises you that his company’s default sub-net mask under the IP Classful Addressing Scheme is 255.255.0.0, which of the following IP classes does his company’s network belong ? A. Class A B. Class C C. Class B Module 1 Primer on Information technology, IS Infrastructure & Emerging Technologies 135 D. Class E Key C Justification The default sub-net mask of Class B of the IP Classful Addressing Scheme is 255.255.0.0; hence, Option C is correct. The other options are not correct. 391. You are with the IT Manager of your client, trying to understand their systems. The IT Manager is a person who revels in creating puzzles. When you ask him about his company’s IP address, he tells you that it belongs to an IPv4 class that can accommodate the least number of networks but the maximum number of hosts per network (usable addresses). To which IP class is he referring ? A. Class A B. Class B C. Class C D. Class D KEY A Justification The IP class A of IPv4 can handle the least number of networks (126) and maximum number of usable addresses (1,67,77,214). Hence, Option A is correct & the other options are incorrect. 392. You are with the IT Manager of your client, trying to understand their systems. The IT Manager is a person who revels in playing with puzzles. When you ask him about his company’s IP address, he tells you that it belongs to an IPv4 class that can accommodate nearly 21 lakh networks. He adds, however, that the flip side is that the number of useable addresses per network would be a measly figure of about 250. To which IP class is he referring ? A. Class A B. Class B C. Class D D. Class C Key D Justification The IP class C of IPv4 can handle as many as 20,97,150 networks but number of usable addresses can be only 254. Hence, Option D is correct & the other options are incorrect. 393. As an experienced Chartered Accountant, you are addressing a group of freshers on the subject of the massive quantities of information available to any organization. In this background, what would you stress as most critical for successful business operations ? Module 1 Primer on Information technology, IS Infrastructure & Emerging Technologies 136 A. Establishing hardware infrastructure to handle voluminous information B. Recruiting more IT personnel to handle large volume of data C. Building more storage space for the voluminous data D. Capability to pick out the KEY Aspects which can help serve the customer better Key D Justification The most critical factor for business success in the current information age is the capability to sift the grain from the chaff, pick out the exceptions & appreciate customer preferences & nuances of demand. The other options of creating infrastructure, adding people or storage space are, at best, short term measures for coping with dealing with ‘big data’ rather than means of identifying customer needs & satisfying them. A retail grocery chain store analyses data of its sales over different time periods over the day. It observes that in many of its markets, substantial sales happen throughout the day but in certain specific markets, sales peaked late in the evening. In these markets, frequent instances were also reported of staff having to send away customers as late as 10 pm in the night since closing time for the store had been crossed. On carrying out a more detailed analysis of the profile of the customers in these markets, it discovered that these were dominated by young employees of IT & BPO companies, many of whom worked in line with U.S. and European markets & returned home late in the night. 394. The store then decided to experiment with extended timings, up till midnight, for the stores in such markets & was delighted to find sales burgeoning. Which of the following best describes this initiative ? A. Leveraging Business Intelligence to identify latent customer needs B. Increasing investments in people for higher returns C. Improved channel management D. Cost saving experiment KEY A Justification This is a clear case of leveraging business intelligence to identify latent customer needs. But for the capability to collect, analyse data & draw insightful conclusions there-from, this success could not have been achieved. Option A, therefore, is correct. The other answers may be the incidental outcomes of the action taken in the process of leveraging business intelligence and not the actual initiative per se. 395. You are a Consultant to a budding Small & Medium Enterprise which is aiming at growing into a large enterprise. You carry out a detailed study of the current state of the enterprise in terms of people, systems, procedures, etc. You decide to focus on systems and IT, in particular, as the backbone for the enterprise’s future growth plans. You observe that the existing system has limitations in terms of lack of uniformity of software, databases, delay in availability of analysed data, etc. Your recommended solution would be for ___________ Module 1 Primer on Information technology, IS Infrastructure & Emerging Technologies 137 A. Up-gradation of all the current versions of software B. Installation of an Enterprise Resource Planning software C. Up-gradation of the current versions of software & addition of fresh software D. Installation of a new Database Management system Key B Justification Answers at Options A, C & D could at best achieve partial solutions. A robust ERP software system, however, will help integrate all aspects of the business and support online recording as well as speedy analysis & decision support. This could help eliminate multiple legacy systems & help improve business processes. Hence, Option B would be the correct recommendation of the Consultant. 396. The Indian fertilizer industry depends heavily on Government subsidies since they are expected to sell their products to customers at prices far below the cost of production. The Government has evolved a complicated mechanism for deciding the subsidy level for each type of fertilizer depending upon various dynamic factors like the international price of the raw material / finished product, the Rupee/dollar exchange rate, conversion & added costs, etc. The industry association decides to set up a common cloud facility for helping the individual units manage the work of raising regular subsidy claims linked to the various cost factors as also sales elements, etc. Such a cloud facility would be deemed to be a ______________ A. Public Cloud facility B. Private Cloud facility C. Community Cloud facility D. Hybrid Cloud facility KEY C Justification When several businesses share a common cloud computing resource, it is called a community cloud facility. Hence, Option C is correct whereas the other options are incorrect. 397. One of your client’s managers tells you that they have recently opted for some cloud computing facilities. Being a non-IT official, he says he does not understand what exactly is meant by the term but he has been told that they have opted for a model of Infrastructure as a Service (IaaS). With your own background knowledge of the subject, you explain to him that an IaaS model involves _____________ A. Provision of processing, storage networks & other basic computing resources B. Provision of various types of software on the cloud which can be used by any client C. Provision of hardware & operating system platform alone Module 1 Primer on Information technology, IS Infrastructure & Emerging Technologies 138 D. Provision of manpower on remote access basis KEY A Justification The IaaS model involves provision of processing, storage networks & other basic computing resources as brought out in Option A. Hence, the other options are incorrect. 398. Your client hires the services of an e-auction platform for launching its reverse auction for purchase of various raw materials. The client accesses the platform through the internet. Several suppliers register themselves with the platform & participate in the reverse auction on the planned date. Which model of e-commerce would this fall in _____________ A. Business-to-Government B. Business-to-consumer C. Business-to-business D. Consumer-to-consumer Key C Justification This would obviously be a case of a business-to-business model &, hence, only Option C is correct. 399. The Tamil Nadu State Government has announced that payment of house taxes, electricity bills, etc. can be made by citizens through the respective portals using internet banking or credit / debit cards. Which model of e-commerce would this fall in ______________ A. Business-to-business B. Business-to-Government C. Consumer-to-consumer D. E-Government KEY D Justification This would obviously be a case of E-Government, facilitating payment of taxes & bills through an Internet based facility. Hence, only Option D is correct. 400. You are a Google account holder. Google informs you that they have begun to offer cloud computing facilities to its users & that, as an existing user, you will be allowed up to 15 GB of data storage on the cloud free of cost & thereafter, a nominal $ 0.026 per GB per month. Delighted, you begin using the facility with your laptop. Soon, you receive an alert on the system that you have exhausted the 15 GB free storage space & would need to begin paying for securing more storage space. Which of the characteristics of Cloud computing does this demonstrate ? Module 1 Primer on Information technology, IS Infrastructure & Emerging Technologies 139 A. Resource Pooling B. Network access from any device C. Measured services & on-demand self-service D. Access to software & computing capabilities Key C Justification In the given instance, the client is being offered measured services & on-demand self service as brought out in Option C. The example does not throw up any specific information about Resource pooling or facility for accessing the cloud through any device other than the laptop being used. It does not also speak of other Cloud computing services like access to software, etc. Hence, only Option C is correct. 401. The Bring Your Own Device (BYOD) concept _____________ A. Envisages permitting employees to use their own personal devices for official work B. Envisages permitting employees to do their personal work on official devices C. Is a risk free & beneficial system for corporate D. Envisages storage of both official & personal information on the same device without any demarcation KEY A Justification The BYOD concept envisages permitting employees to use their own personal devices for official work. It has the advantage of saving IT infrastructure expenditure & convenience for employees. It does not envisage usage of company properties by employees for their personal work. While it has many advantages, it is vulnerable to some risks. In general, when the same device is used both for personal as well as official use, virtual demarcation is made of the information storage system & adequate firewalls incorporated. Thus, Option A alone is correct. 402. eXtensible Markup Language or XML _______________ A. Describes how data can be presented in the form of web pages B. Involves use of pre-determined tags C. Is a platform-independent, standard data exchange format D. Is less powerful than Hypertext Markup Language or HTML Key C Justification As indicated in Option A above, XML is a platform-independent, standard data exchange format. It performs presentation, communication & storage of data. It does not involve use of pre-determined Module 1 Primer on Information technology, IS Infrastructure & Emerging Technologies 140 tags; instead, users need to define their own tags. XML is more powerful than HTML since it facilitates automatic manipulation & interpretation of data. Thus, Option C alone is correct. 403. eXtensible Markup Language or XML _________________ A. Can handle data transfer only when the data is in a compatible format B. Facilitates exchange of data even in incompatible formats C. Is supported only by some of the major software products D. Involves use of pre-determined tags Key B Justification The main strength of XML is its ability to create data in a format which can be read by different applications. It is portable, supported by major software products & is in easily readable format. It does not involve use of pre-determined tags; instead, users need to define their own tags. Hence, Option B is correct. 404. A limitation of eXtensible Markup Language or XML is that it ___________ A. Software developers do not build their new products on it, limiting interoperability B. Can handle data transfer only when the data is in a compatible format C. Is less powerful than Hypertext Markup Language or HTML D. Lacks inherent security; any means of validation, confidentiality or integrity Key D Justification One weakness of XML is that it lacks inherent security, any means of validation, confidentiality or integrity. However, its main strength is its ability to create data in a format which can be read by different applications & can handle data even when it is not in compatible format. It is supported by major software products & is in easily readable format. XML is, in fact, more powerful than HTML since it facilitates automatic manipulation & interpretation of data. Hence, Option D is correct. 405. An advantage of eXtensible Business Reporting Language or XBRL over eXtensible Markup Language or XML is that the former ___________ A. Can help create data that can be read by different applications B. Is portable and vendor neutral C. Is a standard that has been accepted & adopted the world over D. Provides a standard format for data exchange Key C Justification Module 1 Primer on Information technology, IS Infrastructure & Emerging Technologies 141 As indicated in Option A above, XBRL has the advantage of being a standard that has been accepted and adopted the world over. The other answers in Options A B and D are equally applicable both to XML as well as XBRL. Hence, the correct answer is only in Option C. 406. An advantage of eXtensible Business Reporting Language or XBRL over eXtensible Markup Language or XML is that the former _______________ A. Is much faster and allows real-time preparation of reports B. Provides a standard format for data exchange C. Is portable and vendor neutral D. Can help create data that can be read by different applications KEY A Justification As indicated in Option A above, XBRL has the advantage of facilitating faster and real-time preparation of business reports. The other answers in Options B to D are equally applicable both to XML as well as XBRL. Hence, the correct answer is only in Option A. 407. An advantage of eXtensible Business Reporting Language or XBRL over eXtensible Markup Language or XML is that the former ______________ A. Provides a standard format for data exchange B. Is portable and vendor neutral C. Can express more than one relationship amongst elements D. Can help create data that can be read by different applications Key C Justification As indicated in Option A above, XBRL has the advantage of being capable of expressing more than one relationship amongst elements, such as multiple hierarchies. This is because it defines relationships separately from elements, unlike XML. The answers in Options A B and D are equally applicable both to XML as well as XBRL. Hence, the correct answer is only in Option C. 408. A feature of eXtensible Business Reporting Language or XBRL which is not found in eXtensible Markup Language or XML is that the former _________ A. Uses Taxonomy & Instance documents B. Uses XML standard C. Can define elements & relationships for data used internally D. Is supported by XML validation tools KEY A Justification Module 1 Primer on Information technology, IS Infrastructure & Emerging Technologies 142 As indicated in Option A above, XBRL uses Taxonomy (procedure for creating files with relevant business terminology, etc. along with the rules that they must follow) & Instance documents (documents containing the data in well-formed XML.) The answers in Options B to D are applicable equally both to XML as well as XBRL. Hence, the correct answer is only in Option A. 409. CAs need to be well versed with the benefits & control issues of eXtensible Business Reporting Language or XBRL because _____________ A. It uses XML standard B. More and more countries are mandating the use of XBRL C. It can define elements & relationships for data used internally D. It is supported by XML validation tools Key B Justification As indicated in Option B above, more and more countries are mandating the use of XBRL because it has been validated and declared as a standard. It also has the advantages of being able to ensure compatibility with regulatory standards, improved data quality & is faster in report preparation. The answers in Options A, C and D are applicable equally both to XML as well as XBRL &, hence, cannot account for the significant difference in importance of XBRL. Hence, the correct answer is only in Option B. 410. Which of the following is an example of Social Media _________ A. LinkedIn B. Times of India newspaper C. Society monthly magazine D. National Geographic magazine KEY A Justification Social media is social interaction among people in which they create, share or exchange information & ideas in virtual communities and networks. LinkedIn as an example of social networking is an example of social media. The other instances are examples of magazines and newspapers which do not fall within the ambits of social media. Hence, the correct answer is only in Option A. 411. State True or False. In Social Media, content is supplied and managed by user himself through the use of tools and platforms supplied by social media sites. A. TRUE B. FALSE KEY A Justification Module 1 Primer on Information technology, IS Infrastructure & Emerging Technologies 143 Social media is social interaction among people in which they create, share or exchange information & ideas in virtual communities and networks. Social media sites like Facebook do allow users to supply & manage content using the tools and platform provided by the sites. Hence, the correct answer is as in Option A. 412. What is the major aspect of Social Media which is relevant to business, in general ____________ A. It helps sell more software related to tools of social media B. It renders physical markets and direct contact with customers redundant C. It facilitates a platform for business to interact with customers D. It is relevant only to members of the higher income group in society Key C Justification Social media is social interaction among people in which they create, share or exchange information & ideas in virtual communities and networks. It provides businesses a platform to interact with customers to conduct market research, carry out sales promotion, reward campaigns, etc. The prospect of selling relevant software is not a generalized benefit but restricted to a narrow spectrum of business. While it does increase the importance of presence in social media, it does not, necessarily, reduce the importance of physical markets & direct customer contact. It is also not true to say that social media is more relevant only to members of the higher income group in society. Hence, the correct answer is as in Option C. 413. Breach of privacy, fear of legal action, potential for negative reputation, etc. are potential risks for business leveraging social media. What is the other major type of risk which a CA may have to address ______________ A. The risk of ignoring customers who are not members of the social media B. The risk of development of new social media platforms C. The risk of use of social media by employees on organization networks/devices D. The risk of the collapse of all social media Key C Justification The risk of use of social media by employees on organization networks and devices is the other major risk which CAs would have to be alert to. For, this could lead to intentional or accidental leak of organizational data as also provide a route for hackers to access the organization’s data base. The other risks outlined in Options A B and D are not significant enough to cause concern. Hence, the correct answer is as in Option C. 414. What is one of the important measures required for mitigating security concerns in using Social Media? A. The organization avoiding use of Social media Module 1 Primer on Information technology, IS Infrastructure & Emerging Technologies 144 B. Creation of & compliance with a robust, comprehensive Social Media policy C. Banning employees from being members of social media D. Creating firewalls blocking out potential hackers Key B Justification The single major initiative that an organization can take is the creation of a robust & comprehensive Social Media policy. Avoiding use of social media is a sub-optimal & escapist solution which will not benefit the organization. Banning employees is too tyrannical a measure to take in an era when most people, particularly, from the younger generation, are members of some form or social media. This may actually deter potential employees from joining the organization. The use of firewalls is required as a matter of standard policy, whether the organization is using social media or not. Hence, the correct answer is as in Option B. 415. How is Geolocation different from Global Positioning System (GPS) ? A. It is not different; it is just another term for GPS B. Geolocation ascertains location of satellites rather than individuals/devices on the earth C. Geolocation helps identify the ideal location for installation of disaster recovery systems D. Geolocation focuses more on a meaningful location rather than mere geographical co- ordinates Key D Justification Geolocation, as brought out in Option D above, focuses more on a meaningful location rather than just determining the bare geographical co-ordinates which GPS. Hence, the correct answer is as in Option D. 416. State True or False . A major risk involved with the use of Geolocation services is the concern of source, ownership & misuse of data owing to involvement of multiple data controllers. A. TRUE B. FALSE KEY A Justification One of the major risks involved with the use of Geolocation services is, indeed, the concern regarding source, ownership & misuse of data arising from the involvement of multiple data controllers. Hence, the correct answer is as in Option A. 417. The Business Information System used for handling structured problems as also doing routine transactional jobs is _________________ Module 1 Primer on Information technology, IS Infrastructure & Emerging Technologies 145 A. Transaction Processing System or TPS B. Decision Support System or DSS C. Executive Support System or ESS D. Structured Query Language or SQL KEY A Justification The Business Information System used for handling structured problems as also transactional jobs is the Transaction Processing System or TPS. DSS & ESS are higher level systems which aim more at problem solving & also address strategic concerns. Hence, the correct answer is as in Option A. 418. The Business Information System which provides answers to semi-structured problems used for handling structured problems & for validation of business decisions is ________________ A. Structured Query Language or SQL B. Transaction Processing System or TPS C. Decision Support System or DSS D. Executive Support System or ESS Key C Justification The Business Information System used for handling semi-structured problems & for validation of business decisions is the Decision Support System or DSS. TPS address lower level needs while ESS deals with higher level systems which aim more at problem solving & also address strategic concerns. Hence, the correct answer is as in Option C. 419. The Business Information System which provides answers to un-structured problems & supports Executive management in planning strategy & vision is ______________ A. Structured Query Language or SQL B. Executive Support System or ESS C. Transaction Processing System or TPS D. Decision Support System or DSS Key B Justification The Business Information System used for handling un-structured problems & for supporting Executive management in planning strategy & vision is validation of business decisions is the ESS. TPS & DSS address lower level needs. Hence, the correct answer is as in Option B. Module 1 Primer on Information technology, IS Infrastructure & Emerging Technologies 146 420. In an inter school competition on Artificial Intelligence, four children develop software which perform the following different functions respectively. Which of them is a correct example of the use of basic Artificial Intelligence ? A. A calculation software which arrives at the arithmetic total of figures keyed in B. A password system which allows access based upon keying in of the correct password C. Predictive & self learning word-processing software D. A software which rejects invalid dates like 32nd March 2014 Key C Justification The word-processing software pops up suggested words based upon the first few words keyed in by the user. Also, when the user keys in a new word which is not available in its repertoire, it adds it to its collection & reflects it as an option the next time similar letters are initiated. In effect, the software is able to observe & record patterns and improves through ‘learning’. The other answers in Options A B and D involve the basic computing functions of a computer which is based on a ‘go / no-go’ logic which does not involve pattern recognition or further learning. Hence, the correct answer is only as in Option C which displays characteristics of artificial intelligence. 421. Artificial Intelligence works with the help of two concepts; one of them is Artificial neurons. The other is ? A. ‘If-then’ statements and logics B. ‘W hat-if’ scenarios C. The four ‘W’s What, When, Where & W hy D. ‘How-Why’ statements KEY A Justification Artificial intelligence works with the help of Artificial neurons as also ‘If-then’ statements /logics. The answers in the other options are no correct. Hence, the correct answer is only as in Option A. 422. Artificial Intelligence works with the help of two concepts; one of them is Artificial neurons. The other is ? A. ‘W hat-if’ scenarios B. The four ‘W’s What, When, Where & W hy C. ‘If-then’ statements and logics D. ‘How-Why’ statements Key C Justification Module 1 Primer on Information technology, IS Infrastructure & Emerging Technologies 147 Artificial intelligence works with the help of Artificial neurons as also ‘If-then’ statements /logics. The answers in the other options are no correct. Hence, the correct answer is only as in Option C. 423. An Expert System _____________ A. Is a software that supersedes the operation of other software B. Is a panel of software experts who are consulted for solving security threats C. Is a computer hardware that manages other hardware in a computer system D. Is a software that comprises specialized human knowledge in a specific, narrow domain Key D Justification As indicated in Option A above, an Expert system is a software that contains a significant portion of the specialized knowledge of one or more human experts in a specific, narrow domain. The answers given in the other options are not correct . Hence, the correct answer is only as in Option D. 424. A characteristic of Expert Systems is ______________ A. They cannot be used in embedded systems B. They will have either a knowledge base or a set of rules for application, not both C. They are used for structured logic like if- then-else D. They are best suited to situations not requiring precision & error-free operations Key C Justification As indicated in Option A above, Expert systems are used for structured logic like if-then-else. They are best suited to situations requiring precision and error-free operations & hence, are best suited for use in embedded systems, atomic power plants, space stations, etc. They will have both a knowledge base as well as a set of rules for application. Hence, the correct answer is only as in Option C. 425. You have received an alert about the due date for payment of your post paid mobile phone charges. You log on to the service provider’s website and attempt to transfer the payment through net banking. However, while you were able to complete the formalities involved at your bank’s portal, the system hangs later on and a message is flashed saying that there is a problem with the service provider’s system & asking users to try later. This is an issue with the service provider’s ___________ A. Transaction Processing System B. Expert systems C. Decision Support systems D. Executive Support systems KEY A Module 1 Primer on Information technology, IS Infrastructure & Emerging Technologies 148 Justification The service provider’s transaction processing system has obviously failed & hence the difficulty the user is facing in completing the payment process for his bill. The answers in the options B to D are incorrect. Hence, the correct answer is only as in Option A. 426. You are an active player on the stock market & place buy / sell orders for shares throughout the working day with your broker. In the middle of a day characterised by particularly volatile movements in share prices & potential risk of losses, you wish to make an assessment of your positions. However, when you speak to your broker and ask him for a report of the transactions carried out on that day till that point of time, the broker responds saying that you would be able to access an online report by the end of the day, for all the transactions of the day at one go. This is an example of ____________________. A. Online Transaction Processing system B. Online Expert System C. Batch Transaction Processing System D. Online Executive Support systems Key C Justification The service provider’s transaction processing system obviously operates on a batch process & reports are run at the end of a particular period, in this case, one day. The answers in Options A, B and D are wrong. Hence, the correct answer is only as in Option C. 427. You are an active player on the stock market & place buy / sell orders for shares throughout the working day with your broker. In the middle of a day characterised by particularly volatile movements in share prices & potential risk of losses, you wish to make an assessment of your positions. You speak to your broker and ask him for a report of the transactions carried out on that day till that point of time. The broker responds saying that you could access their website & be able to generate a report at any point of time in the day & get a report for all the transactions of the day at one go. This is an example of _______________ A. Online Transaction Processing system B. Online Executive Support systems C. Online Expert System D. Batch Transaction Processing System KEY A Justification The service provider’s transaction processing system obviously operates on online transaction processing system since transactions are reflected in their reports at any point of time in the day. Hence, the answers in Options B to D are wrong. The correct answer is only as in Option A. Module 1 Primer on Information technology, IS Infrastructure & Emerging Technologies 149 428. Your client is in the process of growing his business from the level of a Small & Medium Business into a larger organization. His operations have been computerized & customer transactions are being managed reasonably well. However, in order to take the next leap forward, he would like to get more insights into his business, appreciate customer needs better and would like data from his systems help him take business decisions which would propel him towards his goal of an enlarged business. You realise that his existing computer systems are basically Transaction Processing Systems (TPS) and he needs to transform them into Decision Support Systems (DSS) to enable him achieve his objective. One of the major advantages of DSS over TPS is ________________ A. It can handle huge amounts of data from various sources B. It responds rapidly C. It is reliable D. It provides information which helps the manager assess alternatives & choose the best Key D Justification DSS have as their primary role the provision of information which can help a manager take a decision. The answers in Options A ,B and C are applicable to TPS too and are not exclusive to DSS. Hence, the answers in Options A, B to C are wrong. The correct answer is only as in Option D.. 429. State TRUE or FALSE. ‘Decision Support Systems can support both semi- structured as well as structured problems; they can be useful both to operational as well strategic decision-making’ A. TRUE B. FALSE KEY A Justification DSS have the capability to support both semi-structured as well as structured problems. Their configuration is such that they can be used by managers as an aid to both operational as well as strategic decision-making. Hence, the above statement is true and Option A is correct. 430. A key differentiator for a Decision Support System over a Transaction Processing System is _______________. A. It can handle large amounts of data in batch as well as online mode B. It is more interactive & model-driven, performing mathematical & qualitative analysis C. It has a larger database as compared to the transaction processing system D. It can more reliably handle large volume of information relating to transactions Key B Module 1 Primer on Information technology, IS Infrastructure & Emerging Technologies 150 Justification Decision support systems are far more interactive and model-driven, as brought out in Option A above. The answers in Options A,C and D are not correct and probably relate more to Transaction processing systems. They are surely not key differentiators. Hence, the correct answer is only as in Option B. 431. The type of software support system which would generally be suited for top- level decision-making, like spinning-off a portion of the company, acquiring another company, entering a new business, etc. is ____________ A. Decision Support System B. Data Base Management System C. Executive Support System D. Delphi system Key C Justification Executive support systems are the appropriate choice for such top-level decision making support, as brought out in Option C above. The answers in Options A, B and D are not correct. The correct answer is only as in Option C. 432. Executive Support Systems address ______________ A. External, un-structured and uncertain information through a structured approach B. Internal & structured information through a un-structured approach C. Day-to-day information for operational control & monitoring D. Analysis of routine transactional data KEY A Justification Executive support systems are the appropriate choice for top-level decision making support. They are futuristic and deal with the macro world & potential changes in the environment & changed times. Hence, intrinsically, it deals with uncertain information substantially into the future but through a structured, well thought out approach. Hence, the answer in Option A above is correct. The answers in Options B to D are not correct. 433. Big Data refers to ____________ A. Data connected to the top few companies in each industry B. Trillions of records from various sources with potentially high value C. Data related to space research, involving great distances in the galaxy D. Data relating to the largest selling products of each organization Module 1 Primer on Information technology, IS Infrastructure & Emerging Technologies 151 Key B Justification Big Data refers to a large collection of data from various sources with potentially high value. The high value emanates from the insights which it is possible to derive from a careful analysis of the available data. Hence, the answer in Option B above is correct. The answers in Options A C and D are not correct. 434. The main value of Big Data arises from ____________ A. Having more data than the competition B. Having comprehensive information about all aspects of the business C. Insights that can be gleaned about niche customers from large data D. Its ability to cover all transactions with customers Key C Justification Data collection in large quantities, per se, carries limited value. It is the careful analysis of humongous volumes of data to elicit patterns of customer behaviour, market trends, etc. that are the major prize won through Big Data. Such exercises help companies to tap new markets, implicit demand, etc. and thus, be one up on the competition. Hence, the answer in Option C above alone is correct. The answers in Options A B and D are not correct. 435. What is the major control aspect of dealing with Big Data which a Chartered Accountant needs to be aware of ? A. Privacy, security & legal aspects of dealing with customer & other parties’ information B. Providing adequate storage space for the large volumes of data C. Instituting adequate steps for collection & collation of the data D. Ensuring adequate storage security through redundancy KEY A Justification There are potential risks involved in collecting, storing & utilising customer data. There is a need for ensuring the entire process is carried out in a legal manner without causing dis-comfort or loss of faith with the customer. Protecting information passed on by a customer based upon trust, is another KEY Aspect. Thus, the answer in Option A above is correct & the other answers are wrong. 436. Returning from school one day, your daughter cannot wait to talk about what they taught her on that day regarding environmental degradation & global warming. She tells you that electricity is generated by power plants to meet our energy needs but they are, at the same time, releasing greenhouse gases like Carbon dioxide which contribute to global warming, leading to cascading effects. An impact of this sort, created by an organization, individual or activity is referred to as _________ Module 1 Primer on Information technology, IS Infrastructure & Emerging Technologies 152 A. Carbon credits B. Carbonification C. Carbon footprint D. Oxidisation Key C Justification The level of green house gases generated by activities & actions of an individual or organization is referred to as a ‘carbon footprint’. Hence, the girl’s description of her learnings at school refer to the carbon footprint of setting up a power plant. Thus, the answer in Option C above is correct & the other answers are wrong. 437. Apart from the conscious choices of minimising the carbon foot print & networking hardware, Green Information Technology involves ______________ A. Use or organic products in the organization B. Minimizing use of water in the organization C. Avoiding air conditioning, utilising natural cooling and light D. Minimization of computer devices’ energy consumption Key D Justification The third of the choices to be made in Green Information technology is minimization of computer devices’ energy consumption over their life cycle, as indicated in Option D above. The answers in the other options are not correct. 438. One of following actions could be an intrinsic part of Green Information Technology implementation ________________ A. Moving back storage & processing capacity from the cloud B. Replacing a single server system with multiple servers C. Installation of automatic shutdown/power-up processes D. Avoiding replacement of old equipment with new ones Key C Justification The answers in Options A, B and D would act, by and large, counter to the goals of Green information technology. Moving to cloud computing helps improved utilisation of resources; similarly, a single server system is probably more energy efficient than multiple servers. Though it may appear worthwhile continuing to sweat old equipment, new equipment are generally more energy efficient and can more than compensate the benefits of retaining the old equipment. The answer in Option C, Module 1 Primer on Information technology, IS Infrastructure & Emerging Technologies 153 however, is relevant & will make a meaningful contribution to the goals of Green IT. Hence, only Option C is the correct answer. 439. One of the initiatives in Green Information Technology implementation could be ______________ A. Using single power efficient server combined with virtualization B. Avoiding replacement of old equipment with new ones C. Replacing a single server system with multiple servers D. Moving back storage & processing capacity from the cloud KEY A Justification The answers in Options B to D would act, by and large, counter to the goals of Green information technology. Though it may appear worthwhile continuing to sweat old equipment, new equipment are generally more energy efficient and can more than compensate the benefits of retaining the old equipment. Moving to cloud computing helps improved utilisation of resources; similarly, a single server system is probably more energy efficient than multiple servers. The answer in Option A, however, is relevant & will make a meaningful contribution to the goals of Green IT. Hence, only Option A is the correct answer. 440. Effective Green Information Technology implementation could involve _______________ A. Replacing a single server system with multiple servers B. Avoiding replacement of old equipment with new ones C. Using power efficient hardware & thin clients D. Moving back storage & processing capacity from the cloud Key C Justification The answers in Options A, B and D would act, by and large, counter to the goals of Green information technology. Moving to cloud computing helps improved utilisation of resources; similarly, a single server system is probably more energy efficient than multiple servers. Though it may appear worthwhile continuing to sweat old equipment, new equipment are generally more energy efficient and can more than compensate the benefits of retaining the old equipment. The answer in Option C, however, is relevant & will make a meaningful contribution to the goals of Green IT. Hence, only Option C is the correct answer. 441. An useful step in Green Information Technology implementation could be ________________ A. Setting of clear goals for power reduction, decreased carbon footprint, etc. B. Replacing a single server system with multiple servers Module 1 Primer on Information technology, IS Infrastructure & Emerging Technologies 154 C. Avoiding replacement of old equipment with new ones D. Moving back storage & processing capacity from the cloud KEY A Justification The answers in Options B to D would act, by and large, counter to the goals of Green information technology. Moving to cloud computing helps improved utilisation of resources; similarly, a single server system is probably more energy efficient than multiple servers. Though it may appear worthwhile continuing to sweat old equipment, new equipment are generally more energy efficient and can more than compensate for the benefits of retaining the old equipment. The answer in Option A, however, is relevant & will make a meaningful contribution to the goals of Green IT. The setting of clear goals helps direct focus to the effort. Hence, only Option A is the correct answer. 442. What is characteristic of Web 2.0 ? A. Communication from one person/unit to many B. HTML Web pages & email newsletters C. Facilitates collaboration & information sharing online D. Two-way communication not possible Key C Justification The Web 2.0 version is a two-way communication facility covering blogs, wikis and social networking sites. It facilitates collaboration & information sharing online, as indicated in Option C. It is not a case of communication from only one person to many. It is also an improvement over the Web 1.0 version which comprised HTML web pages & email newsletters. Hence, Option C is the correct answer. 443. What is a distinguishing feature of Web 3.0 ? A. Communication from one person/unit to many B. Facilitates convergence of mobile phones, smartphone apps, etc. C. HTML Web pages & email newsletters D. Two-way communication not possible Key B Justification The Web 3.0 version is an evolving system which is an improvement over W eb 2.0. It facilitates convergence of mobile phones, smart phone apps, tablets, etc. It is not a case of communication from only one person to many. Like W eb 2.9, it is also an improvement over the Web 1.0 version which comprised HTML web pages & email newsletters. Hence, Option B is the correct answer. 444. What is one of the controls that can be practically established for overcoming the risks of Web 2.0 without compromising on operational efficiencies ? Module 1 Primer on Information technology, IS Infrastructure & Emerging Technologies 155 A. Blocking social networking sites like Facebook B. Restricting access to blog sites C. Blocking access to forums D. Using extended validation, SSL certification for websites Key D Justification Blocking out features like social networking, forums, blogs, etc. would prevent utilization of some of the key features of W eb 2.0 and, hence, would be a sub-optimal approach. It would be better to build in preventive measures like website validation, as brought out in Option D. Hence, Option D is the correct answer. 445. One practical control that can be established for overcoming the risks of Web 2.0 without compromising on operational efficiencies is ? A. To develop & implement internal policies for safeguarding against risks B. Restricting access to blog sites C. Blocking access to forums D. Blocking social networking sites like Facebook KEY A Justification Blocking out features like social networking, forums, blogs, etc. would prevent utilization of some of the key features of W eb 2.0 and, hence, would be a sub-optimal approach. It would be better to draw up a robust policy which addresses all the potential risks of Web 2.0 and the preventive measures required to minimizing them. Hence, only answer in Option A is correct. 446. What is an example of Click jacking ? A. Malicious take-over of a computer on remote basis B. Stealing files in a computer from a remote location C. Stealing of keyed in credentials information D. Resolution of software issues on a device from remote location Key C Justification Click jacking is the malicious stealing of keyed in credentials information through a transparent second layer. The answers in Options A,B and D are incorrect; only the answer in Option C is correct. 447. What is the Web of Everything ? Module 1 Primer on Information technology, IS Infrastructure & Emerging Technologies 156 A. Coverage of all theoretical concepts by the Internet B. Encompasses the Internet as well as all forms of telecommunication C. Comprises the Internet, all telecommunication as well as satellites D. Expansion of Internet to objects like cars, refrigerators, etc. Key D Justification The Web of Everything or the Internet of Everything is the integration of objects like cars, refrigerators, etc. into the internet. It basically merges the physical world with the digital world. The answers in Options A B and C are incorrect; only the answer in Option D is correct. 448. What is 3D printing ? A. Printing of a 3 dimensional video or movie on to paper B. Technology for printing images on paper in 3-dimensional form C. An additive manufacturing process for printing 3-dimensional objects D. Technology which permits printing of images incorporating movement/change Key C Justification 3D printing in an exciting development in printing technology which permits the use of various types of materials, including metals, to create 3 dimensional objects. This is done through a process of additive manufacturing (AM) and can be used for creating virtually any 3 dimensional object. Answer at Option C is, hence, correct whereas the other answers are wrong. 449. Which is one of the major areas of emerging technology wherein CAs need to play a key role ? A. Management of social media & the risks associated with it B. Development of new software technology C. New techniques of marketing of products D. Developments in the field of integrated circuits KEY A Justification One major area of importance to CAs in the changing global environment is that of management of social media & the risk associated with it. For, organizations are increasingly shifting their marketing focus from the physical to the virtual market, exploiting the strengths of the Internet. As more and more products get linked to the Internet, the value of social media will increase tremendously as will the risks associated with it. Hence, Option A is the correct answer. The other answers from Options B to D are not correct. Module 1 Primer on Information technology, IS Infrastructure & Emerging Technologies 157 450. Which one of the following is a KEY Area to be focussed upon by CAs in the current era of emerging technologies ? A. New techniques of marketing of products B. Developments in the field of integrated circuits C. Security of Systems and Data D. Development of new software technology Key C Justification Apart from social media, the other major area of importance to CAs in the changing global environment is security of systems and data. With the explosion of the Internet & connected devices and expanded use of the Internet, the number of interfaces between an organization & its customers / stake holders has grown exponentially. As a consequence, security risks have mushroomed & the CA would have to focus on this as a key element driving not just the success of an organization but also in preventing failures in the organization. Thus, the answer in Option C is the correct answer. The other answers from Options A, B and D are not correct. 451. Information System Audit encompasses independent review & evaluation of ___________ A. Automated information systems, related manual systems & their interfaces B. All computerised information systems alone C. All financial information stored in computers D. All financial & regulatory information stored in computers KEY A Justification IS Audit encompasses all automated information systems (containing both financial as well as non- financial information), related manual systems and the interfaces between them. Hence, Answer at Option A is correct & the other answers are incorrect. Module 2 Information Systems Assurance Services 158 452. In COBIT 5 enablers are factors that influence that something will work in governance & management of enterprise IT. How many such categories of enablers does the COBIT 5 system identify ? A. 7 categories of enablers B. 5 categories of enablers C. 8 categories of enablers D. 10 categories of enablers KEY A Justification COBIT5 is a framework for governance & management of enterprise IT. It helps organizations manage risk & ensure compliance, continuity, security & privacy. One of its 5 key principles is meeting stakeholders’ needs. This principle creates value by balancing the benefits against the optimization of risk & the use of resources. The system identifies 7 categories of enablers that facilitate governance & management of enterprise IT. Hence, the answer in Option A is correct and the other options are wrong. 453. Guidance on evaluating and assessing the internal controls implemented in an enterprise is available in _________________ A. MEA 02 of COBIT 5 B. ITAF 1200 series C. IS/IEF 27001 D. ITAF 1400 series KEY A Justification COBIT5 is a framework for governance & management of enterprise IT. MEA 02 of COBIT5 is a process which provides guidance on evaluating and assessing the internal controls implemented in an enterprise. Hence, the answer in Option A is correct and the other options are wrong. 454. You have been engaged as a Consultant to carry out IS Audit of a large organization. What is the first step you would take while commencing your work ? A. Commence auditing of the financials B. List all the software and hardware used in the organization C. Peruse financials for the previous three years D. Identify all risks present in the IT environment of the organization Key D Justification Module 2 Information Systems Assurance Services 159 The first step in audit engagement is risk assessment based upon which the auditing programme can be developed, giving more importance to high risk areas. Thus, the auditor needs to identify all the risks present in the IT environment of the organization. Hence, the answer in Option D is correct and the other options are wrong. 455. What is the minimum frequency of risk assessment to be carried out as per ISACA guidelines ? A. Once in 6 months B. Once in 3 years C. Once a year D. Once in 2 years or whenever any major change in systems takes place Key C Justification The minimum frequency of risk assessment to be carried out as per ISACA guidance is one year. Hence, the answer in Option C is correct and the other options are wrong. 456. State TRUE or FALSE. As per ISACA guidance, the IS auditor can complete the risk assessment process and present the final findings to the stake holders. The auditor needs to maintain his independence and does not need to seek the specific approval of the stake holders for the findings. A. FALSE B. TRUE KEY A Justification As per ISACA guidance, the IS auditor needs to seek approval of the risk assessment from the audit stake holders and other appropriate parties Hence, the statement in the question stem is false & the answer in Option A is correct. 457. State True or False. Standards on Risk assessment pertaining to IS Audit are different from those prescribed by ICAI under SA315. IS Audit follow a different set of standards laid down by ISACA. A. TRUE B. FALSE Key B Justification The standards on risk assessment pertaining to IS audit as prescribed by ICAI under SA315 are also applicable to risk assessment under IS Audit. Hence, the statement in the question stem is false & the answer in Option B is correct. 458. For effective risk assessment, auditors should ideally supplement the regular risk assessment procedures with _______________ Module 2 Information Systems Assurance Services 160 A. Observation, inspection & analytical procedures B. Interviews with client’s competitors C. Intensive analysis of historical data D. Interviews with client’s suppliers KEY A Justification While the risk assessment procedures outlined by ISACA, ICAI, etc. provide a ready-made template that helps ensure typically vulnerable areas to be captured, observation, inspection & analytical procedures help zero in on risk areas which are peculiar to the particular business or specific period of time. The approaches in the other options may also add value but may not be as significant as that achievable through the answer at Option A. Hence, the statement in the question stem is false & the answer in Option A is correct. 459. The ideal risk assessment technique _____________ A. Is a computerized scoring system based upon evaluation of risk factors B. Is judgemental, based upon the auditor’s personal assessment C. Depends upon the complexity level & detail appropriate for the organization D. Is a combination of computerized scoring & judgemental system Key C Justification The ideal risk assessment technique depends upon the complexity level & detail appropriate for the particular organization. It could be one or a combination of more than one technique. Hence, the statement in the question stem is false & the answer in Option C is correct. 460. An IS Auditor carries out a preliminary visit to his client’s site to get a feel of the operations and identify risks, if any, missed out during his initial study of the records of the organization. In the server room, he feels uncomfortable and realizes that the humidity level as well as the ambient temperature are quite high. On further probing, he discovers that the air conditioning equipment had failed & the original supplier had ceased operations. The administration manager was struggling to find an alternate agency to set the problem right. Also, no fall back system was in place. The IS Auditor is wondering whether this would fall within the purview of his IT General Controls Review. What is your view ? A. Yes, it would fall within the purview of IT General Control Review B. No, it would not fall within the purview of IT General Control review KEY A Justification A general control review would include infrastructure and environment controls too. Hence, the answer in Option A is correct. Module 2 Information Systems Assurance Services 161 461. As part of his exploratory trips to his client’s office, an IS Auditor meets up with the Server Manager. The manager is despondent and the auditor learns it is because of his network cable supervisor’s resignation and impending relief. The manager is unable to find a substitute immediately and dreads the thought of managing any network cabling issues in the interim. The auditor discusses the matter with the manager who feels that the incumbent supervisor is virtually indispensable and he has no subordinate who could step into his shoes. The auditor probes further and also visits some of the locations wherein cable inspection slots were located. He discovers that the cabling junctions had been done in a very haphazard fashion and were not even labelled. Nor was there any manual or chart identifying the network of cables, their junctions/ports, etc. He realizes that the incumbent supervisor had become indispensable on account of this disorganized cabling system as also the absence of any manual. Ideally, the cabling should have been carried out more scientifically, there should have been a ready-reckoner or manual showing the details of the network and a second-in-line should have been in place to stand in for the supervisor in the event of his short term absence or resignation. Would the auditor be well within his rights to include this aspect as a lacuna in the general controls review ? A. No, he would not be right to include this as a lacuna in his general controls review B. Yes, he would be right in including this aspect as a lacuna in his general controls review Key B Justification A general control review would include infrastructure and environment controls too. Hence, the answer in Option B is correct. 462. Is segregation of duties useful as an Organizational control ? Why ? A. Yes, it reduces employee cost B. Yes, it reduces fraud risk & facilitates accuracy check of one person’s work by another C. No, it is not an advantage; it increases employee cost D. No, it complicates the role of the manager who has to manage more employees Key B Justification Segregation of duties is an important control tool whereby, conflicting roles in particular, are segregated and handled by different individuals. It reduces the risk of fraud since one person cannot independently commit any fraud but would need to collude with the second. Also, since the output of one individual may become the input of another, an independent accuracy check of one person’s work by another person becomes a built-in reality. This may increase head-count and, hence, manpower cost but, employed judiciously, the higher manpower cost can be more than compensated by the reduced risks to the organization. Hence, the answer in Option B is correct. 463. A newly appointed Senior executive in an organization, who happened to be a close relative of the promoter, is miffed when the IT Manager refuses access to him to the Server room citing policy guidelines. The executive shares with you, the Auditor of Module 2 Information Systems Assurance Services 162 the organization, what he perceives to be insulting behaviour by the IT Manager. You question him about the purpose of the visit and learn that the executive just wanted to have a tour of the facility, as part of his induction. Do you agree or disagree with the executive ? Why ? A. Yes, I would agree. As a close relative of the promoter, he would surely have the organization’s best interests at heart. B. No, I would not agree. As a new employee, he should not be given access to the server room C. Yes, I would agree. The server, in any case, would be password protected & no harm can be done D. No, I would not agree. Physical access control to the server is an important control mechanism Key D Justification Physical access control to the server room is an important part of IT General controls in any organization. The server is a sensitive equipment with certain commands & settings being exclusive to it. Un-authorized access to it could compromise the security of the IT system & the organization, obviously, has a clearly defined access policy which has to be respected. Relationship to the promoter cannot be an excuse for breaking the policy; if, indeed, he had genuine need to visit the server room, he could have got the necessary clearances. Denial of access cannot be owing to the newness of the employee. Lastly, any robust system operates at different levels of redundancy & the mere existence of password protected access to the server does not prevent a second level of defence, in the form of access control, being done away with. Hence, the answer in Option D is correct. 464. As a measure of IT General control, an organization decides to separate those who can input data from those that can reconcile or approve data. Is this a good move ? Why ? A. No, it is not a good move; the person who inputs the data is the best person to approve the data too B. Yes, it is a good move; it can help prevent unauthorised data entry C. Yes, it is a good move; inputting data & reconciling data requires different skills D. No, it is not a good move; data entry errors would be compounded Key B Justification Segregation of duties is an important control tool whereby, conflicting roles in particular, are segregated and handled by different individuals. It reduces the risk of fraud since one person cannot independently commit any fraud but would need to collude with the second. Also, since the output of one individual may become the input of another, an independent accuracy check of one person’s work by another person becomes a built-in reality Hence, the answer in Option B is correct. Module 2 Information Systems Assurance Services 163 465. As a measure of IT General control, an organization decides to separate those who can test programs (e.g. Users) from those who can develop programs (e.g. Application programmers). Is this a good move ? Why ? A. No, it is not a good move; the person who develops the program is the best person to test it too B. Yes, it is a good move; program testing and program development require different skills C. Yes, it is a good move; it can help prevent unauthorised programs from being run D. No, it is not a good move; significant time would be lost in the process Key C Justification Segregation of duties is an important control tool whereby, conflicting roles in particular, are segregated and handled by different individuals. It reduces the risk of fraud since one person cannot independently commit any fraud but would need to collude with the second. Also, since the output of one individual may become the input of another, an independent accuracy check of one person’s work by another person becomes a built-in reality. In this case, conflict in roles is clearly existing. Time savings could, perhaps, be gained by using the same person but this would mean paying the expensive price of potentially unauthorised programs being run. Hence, the answer in Option C is correct. 466. As a measure of IT General control, an organization decides to separate those who can run live programs (e.g. Operations department) from those who can change programs (e.g. programmers). Is this a good move ? Why ? A. Yes, it is a good move; it can help prevent unauthorised programs from being run B. No, it is not a good move; the user dept. knows best & should be allowed to change programs C. Yes, it is a good move; since the programmers would have no work to do otherwise D. No, it is not a good move; significant time would be lost in the process & potential savings lost KEY A Justification Segregation of duties is an important control tool whereby, conflicting roles in particular, are segregated and handled by different individuals. It reduces the risk of fraud since one person cannot independently commit any fraud but would need to collude with the second. Also, since the output of one individual may become the input of another, an independent accuracy check of one person’s work by another person becomes a built-in reality. In this case, conflict in roles is clearly existing. Also, while the user dept. may have the need for a change, it is up to the programmer to devise an appropriate method of programming logic to satisfy the user’s requirement. Time savings could, perhaps, be gained by using the same person but this would mean paying the expensive price of potentially unauthorised & defective programs being run. Hence, the answer in Option A is correct. 467. Thanks to its growing popularity, a family-run fast food restaurant is transforming itself into a chain of branded restaurants & has created a formal organization structure to manage the growing organization. Having identified young and upcoming IT industry employees as their core base of customers, the family decides to build a strong backbone of IT to facilitate online ordering of food, creation Module 2 Information Systems Assurance Services 164 of customer database, etc. Since the immediate primary purpose is to enable online payments for the purchases by customers, the trustworthy family retainer & Junior Accountant is given the responsibility of installing and maintaining the IT system. As an IS Auditor, do you think the family was right in giving the Junior Accountant the responsibility ? Why ? A. No. A senior management representative should take responsibility in the interest of IT General Control B. Yes, since the accountant is the main beneficiary of the IT system C. No. The Senior Accountant in the chain should have been given the responsibility D. Yes, this role requires a trustworthy person & the family retainer is the best fit KEY A Justification Responsibility for IT systems should lie with the top management with appropriate delegation to lower levels. This would not only ensure that the highly vulnerable IT systems are properly controlled at the highest levels in the company but also ensure that appropriate IT policies are framed, keeping in mind organizational objectives and goals. The perspective of an accountant, whether junior or senior, would be rather limited to his area of operations and responsibility; it may lack the breadth of vision which would be essential at the top management level as also the interfaces between various functions in the business. In any professional organization, no positive bias can be allowed for the dominance of so-called ‘family retainers’ however trustworthy they may be. The operations have to be system driven & not personality driven. Hence, the answer in Option A is correct. 468. An important element of Management Control for the Information System in an organization is the Information Technology Steering Committee. The Committee _________ A. Will be exclusively representatives from the IT division B. Will cover core IT alone, excluding telecommunication, automation systems, etc. C. Will handle operational issues only; overall goals & strategies would be outside its purview D. Will include members from all areas of business, apart from IT personnel Key D Justification The IT Committee in an organization would drive IT in line with organizational goals, vision & mission. It will be manned by senior officials from all areas of the business, apart from IT professionals. Its scope will include all types of IT related operations including telecommunication, automation systems, manufacturing processing systems, etc. Hence, the answer in Option D is correct. 469. A leading exporter of cut & polished diamonds has a specially designed vault for storing its raw as well as processed diamonds. At any point of time, the material stored in the vault is worth several crores of rupees. Module 2 Information Systems Assurance Services 165 The exporter has laid down a clear procedure for operation of the vault. It can be opened or closed using two different keys which are held by the Operations Head and the Finance Head respectively. These officials cannot pass on their individual key to the other official or any other official. They have to be necessarily present and operate their key themselves. Both at the time of every opening the vault as also every closing of the vault, a vault register is signed by both these officials after filling in relevant information. The vault is also sealed with individual unique seals of these officials & checked every time before the vault is opened afresh. Thus, the vault can be opened only when both these officials are present & a record is also maintained of every transaction. These officials carry their individual keys home but never travel together while coming to the office or while leaving it. What type of control is being exercised by this Diamond exporter through this process ? A. Dual Finance Control B. Physical Access Control C. Operating System Control D. Management Control KEY A Justification This is a dual control system which falls under Finance control mechanism since it entails two people simultaneously accessing an asset. Hence, the answer in Option A is correct. 470. What is the first step for an Auditor in an Application software review ? A. Ascertain the creator of the application software B. Ascertain the validity of the user licence for the software C. Ascertain the business function or activity that the software performs D. Identify the users who have been granted access to the software Key C Justification The first step for an Auditor is to ascertain the business function or activity that the software performs. The auditor needs to understand the intricacies of the business and the way in which the software facilitates the business. Hence, the answer in Option C is correct. 471. As an IS Auditor reviewing Application software in your new client’s organization, you have started by thoroughly understanding the nature of the business and the manner in which the Application software meets the business requirements. What is the next step which you would take in the process of the Application software review ? A. Identify the users who have been granted access to the software B. Ascertain the creator of the application software C. Ascertain the validity of the user licence for the software Module 2 Information Systems Assurance Services 166 D. Check how the software handles the risks associated with the particular area of business dealt with by it Key D Justification The next important step for an Auditor is to identify the potential risks associated with the business activity/function served by the software & see how the risks are handled by the software. Hence, the answer in Option D is correct. 472. State True or False. IT Application controls are controls which are in-built in the software application itself. A. FALSE B. TRUE Key B Justification IT application controls are, indeed, controls which are in-built in the software application itself. Hence, the answer in Option B is correct. 473. Which of the following are one of the KEY Areas that should be covered during an IS Audit of Application software ? A. List of authorised users of the software B. Adherence to business rules in the flow & processing accuracy C. Validity of software licence D. Cost of the software & availability of cheaper alternatives Key B Justification One of the KEY Areas to be covered is the software’s adherence to business rules in the flow and processing accuracy. The other answers in Options A, C and D are not of immediate relevance or urgency. The answer in Option B is correct. 474. Which of the following are one of the KEY Areas that should be covered during an IS Audit of Application software ? A. Cost of the software & availability of cheaper alternatives B. List of authorised users of the software C. Validations of various data inputs D. Validity of software licence Key C Justification One of the KEY Areas to be covered is the validation of various data inputs. The other answers in Options A, B and D are not of immediate relevance or urgency. The answer in Option C is correct. Module 2 Information Systems Assurance Services 167 475. Which of the following are one of the KEY Areas that should be covered during an IS Audit of Application software ? A. Logical access control and authorization B. Validity of software licence C. Cost of the software & availability of cheaper alternatives D. List of authorised users of the software KEY A Justification One of the KEY Areas to be covered is logical access control and authorization. The other answers in Options B to D are not of immediate relevance or urgency. The answer in Option A is correct. 476. Which of the following are one of the KEY Areas that should be covered during an IS Audit of Application software ? A. Validity of software licence B. Cost of the software & availability of cheaper alternatives C. Exception handling and logging D. List of authorised users of the software Key C Justification One of the KEY Areas to be covered is exception handling and logging. The other answers in Options A, B and D are not of immediate relevance or urgency. The answer in Option C is correct. 477. Audit Sampling _____________ A. Involves application of audit procedures to less than 100 % of the population B. Can be carried out only through rigorous statistical sampling C. Can be applied only for compliance and not for substantive testing D. Involves use of Auditing standard SA 350 in the auditing process KEY A Justification When it is not practically feasible to check every one of the elements in a population & the population is reasonably random, sampling is resorted to as an indication of the nature of the population as a whole. It can be carried out both through statistical sampling as well as non-statistical sampling. It can be applied both for compliance as well as substantive testing. Auditing standard SA 530 is the relevant one applicable to use of sampling in the auditing process. Hence, the answer in Option A is the correct one. 478. Audit Sampling _______________ A. Involves use of Auditing standard SA 350 in the auditing process Module 2 Information Systems Assurance Services 168 B. Can be carried out only through rigorous statistical random sampling C. For IS Audit can be done using ISACA’s guidelines D. Can be applied only for compliance and not for substantive testing KEY C Justification When it is not practically feasible to check every one of the elements in a population & the population is reasonably random, sampling is resorted to as an indication of the nature of the population as a whole. It can be carried out both through statistical sampling as well as non-statistical sampling. The statistical sampling could be either random or systematic. It can be applied both for compliance as well as substantive testing. Auditing standard SA 530 is the relevant one applicable to use of sampling in the auditing process. ISACA guidelines in this regard can also be followed. Hence, the answer in Option C is the correct one. 479. In IS Audit, sample design would be driven by ________________ A. Resource availability & auditor’s convenience B. Type of sampling whether statistical or haphazard/judgemental C. The advice of the auditee, based upon his past experience D. Objectives of test & attributes of the population Key D Justification Sample design would be driven by test objectives and attributes of the population. The sample size & complexity cannot be compromised owing to resource constraint on the part of the auditor; the outcome could be sub-standard. The sampling type chosen would not have that significant impact on the sample size. The auditee’s advice will not be the basis for sample design for obvious reasons. Hence, the answer in Option D is the only correct answer. 480. What are CAATs ? A. Computer Assisted Audit Tools B. Council for Association of Auditors & Trainers C. Chartered Accountants’ Audit Tools D. Corporate Audit & Accounting Tools KEY A Justification CAATs are basically computer assisted audit tools which help auditors sift through large volumes of information to identify control issues, defaults, etc. They can greatly enhance the efficiency and effectiveness of IS auditors. The answer in Option A is the correct one. 481. What are some of the key reasons for establishing controls and auditing in a computerized environment ? Module 2 Information Systems Assurance Services 169 A. Computers are more prone to make errors in handling subjective big data B. There is more scope for fraud & error in a computerized environment C. Data may be entered into the system without supporting documents D. There is no choice since most operations are computerized Key C Justification A key vulnerability of computerized systems is the fact that, at times, data may be entered into the system without supporting documents. This is a fundamental principle of accounting which we cannot afford to ignore. Hence, the answer in Option C is the correct one. The others are incorrect Computer are not more prone than humans in making errors & one cannot say that there is increased scope for fraud & error in a computerized environment. 482. What are some of the key reasons for establishing controls and auditing in a computerized environment ? A. Transaction trail may be partly in machine language & retained only for a limited period B. There is more scope for fraud & error in a computerized environment C. Computers are more prone to make errors in handling subjective big data D. There is no choice since most operations are computerized KEY A Justification A key vulnerability of computerized systems is the fact that, at times, data may be entered into the system without supporting documents. This is a fundamental principle of accounting which we cannot afford to ignore. Another aspect is the fact that transaction trails may not be visible they may be partly in machine language & retained only for a limited period. Hence, the answer in Option A is the correct one. The others are incorrect Computer are not more prone than humans in making errors & one cannot say that there is increased scope for fraud & error in a computerized environment. 483. What is one of the key tests which can be ideally carried out using Computer Assisted Audit Tools (CAATs) ? A. Projections on future trends for specific parameters B. Carrying out employees’ reference checks C. Identification of exceptional transactions based upon set criteria D. Carry out employee appraisals Key C Justification One of the many key tests that can be carried out by CAATs is identification of exceptional transactions based upon set criteria. The IS auditor can set the criteria based upon the sort of transactions which are not expected to occur basis the controls which are to have been incorporated Module 2 Information Systems Assurance Services 170 in the organization’s systems. CAATs are more in the nature of audit tools & would not be ideal for the other purposes listed in Options A, B and D above. Hence, answer at Option C alone is correct. 484. What is one of the key tests which can be ideally carried out using Computer Assisted Audit Tools (CAATs) ? A. Carry out employee appraisals B. Identify potential areas of fraud C. Projections on future trends for specific parameters D. Carrying out employees’ reference checks Key B Justification One of the many key tests that can be carried out by CAATs is identification of potential areas of fraud. The IS auditor can set the criteria based upon the sort of transactions which are not expected to occur basis the controls which are to have been incorporated in the organization’s systems. CAATs are more in the nature of audit tools & would not be ideal for the other purposes listed in other options above. Hence, answer at Option B alone is correct. 485. What is one of the key tests which can be ideally carried out using Computer Assisted Audit Tools (CAATs) ? A. Carry out employee appraisals B. Projections on future trends for specific parameters C. Identify data which is inconsistent or erroneous D. Carrying out employees’ reference checks Key C Justification One of the many key tests that can be carried out by CAATs is identification of data which is inconsistent or erroneous. The IS auditor can set the criteria based upon the sort of data which are not expected to occur basis the controls which are to have been incorporated in the organization’s systems. CAATs are more in the nature of audit tools & would not be ideal for the other purposes listed in Options A,B and D above. Hence, answer at Option C alone is correct. 486. What is one of the key tests which can be ideally carried out using Computer Assisted Audit Tools (CAATs) ? A. Carry out employee appraisals B. Projections on future trends for specific parameters C. Carrying out employees’ reference checks D. Perform various types of statistical analysis Key D Justification Module 2 Information Systems Assurance Services 171 One of the many key tests that can be carried out by CAATs is the carrying out of various types of statistical analysis which could throw up areas of in-consistencies, defaults, etc. CAATs are more in the nature of audit tools & would not be ideal for the other purposes listed in Options A to C above. Hence, answer at Option D alone is correct. 487. What is one of the key tests which can be ideally carried out using Computer Assisted Audit Tools (CAATs) ? A. Establishing whether the set controls are working as prescribed B. Carry out employee appraisals C. Projections on future trends for specific parameters D. Estimation of competitor activity KEY A Justification One of the many key tests that can be carried out by CAATs is establishing whether the set controls are working as intended. CAATs are more in the nature of audit tools & would not be ideal for the other purposes listed in Options B to D above. Hence, answer at Option A alone is correct. 488. What is one of the key tests which can be ideally carried out using Computer Assisted Audit Tools (CAATs) ? A. Carry out market surveys for a new product launch B. Projections on future trends for specific parameters C. Establishing relationship between two or more areas & identify duplicate transactions D. Estimation of competitor activity Key C Justification One of the many key tests that can be carried out by CAATs is establishing whether the set controls are working as intended. CAATs are more in the nature of audit tools & would not be ideal for the other purposes listed in Options A, B and D above. Hence, answer at Option C alone is correct. 489. What is Compliance testing ? A. Testing any activity in compliance with Government rules and regulations B. Checking whether the organization has remitted employee provident fund into the relevant account C. Checking whether the office employees are checking into and leaving the office as per approved working hours D. Checking whether controls are operated in compliance with management policies/procedures Key D Justification Module 2 Information Systems Assurance Services 172 Compliance testing deals with checking the controls which have been established in the organization rather than checking compliance of any specific activity per se. Hence, answer at Option D alone is correct. The answers in other options deal with the actual activity rather than the controls and, hence, are not correct. 490. What are Substantive tests ? A. Tests which validate the internal controls exercised over financial transactions B. Tests which are done only by choice, if required, rather than by default C. Tests to evaluate the integrity of individual transactions, data, etc. D. Tests which are not used for checking for monetary errors affecting financial parameters Key C Justification Compliance testing deals with checking the controls which have been established in the organization. In contrast, Substantive testing tests to evaluate the completeness, accuracy, etc. or the integrity, in general, of individual transactions, data, information, etc. They are carried out in most audits & are often called default procedures. They are often used for checking for monetary errors affecting financial statement balances. Hence, answer at Option C alone is correct. The answers in other options are obviously not correct. 491. How can design effectiveness for compliance for a process be evaluated ? A. By a walkthrough of the business process and the risk controls B. By carrying out substantive testing C. By carrying out compliance testing D. By checking the financials for errors & inconsistencies KEY A Justification Design effectiveness for compliance for a process can be evaluated by a walkthrough of the business process This will help identifying the existence of controls, the design of the risk controls as well as the accuracy of process documentation. Compliance testing deals with checking the controls which have been established in the organization. In contrast, Substantive testing tests to evaluate the completeness, accuracy, etc. or the integrity, in general, of individual transactions, data, information, etc. In isolation, neither of them will comprehensively address design effectiveness. Merely checking the financials will also not achieve the desired objective. Hence, answer at Option A alone is correct. 492. In IS Audit, Operational Effectiveness ______________ A. Refers to effectiveness of the organization’s operations B. Refers to effectiveness of the IS Audit C. Refers to actual performance of the Control in IT environment D. Refers to achievements in line with overall organizational strategy Module 2 Information Systems Assurance Services 173 Key C Justification In IS Audit, Operational Effectiveness refers to the actual performance of the Control in IT environment. This is in contrast with the intended design or goal. Answer at Option C alone is correct. 493. In IS audit, for manual controls, documented evidence substantiating control performance as per design is ______________ A. Through physical records created when the controls have been operated B. Through appropriate reports and screen shots from the system C. Through records of interviews with operational staff D. Through software trail of the various components of the control process KEY A Justification For manual controls, documented evidence substantiating control performance as per design is through physical records created when the controls have been operated. This can be supplemented by samples of samples to ensure that purported reviews conducted by an individual have actually taken place. Answer at Option A alone is correct. 494. Audit evidence in IS Audit ____________ A. Excludes IS Auditor observations, notes from interviews etc. B. Is not subject to the usual audit rules of sufficiency & competency C. Is information substantiating alignment with objectives & supporting audit conclusions D. That which would stand scrutiny in a court of law Key C Justification Audit evidence in IS Audit is any information that substantiates alignment of that particular aspect with the intended objectives and that also support audit conclusions. Thus, the answer at Option C alone is correct. 495. In IS Audit, when is evidence said to be competent ? A. When it is given by an individual who is competent B. When it is both valid and relevant C. When the evidence is backed by senior management of the organization D. When the evidence has been historically demonstrated Key B Justification Module 2 Information Systems Assurance Services 174 In IS Audit, evidence is said to be competent when it is both valid and relevant. Thus, the answer at Option B alone is correct. 496. In IS Audit, how is sufficiency of evidence assessed ? A. Through Audit judgement B. When the evidence is valid at the two standard deviation level C. When the evidence is valid at the three standard deviation level D. When more than 90 % of the relevant transactions can be explained KEY A Justification In IS Audit, sufficiency of evidence is assessed through Audit judgement. Thus, the answer at Option A alone is correct. 497. Which is the ICAI standard on auditing which deals with the Auditor’s responsibility to prepare audit documentation for financial statements ? A. SA 500 B. SA 580 C. SA 230 D. SA 1205 Key C Justification The ICAI standard on auditing which deals with the Auditor’s responsibility to prepare audit documentation for financial statements is SA 230. Hence, the answer at Option C alone is correct. 498. Which is the ICAI standard on auditing which deals with what constitutes audit evidence in an audit of financial statements as also with the Auditor’s responsibility to design and perform audit procedures ? A. SA 230 B. SA 500 C. SA 1205 D. SA 580 Key B Justification SA 500 is the ICAI standard on auditing which deals with what constitutes audit evidence in an audit of financial statements as also with the Auditor’s responsibility to design and perform audit procedures. Hence, the answer at Option B alone is correct. Module 2 Information Systems Assurance Services 175 499. Which is the ICAI standard on auditing which deals with the Auditor’s responsibility to obtain written representations from the management as also those charged with governance ? A. SA 580 B. SA 230 C. SA 1205 D. SA 500 KEY A Justification SA 580 is the ICAI standard on auditing which deals with the Auditor’s responsibility to obtain written representations from the management as also those charged with governance. Hence, the answer at Option A alone is correct. 500. Which is the ISACA standard on evidence which IS auditors are required to comply with? A. 230 B. 1206 C. 500 D. 1205 Key D Justification The ISACA standard on evidence which IS auditors are required to comply with is 1205. Hence, the answer at Option D alone is correct. 501. What are Test working papers in IS Audit Documentation ? A. Draft of the final IS audit report prepared for the Board of Directors B. Those prepared or obtained as a result of compliance/testing procedures C. Draft of the preliminary IS audit report submitted to senior management for comments D. IS audit team’s answers to test questions on the auditee’s business & environment Key B Justification Test working papers in IS Audit documentation are those prepared or obtained as a result of compliance/testing procedures. Hence, the answer at Option B alone is correct. 502. Which is the ISACA standard relating to use of services of external experts ? A. 1206 B. 230 Module 2 Information Systems Assurance Services 176 C. 1205 D. 500 KEY A Justification The ISACA standard relating to use of services of external experts is 1206. Hence, the answer at Option A alone is correct. 503. Which is the tool used in IS audit for assessing the proper level of controls ? A. ISACA method 230 B. Random sampling of transactions C. A control matrix, comparing known types of errors with known type of controls D. ICAI guidelines on the appropriate level of controls Key C Justification The tool used in IS audit for assessing the proper level of controls is the control matrix. This basically involves comparison of known types of errors with known types of controls. Hence, the answer at Option C alone is correct. 504. Prior to reporting a control weakness, an IS auditor ______________ A. Should carry out random sampling of transactions B. Should check whether there are 2 or more weak controls C. Should check for a minimum of 3 strong controls D. Should look for compensating controls Key D Justification Prior to reporting a control weakness, an IS auditor should look for compensating controls. . Hence, the answer at Option D alone is correct. 505. State True or False. Materiality of an IS auditor’s findings will not be different for different levels of management. The auditor will have to report his findings impartially & consistently whether it be to the lower echelons of management or senior management. A. FALSE B. TRUE KEY A Justification Module 2 Information Systems Assurance Services 177 Materiality of an IS auditor’s findings to different levels of management would depend upon its significance to each level. Thus, what may be material to a lower level of the management may not be so for the higher level and vice versa. Hence, the cited statement is false & the answer at Option A alone is correct. 506. What is Forensic Audit ? A. Audit specializing in discovering, disclosing and following up on frauds and crimes B. Audit relating to the Chemical and Pesticide industry C. Audit relating to environmental matters, including pollution D. Audit relating to hospitals and healthcare facilities KEY A Justification Forensic audit specializes in discovering, disclosing and following up on frauds and crimes. It is assuming increasing significance owing to the enhanced risks involved with increased use of IT and globalization. Answer at Option A alone is correct. 507. What are Control Self-Assessments ? A. These are self- assessments of the auditing process adopted by auditors B. These are self- assessments by business process owners independent of auditors C. These are conducted by business process owners but facilitated by auditors D. These are compliance audits carried out by auditors Key C Justification Control Self-Assessments are those that are conducted by business process owners on their own but facilitated by auditors. Answer at Option C alone is correct. 508. Protective / Preventative controls and Detective controls are two of the three fundamental types of controls. Which is the third type of control ? A. Forensic Controls B. Security Controls C. Reactive / Corrective Controls D. Legislative Controls Key C Justification The third type of Controls is Reactive/Corrective Control. Answer at Option C alone is correct. 509. Reactive / Corrective Controls and Detective controls are two of the three fundamental types of controls. Which is the third type of control ? Module 2 Information Systems Assurance Services 178 A. Protective / Preventative controls B. Security Controls C. Forensic Controls D. Legislative Controls KEY A Justification The third type of Controls is Protective / Preventative Control. Answer at Option A alone is correct. 510. Reactive / Corrective Controls and Protective / Preventative controls are two of the three fundamental types of controls. Which is the third type of control ? A. Legislative Controls B. Detective controls C. Security Controls D. Forensic Controls Key B Justification The third type of Controls is Detective Control. Answer at Option B alone is correct. 511. What is Cyber fraud ? A. A fraud that involves use of computers and computer networks B. A fraud committed exclusively through the internet C. A fraud exceeding U.S. $ 1 million in value D. A fraud involving software alone KEY A Justification Cyber fraud is a fraud that involves use of computers and computer networks. Answer at Option A alone is correct. 512. Which standard of auditing defines fraud & the management’s responsibility ? A. SIA 2 B. SIA 17 C. SIA 11 D. SIA 21 Key C Justification Module 2 Information Systems Assurance Services 179 SIA 11 defines fraud & lays the responsibility on the management for prevention & detection of frauds. Answer at Option C alone is correct. 513. A holistic approach to deterrence & prevention of fraud would be ? A. Focussing on integrity of new recruits B. Establishing severe punishment for fraud C. Compensating employees adequately to minimize temptation D. Strengthening of Governance and management framework Key D Justification A holistic approach to deterrence and prevention of fraud would require strengthening of governance and management framework. The answers in options A to C address the issue in bits and pieces and, hence, are not the right answers . Answer at Option D alone is correct. 514. State True or False. Computer Forensics deals only with digital evidence acceptable to a court of law; non-digital evidence would not fall under this category. A. TRUE B. FALSE KEY A Justification Computer Forensics is the process of identifying, preserving, analysing and presenting digital evidence in a manner that is legally admissible in legal proceedings. Hence, answer at Option A is correct. 515. Evidence loses its value in legal proceedings in the absence of _______________ A. Recency of information B. Validation by the I.T. dept. of the police C. Professional maintenance of the chain of custody D. Authenticated hard copies Key C Justification Evidence loses its value in legal proceedings in the absence of professional maintenance of the chain of custody. Hence, answer at Option C is correct. 516. Demonstrating integrity & reliability of evidence are key for it to be acceptable to law enforcement enforcers. This can be done through identification of evidence, preservation of evidence including documentation of chain of custody, analysis & interpretation of data and _______________. Module 2 Information Systems Assurance Services 180 A. Recency of information B. Validation by the I.T. dept. of the police C. Use of authenticated hard copies D. Presentation to relevant parties for acceptance of evidence Key D Justification Evidence loses its value in legal proceedings in the absence of professional maintenance of the chain of custody. Hence, answer at Option D is correct. 517. Which is one of the most effective tools and techniques to combat fraud ? A. Computer Assisted Audit Techniques (CAAT) B. Threats of severe punishment C. Validation by the I.T. dept. of the police D. Use of authenticated hard copies KEY A Justification CAAT is one of the time-tested tools required for carrying out the above exercise. . Hence, answer at Option A is correct. Module 3 Governance and Management of Enterprise Information Technology, Risk Management & Compliance 181 518. Distinguish between Enterprise Governance and Corporate Governance. A. Corporate governance is applying the principles of enterprise governance to the corporate structure of enterprises B. Corporate governance relates to principles applying to the top management of a company whereas enterprise governance relates to all the employees of the company or enterprise C. Corporate governance relates to compliance related to regulatory mechanisms whereas enterprise governance relates to protection of shareholders’ interests D. Corporate governance pertains to conformance whereas enterprise governance relates to performance KEY A Justification As indicated in Option A, corporate governance is applying the principles of enterprise governance to the corporate structure of enterprises. The answers in the other Options are not factually correct. 519. Which of the following provides for mandatory Internal Audit and reporting on Internal financial controls for companies in India? A. Companies Act, 2013 B. IT Act, 2008 C. Sarbanes Oxley Act, 2002 D. Shops and Establishments Act KEY A Justification As indicated in Option A, the Companies Act, 2013, under section 138, provides for mandatory Internal Audit and reporting on internal financial controls. Hence, the answers in the other Options are not factually correct. 520. Which of the following provides for compliance requirements & maintenance of privacy of information for companies in India? A. IT Act, amended 2008 B. Companies Act, 2013 C. Sarbanes Oxley Act, 2002 D. Shops and Establishments Act KEY A Justification Module 3 Governance and Management of Enterprise Information Technology, Risk Management & Compliance 182 As indicated in Option A, the IT Act amended during 2013 provides for maintaining privacy of information & compliance requirements on management, including penalties for non-compliance. Hence, the answers in the other Options are not factually correct. 521. Which of the following prescribes mandatory audit covering corporate governance as per clause 49 ? A. IT Act, amended 2008 B. Companies Act, 2013 C. SEBI, for listed companies D. Sarbanes Oxley Act, 2002 Key C Justification As indicated in Option C, SEBI has provided for mandatory audit as per clause 49 of the equity listing agreement. The audit primarily covers governance. Hence, the answers in the other Options are not factually correct. 522. As per Clause 49 V (C) and (D) of the SEBI Equity listing agreement, which of the following are held responsible for establishment and maintenance of internal controls for financial reporting ? A. Managing Director of listed companies B. The Board of Directors of listed companies C. Audit Committee of the Board of Directors of listed companies D. CEO/CFO of listed companies Key D Justification As per Clause 49 V (C) and (D) of the SEBI Equity listing agreement, the CEO/CFO are held responsible for establishment and maintenance of internal controls for financial reporting. Hence, the answer in Option D is correct and those in the other Options are not factually correct. 523. Good governance alone cannot make an organization successful. Governance should ideally be implemented with the right balance in two dimensions of conformance and a second element. What is the second element ? A. Risk protection B. Internal Audit C. Performance D. Trust Key C Justification Module 3 Governance and Management of Enterprise Information Technology, Risk Management & Compliance 183 Good governance alone cannot make an organization successful. Governance should ideally be implemented with the right balance in two dimensions of conformance and a second element, performance. Hence, the answer in Option C is correct and those in the other Options are not factually correct. 524. Which is one of the major oversight mechanisms available to the Board of Directors to ensure that corporate governance processes are effective ? A. Incentive schemes for Directors B. The company’s annual report C. Committees like audit committee comprising independent non-executive Directors D. Quarterly Board meetings Key C Justification One of the major oversight mechanisms available to the Board of Directors to ensure that corporate governance is effective are mandatory committees like the Audit committee. 525. State TRUE or FALSE. ‘Unlike the conformance dimension of Corporate Governance, which is backed by an audit committee manned by independent directors, the performance dimension has no dedicated oversee mechanism.’ A. TRUE B. FALSE KEY A Justification It is true that the performance dimension of Corporate governance has no dedicated oversee mechanism, unlike the conformance dimension. Hence, answer at Option A is correct. 526. There are oversight mechanisms for the Performance and Conformance dimensions of business governance. One other KEY Aspect of business conformance that is often left out is _____________ A. Profitability B. Information Technology C. Strategy D. Capital investments Key C Justification The neglected aspect of oversight is generally that of strategy. Hence, answer at Option C is correct. 527. What is the key benefit of Governance of Enterprise IT (GEIT) ? Module 3 Governance and Management of Enterprise Information Technology, Risk Management & Compliance 184 A. It ensures the efficiency of the IT system B. It facilitates the Balance Score card system C. It facilitates capital investment decision making D. It provides a consistent approach integrated & aligned with enterprise governance Key D Justification The key benefit of GEIT is that it provides a consistent approach, integrated & aligned with enterprise governance. Hence, answer at Option D is correct. 528. State True or False. With reference to Governance of Enterprise IT, the Reserve Bank of India issues guidelines covering various aspects of secure technology deployment. These guidelines are prepared based on various global practices such as COBIT & ISO 27001. A. TRUE B. FALSE KEY A Justification Yes, the RBI does issue guidelines covering various aspects of secure technology deployment which are based upon various global practices such as COBIT & ISO 27001. Hence, answer at Option A is correct. 529. Benefit realization & Risk optimization are two of the three areas of focus of Governance of Enterprise IT as specified under COBIT 5. What is the third area of focus ? A. The third area of focus is Personnel Policies B. The third area of focus is Information Technology C. The third area of focus is Resource optimization D. COBIT 5 specifies only two areas of focus Key C Justification The third area of focus prescribed by COBIT 5 is Resource optimization. Hence, answer at Option C is correct. 530. Resource optimization & Risk optimization are two of the three areas of focus of Governance of Enterprise IT as specified under COBIT 5. What is the third area of focus ? A. The third area of focus is Information Technology B. The third area of focus is Personnel Policies Module 3 Governance and Management of Enterprise Information Technology, Risk Management & Compliance 185 C. The third area of focus is Benefit realization D. COBIT 5 specifies only two areas of focus Key C Justification The third area of focus prescribed by COBIT 5 is Benefit realization. Hence, answer at Option C is correct. 531. Which of the following could be a recommended framework for internal controls & risk management ? A. COSO 2013 (Council of Sponsoring Organizations of the Tread way Commission) B. ISO 17001 C. ITAF 1200 series D. COBIT 5 KEY A Justification COSO 2013 framework would be ideal for internal controls and risk management. Hence, answer at Option A is correct. 532. GEIT involves both Conformance as well as Performance perspectives. What would be the KEY Areas of focus of GEIT from the Conformance perspective ? A. Strategic decision making and value creation B. Best practices, tools and techniques C. Board Structure, Roles and Remuneration D. Balanced Score Card Key C Justification The Board Structure, Roles and Remuneration would be the key focus areas of GEIT from the Conformance perspective. Hence, answer at Option C is correct. The other options are incorrect. 533. GEIT involves both Conformance as well as Performance perspectives. What would be the KEY Areas of focus of GEIT from the Performance perspective ? A. Board Structure, Roles and Remuneration B. Standards and Codes C. Strategic decision making and value creation D. Audit Committee Module 3 Governance and Management of Enterprise Information Technology, Risk Management & Compliance 186 Key C Justification From the Business performance angle, quite obviously, strategic decision making and value creation would be the key focus areas for GEIT. The other options from A,B to D are incorrect. Hence, answer at Option C is correct. 534. Operations and reporting are two of the three categories of objectives of the COSO 2013 framework. What is the third category of objectives ? A. Information Technology B. Security C. Compliance D. Risk Management Key C Justification Compliance is the third category of objectives of the COSO 2013 framework as indicated in Option C. The answers in the other options are incorrect. 535. Reporting and Compliance are two of the three categories of objectives of the COSO 2013 framework. What is the third category of objectives ? A. Information Technology B. Security C. Operations D. Risk Management Key C Justification Compliance is the third category of objective of the COSO 2013 framework as indicated in Option C. The answers in the other options are incorrect. 536. Control environment, risk assessment, control activities and information & communication are four of the five integrated components of internal control in COSO. What is the fifth component ? A. Risk Management B. Information Technology C. Security D. Monitoring activities Key D Module 3 Governance and Management of Enterprise Information Technology, Risk Management & Compliance 187 Justification Monitoring activities is the fifth component of internal controls in COSO as indicated in Option D. The answers in the other options are incorrect. 537. Control environment, control activities, information & communication and monitoring activities are four of the five integrated components of internal control in COSO. What is the fifth component ? A. Risk Management B. Information Technology C. Risk assessment D. Security Key C Justification Risk assessment is the fifth component of internal controls in COSO as indicated in Option C. The answers in the other options are incorrect. 538. Risk assessment, control environment, control activities and monitoring activities are four of the five integrated components of internal control in COSO. What is the fifth component ? A. Information & communication B. Risk Management C. Information Technology D. Security KEY A Justification Information and communication is the fifth component of internal controls in COSO as indicated in Option A. The answers in the other options are incorrect. 539. State True or False. The COSO 2013 framework prescribes the controls to be selected, developed and deployed for effective internal control. The management is not left with any choice in the matter and has to rigorously comply with the COSO 2013 framework. A. FALSE B. TRUE KEY A Justification Module 3 Governance and Management of Enterprise Information Technology, Risk Management & Compliance 188 The COSO 2013 framework does not prescribe the controls to be selected, developed and deployed. It is a function of management judgement based upon factors unique to the entity. Hence, the statement in the stem is false and Option A is correct. 540. State True or False. What COSO 2013 is to internal controls, COBIT 5 is to governance in Governance of Enterprise Information Technology. A. FALSE B. TRUE Key B Justification In GEIT, COBIT 5 is the business framework of governance and management of IT. COSO 2013 is a framework for managing internal controls. Hence, the statement in the stem above is correct and the answer is true as per Option B above. 541. COBIT 5 ______________ A. Is best suited for large corporates B. Is best suited for small and medium enterprises C. Is a set of globally accepted principles, practices, analytical tools and models D. Is not ideally suited for non-profit and government enterprises Key C Justification As indicated in Option C above, COBIT 5 is a set of globally accepted principles, practices, analytical tools and models for governance. It can be used by all types and sizes of organizations, whether profit-oriented or otherwise. Hence, answers at Options A,B and D are wrong. 542. Meeting stakeholder needs, Covering the enterprise end-to-end, Applying a single integrated framework and Enabling a holistic approach are 4 of the 5 key principles of COBIT 5. Which is the fifth principle ? A. Separating Governance from Management B. Risk management C. Human resources management D. Strategic and long term planning KEY A Justification The fifth principle of governance of COBIT 5 is Separating Government from Management. The answers in Options B to D are, hence, wrong and Option A is correct. Module 3 Governance and Management of Enterprise Information Technology, Risk Management & Compliance 189 543. Covering the enterprise end-to-end, Applying a single integrated framework, Enabling a holistic approach and Separating Governance from Management are 4 of the 5 key principles of COBIT 5. Which is the fifth principle ? A. Risk management B. Human resources management C. Meeting Stakeholder needs D. Strategic and long term planning Key C Justification The fifth principle of governance of COBIT 5 is Meeting Stakeholder needs. The answers in Options A,B and D are, hence, wrong and Option C is correct. 544. Meeting Stakeholder needs, Covering the enterprise end-to-end, Applying a single integrated framework, and Separating Governance from Management are 4 of the 5 key principles of COBIT 5. Which is the fifth principle ? A. Enabling a holistic approach B. Human resources management C. Risk management D. Strategic and long term planning KEY A Justification The fifth principle of governance of COBIT 5 is Enabling a holistic approach. The answers in Options B to D are, hence, wrong and Option A is correct. 545. Which is the ISO standard for corporate governance ? A. ISO 31000 B. ISO 27001 C. ISO 20100 D. ISO 38500 Key D Justification The ISO standard for corporate governance is ISO 38500. The other Options are, hence, wrong and Option D is correct. 546. Which is the ISO standard for IT risk management ? A. ISO 31000 Module 3 Governance and Management of Enterprise Information Technology, Risk Management & Compliance 190 B. ISO 38500 C. ISO 27001 D. ISO 20100 KEY A Justification The ISO standard for IT risk management is ISO 31000. The answers in Options B to D are, hence, wrong and Option A is correct. 547. Which is the ISO standard for Risk management ? A. ISO 38500 B. ISO 27001 C. ISO 31000 D. ISO 20100 Key C Justification The ISO standard for IT risk management is ISO 31000. The answers in other Options are, hence, wrong and Option C is correct. 548. A company has developed a mobile phone which is unique for its simplicity and ease of use. During laboratory tests, it finds that the product is really robust and rarely fails. The industry norm is that mobile phone manufacturers invariably offer customers the comfort of prompt and efficient after sales service, including repair. After a lot of introspection, the company decides that the probability of failure of their product was so low and it would not be worth their while to invest in a network of servicing facilities. They decided, instead to offer a free replacement in the event of failure of their product. In fact, they decided to leverage this itself as a marketing strategy for their product and it turned out to be a roaring success. What type of risk management strategy has the company adopted in this case ? A. Terminate/eliminate the risk B. Transfer/share the risk C. Tolerate/accept the risk D. Treat/mitigate the risk Key C Justification The company has obviously chose to tolerate/accept the risk in view of the low probability of its occurrence and likely lower cost of incurring the risk. The answers in other Options are, hence, wrong and Option C is correct. Module 3 Governance and Management of Enterprise Information Technology, Risk Management & Compliance 191 549. A company markets agro chemicals on a pan India basis. Farmers use agro chemicals, typically, only when they perceive a pest attack and would like to act immediately then to save their crop. Hence, prompt and speedy availability is the main driver for sales of this product. The company, which had its manufacturing facility located in South India, found that it invariably lost out in meeting the demand from the Northern States owing to their inability to reach their product in time to meet such unpredictable demand. Since the market size being lost out was substantial as compared to the cost of setting up a new plant, they ultimately decide to set up a new manufacturing facility in Punjab which could ensure availability of product in a timely fashion. What type of risk management strategy has the company adopted in this case ? A. Terminate/eliminate the risk B. Tolerate/accept the risk C. Transfer/share the risk D. Treat/mitigate the risk KEY A Justification The company has obviously chosen to terminate/eliminate the risk after weighing the pros and cons of loss of business/profit versus cost of setting up a new manufacturing facility. The answers in Options B to D are, hence, wrong and Option A is correct. 550. Section 49 C of the Listing Agreement of SEBI addresses the need for _________________ A. Minimum public shareholding percentage B. Creation of a board sub-committee for auditing C. Board disclosures related to risk management & states D. Compliance with government regulations Key C Justification This section relates to need for Board disclosures related to risk management & states. Hence, answer at Option C is correct and the other options are incorrect. 551. Section 49 V of the Listing Agreement of SEBI deals with _________ A. Board disclosures related to risk management & states B. Minimum public shareholding percentage C. Creation of a board sub-committee for auditing D. CEO/CFO certification, among other things, of internal controls Key D Module 3 Governance and Management of Enterprise Information Technology, Risk Management & Compliance 192 Justification This section of SEBI’s Listing agreement relates to need for CEO/CFO certification accepting, among other things, responsibility for establishing and maintaining internal controls. Hence, answer at Option D is correct and the other options are incorrect. 552. Section 49 (VII) of the Listing Agreement of SEBI deals with ____________ A. Creation of a board sub-committee for auditing B. Compliance aspects & certificate of compliance C. Minimum public shareholding percentage D. Compliance with government regulations Key B Justification This section of the Listing Agreement of SEBI deals with compliance aspects and the need for certificate either from the auditors or the company secretary regarding compliance of conditions of corporate governance. Hence, answer at Option B is correct and the other options are incorrect. 553. How can a Governance-Risk-Compliance (GRC) program be enhanced from merely ensuring compliance to ensuring performance too ? A. Reward compliance at all levels B. Ensure Risk-Reward ratio is commensurate with the cost/investment C. Implement GRC program using GEIT (Governance of Enterprise IT) framework D. Implement GRC utilising external resource like auditor Key C Justification A GRC program will basically ensure compliance. However, the GEIT framework focuses on benefit realization, risk optimization and resource optimization. Hence, implementing a GRC program using the GEIT framework will help achieve both the objectives of compliance as well as performance. Hence, Option C is the correct answer. 554. Apart from Clause 49 of the SEBI Listing agreement, which is based upon SOX provisions, which other mandatory provision exists on internal controls for corporate in India ? A. The Indian Companies Act, The Companies (Auditor’s Report) Order 2003 B. Information Technology Act 2008 C. Sarbanes Oxley Act, 2003 D. COBIT 5 KEY A Module 3 Governance and Management of Enterprise Information Technology, Risk Management & Compliance 193 Justification Mandatory provisions on internal controls do exist, as per CARO, as brought out in Option A above. The IT Act has no such provision, the SOX Act applies in the USA and COBIT 5 is not an Act but a framework. Hence, answer at Option A above is correct. 555. State True or False. Under GRC (Governance, Risk and Compliance) norms, compliance refers exclusively to compliance with statutory Laws and Regulations; compliances with internal policies of an organization are not a part of it. A. TRUE B. FALSE Key B Justification Compliance under GRC refers both to external compliances, in terms of statutory laws and regulations, as also internal compliances with regard to policies of an organization. Hence, the above statement is false and answer at Option B is correct. 556. Principles, policies & framework, (b) Processes, (c) Organization structure, (d) Roles, responsibilities & risks of IT department, (e) Information and (f) Services, infrastructure & applications are six of the seven enablers of COBIT 5. Which is the 7th enabler ? A. Planning & communication B. Delegation of authority C. Compliance with statutory regulations D. Culture, ethics & behaviour Key D Justification Culture, Ethics & Behaviour is the 7th enabler under COBIT 5. Hence, answer at Option D is the correct one. 557. Principles, policies & framework, (b) Processes, (c) Organization structure, (d) Roles, responsibilities & risks of IT department, (e) Culture, ethics & behaviour and (f) Services, infrastructure & applications are six of the seven enablers of COBIT 5. Which is the 7th enabler? A. Information B. Planning & communication C. Delegation of authority D. Compliance with statutory regulations KEY A Justification Module 3 Governance and Management of Enterprise Information Technology, Risk Management & Compliance 194 Information is the 7th enabler under COBIT 5. Hence, answer at Option A is the correct one. 558. What is the purpose of Principles, policies and framework in an organization ? A. To control the employees B. To arrive at the business strategy of the organization C. To convey the management’s direction & instruction D. To comply with statutory regulations Key C Justification The purpose of Principles, policies and framework in an organization is to communicate downward the direction the management would like the organization to take and the means through which this can be done. They reflect the culture, ethics and values of the organization. The objective is not to control the employees; not are they in compliance with statutory regulations. Principles, policies and framework are not drawn up for the purpose of business strategy; however, the strategy will evolve based upon these elements and other strategic inputs like the market, competition, etc. Hence, answer at Option C is the correct one. 559. Apart from being effective and efficient, what other characteristic should a good policy possess ? A. To control the employees B. Making sense & appearing logical to those who have to comply with them C. To arrive at the business strategy of the organization D. To comply with statutory regulations Key B Justification The third important attribute of any good policy is that it makes sense and appears logical to those who are required to comply with them. But for this, policies would fail in actual practice during implementation for want of buy in. Hence, answer at Option B is the correct one. 560. Processes are one of the 7 enablers of Governance of Enterprise IT under COBIT 5. What are the types of processes distinguished under COBIT 5 ? A. Strategy processes and action processes B. Group processes versus individual processes C. Governance processes and management processes D. Macro versus micro processes Key C Justification Module 3 Governance and Management of Enterprise Information Technology, Risk Management & Compliance 195 COBIT 5 distinguishes between governance and management processes with the latter concerned more with performance matters. Answer at Option C is the correct one. 561. How does the RACI (Responsible, Accountable, Consulted, Informed) model help in an organization ? A. Helps clarify roles and responsibilities B. Facilitates documentation of processes C. Basis for development of organization chart D. Accelerates decision-making process KEY A Justification The RACI model helps clarify roles and responsibilities and is particularly of value in cross departmental projects and processes. Answer at Option A is the correct one. 562. In Governance of Enterprise IT, the IT Strategy Committee should include _____________ A. Board members alone, considering the strategic content B. Non-Board members alone, considering the need for implementation support C. Both Board as well as non-Board members D. Board members and IT managers alone Key C Justification The IT Strategy Committee should have representation from Board as well as non-Board members, with representation from all divisions. Answer at Option C is the correct one. 563. Which of the following has primary responsibility for implementation of Governance of Enterprise IT ? A. The Managing Director or CEO of the Organization B. The CIO of the organization C. The IT Strategy Committee D. The IT Steering Committee Key C Justification It is the IT Strategy Committee whose primary responsibility it is to implement GEIT, while the accountability is of the Board of Directors itself. Answer at Option C is the correct one. 564. Which of the 7 enablers of COBIT 5 is considered the most important ? Module 3 Governance and Management of Enterprise Information Technology, Risk Management & Compliance 196 A. Organization structure B. Principles, policies & framework C. Processes D. Information Key D Justification Information is considered the most important of the enablers of COBIT 5. Answer at Option D is the correct one. 565. What is most important in developing a performance management system ? A. Deciding on incentive schemes B. Identifying enterprise goals & their linkage to operating environment C. Developing clear organization structure D. Benchmarking with industry Key B Justification The most important aspect of performance management development is ensuring that organizational goals, vision, mission are cascaded downwards to all, establishing a clear linkage. But for this, the entire exercise would be fruitless since the performance could be directed at goals other than those established through the vision / mission of the organization. Answer at Option B is the correct one. 566. A good performance management system assesses performance against goals through Key Goal Indicators. Simultaneously, it monitors performance of process through _________ A. Work flow indicators B. Moving average indicators C. Key Process Indicators D. Industry benchmarks Key C Justification Monitoring of performance of process is through the Key Process Indicator. Hence, the answer at Option C is the correct one. 567. The approach of using lead indicators for performance measurement is called __________ A. Reactive approach Module 3 Governance and Management of Enterprise Information Technology, Risk Management & Compliance 197 B. Retroactive approach C. Proactive approach D. Retrospective approach Key C Justification The approach of using lead indicators for performance measurement is called Proactive approach. Hence, the answer at Option C is the correct one. 568. The approach of using lag indicators for performance measurement is called ? A. Proactive approach B. Reactive approach C. Retroactive approach D. Retrospective approach Key B Justification The approach of using lag indicators for performance measurement is called Reactive approach. Hence, the answer at Option B is the correct one. 569. Where is the Capability Maturity framework of Performance Management Systems generally used? A. Hardware Development Company B. Research & Development institution C. Software Development Company D. Educational institutions Key C Justification The Capability Maturity framework of Performance Management Systems is generally used in the software development companies. . Hence, the answer at Option C is the correct one. 570. Mr Johnson has just taken charge as Head of a fledgling educational institution which has not had a good track record. He feels that he has his task cut out for him he needs to focus more on the lead parameters rather than lag indicators so that he can create sustainable results. Which of the following would be an example of lead indicators ? A. Number of passes by students in the Matriculation examination B. Number of all-India rank holders from the school in the Matriculation examination C. Number of failures in the Matriculation examination Module 3 Governance and Management of Enterprise Information Technology, Risk Management & Compliance 198 D. Number of hours of refresher courses attended by teachers Key D Justification The correct answer would obviously be the number of hours of refresher courses. Hence, the answer at Option D is the correct one. 571. In Governance, value creation happens through Benefits Realisation, Risk optimization & Resource Optimization decisions taking into account _________ A. All Stakeholders’ needs B. All Shareholders’ needs C. Organizational goals D. Organizational vision, mission KEY A Justification In Governance, all stakeholders’ needs should be taken into account while taking decisions related to benefits realization, risk optimization & resource Optimization. Hence, the answer at Option A is the correct one. 572. Which framework specifically enables users to relate their enterprise’s current business & IT environment to specific objectives & relevant processes ? A. Quality management system B. Six Sigma approach C. COBIT 5 framework D. Blue Ocean framework Key C Justification While many frameworks may address such linkages generically, the advantage of COBIT 5 is that it specifically enables users to relate their enterprise’s current business and IT environment to specific objectives and relevant processes. Hence, the answer at Option C is the correct one. 573. The Balanced Score Card is an invaluable management tool that helps translate strategy into action and also for ________________ A. Balancing share holders needs with employee needs B. Bringing non-financial indicators into better focus C. Balancing needs of multiple functions within an organization D. Balancing lead and lag indicators Module 3 Governance and Management of Enterprise Information Technology, Risk Management & Compliance 199 Key B Justification As brought out in Option B above, one of the major advantages of the Balanced score card mechanism is its ability to focus on non-financial indicators too, thus bringing in a balance between financial & non-financial parameters. The answers in other Options are incorrect. 574. The Balanced Score Card is designed to ensure that performance metrics and strategic themes are balanced with financial & non-financial, operational & financial, lead & lag indicators. Financial, Customer & Internal Business process perspectives are three of the four perspectives of BSC. The fourth perspective is _________________. A. Learning & Growth B. Shareholders versus Employees C. Short term versus Long term D. Lead and lag indicators KEY A Justification As brought out in Option A above, the fourth perspective of BSC is Learning & Growth. The answers in Options B to D are incorrect. 575. The Balanced Score Card ____________ A. Is meant for the use of only the senior level executives B. Cannot be linked to the IT goals & objectives C. Cannot be the basis for performance incentives D. Can be cascaded down to all levels of the organization Key D Justification As brought out in Option D above, the BSC can, indeed, be cascaded down to all the levels of organization. The answers in other options are incorrect. 576. What is the most important aspect of the CIMA Strategic Score Card approach ? A. Focuses exclusively on strategy matters B. Focuses exclusively on IT governance & strategy aspects C. Addresses conformance as well as performance, focussing on strategic issues D. Unlike the Balanced Score card, it focuses on lead indicators alone Key C Module 3 Governance and Management of Enterprise Information Technology, Risk Management & Compliance 200 Justification The CIMA Strategic Score Card approach addresses both conformance as well as performance, focussing on strategic issues. The answers in other options are incorrect. 577. Strategic position, Strategic options and Strategic implementation are three of the four basic elements of the CIMA Strategic Score card. What is the fourth element ? A. Strategic Risks B. Strategic Conformance C. Strategic Performance D. Strategic IT KEY A Justification The fourth element of the CIMA Strategic Score Card approach is Strategic Risks. The answers in Options B to D are incorrect. 578. What is fundamental to the Capability Maturity Model Integration (CMMI) ? A. Used universally, except in the I.T. industry B. Is superior to COBIT 5 which does not have process capability C. It is a process improvement approach D. Focuses on internal process alone Key C Justification The CMMI model is a process improvement approach & is a preferred model for the IT industry. COBIT 5, too, has process capability built in. CMMI addresses all processes. Hence, answer at Option C above alone is correct. 579. What is the essence of Total Quality Management strategy ? A. Focus exclusively on products & services rather than processes B. Producing best quality products C. Focus on exclusively on processes as a means to an end D. Achieving long term success through customer satisfaction Key D Justification TQM strategy aims at achieving long term success through customer satisfaction. It aims to do this through quality management at all levels, improving products, services, processes as also culture. Hence, answer at Option D above alone is correct. Module 3 Governance and Management of Enterprise Information Technology, Risk Management & Compliance 201 580. State True or False. The guidelines for specific processes and procedures in COBIT 5 have been designed robustly with the latest best practices incorporated. While implementing the framework, these processes / procedures need to be kept intact and not tweaked or tinkered with. A. FALSE B. TRUE KEY A Justification The design of processes and procedures suggested in COBIT 5 need to be tailored appropriately to suit the needs of the enterprise’s culture, management style & IT environment. The recommended best practices, too, should be adapted to suit the particular enterprise where it is being implemented. Hence, the statement in the Stem is incorrect and the answer at Option A is correct. 581. One of the primary reasons for implementing Governance of Enterprise IT (GEIT) is to alleviate pain points in the organization. Another major reason is ______________ A. Ensure up-to-date technology B. Trigger events like merger/acquisition, new regulations, etc. C. Achieve stake holder satisfaction D. Higher vulnerability of IT compared to other functions Key B Justification The other major reasons for implementing GEIT are trigger events which create changes in the environment. Answers in Options A and C may also be factually true but are not necessarily major reasons for implementing GEIT. Answer in Option D is not correct. Hence, the answer at Option B is correct. 582. Which one of the following could be a Critical Success factor in GEIT implementation ? A. The project is handled exclusively & in isolation to day-to-day business B. Execution authority & responsibility is retained at the highest levels C. Top management provides direction and mandate D. Trigger events like merger/acquisition, new regulations, etc. Key C Justification One of the critical success factors above is the need for top management to provide direction and mandate for the project, as indicated in Option C. Integration of the project with day-to-business is Module 3 Governance and Management of Enterprise Information Technology, Risk Management & Compliance 202 essential for the success of the project contrary to what is stated in Option B. Similarly, authority & responsibility have to be cascaded down to the level at which project implementation happens, ideally at the level of an anchor person. Trigger events may precipitate the implementation of GEIT but cannot be critical success factors. Hence, the answer at Option C is correct 583. Which one of the following could be a Critical Success factor in GEIT implementation ? A. Trigger events like merger/acquisition, new regulations, etc. B. The project is handled exclusively & in isolation to day-to-day business C. Focus on quick wins to demonstrate benefit & build confidence D. Execution authority & responsibility is retained at the highest levels Key C Justification Early successes help instil confidence in the initiative & stimulate co-operation, as indicated in Option C. Trigger events may precipitate the implementation of GEIT but cannot be critical success factors. Integration of the project with day-to-business is essential for the success of the project contrary to what is stated in Option A. Similarly, authority & responsibility have to be cascaded down to the level at which project implementation happens, ideally at the level of an anchor person. Hence, the answer at Option C is correct. 584. What should be the first phase of GEIT implementation ? A. Forming an implementation team B. Communication desired vision C. Enable operation & use D. Establish desire to change, stressing pain points, trigger events Key D Justification The first phase of GEIT implementation is preparing the ground for the project to take off and targeting the mind sets of the people concerned. This can be done by identifying the pain points / trigger events as also the consequences of inaction for the organization as well as the individual. The answers in other options can be successive steps in the project implementation and not the initial one. Hence, the answer at Option D is correct. Module 3 Governance and Management of Enterprise Information Technology, Risk Management & Compliance 203 585. What should be the final phase of GEIT implementation ? A. Establish desire to change, stressing pain points, trigger events B. Communication desired vision C. Sustain changes through conscious reinforcement D. Enable operation & use Key C Justification Any initiative, however good it may be, will not yield the desired results unless mechanisms are built in for sustaining the momentum which has been gained in the initial launch. This can be done, as pointed out in Option C above, through conscious reinforcement & continuous top management commitment. The answers in the other options are intermediate phases in the GEIT implementation process and, hence, are not correct. 586. In line with ISO/IEC 38500, Governance processes under COBIT 5 are based upon the principles of ______________ A. Evaluate, Direct, Monitor B. Align, Plan & Organize C. Monitor, Evaluate & Assess D. Build, Acquire and Implement KEY A Justification Governance process under COBIT 5 are based upon the principles of Evaluation of strategic options, Direction to IT & Monitoring of the outcome. Hence, answer in Option A above is correct and the other answers are wrong. 587. The most critical factor in implementing GEIT is ______________ A. Taking a bottom-up perspective B. Identifying implementation scope & objectives, prioritization of processes C. Availability of trained individuals to spearhead the project D. Organization chart combined with Delegation of Authority Key B Justification The most critical factor in implementing GEIT is identifying implementation scope and objectives as also prioritization of processes, as shown in Option B. Answers in other options are not correct. Hence, answer in Option B above is correct. Module 3 Governance and Management of Enterprise Information Technology, Risk Management & Compliance 204 588. How is alignment of strategic IT Plans with business done? A. Holding regular meetings with IT department participation B. Having an IT department nominee in non-IT meetings C. Clearly communicating the objectives & accountabilities D. Taking a bottom-up perspective Key C Justification Alignment of strategic IT Plans with business is done by clearly communicating the objectives & accountabilities so that they are understood by all & IT strategic options are integrated with the business plans as required. Hence, Option C is the correct answer. 589. Which one of the following is a key management practice for aligning IT strategy with enterprise strategy ? A. Identify gaps between current & target environments B. Taking a bottom-up perspective C. Holding regular meetings with IT department participation D. Having an IT department nominee in non-IT meetings KEY A Justification Identifying gaps between the current & target environments is one of the key management practices for aligning IT strategy with enterprise strategy. Hence, Option A is the correct answer. 590. How is Value Optimization of IT achieved ? A. Going in for low cost IT equipment B. Replacing full time IT employees with outsourced personnel C. Taking a bottom-up perspective D. Value Optimization of business processes, IT services & assets Key D Justification Value Optimization of IT is achieved through value optimization of business processes, IT services & IT assets. Hence, Option D is the correct answer. 591. Which of the following metrics could be used for evaluation of value optimization ? A. Number of low cost IT equipment procured during a financial year B. Replacing full time IT employees with outsourced personnel Module 3 Governance and Management of Enterprise Information Technology, Risk Management & Compliance 205 C. Percentage of IT enabled investments where claimed benefits were met or exceeded D. Wage cost reduction through non-filling of some vacant IT positions Key C Justification One metric which could be used for evaluation of value optimization could be the percentage of IT enabled investments where claimed benefits were met or exceeded. Answers in other options, however, will not meet the requirement. Hence, Option C is the correct answer. 592. COBIT 5 has a resource governance process to ensure that resources needs of the enterprise are met in an optimal manner. Which one of the following is key governance process to be followed ? A. Evaluate, Direct and Monitor resource management B. Build, Acquire and Implement C. Align, Plan & Organize D. Monitor, Evaluate & Assess KEY A Justification The key governance process to be followed in this case is Evaluate, Direct and Monitor resource management as brought out in Option A. The answers in the other options B to D are incorrect and not applicable to the instant case. 593. Which one of the following is an important tool used for managing & monitoring service providers ? A. Regular meetings B. Third party inspection arrangements C. Service Level Agreements (SLAs) D. Cost comparison through industry benchmarking Key C Justification While all the answers in the options above may be true to some extent or the other, the most important tool used for managing & monitoring service providers are Service Level Agreements which play the role not only of enforceability of commitments but, simultaneously, of capturing clearly the responsibilities of both parties as also other aspects like delivery expectations, escalation clauses, penalties, etc. Hence, the answer in Option C above is correct and the rest can be deemed to be wrong. 594. The success of capacity management would depend most upon which one of the following factors ? A. Historical trend of capacity expansions Module 3 Governance and Management of Enterprise Information Technology, Risk Management & Compliance 206 B. Availability of precise and timely business forecasts C. Cost comparison through industry benchmarking D. Availability of adequate funds for procurement Key B Justification Capacity Management success would depend to a great extent upon the availability of precise and timely business forecast, as indicated in the answer in Option B. The answers in other options are incorrect. 595. With reference to Capex & Opex, how can valuation of any business be improved ? A. Increasing Capex & proportionately reducing Opex B. Reduction in Opex irrespective of impact on day-to-day operations C. With Capex constant, reduction in Opex without hurting day-to-day operations D. Increasing both Capex & Opex with the objective of increased profits Key C Justification In general, industry prefers to restrict Capex & also optimize Opex to get best results for stakeholders. Capex is considered undesirable owing to restrictions on dividend cost being allowed as a business cost for tax purposes unlike Opex. However reduction in Opex can hurt operations too, leading to reduced profits. Hence, the ideal situation would be, while Capex is kept constant, Opex is reduced without hurting day-to-operations, as indicated in Option C above. The answers in other 0ptions are incorrect. 596. What is Information ? A. It is a collection of data which need not necessarily have meaning for its user B. It is restricted to data in the form of numbers C. It is data which is not necessarily specific & organized D. It is all data processed in a meaningful context Key D Justification Information is data processed in a meaningful context. It is specific & organized and has value to the user. It includes all forms of information like numbers, text, images, sound, codes, etc. Hence, the answer at Option D is correct & the other options incorrect. 597. State TRUE or FALSE. When the Information System Auditor delegates work to others, he will continue to be responsible for forming and expressing his opinion on auditee environment as per the scope and objectives of the audit. Module 3 Governance and Management of Enterprise Information Technology, Risk Management & Compliance 207 A. TRUE B. FALSE KEY A Justification The responsibility for forming and expressing opinion on auditee environment rests with the IS Auditor even in respect of work he delegates to others. Hence, answer at Option A above is correct. 598. Are Audit professionals considered to be the most appropriate professionals to audit Information Systems (rather than IT professionals) ? A. No; since they do not have adequate expertise in Information Technology B. Yes; since it involves the evaluation of internal controls in computerized business processes C. No; since Information systems have built-in safeguards and an audit would be superfluous D. Yes; but only to the extent of regulatory matters about which they are proficient Key B Justification Audit professionals are, indeed, considered to be the most appropriate professionals to audit Information systems since knowledge of business processes is extremely critical for such audit, more than that of technical knowledge of Information technology. What is required is an audit professional who has supplemented his audit/financial/regulatory background with knowledge of the basics of Information technology. Hence, answer at Option B above is correct. IS can build safeguards to meet all contingencies. The other answers are, therefore, incorrect. 599. Risk in Information Technology ____________ A. Can be depicted as hierarchically dependent upon other risk categories B. Does not impact on long term strategy C. Can also be defined as Threat exploiting Vulnerabilities D. Is not considered operational in financial industry as per Basel II framework Key C Justification Since Information systems impinge on each and every part of an organization’s business today, any risks in IT would automatically extend to all aspects of the business. It is, in fact, considered even an operational risk in the financial industry as per Basel II framework. However, since it is relevant to different aspects of an organization, it is not to be depicted as hierarchically dependent upon other risk categories. Hence, answers in Options A, B and D are incorrect. However, the definition given in Option C is correct it is, in a way, threat exploiting vulnerabilities. Hence, answer at Option C above is correct. 600. What is the Risk Universe ? A. Is restricted to selected components of the business Module 3 Governance and Management of Enterprise Information Technology, Risk Management & Compliance 208 B. Is restricted to the enterprise & excludes suppliers, service providers, clients C. It needs to be defined & frozen for a reasonable period of time of about 5 years D. It defines the overall environment & provides a structure for managing the IT risk Key D Justification The Risk Universe extends to the overall environment, covering all stake holders including suppliers, service providers & clients. It aims at providing a structure for managing IT risk. It crosses functional silos and is intended to cover end-to-end business perspective. It needs to be dynamic & updated regularly to be aligned with changes in the environment. Hence, answer at Option D alone is correct. 601. During 2009, the Satyam Computers scandal broke out. The Company’s Chairman admitted to falsification of accounts to the tune of U.S. $ 1.47 billion. The auditors for this company were mainly exposed to what type of risk ? A. Audit Risk B. Financial Risk C. Procedural Risk D. IT Risk KEY A Justification Audit risk refers to the risk that an auditor may issue unqualified report due to the auditor’s failure to detect material misstatement either due to error or fraud. The cited example clearly refers to such a situation and, hence, answer at Option A above is the correct answer. 602. Audit risk is _______________ A. A product of control risk & detection risk B. A product of inherent risk, control risk & detection risk C. Sum of inherent risk, control risk & detection risk D. A product of inherent risk and detection risk Key B Justification Audit risk refers to the risk that an auditor may issue unqualified report due to the auditor’s failure to detect material misstatement either due to error or fraud. It is a product of inherent risk, control risk & detection risk. Hence, answer at Option B alone is correct. 603. In the case of IS Audit, materiality is _____________ A. Based upon value and volume of transactions B. Based on impact of non compliance Module 3 Governance and Management of Enterprise Information Technology, Risk Management & Compliance 209 C. Consequence of risk in terms of potential loss D. A product of inherent risk and detection risk Key C Justification Materiality in IS Audit is a consequence of risk in terms of potential loss. Hence, answer at Option C is correct while the other answers are incorrect. 604. In the case of Financial audit, materiality is ______________ A. Based upon value and volume of transactions B. Based on impact of non compliance C. Consequence of risk in terms of potential loss D. A product of inherent risk and detection risk KEY A Justification Materiality in Financial Audit is based upon value and volume of transactions and the relevant error or discrepancy or control weakness detected. Hence, answer at Option A is correct while the other answers are incorrect. 605. In the case of Regulatory audit, materiality is _________________ A. Based upon value and volume of transactions B. Consequence of risk in terms of potential loss C. Based on impact of non- compliance D. A product of inherent risk and detection risk Key C Justification Materiality in Regulatory Audit is based upon the impact of non-compliance with regulations. Hence, answer at Option C is correct while the other answers are incorrect. 606. Internal Controls _______________ A. Are restricted to tools for prevention of risks alone B. Focus exclusively on financial rather than non-financial risks C. Are driven exclusively by automated computerised systems D. Facilitate achievement of business objectives & management of risks Key D Justification Module 3 Governance and Management of Enterprise Information Technology, Risk Management & Compliance 210 Internal controls are designed to assure the management that the organization’s business objectives will be achieved and risk events prevented or detected and corrected. They target prevention as well as detection & correction and are aimed at both financial as well as non-financial risks. They can be driven either by automated computerised systems or even manual systems. Hence, answer at Option D alone is correct. 607. Internal Controls ________________ A. Target risk management rather than achievement of business objectives B. Comprise Preventive, Detective & Corrective controls C. Are driven exclusively by automated computerised systems D. Focus exclusively on financial rather than non-financial risks Key B Justification Internal controls are designed to assure the management that the organization’s business objectives will be achieved and risk events prevented or detected and corrected. They target prevention as well as detection & correction and are aimed at both financial as well as non-financial risks. They can be driven either by automated computerised systems or even manual systems. Hence, answer at Option B alone is correct. 608. Internal Controls _______________ A. Are the sum total of IT General controls and IT Application Controls B. Focus exclusively on prevention of errors or irregularities C. Are driven exclusively by automated computerised systems D. Focus exclusively on financial rather than non-financial risks KEY A Justification Internal controls are designed to assure the management that the organization’s business objectives will be achieved and risk events prevented or detected and corrected. They target prevention as well as detection & correction and are aimed at both financial as well as non-financial risks. They can be driven either by automated computerised systems or even manual systems. They include General controls which encompass all administrative areas and Application controls which are related to specific application software. Hence, answer at Option A alone is correct. 609. The authority, scope and responsibility of the Information System Audit function is ________________ A. Defined by the I.T. Head of the organization, as the expert in the matter B. Defined by the various functional divisions, depending upon criticality C. Defined by the audit charter approved by the senior management/Board D. Generated by the Audit division of the organization Module 3 Governance and Management of Enterprise Information Technology, Risk Management & Compliance 211 Key C Justification The authority, scope and responsibility of the Information system audit is invariably defined by the audit charter which is approved by the senior management and, most often, by the Board of Directors. It is not left to the Audit division, the IT Head or the functional heads to decide on this. Hence, answer at Option C alone is correct.. 610. Audit objectives, in general _____________ A. Are not concerned with substantiation of internal controls B. Refer to the specific goals that must be met by audit C. Are not concerned with how internal controls function D. Are derived & stated at the end of the audit process Key B Justification Audit objectives refer to the specific goals that must be met by audit. This is in contrast to a control objective which refers to how an internal control functions. They often focus on substantiating the existence of internal controls & the appropriateness of functioning. They are invariably set down at the beginning of the audit process. Hence answer at Option B alone is correct. 611. The major purpose of Information Systems Audit is whether _____________ A. Internal control system design is robust & operated effectively B. Financials are properly reflected in the books of the organization C. All the hardware in the organization have appropriate warranties D. All the software in the organization have valid licences KEY A Justification A major purpose of Information Systems audit is whether the internal control system design is robust and is operated effectively. It is not directly related to ensuring financial correctness or to validate warranties/licences for hardware/software. Hence, answer at Option A alone is correct. 612. A Request for Proposal (RFP) _______________ A. Is sent by prospective supplier to buyer, seeking information B. Will help identify the lowest-priced bidder as the successful bidder C. Is used for acquiring services &, sometimes, goods D. Is used exclusively for buying goods and not services Key C Module 3 Governance and Management of Enterprise Information Technology, Risk Management & Compliance 212 Justification A RFP is used primarily for acquiring services and, on occasion, goods. It comprises a complete description of the buyer’s requirements of the service/product. The successful bidder in this process need not necessarily be the lowest-priced; non-financial aspects like credibility, technical superiority, etc. will also be taken into account to arrive at the optimal supplier. Hence, answer at Option C alone is correct. 613. You are advising your client on the selection & appointment of an IT service provider. You suggest that the client should go through a Request for Proposal (RFP) process for best results. Your client is happy with your suggestion but requests that not all aspects of the selection process be publicised up-front. For, the client had faced situations in the past wherein, openness in such matters had lead to issues of disputes with suppliers who were rejected in the selection process. The client’s argument is that, in any case, the selection will be on a fair and equitable basis & the idea is just to avoid giving too much information to the bidders and create the potential for nuisance attacks by mischievous, unsuccessful bidders. As a Chartered Accountant, would your suggestion be to clearly spell out the selection criteria or leave it ambiguous ? A. Clearly spell out the selection criteria B. Leave the selection criteria ambiguous KEY A Justification It would be best to clearly spell out all the selection criteria. For, it would give confidence to the potential bidders about the credibility of the buyer and also avoid build up of un-necessary cushions to take care of any unknown contingencies. Also, ambiguities cut both ways & may provide loopholes for unscrupulous bidders to wriggle out of commitments or raise disputes. Contractually & legally speaking, too, such a RFP will strengthen the organization’s hands in the event of any default or failure on the part of the chosen supplier. Hence, answer at Option A alone is correct. 614. What are the elements common to both the Audit Charter and Audit Engagement Letter ? A. Responsibility, Authority & Professional Fees payable B. Responsibility, Authority & Travel expenses budget for auditors C. Responsibility, Authority & Accountability Key C Justification The elements common to both the Audit Charter & Audit Engagement Letter are Responsibility, Authority & Accountability. Aspects like the Professional fees payable, travel expenses budget for auditors, etc. are generally dealt with in the Engagement Letter and not in the Charter. Hence, answer at Option C alone is correct. 615. Based upon scope, objectives, etc. drawn up in consultation with the senior management of an organization, an experienced audit team which has sound Module 3 Governance and Management of Enterprise Information Technology, Risk Management & Compliance 213 knowledge of I.T. has completed & filed its preliminary audit report of the I.T. department of the organization. On receiving the draft report, the officials in the I.T. department react negatively to the report. They argue that the bulk of the conclusions drawn in the report, the information reported, etc. are erroneous. They question the validity of the findings. In your view, which one of the following could be the likely major cause for this situation ? A. Lack of adequate technical IT knowledge of the auditing team B. Poor quality of audit by the team C. Malafide intentions of the auditee team D. In-effective communication with Auditee & buy-in Key D Justification It is clear that the auditing team is a competent one with sound knowledge of I.T. It is unlikely that the auditee team deliberately sought to scuttle the auditing team’s report. For, given the fact that they have the top management’s approval, the I.T. department cannot hope to gain anything by throwing mud on the auditing team. If the auditee still questions the validity of the team’s report, the single major cause which can be inferred from the question stem is that the communication to the auditee has not been carried out in an effective manner & adequate steps have not been taken to secure auditee buy-in for the process . Hence, answer at Option D appears to be more appropriate. 616. You have just taken on the Audit of a large, established multinational company with operations spread geographically across continents. You need to draw up detailed scope of the proposed audit of the organization in consultation with its top management. Your approach would be to focus upon _____________ A. Areas identified to be high risk &/or high significance to the organization B. Sample audit of each and every geographical unit of the organization C. Sample audit of each and every function in the organization D. Areas related to I.T. software and hardware alone KEY A Justification Given the fact that any audit team would have limitations in terms of auditing resources as well as budget, it would have to get maximum mileage for the auditee with the limited resources at its disposal. Hence, rather than spreading itself too thin by trying to audit as many areas as possible, the ideal strategy would be to arrive at a consensus regarding a few areas of high risk as also high significance for the organization. Auditing these areas alone initially would help maximise the value of the auditing exercise. Hence, answer at Option A is the most appropriate one. 617. You have just taken on the Audit of a large, established company with diverse businesses involving manufacturing as well as trading. You are now at the planning stage & need to draw up your draft audit plan for clearance by the top management. What is the most important planning activity involved at this stage of the exercise ? A. Historical financial for the organization Module 3 Governance and Management of Enterprise Information Technology, Risk Management & Compliance 214 B. Cost of carrying out the audit C. Thorough understanding of the nature of each of the businesses & nuances D. Number of people required for carrying out the auditing exercise Key C Justification Considering the diverse nature of the organization’s businesses as also its existence both in trading as well as manufacturing, the fundamental drivers of these areas of business are likely to be totally different. The most important part of the planning exercise would hence be the thorough understanding of each of the organization’s businesses & its nuances. This alone will help the auditor to appreciate the areas of significance & high risk so that focus can be shifted to these areas for maximum results. Hence, answer at Option C above is the most appropriate. 618. Which are the three major categories of IS Controls ? A. Fiduciary, Quality & Security B. Financial, Quality & Security C. Audit, Quality & Security D. Economic, Financial & Quality KEY A Justification The major categories of IS Controls are Fiduciary, Quality & Security. Hence, answer at Option A above is the correct one. 619. The basic principles of Fiduciary Controls in Information Systems are ____________ A. Efficiency & Effectiveness of process, service or activity B. Reliability of information & Compliance with laws, regulations, etc. C. Confidentiality & Integrity of information D. Confidentiality, Integrity & Availability of information Key B Justification The basic principle of Fiduciary Controls in IS are reliability of information & compliance with laws, regulations, etc.. Hence, the correct answer is as per Option B. The other answers are incorrect. 620. The basic principles of Quality Controls in Information Systems are ____________ A. Reliability of information & Compliance with laws, regulations, etc. B. Confidentiality & Integrity of information C. Efficiency & Effectiveness of process, service or activity Module 3 Governance and Management of Enterprise Information Technology, Risk Management & Compliance 215 D. Confidentiality, Integrity & Availability of information Key C Justification The basic principle of Quality Controls in IS are efficiency & effectiveness of processes, services or activities. Hence, the correct answer is as per Option C. The other answers are incorrect. 621. The basic principles of Security Controls in Information Systems are ____________ A. Confidentiality, Integrity & Availability of information B. Reliability of information & Compliance with laws, regulations, etc. C. Efficiency & Effectiveness of process, service or activity D. Confidentiality & Integrity of information KEY A Justification The basic principle of Security Controls in IS are Confidentiality, Integrity & Availability of information. Hence, the correct answer is as per Option A. The other answers are incorrect. 622. Which of the following is one of the four KEY Areas which have to be understood by Information System Auditors prior to commencement of audit ? A. Thorough understanding of the business of the entity B. Efficiency & Effectiveness of process, service or activity C. Sales turnover & employee strength of the entity D. Status of entity whether government or private KEY A Justification One of the KEY Areas which have to be understood by Information System Auditors is thorough understanding of the business of the entity. Hence, the correct answer is as per Option A. The other answers are incorrect. 623. Which of the following is one of the four KEY Areas which have to be understood by Information System Auditors prior to commencement of audit ? A. Status of entity whether government or private B. Efficiency & Effectiveness of process, service or activity C. Organization structure, roles, responsibilities, policy framework, etc. D. Sales turnover & employee strength of the entity Key C Module 3 Governance and Management of Enterprise Information Technology, Risk Management & Compliance 216 Justification One of the KEY Areas which have to be understood by Information System Auditors is the organization structure, roles, responsibilities, policy framework. Hence, the correct answer is as per Option C The other answers are incorrect. 624. Which of the following is one of the four KEY Areas which have to be understood by Information System Auditors prior to commencement of audit ? A. Status of entity whether government or private B. Efficiency & Effectiveness of process, service or activity C. Sales turnover & employee strength of the entity D. IT infrastructure including capacities, age of software/hardware, etc. Key D Justification One of the KEY Areas which have to be understood by Information System Auditors is the IT infrastructure in terms of capacities, age of software/hardware, etc. Hence, the correct answer is as per Option D. The other answers are incorrect. 625. Which of the following is one of the four KEY Areas which have to be understood by Information System Auditors prior to commencement of audit ? A. Statutory regulations, standards, frameworks B. Status of entity whether government or private C. Efficiency & Effectiveness of process, service or activity D. Sales turnover & employee strength of the entity KEY A Justification One of the KEY Areas which have to be understood by Information System Auditors includes statutory regulations, standards & frameworks. Hence, the correct answer is as per Option A. The other answers are incorrect. 626. Section 7A of the Information Technology Act 2000 (as amended in 2008) addresses which of the following issues ? A. Damage liability to a corporate negligent handling of personal data B. Identity theft by corporate or individual C. Extension of audit coverage to documents, etc. in electronic form D. Publishing or transmission of obscene material Key C Justification Module 3 Governance and Management of Enterprise Information Technology, Risk Management & Compliance 217 Section 7A relates to extension of audit coverage to documents, records or information stored in electronic form. Hence, the correct answer is as per Option C. The other answers are incorrect. 627. Recently, there were reports of some criminal hacking of Facebook accounts and theft of passwords and other personal information. You, as a Facebook account holder, apprehend personal loss/damage and would like to proceed legally against the Facebook organization. You would like to issue a notice to them, to start with. Which Indian Act and which section of the Indian Act would you cite in your notice alleging violations ? A. Information Technology Act, 2000, Section 7A B. Right to Information Act, 2006, Section 43A C. Information Technology Act, 2000, Section 43 A D. Right to Information Act, 2006, Section 7A Key C Justification A Corporate’s liability to damages on negligent handling of personal information is covered by Section 43A of the IT Act, 2000. Hence answer in Option C is correct and the other options are wrong. 628. A famous cinema actor has learnt that his password and personal information on a social networking website have been compromised owing to suspected breach of the security of the relevant networking website. The actor is furious and feels that the potential for damage to his image and reputation is great. The actor is convinced that there has been negligence involved & is particular that the website needs to be taught a lesson and made to understand that such breaches in security leading to violation of privacy are not acceptable. He proceeds, therefore, to sue the website and seeks damages of the seemingly steep amount of Rs. 1000 crores. Is there any Indian Act which would cover this situation ? If so, which Act and which clause of the Act, do you think, the actor would be able to cite for claiming such a large quantum of damages ? A. Information Technology Act, 2000, Section 7A, damages limited to proven loss suffered B. Information Technology Act, 2000, Section 43 A C. Right to Information Security Act, 2006, Section 43A D. No Indian Act covers this situation &, hence, the actor’s claim may not be enforceable Key B Justification A Corporate’s liability to damages on negligent handling of personal information is covered by Section 43A of the IT Act, 2000. There is no upper limit specified for compensation under the Act &, hence, even a Rs. 1000 crore claim for damages would be tenable. Hence answer in Option B is correct and the other options are wrong. 629. An employee of an organization is caught using his official computer for sending offensive messages to one of his colleagues in the organization. Which Indian Act and which clause of the Act would cover this violation of the law ? Module 3 Governance and Management of Enterprise Information Technology, Risk Management & Compliance 218 A. Sarbanes Oxley Act, 2002, Sections 401 to 403 B. Information Technology Act 2000, Sections 7A, B and C C. Information Technology Act 2000, Sections 66 to 66F and 67 D. Right to Information Security Act, 2006, Section 7A Key C Justification The illegal act of sending offensive messages through electronic media is covered under Sections 66 to 66F and 67 of the Information Technology Act 2000. Hence answer in Option C is correct and the other options are wrong. 630. A small scale industry has developed an effective, organic mosquito repellent which shows great promise. Since they had limitations in terms of resources, capability to scale up operations & marketing, they decided to join hands with a large marketing company. They signed off on a contract for marketing of their product, working capital funding and long term product development in the larger company’s R& D laboratories. They also built in protective clauses on non-disclosure of manufacturing formula, secret ingredients, etc. which were provided to them as encrypted soft copies. After a few months, the small scale industry learns that the larger company has begun marketing a me-too product abroad, manufactured by another unit, utilising the knowledge obtained while manufacturing the small scale industry’s unique product. Since informal discussions on the subject failed to make progress, the small scale industry has decided to proceed legally against the larger company. Which Indian Act and which clause of the Act would support the small scale industry in their legal battle ? A. Sarbanes Oxley Act, 2002, Sections 401 to 403 B. Information Technology Act 2000, Sections 43A C. Right to Information Security Act, 2006, Section 7A D. Information Technology Act 2000, Section 72A Key D Justification Intentional disclosure of information, without the consent of the person concerned and in breach of lawful contract, is covered under Section 72A of the Information Technology Act 2000. Hence answer in Option D is correct and the other options are wrong. 631. A small scale industry has developed an effective, organic mosquito repellent which shows great promise. Since they had limitations in terms of resources, capability to scale up operations & marketing, they decided to join hands with a large marketing company. They signed off on a contract for marketing of their product, working capital funding and long term product development in the larger company’s R& D laboratories. They also built in protective clauses on non-disclosure of manufacturing formula, secret ingredients, etc which were provided to them as encrypted soft copies. After a few months, the small scale industry learns that the Module 3 Governance and Management of Enterprise Information Technology, Risk Management & Compliance 219 larger company has begun marketing a me-too product abroad, manufactured by another unit, utilising the knowledge obtained while manufacturing the small scale industry’s unique product. Under the Information Technology Act 2000, what is the potential punishment & penalty for such intentional disclosure of information, without the consent of the person concerned and in breach of lawful contract ? A. Fine of Rs. 3 lacs alone, no imprisonment B. Imprisonment up to 3 years and fine up to Rs. 5 lacs C. Imprisonment up to 5 years and fine up to Rs. 10 lacs D. Fine of Rs. 5 lacs alone, no imprisonment Key B Justification Under Section 72A of the Information Technology Act 2000, such intentional disclosure of information, without the consent of the person concerned & in breach of lawful contract is punishable with imprisonment up to 3 years and fine up to Rs. 5 lacs. Hence answer in Option B is correct and the other options are wrong. 632. In addition to giving opinion on the fair presentation of the organization’s accounts, an independent auditor of an organization is expected to opine on the effectiveness of internal control over financial reporting as per a particular Act. This is mandatory as per which Act and which section of the Act ? A. Information Technology Act 2000, Section 43A B. Information Technology Act 2000, Section 7A C. Sarbanes Oxley Act 2002, Section 404 D. Gramm Leach Bliley Act or the Financial Services Modernisation Act 1999, Section 14A Key C Justification This is mandatory in the U.S. as per Section 404 of the Sarbanes Oxley Act 2002. Hence answer in Option C is correct and the other options are wrong. 633. What does Auditing Standard 5 of the Public Company Accounting Oversight Board (PCAOB) relate to ? A. Independence & performance of statutory auditors B. Appointment, removal & terms of the Chief Internal Auditor C. Audit of Internal control over financial reporting integrated with audit of financial statements D. Implementation of enterprise risk management system in the organization Key C Module 3 Governance and Management of Enterprise Information Technology, Risk Management & Compliance 220 Justification The PCAOB was set up as a non-profit body as per the provisions of the Sarbanes Oxley Act with the objective of setting up standards of auditing. Auditing Standard 5 of the PCAOB relates to audit of internal control over financial reporting integrated with audit of financial statements. Hence answer in Option C is correct and the other options are wrong. 634. Corporate governance, including internal controls, enterprise risk management, etc. are covered under the provisions of ______________ A. Clause 49 of the Listing agreement of SEBI B. Section 43A of the Information Technology Act 2000 C. Section 126A of the Sarbanes Oxley Act 2002 D. Section 14A of the Gramm Leach Bliley Act or the Financial Services Modernisation Act 1999 KEY A Justification Corporate governance, including internal controls, enterprise risk management, etc. are covered under the provisions of Clause 49 of the Listing agreement of SEBI. Hence answer in Option A is correct and the other options are wrong. 635. ISO/IEC 27000 is basically a/an ______________ A. Information security standard B. Auditing related standard C. Standard for quality in auditing D. Generic standard for quality in accounting KEY A Justification ISO/IEC 27000 is basically an Information security standard established by the International Standards Organization in association with the International Electro-technical Commission. It lays down the specification for information security management. Hence answer in Option A is correct and the other options are wrong. 636. Which is the International system which has laid down standards for information security & information security management system ? A. IS 21000 B. GAAP 2014 C. IS / IEC 27001 D. IS /IEC 24007 Key C Module 3 Governance and Management of Enterprise Information Technology, Risk Management & Compliance 221 Justification ISO/IEC 27001 is basically an Information security management system established by the International Standards Organization in association with the International Electrotechnical Commission. It lays down the specification for information security management. Hence answer in Option C is correct and the other options are wrong. 637. Information Technology Assurance Framework (ITAF) ___________ A. Is a good-practice-setting reference standard for audit & assurance B. Standards are divided into two categories C. Standards are divided into four categories D. Is not recognized by ISACA KEY A Justification ITAF has been designed and created by ISACA. It is a good-practice-setting reference standard for audit and assurance. It is divided into three categories. Hence answer in Option A is correct and the other options are wrong. 638. Information Technology Assurance Framework (ITAF) standards comprise three categories, viz. ______________ A. General, IT and non IT standards B. General, industry specific and non-financial standards C. General, performance and reporting standards D. Macro, micro and non-financial standards Key C Justification The three categories of ITAF are General, Performance and Reporting standards. Hence answer in Option C is correct and the other options are wrong. 639. General standards under Information Technology Assurance Framework (ITAF) __________________ A. Fall under the 1100 series of ITAF standards B. Are the guiding principles under which IS assurance profession operates C. Relate to the non-financial aspects of audit & assurance D. Are yet to be validated & approved by ISACA Key B Justification Module 3 Governance and Management of Enterprise Information Technology, Risk Management & Compliance 222 ITAF has been designed and created by ISACA. The General standards, falling under the 1000 series, are the guiding principles under which the IS assurance profession operates. Hence, the answer in Option B is correct and the other options are wrong. 640. Performance standards under Information Technology Assurance Framework (ITAF) _______________ A. Deal with the minimum performance standards expected of installed software B. Deal with conduct of the assignment & exercising of professional judgement & due care C. Relate to the minimum level of quality of audit to be carried out by IS auditors D. Fall under the 1400 series of ITAF Key B Justification ITAF has been designed and created by ISACA. The Performance standards, falling under the 1200 series, deal with conduct of the assignment & the exercising of professional judgement & due care. Hence, the answer in Option B is correct and the other options are wrong. 641. Reporting standards under Information Technology Assurance Framework (ITAF) _______________ A. Deal with report types, communication means & communicated information B. Deal with the minimum performance standards expected of installed software C. Relate to the minimum level of quality of audit to be carried out by IS auditors D. Fall under the 1200 series of ITAF KEY A Justification ITAF has been designed and created by ISACA. The Reporting standards, falling under the 1400 series, deal with report types, communication means & communicated information. Hence, the answer in Option A is correct and the other options are wrong. 642. COBIT 5 _____________ A. Is a framework for governance & management of enterprise IT, excluding risk aspects B. Operates through 7 principles C. Is a framework for governance & management of enterprise IT D. Can be useful only for large organizations with ERP systems Key C Justification COBIT is a framework for governance & management of enterprise IT. It helps organizations manage risk & ensure compliance, continuity, security & privacy. It has 5 key principles and can be used in Module 3 Governance and Management of Enterprise Information Technology, Risk Management & Compliance 223 any type of organization, irrespective of size or nature of business. Hence, the answer in Option C is correct and the other options are wrong. 643. COBIT 5’s key principles _____________ A. Are 3 in number & focus on shareholders’ needs B. Are 7 in number and applies multiple frameworks to cover the whole organization C. Are 5 in number & Include meeting stakeholders’ needs D. Marries the management & governance, creating shared goals & objectives Key C Justification COBIT5 is a framework for governance & management of enterprise IT. It helps organizations manage risk & ensure compliance, continuity, security & privacy. It has 5 key principles and can be used in any type of organization, irrespective of size or nature of business. It applies a single integrated framework to address the entire organization. It deliberately separates governance & management. Hence, the answer in Option C is correct and the other options are wrong. 644. COBIT 5’s key principle of meeting stakeholders’ needs creates value by _____________ A. Maximizing dividend payout to shareholders B. Balancing benefits and the optimization of risk & use of resources C. Reducing costs to the minimum D. Eliminating risks & avoiding wasteful expenditure Key B Justification COBIT5 is a framework for governance & management of enterprise IT. It helps organizations manage risk & ensure compliance, continuity, security & privacy. One of its 5 key principles is meeting stakeholders’ needs. This principle creates value by balancing the benefits against the optimization of risk & the use of resources. Hence, the answer in Option B is correct and the other options are wrong. Module 4 Protection of Information Assets 224 645. In order to protect its critical data from virus attacks an organisation decides to limit internet access to its employees. What type of risk response has the organisation exercised? A. Mitigate B. Avoid C. Accept D. Transfer Key: A A.“Mitigate” is the correct answer. Risk Mitigation primarily focuses on designing and implementing controls to prevent incidents due to risk materialisation. B “Avoid” is not correct as the organisation is not avoiding the use of technology to avoid risks C “Accept” is not correct as the organisation has not chosen to accept the risk D “transfer” is not correct as the organisation is not passing on the risk to another entity 646. A production company decides to insure against production loss due to natural calamities. What type of response is this classified as? A. Mitigate B. Accept C. Transfer D. Avoid Key: A C “Transfer” is correct as the organisation passes on the risk to the insurance company. A: “Mitigate” is not correct as the organisation is not implementing any controls within B: “Accept” is not correct as organisation has not accepted the risk D “Avoid” is not correct as the organisation has not decided to avoid technology to minimise risk 647. Implementation of Information system control in an organisation ensures that: A. Risk is transferred to another entity B. Desired Outcome from business process is not affected C. Losses are avoided D. Incidents due to risk materialisation are avoided Key: B B is correct – Information Control includes implementation of policies, procedures and practices which ensure that the desired outcome from business is not affected A is not correct – this is a type of risk response C & D are not correct – They are not a direct result of implementation of controls 648. Which of the following leads to destruction of information Assets such as hardware, software and critical data? Module 4 Protection of Information Assets 225 A. Data error during data entry B. Non maintenance of privacy with respect to sensitive data C. Unauthorised access to computer systems D. Using systems that do not meet user requirements Key: C C is correct - Unauthorised access to computer systems, computer viruses, unauthorised physical access to computer facilities and unauthorised copies of sensitive data can lead to destruction of assets A is not correct – data error causes damage to the business process only B is not correct – non maintenance of privacy does not cause damage to Information Assets, it infringes on the privacy of the customer D is not correct – this is a system efficiency objective 649. Maintenance of privacy in relation to data collected by an organisation is very important because: A. Errors committed during entry would cause great damage B. It has an impact on the infrastructure and business competitiveness C. It can be easily accessed by third parties D. It contains critical and sensitive information pertaining to a customer Key: D D is correct - Today data collected in a business process contains details about an individual on medical, educational, employment, residence etc. A B and C are incorrect as these are not related to privacy of data 650. The role of an internal auditor in Information Systems auditing includes: A. Safeguarding data integrity B. Attesting management objectives C. Attesting System effectiveness and system efficiency objectives D. Implementing control procedures Key: C C is correct - management objectives of the internal auditor includes not only attest objectives but also effectiveness and efficiency objectives. A & B are incorrect – these are the responsibilities of an external auditor D is incorrect – this is the responsibility of the organisation 651. What does an external Information Systems auditor focus on? A. Attesting objectives that focus on asset safeguarding and data integrity B. Attesting system effectiveness C. Attesting system efficiency D. Implementing control procedures Module 4 Protection of Information Assets 226 Key: A A is correct - Information systems auditing is the process of attesting objectives (those of the external auditor) that focus on asset safeguarding and data integrity B & C are incorrect – these are the responsibilities of an external auditor D is incorrect. This is the responsibility of the organisatio006E 652. By auditing the characteristics of the system to meet substantial user requirements, which control objective does an IS Auditor attest? A. Data integrity objectives B. System Effectiveness Objectives C. Asset safeguarding objectives D. System efficiency objectives Key: B B is correct - Effectiveness of a system is evaluated by auditing the characteristics and objective of the system to meet substantial user requirements. A is incorrect – the auditor checks the extent of access to information and the value of data to business C is incorrect – the auditor assesses the internal controls to protect software and hardware D is incorrect – the auditor assesses the optimal usage of system resources 653. A statement of purpose achieved by implementing control procedures in a particular IT process is defined as: A. IS Control framework B. Internal Controls C. Control Objective D. Preventive Controls Key: C C is correct - Control objective is defined as “A statement of the desired result or purpose to be achieved by implementing control procedures in a particular IT process or activity” B is incorrect – it is the basic outline of the policies of the organisation towards IS control A & D are incorrect – these are the steps taken by the organisation to protect information and system assets 654. Which of the following is an example of technical implementation of Internal Control? A. Outlining policies that safeguard information assets B. Installing a security guard in the premises to restrict entry of unauthorised persons C. Locking the room containing sensitive documents D. Investing in tools and software to restrict unauthorised access to information Key: D Module 4 Protection of Information Assets 227 D is correct - this is an example of technical implementation B is incorrect – this is an example of administrative implementation A & C are incorrect – these are examples of physical implications 655. What are preventive controls? A. those mechanisms which refer unlawful activities to the appropriate person/group B. those controls which attempt to predict potential problems before they occur C. those mechanisms which modify the processing system to minimise error occurrences D. those controls which corrects the error arising from a problem Key: B B is correct - Preventive controls attempts to predict problems before they occur and make necessary adjustments. They are designed to protect the organisation from unauthorised activities A is incorrect – this is a characteristic of detective control C & D are incorrect – these are characteristics of corrective control 656. What are detective controls? A. Provision for control of probable threats from materializing B. Those controls that are designed to detect errors and omissions of malicious acts C. Those controls which assess probable threats D. Those controls which minimise the impact of threat Key: B B is correct - These controls are designed to detect errors, omissions of malicious acts that occur and reporting the occurrence. A & C are incorrect – this is a characteristic of preventive control D is incorrect – this is a characteristic of corrective control 657. What are corrective controls? A. Those controls that correct an error once it has been detected B. Those mechanisms which provide a clear understanding of the vulnerabilities of an asset C. Surprise checks by an administrator D. Those mechanisms by which the management gets regular reports of spend to date against a profiled spend Key: A A is correct - These controls are designed to reduce the impact or correct an error once it has been detected. B is incorrect – this is a characteristic of preventive control C is incorrect – this is a characteristic of detective control Module 4 Protection of Information Assets 228 D is incorrect – this is an example of detective control 658. An organisation decides to control the access to a software application by segregating entry level and updation level duties. What type of internal control does this amount to? A. Preventive Control B. Detective Control C. Corrective Control D. physical implementation of a control Key: A A is correct - Examples of preventive controls include – employing qualified personnel, segregation of duties, access control, documentation etc. B and C are incorrect – detective and corrective controls are not designed to predict potential problems D is incorrect – physical implementation of a control includes only physical aspects like security guards and locked rooms 659. Under which type of control mechanism does taking a back up of everyday activity classify as? A. Detective Control B. Preventive control C. Corrective control D. Administrative Implementation of Control Key: C C is correct – Examples of Corrective Controls are - contingency planning, backup and restoration procedure, rerun procedure, procedure for treating error, etc. A & B are incorrect – Detective and Preventive controls are not designed to reduce the impact or correct an error once it has been detected. D is incorrect – Administrative implications of controls are items such as policies and processes 660. As an IS auditor, how would you rate a computerised detective control which is moderately efficient and with corresponding corrective action? A. High B. Low C. Moderate D. Blank Key: A A is correct - Computerised control which is most effective, generally controls that are computerized and applied before processing can take place; moderately efficient, with corresponding corrective action are rated as “High” B, C and D are incorrect – Moderate- Controls implemented over a cause of exposure/error type and is moderately effective. Module 4 Protection of Information Assets 229 Low-Controls implemented over a cause of exposure/error type but have low effectiveness. Blank- Controls not implemented or does not exist to that cause or exposure or error type. 661. As an IS auditor, how would you rate a least effective and inefficient manual detective control without corrective action? A. High B. Low C. Blank D. Moderate Key: C C is correct - Manual control which is least effective, generally manual controls applied at front-end of processing; moderately efficient are rated as “Blank” A, B & D are incorrect – High- Controls implemented over a cause of exposure/error type and should be highly effective. Moderate- Controls implemented over a cause of exposure/error type and is moderately effective. Low-Controls implemented over a cause of exposure/error type but have low effectiveness. 662. Which of the following describes the role of a risk owner? A. Ensuring that all control objectives that focus on asset safeguarding and data integrity are attested B. Ensuring that the risk response is effective enough and is translated into actions that will prevent and/or detect the risk. C. Ensuring that all system effectiveness and system efficiency objectives are attested D. Ensuring that risk associated with a certain activity is mitigated either by reducing likelihood or reducing impact Key: B B is correct - Generally owner is a person or position within the organization that has close interest about the processes affected due to risk. The person responsible needs to ensure that the risk response is translated into actual day-to-day actions that will prevent and/or detect the risk. A, C and D are incorrect – These are the roles of IS auditors 663. The process of Information Security does not end with implementation of risk responses. The next step is to: A. Facilitate to conduct risk assessment workshops B. Ensure that key business risks are being managed appropriately C. Plan the audit cycle according to the perceived risk D. Ensure that the identified risk stays within an acceptable threshold Key: D Module 4 Protection of Information Assets 230 D is correct - After implementation of the risk responses and management techniques, the managers need to monitor the actual activities to ensure that the identified risk stays within an acceptable threshold. A, B and C are incorrect – these are the roles that an auditor has to perform in view of control assessment 664. What process must an organisation follow to ensure that the identified risk stays within the acceptable limits? A. Evaluate the efficiency of the objectives of controls B. Designing an effective internal control framework C. Periodic review of the risk assessment exercise and proactive review of possible risks D. Optimise the use of various information resources Key: C C is correct - To ensure that risks are reviewed and updated organizations must have a process that will ensure the review of risks. Periodic review: the risk assessment exercise may be conducted after predefined period say annual. Change management processes proactively review the possible risks and ensure they are part of organization’s risk register. A B and D are incorrect – these are steps to be taken towards identifying, assessing risks and implementing internal controls 665. How does an IS auditor prioritise the controls that needs to be tested? A. By reviewing the control catalogue (which is a collective record of all controls implemented) B. By reviewing control procedure documents C. By facilitating risk assessment workshops D. Planning the audit cycle according to the risks perceived Key: A A is correct - The first step in control’s assessment is to review the control catalogue (which is a collective record of all controls implemented) and ensure that associated risk is mitigated either by reducing likelihood or reducing impact or both. B is incorrect – This should be done after reviewing the control procedure documents C and D are incorrect – These are the roles of an auditor with respect to Information risk management 666. In case of control self assessment, who does the actual testing of controls? A. The owner of the identified risk for which the control has been implemented B. Internal auditor, during the audit cycle as planned C. Staff whose day-to-day role is within the area of the organisation D. External auditor, while reviewing the management of key risks Key: C C is correct - In case organization has implemented control self-assessment, the actual testing of the controls is performed by staff whose day-to-day role is within the area of the organisation that is being examined as they have the greatest knowledge of how the processes operate. Module 4 Protection of Information Assets 231 A is incorrect – though he/she is the risk owner, it is appropriate that the person who is actually involved in the activity does the self- assessment B and D are incorrect – they are external to the specified activity and are not eligible to do the self- assessment. 667. Of the below mentioned roles, which one should an auditor refrain from performing? A. Giving assurance that the risks are being evaluated correctly B. Implementing risk response on management’s behalf. C. Evaluating the risk management process D. Reviewing the management of key risks Key: B B is correct - This is the job of the management, an auditor only needs to review the risk response A, C and D are incorrect – these are the roles of an IS auditor 668. Of the below mentioned roles, which one of the following should be performed by an IS auditor? A. Set the risk appetite B. Impose risk management process C. Evaluate Risk Management process D. Take decision on risk responses Key: C C is correct - Evaluating the risk management process is the key role of an IS auditor A, B and D are incorrect – these are the roles of the management and the risk owner. 669. A data centre housing about 200 employees is involved in handling businesses processes of multinational companies. For security reasons, it decides to shift its network server and mail server to a secluded room with restricted entry. What kind of internal control is this? A. Manual Preventive Control B. Manual Detective Control C. Computerised Preventive Control D. Computerised Corrective Control Key: A A is correct - This is a preventive control which is designed to protect the data and mail server from unauthorised access. Moreover, it is a manual control as the servers are physically moved to a secluded room. B, C and D are incorrect – The action does not categorise under any of these categories for the reasons mentioned above. Module 4 Protection of Information Assets 232 670. Company depends on an MIS given to it by an outsourced vendor to identify payment defaulters and fine them. On further investigation about the correctness of data supplied, he finds that though at the entry level, a lot of mistakes are prone to happen, there are computerised controls at the vendors end and also the company’s end at processing level to minimise these. As an IS auditor, how would you rate efficiency of these controls? A. Blank B. Low C. Moderate D. High Key: D D is correct – Computerised corrective controls are applied before processing and hence efficiency of controls is high A, B and C are incorrect – The Company is not relying on unchecked information. The information is checked not by manual corrective control but computerised corrective control. Hence the efficiency cannot be rated as blank, low or moderate. 671. The HR department of a company pays its employees medical claims subject to a maximum limit per employee per year. For this, it relies on data partaining to a full year downloaded through the appropriate software. However, it does not have a proper back up or restoration procedure in place. How will an IS auditor rate this? A. High control B. Low Control C. Blank Control D. Moderate Control Key: B B is correct - Here there is no corrective control in case of loss of data and there is no way the department can ascertain how much it has paid an employee in a year. A, C and D are incorrect – Reason is as mentioned above 672. A data centre handling outsourced operations decides to set up a parallel facility for its critical activities at some place other than its present place of operations. This is done with an intention to facilitate return of business to normal levels in case of impact of natural disasters or unforeseen events. Under what security policy is this categorised? A. Business Continuity Management Policy B. Acceptable use of Information Assets policy C. Physical Access and Security Policy D. Asset Management Policy Key: A Module 4 Protection of Information Assets 233 A is correct - This policy defines the requirements to ensure continuity of business critical operations. It is designed to minimize the impact of an unforeseen event (or disaster) and to facilitate return of business to normal levels. B is incorrect - An acceptable use policy (AUP), also known as an Acceptable Usage policy or Fair Use policy, is a set of rules applied by the owner or manager of a network, website or large computer system that restrict the ways in which the network, website or system may be used. C is incorrect - Physical security describes security measures that are designed to restrict unauthorized access to facilities, equipment and resources, and to protect personnel and property from damage or harm (such as espionage, theft, or terrorist attacks). D is incorrect – This policy defines the requirements for Information Asset’s protection. It includes assets like servers, desktops, handhelds, software, network devices etc. Besides, it covers all assets used by an organization- owned or leased. 673. What are the three key objectives of Information Security Management (CIA Triad)? A. Compliance, Integrity and Availability B. Confidentiality, Information Security and Availability C. Confidentiality, Integrity and Availability D. Confidentiality, Integrity and Asset Management Key: C C is correct - Protection of information assets includes the key components that ensure confidentiality, integrity and availability (CIA) of information assets. There are three key objectives of Information Security Management viz.: Confidentiality, Integrity and Availability also called CIA Triad. A, B and D are incorrect – Though important for Information Security, these are not the key components. 674. What does “Integrity” mean with respect to Information Security Management? A. No data/information or programs shall be allowed to be modified by anyone without proper authority. B. No data or information is made available to any person within or outside the organization, other than the persons who are authorized to use that data. C. All Information Systems including hardware, communication networks, software applications and the data they hold, is available to authorized users to carry out business activities. D. Executive management endorsement of intrinsic security requirements to ensure that security expectations are met at all levels of the enterprise Key: A A is correct – This is the correct definition as per paragraph 2.1 of the chapter B and C are incorrect – these are definitions of “Confidentiality” and “Availability” D is incorrect – this clause pertains to Senior Management Commitment and support Module 4 Protection of Information Assets 234 675. What provides the basis for ensuring that information security expectations are met at all levels of an enterprise? A. Adopting an internationally recognized reference framework to establish an Information Security framework B. Successful establishment and endorsement of intrinsic security measures by the senior management C. Prioritising expenditures to mitigate risks and avoid spending more resources in assessing risks D. Ensuring that the framework followed to implement, maintain, monitor and improve Information Security is consistent with the organisational culture. Key: B B is correct - Commitment and support from senior management are important for successful establishment and continuance of an information security management program. A C and D are incorrect – These are some of the critical success factors to Information Security Management. 676. How does an enterprise ensure that the information present in any of its business processes is protected and secure? A. By ensuring that the framework followed to implement, maintain, monitor and improve Information Security is consistent with the organisational culture. B. By adopting an internationally recognized reference framework to establish an Information Security framework C. By spending resources widely and transparently D. By establishing and enforcing an Information Security Program Key: D D is correct - Information Security program focuses on protecting information present in business processes. Establish a program to improve Information Security management enterprise-wide and enforce it. A B, and C are incorrect – These are other critical success factors to Information Security Management. 677. How does an enterprise demonstrate to staff, customers and trading partners that their data is safe? A. By establishing and enforcing an Information Security Program B. By ensuring that the framework followed to implement, maintain, monitor and improve Information Security is consistent with the organisational culture. C. Adopting an information security standard D. By spending resources widely and transparently Key: C C is correct - Adopting an information security standard seems to demonstrate to staff, customers and trading partners that their data is safe, and that there is an independent verification of this fact. Module 4 Protection of Information Assets 235 A B and D are incorrect – These are other critical success factors to Information Security Management. 678. The IS policy of an enterprise that talks about protecting non-public personal information from unauthorised use, corruption, disclosure and distribution is: A. Acceptable usage policy or Fair Use policy B. Data classification and Privacy Policy C. Physical Access and Security policy D. Asset Management Policy Key: B B is correct - the policy of the Organization to protect against the unauthorized access, use, corruption, disclosure, and distribution of non-public personal information in its possession, and to comply with all applicable laws and regulations regarding such information is termed as the Data Classification and privacy policy A is incorrect – is a set of rules applied by the owner or manager of a network, website or large computer system C is incorrect – Physical security describes security measures that are designed to restrict unauthorized access to facilities, equipment and resources D is incorrect - This policy defines the requirements for Information Asset’s protection 679. The policy which restricts the ways in which the network, website or system may be used by a user of an enterprise is termed as: A. Acceptable usage policy or Fair Use policy B. Physical Access and Security policy C. Asset Management Policy D. Business Continuity Management Policy Key: A A is correct - An acceptable use policy (AUP), also known as an Acceptable Usage policy or Fair Use policy, is a set of rules applied by the owner or manager of a network, website or large computer system that restrict the ways in which the network, website or system may be used. B is incorrect – Physical security describes security measures that are designed to restrict unauthorized access to facilities, equipment and resources C is incorrect - This policy defines the requirements for Information Asset’s protection D is incorrect - This policy defines the requirements to ensure continuity of business critical operations. 680. he IS policy which talks about protecting personnel and physical property from damage or harm is termed as: A. Asset Management policy B. Business Continuity Management policy C. Physical access and security policy D. Password policy Module 4 Protection of Information Assets 236 Key: C C is correct - Physical security describes security measures that are designed to restrict unauthorized access to facilities, equipment and resources, and to protect personnel and property from damage or harm (such as espionage, theft, or terrorist attacks). A is incorrect - This policy defines the requirements for Information Asset’s protection B is incorrect - This policy defines the requirements to ensure continuity of business critical operations. D is incorrect - This policy defines high-level configuration of password to be used within organization to access the information assets. 681. What is the IS policy that defines the requirements for Information Assets protection? A. Business Continuity Management Policy B. Asset Management Policy C. Network Security Policy D. Password policy Key: B B is correct - This policy defines the requirements for Information Asset’s protection. It includes assets like servers, desktops, handhelds, software, network devices etc. Besides, it covers all assets used by an organization- owned or leased. A is incorrect - This policy defines the requirements to ensure continuity of business critical operations. C is incorrect - A network security policy defines the overall rules for organisation’s network access D is incorrect - This policy defines high-level configuration of password to be used within organization to access the information assets. 682. The characteristics of a strong password that protects information assets should be: A. Maximum 8 characters, case specific B. Minimum 8 characters, only alpha numeric C. Minimum 8 characters, only alphabets and easy to remember D. Minimum 8 characters, case specific and containing special characters Key: D D is correct - The password policy defines high-level configuration of password to be used within organization to access the information assets. For example: not be changed in consecutive sequence A B and C are incorrect – These are not the characteristics of a strong password 683. What should be done to ensure that security policies are in tune with the management’s intent? Module 4 Protection of Information Assets 237 A. Change passwords regularly B. Restrict unauthorised access to facilities C. Review the security policies periodically D. Hold non public personal information in strict confidence Key: C C is correct - Information security policies need to be maintained and updated regularly. This might need to revisit the security requirements and hence policies. Hence, it is necessary to review the security policies periodically to ensure that they are in line with the management’s intent. A, B and D are incorrect – These are the parts of an information security policy 684. Policies are generic and sometimes cannot be enforced in specific situations. Can there be a relaxation of adherence to policy in such cases? A. Yes. But, it is necessary to ensure that there are suitable compensating controls B. Yes. Policies can be relaxed in case of such situations unconditionally C. No. Under no circumstances can an Information Security policy be relaxed D. Yes. Adherence to the policy can be relaxed for an indefinite period for the specific activity only. Key: A A is correct - In such situations it is necessary to ensure there are suitable compensating controls so that the risks mitigated by enforcement of policy are within acceptable limits. B, C and D are incorrect – Policies can be relaxed for a specific period provided the exceptions are appropriately approved and these exceptions must be reviewed periodically. 685. Standards, Guidelines and Procedures are the three elements of policy implementation. In what order should they be followed for proper implementation? A. Guidelines, Procedures and Standards B. Procedures, Standards and Guidelines C. Standards, Guidelines and Procedures D. Guidelines, Standards and Procedures Key: C C is correct - The next level down from policies is three elements of policy implementation as given here: Standards: Specify the uniform way for the use of specific technologies in an organization. Guidelines: Guidelines are similar to standards; they refer to the methodologies of securing systems, but they are only recommended actions and are not compulsory. Procedures: Procedure contains the detailed steps that are followed to perform a specific task. Procedures are the detailed actions that must be followed. A, B and D are incorrect – These do not specify the correct levels of implementation. Unless Standards are set, guidelines cannot be recommended. Unless guidelines are recommended, procedures cannot be outlined for implementing policies. 686. With respect to Information Security, what does ‘Segregation of Duties’ mean? Module 4 Protection of Information Assets 238 A. No individual, of whatever seniority in the organization, should have the ability to carry out every step of a sensitive business transaction. B. The responsibility of powerful and key access to the system should not be carried out by one person alone. C. No person should be kept in one particular post for too long D. Organisations should avoid situations where an individual becomes indispensable to the business Key: A A is correct - No individual, of whatever seniority in the organization, should have the ability to carry out every step of a sensitive business transaction. Access to too many functions enables staff to carry out a fraudulent transaction and hide their tracks. B is incorrect – This pertains to the ‘Four Eyes’ or ‘Two Person’ principle C is incorrect – This pertains to rotation of duties D is incorrect – This pertains to ‘Key Man’ policies 687. In a bank, the chest in which cash is kept has to be opened with two keys, one which is in the control of the manager and the other which is in the control of the accountant/sub manager. Under what security rule does this aspect classify? A. Segregation of Duties B. The ‘Four Eyes’ or ‘Two Person’ principle C. Rotation of Duties D. ‘Key Man’ policies Key: B B is correct - To reduce the opportunities for any person to breach security, those responsibilities and duties which would afford particularly powerful access to the system, or which act at key control points, should not be carried out by one person alone. A, C and D are incorrect – These are other security rules designed for implementation of IS policies 688. An organisation which is IS compliant requires its employees to take two weeks consecutive mandatory leave. Under which security rule does this feature classify as? A. Rotation of duties B. ‘Key Man’ policies C. Two person principle D. Segregation of duties Key: A A is correct - No one person should be kept in one particular post for too long, especially if that appointment involves any particular security responsibilities opportunities for dishonesty. A similar rule should insist that staff take at least two consecutive weeks; holiday in any year, as experience has shown that many frauds need continual masking by the perpetrator and may surface when the individual is away. Module 4 Protection of Information Assets 239 B, C and D are incorrect – These are other security rules designed for implementation of IS policies 689. Every corporate asset, building, item of equipment, bank account and item of information should have a clearly defined ‘owner’. What are the responsibilities of the owner of such assets? A. Adding and deleting user identifiers from the system B. Defining security responsibilities for every person in the organization C. Ensuring that the asset is well maintained, accurate and up to date D. Establishing and Implementing an effective IS program Key: C C is correct - The owner should have a defined set of responsibilities. A,B and D are incorrect – These are steps to ensure that Information Security is implemented in an organisation. 690. When an owner is not able to manage a particular asset on a day to day basis, the responsibility is passed on to a custodian. Which of the following is an example of a custodian? A. a vendor responsible for an outsourced activity B. data center controlling access to production data C. a subordinate doing the function of an owner during his absence D. an auditor auditing the effectiveness of an asset Key: B B is correct - The owner should clearly state the requirements, the responsibilities and associated levels of authority of the custodian and final management responsibility will always reside with the owner. Examples of custodian include a data center operations function controlling access to production data, and a computer bureau running an application for a client. A,C and D are incorrect – these are not examples of a custodian. They pertain to roles of other players in Information Security Management. 691. The actual security mechanism has its application in certain key tasks of security systems. What are these called as? A. Organisational control B. Backup data C. Control points D. Operating System Key: C Module 4 Protection of Information Assets 240 C is correct - In all security systems there are key tasks which can be called control points. It is at these control points that the actual security mechanism has its application. A is incorrect – this is the control that an organisation places to secure its information assets B is incorrect – this is a procedure that is adopted for safeguarding critical data D is incorrect – Operating system is a software that manages computer hardware and software resources 692. Name the participant which ensures that all stakeholders impacted by security considerations are involved in the Information Security Management process. A. Steering committee B. Information Owner C. Information Custodian D. System Owner Key: A A is correct - It serves as an effective communications channel and provides an ongoing basis for ensuring the alignment of the security program with business objectives. It can also be instrumental in achieving modification of behavior toward a culture more conducive to good security. B is incorrect - Information Owner (also called Data Owners) is responsible for a company information asset. C is incorrect – Information custodian is assigned the task of implementing the prescribed protection defined by the security procedure D is incorrect – The system owner is responsible for one or more systems, each of which may process and store data owned by different information owners. 693. Name the participant who ensures that security controls have been implemented in accordance with the information classification. A. nformation Custodian B. Information Owner C. System Owner D. Process Owner Key: B B is correct - Information Owner (also called Data Owners) is responsible for a company information asset. The responsibilities are generally assigned to person/position that owns business process. A is incorrect - Information custodian is assigned the task of implementing the prescribed protection defined by the security procedure C is incorrect – The system owner is responsible for one or more systems, each of which may process and store data owned by different information owners. D is incorrect – This person is responsible for the implementation, management and continuous improvement of a process that has been defined to meet a business requirement. 694. Name the participant who ensures safe keeping of information on behalf of the information owner. Module 4 Protection of Information Assets 241 A. System Owner B. Process Owner C. Information Custodian D. System Administrator Key: C C is correct - Information custodian is assigned the task of implementing the prescribed protection defined by the security procedure and top level/Senior management decisions. Among other activities, information custodian also performs following activities: ecessary A is incorrect – The system owner is responsible for one or more systems, each of which may process and store data owned by different information owners. B is incorrect – This person is responsible for the implementation, management and continuous improvement of a process that has been defined to meet a business requirement. D is incorrect - System Administrator is the one with administrative / root level privileges of the Operating systems like Windows, Unix etc 695. Whose responsibility is it to ensure that adequate security is built once the applications and systems have been acquired and are ready for use in the production department? A. System Owner B. Process Owner C. System Administrator D. User Manager Key: A A is correct - A system owner is responsible for: acquired and are ready for use in production environment. response team and information owner. B is incorrect – This person is responsible for the implementation, management and continuous improvement of a process that has been defined to meet a business requirement. C is incorrect - System Administrator is the one with administrative / root level privileges of the Operating systems like Windows, Unix etc D is incorrect - User manager is the immediate manager or reporting manager of an employee. 696. Who is the person responsible for creating new system user accounts and changing permissions of existing user accounts? A. User Manager Module 4 Protection of Information Assets 242 B. System Administrator C. Super User D. Security Manager Key: B B is correct - A system administrator is responsible for: A is incorrect - User manager is the immediate manager or reporting manager of an employee. C is incorrect – Super User is the person with the highest level of authorization access, who can make any transaction and master setup activity immediately and sets the conditions for transaction approvals, financial daily limits of each transaction type, and classifies and authorizes other Users. D is incorrect - Security manager is responsible for defining security strategy and policies for the organization. 697. Who holds the ultimate responsibility for all user id’s and information assets owned by the company’s employees? A. Super User B. Security Manager C. Steering Committee D. User Manager Key: D D is correct - User manager is the immediate manager or reporting manager of an employee. They have ultimate responsibility for all user IDs and information assets owned by company employees. A is incorrect – Super User is the person with the highest level of authorization access, who can make any transaction and master setup activity immediately and sets the conditions for transaction approvals, financial daily limits of each transaction type, and classifies and authorizes other Users. B is incorrect - Security manager is responsible for defining security strategy and policies for the organization. C is incorrect - a steering committee is comprised of senior representatives of affected groups. This facilitates achieving consensus on priorities and trade-offs. It also serves as an effective communications channel and provides an ongoing basis for ensuring the alignment of the security program with business objectives. 698. Who is responsible for defining security strategy and policies for an organisation? A. Steering Committee B. Information Owner C. Security Manager D. Information Custodian Module 4 Protection of Information Assets 243 Key: C C is correct - Security manager is responsible for defining security strategy and policies for the organization. The manager also ensures defining roles and responsibilities. A is incorrect - a steering committee is comprised of senior representatives of affected groups. This facilitates achieving consensus on priorities and trade-offs. It also serves as an effective communications channel and provides an ongoing basis for ensuring the alignment of the security program with business objectives. B is incorrect - Information Owner (also called Data Owners) is responsible for a company information asset. The responsibilities are generally assigned to person/position that owns business process. D is incorrect - Information custodian is assigned the task of implementing the prescribed protection defined by the security procedure 699. What is the role of Human Resources Security when the employment of a person is terminated? A. Ensure that access to sensitive data is revoked immediately B. Define appropriate access to sensitive information for another person C. Send regular updates in an effort to safeguard the data which was in their possession D. Educate the terminated employee to prevent data disclosure to 3rd parties Key: A A is correct - To prevent unauthorized access to sensitive information, access must be revoked immediate upon termination/separation of an employee and 3rd parties with access to such information. This also includes the return of any assets of the organization that was held by the employee. B is incorrect – Before granting access to a replacement, access of the leaving employee should be revoked C and D are incorrect – these are wrong steps – terminated employee should not have access to sensitive data 700. What is ‘Acknowledge Policy’ with regard to Security Awareness training program? A. All employees are required to undergo security awareness training B. All employees and third parties having access to sensitive information have to complete training at least once a year C. All employees are required to acknowledge that they have read and understood the organization's information security / acceptable use policy. D. All employees have to go through a formal induction process designed to introduce the organisations security policies Key: C C is correct - Acknowledge Policy ensures that all employees are required to acknowledge that they have read and understood the organization's information security / acceptable use policy. A, B, and D are incorrect – These are other important considerations for a security awareness training program 701. What is the primary goal of configuration management? Module 4 Protection of Information Assets 244 A. Ensuring that changes to the system do not unintentionally diminish security B. Mitigate the impact that a change might have on the security of other systems C. Configuring systems to meet the security requirement of the organisation D. Updating the software with the latest versions of all applications Key: A A is correct - The primary security goal of configuration management is to ensure that changes to the system do not unintentionally diminish security. B is incorrect – This is also a goal of configuration management, though not primary C and D are incorrect – These are not goals, they form part of configuration management 702. What is the objective of a non- disclosure agreement? A. Identify functional and physical characteristics of each configuration setting B. Impose limitations on like organisations that operate in the same competitive space C. Creates a confidential relationship between parties to protect any type of confidential information D. Follow a checklist to address whether any of the security holes remain unplugged Key: C C is correct - A non-disclosure agreement (NDA), also known as a confidentiality agreement (CA), is a legal contract between at least two parties that outlines confidential material, knowledge, or information that the parties wish to share with one another for certain purposes, but wish to restrict access to or by third parties. A, B and D are incorrect – these are some of the issues and challenges of IS Management 703. What is the primary cause for lack of integration in system and security design? A. inadequacy of checklists as a means to address security concerns B. limitations imposed on like organizations that operate in its competitive space C. the challenge of finding the right balance between protecting the organization’s core assets and processes and enabling them to do their job D. systems and security design are undertaken in parallel rather than in an integrated manner Key: D D is correct - Development duality is a phenomenon where systems and security design are undertaken in parallel rather than in an integrated manner. A.B and C are incorrect – These are other issues and challenges of IS management 704. What is a Denial-of-Service attack? A. An attempt to make a machine or network unavailable to its intended users. B. Unauthorized access to an organisation’s internal network. C. Illegal copying of software. D. Creation of Internet Protocol (IP) packets with a forged source IP address Module 4 Protection of Information Assets 245 Key: A A is correct - A Denial-of-Service attack (DoS) is an attempt to make a machine or network unavailable to its intended users. This causes legitimate users to not be able to get on the network and may even cause the network to crash. B is incorrect - unauthorized access to an organisation’s internal network is referred to as Network Intrusion C is incorrect – Illegal copying of software is referred to as Software Piracy D is incorrect – creation of Internet Protocol (IP) packets with a forged source IP address, with the purpose of concealing the identity of the sender or impersonating another computing system is termed as ‘spoofing IP addresses’. 705. What is ‘Phishing’? A. Unauthorized real-time interception of a private communication B. Attempting to obtain otherwise secure data by conning an individual into revealing secure information C. Trying to obtain information like user ID and password for bank accounts, credit card pin etc. using electronic communication means D. Exploiting vulnerabilities of a system to gain unauthorized access to system or resources Key: C C is correct - Phishing is the act of trying to obtain information like user ID and password for bank accounts, credit card pin etc. using electronic communication means like emails, fake websites etc. A is incorrect - unauthorized real-time interception of a private communication is called eavesdropping B is incorrect - attempting to obtain otherwise secure data by conning an individual into revealing secure information is called Social Engineering D is incorrect – exploiting vulnerabilities of a system to gain unauthorized access to system or resources like a website, bank accounts etc. is called hacking 706. What are ‘botnets’? A. underground network established by hackers by sending malware B. targeted attack that continues for a sustained period for about a year or more C. attacks that are specifically targeted to selected organization D. changing of data before or during entry into the computer system Key: A A is correct - Botnets: Acronym for robotic network. An underground network established by hackers by sending malware. This malware goes undetected since it is part of targeted attack. B is incorrect - A type of targeted attack that continues for a sustained period for about a year or more is called Advanced Persistent Threat (APT) C is incorrect - attacks that are specifically targeted to selected organization are called ‘targeted attacks’. D is incorrect - changing of data before or during entry into the computer system is called ‘dat diddling’. Module 4 Protection of Information Assets 246 707. What should be done to minimise damage from security incidents and and to recover from them? A. Report an incident to an appropriate authority to know what action should be taken B. Handle the incident independently and follow it up if required C. Establish a formal incident response capability and centralise it with the key roles and responsibilities D. Plan and prepare a response system proactively in case of the occurrence of an incident Key: C C is correct - Establishing a formal incidence response capability and coordinating it within the organisation to include all key roles and responsibilities is the proper way to minimise damage from security incidents A and B are incorrect – These are some of the actions to be taken while addressing a security incident D is incorrect – This is the first phase of an incident response capability 708. Generating a higher level of compliance by creating realistic workable policies is one way of increasing compliance to security policies. Which guideline of implementation does this fall under? A. Simplify enforcement B. Increase Awareness C. Communicate Effectively D. Integrate Security with corporate culture Key: A A is correct – Simplifying enforcement means convincing employees to comply with every policy. Generating a higher level of compliance by creating realistic, workable policies shall help. B, C and D are incorrect – these are other guidelines to improve employee compliance of security policies 709. As part of auditing Information Security of a multinational bank, an auditor wants to assess the security of information in ATM facilities. Under which privacy policy should he look for details pertaining to security guards and CCTV surveillance of ATM’s? A. Acceptable use of Information Assets Policy B. Physical Access and Security Policy C. Asset Management Policy D. Business Continuity Management Policy Key: B B is correct - Physical security describes security measures that are designed to restrict unauthorized access to facilities, equipment and resources, and to protect personnel and property from damage or harm (such as espionage, theft, or terrorist attacks). Physical security involves the use of multiple layers of interdependent systems which include CCTV surveillance, security guards, Biometric access, RFID cards, access cards protective barriers, locks, access control protocols, and many other techniques. Module 4 Protection of Information Assets 247 A is incorrect - An acceptable use policy (AUP), also known as an Acceptable Usage policy or Fair Use policy, is a set of rules applied by the owner or manager of a network, website or large computer system that restrict the ways in which the network, website or system may be used. C is incorrect – This policy defines the requirements for Information Asset’s protection. It includes assets like servers, desktops, handhelds, software, network devices etc. Besides, it covers all assets used by an organization- owned or leased. D is incorrect – This policy defines the requirements to ensure continuity of business critical operations. It is designed to minimize the impact of an unforeseen event (or disaster) and to facilitate return of business to normal levels. 710. You work in a company which has strict Information Security Procedures. One of the requirements which you have to adhere to is setting a strong login password. Which of the following is an example of a strong password? A. Abcde B. Rosy98 C. 31567 D. qqbRqs$W Key: D D is correct - According to the password policy, Password length must be more than 8 characters, Password must be complex containing upper case, lower case, numeric and special characters. A, B, and C are incorrect – For the same reasons as mentioned above 711. The customer data for the loyalty card issued by a retail store is picked from a form filled by the customer. The data from the form is entered into software by data entry operators who report to a manager. In order to protect customer data, segregation of duties are built in the software in such a way that the operators have permission only to enter data. Any editing or modification can be done only by the manager. It so happens that the manager quits his employment and the store elevates the position of one of the operators to that of a manager. Who do you think is responsible for removing the permission of the exiting manager and changing that of the new manager? A. Information Owner B. New Manager C. System Administrator D. Information Owner Key: A A is correct - System Administrator is the one with administrative / root level privileges of the Operating systems like Windows, Unix etc. This means that they can add and remove permissions and set security configurations. A system administrator is responsible for: Module 4 Protection of Information Assets 248 B, C and D are incorrect – for reasons mentioned above 712. The retail store (mentioned in question 3) has branches in locations across India and the same process for collecting customer data for loyalty programs is followed in all the branches. This data is then consolidated into one database and is accessible across all branches. The persons who are assigned responsibilities with respect to this database are as follows:  Management as Information Owners  General Manager – Marketing: As custodian for the data  General Manager – Operations: as owner of the process  System Administrator  Branch Manager  Data Entry Operator Who, do you think, is responsible for processing the information that is received from the branches, checking it and circulating it? A. Management B. General Manager, Marketing C. General Manager, Operations D. Branch Manager Key: C C is correct - The system owner is responsible for one or more systems, each of which may process and store data owned by different information owners. Here a system refers to group of assets required for hosting one or more applications that support a business function. A is incorrect –The management as information custodian is assigned the task of implementing the prescribed protection defined by the security procedure and top level/Senior management decisions. B is incorrect –The General Manager, Marketing as Information Owner (also called Data Owners) is responsible for a company information asset. D is incorrect – Branch manager as the user manager is the immediate manager or reporting manager of an employee. 713. In the same case as mentioned in Questions 3 and 4, who, do you think is responsible for ensuring that the customer data is secure and running regular back ups? A. General Manager, Marketing B. General Manager, Operations C. Data Entry Operator D. System Administrator Key: A Module 4 Protection of Information Assets 249 A is correct –General Manager, Marketing, as Information custodian is assigned the task of implementing the prescribed protection defined by the security procedure and top level/Senior management decisions. He is usually an information technology or operations person, and is the system administrator for the Information Owner. Among other activities, information custodian also performs following activities: are approved by owners B, C and D are incorrect – for reasons stated above 714. You are an Information Systems Security Awareness Training Manager employed in a Multinational Bank. You have been part of a team that has created a security training program including classroom, online and web based trainings which is mandatory for all employees and third parties who have access to the bank’s sensitive information. How would you ensure that employees and third parties are continually updated on latest issues? A. By introducing them to the bank’s expectations with respect to Information Security B. By making Security Awareness training mandatory for the management C. By getting a written acknowledgement from employees that they have read and understood the policy D. By giving security awareness training to employees and third parties at least once a year Key: D D is correct - Training at Least Annually: Ensure that all employees and third parties (having access to company information and information systems) are given security awareness training at least once per year. This keeps all updated about the latest developments and issues in this area. A, B, and C are incorrect – These are the important considerations for a Security training program to ensure that all employees and third parties have attended the training and understood the policies. 715. A bank has outsourced certain processes related to its personal loans unit to a third party vendor. As an IS auditor of the bank, what would you look for to assure yourself that non- public business information accessed by the third party vendor is protected and not misused? A. A non -disclosure agreement signed by the vendor B. Check if all employees of the vendor are given enough training C. Verify if there are instances of data being misused earlier D. Check for a written acknowledgement from the vendor that they have read and understood the company’s policy Key: A Module 4 Protection of Information Assets 250 A is correct - A non-disclosure agreement (NDA), also known as a confidentiality agreement (CA), is a legal contract between at least two parties that outlines confidential material, knowledge, or information that the parties wish to share with one another for certain purposes, but wish to restrict access to or by third parties. It's a contract through which the parties agree not to disclose information covered by the agreement. An NDA creates a confidential relationship between the parties to protect any type of confidential and proprietary information or trade secrets. As such, an NDA protects non-public business information. B, C and D are incorrect – for reasons as mentioned above 716. Organisations have to identify the information that needs various levels of protection and put them in the appropriate ‘bucket’. Why can’t the entire information within an organisation be protected uniformly? A. There is a great dependence on information by organizations B. It provides a systematic approach to protecting information consistently C. Maintaining security in a network environment is complex D. It will be a massive task to protect all information uniformly Key: B B is correct - Information classification can provide organizations with a systematic approach to protecting information consistently across all parts of organization and for all versions of information (original, copies, discarded, outdated etc.) A, C and D are incorrect – though these are also reasons for classification, the primary reason is that the appropriate bucket can be protected as per the nature of information it contains 717. How must an organisation ensure that its information is adequately protected, i.e., neither over protected nor under protected. A. By training its employees who are using the information B. By ensuring that its information is not shared in any network C. By classifying its information and placing it in the appropriate bucket D. By not sharing information with third parties Key: C C is correct - Information classification can help in determining the risk associated in case of loss and thus prevent ‘over-protecting’ and/or ‘under-protecting’, ensuring that information is adequately protected (e.g. against unauthorized disclosure, theft and information leakage) A B and D are incorrect – An organization may want to: 1. Publish 2. Share with select entities and business partners 3. Made available to internal users and stakeholders 4.Should not be known for more than select few. A uniform protection may introduce unnecessary delay and sometimes create challenges for operations. The solution organization adopt is known identify the information that needs various levels of protection and put them in appropriate “bucket”. Now the bucket can be protected as per nature of information it contains. 718. Information classification ensures that security controls are only applied to information that requires such protection. What is the benefit of such an exercise? Module 4 Protection of Information Assets 251 A. Reduces operational costs of protecting information B. Helps the management access sensitive information C. Ensures that such information is not shared with third parties D. Ensures that such information is not accessible to employees Key: A A is correct - Information classification helps to ensure that security controls are only applied to information that requires such protection. This can help reduce the demand on resources and staff and ultimately reduce the cost of protecting information. B, C and D are incorrect – Classification of information labels information in such a way that it is shared only with the appropriate person 719. How does an organisation ensure that appropriate users gain access to appropriate files? A. By classifying users to groups B. By classifying and labeling information C. By not sharing information in the general network D. By having a supervisor for groups who controls access Key: B B is correct - Information classification can help enforce access control policies by using the classification label to determine if an individual can gain access to a piece of information (e.g. information labeled as Secret can only be accessed by individuals that have been granted a security clearance of Secret) A, C and D are incorrect – these options cannot effectively ensure that the appropriate information is used by the appropriate user. 720. What are the factors to be considered for determining the level of confidentiality of information? A. Relevancy to a business transaction B. Meeting particular compliance requirements C. Changes to the content and external conditions of information D. Appropriate User groups Key: C C is correct - Factors that should be considered when determining the level of confidentiality of information are: • Changes to the content of information • Changes to external conditions over time • Aggregation of individual pieces of information. Module 4 Protection of Information Assets 252 A, Band D are incorrect – these are the advantages of classifying information 721. An Information classification policy determines the accountability of Information Owners, custodians and users. Who is responsible for assigning classifications to information assets? A. System Owner B. Information Owner C. System administrator D. Process Owner Key: B B is correct - Information Owner (also called Data Owners) is responsible for a company information asset. The responsibilities are generally assigned to person/position that owns business process. Primary responsibilities are: meets the business requirements. implemented in accordance with the information classification. A, C and D are incorrect – These are some of the key roles in Information Security Management – system owner is responsible for the systems – which hold the information, a system administrator can set security configurations and a process owner for the implementation and management of a process. 722. Under what information category does widely distributed product brochures fall? A. Sensitive Information B. Client Confidential Information C. Unclassified/Public Information D. Company Confidential Information Key: C C is correct - Information is not confidential and can be made public without any implications for Company. A is incorrect –Does not require special precautions to ensure the integrity and confidentiality of the data by protecting it from unauthorized modification or deletion. It does not require higher than normal assurance of accuracy and completeness. B is incorrect – Is not Information received from clients in any form for processing in production by Company. D is incorrect – Is not information collected and used by Company in the conduct of its business to employ people, to log and fulfill client orders, and to manage all aspects of corporate finance. 723. Under what category does Company developed software codes fall? A. Sensitive Information Module 4 Protection of Information Assets 253 B. Client Confidential Information C. Company Confidential Information D. Unclassified/Public Information Key: A A is correct - It requires special precautions to ensure the integrity and confidentiality of the data by protecting it from unauthorized modification or deletion. It also requires higher than normal assurance of accuracy and completeness. B is incorrect – Is not Information received from clients in any form for processing in production by Company. C is incorrect – Is not information collected and used by Company in the conduct of its business to employ people, to log and fulfill client orders, and to manage all aspects of corporate finance. D is incorrect – Information is confidential and cannot be made public without any implications for Company. 724. Under what category does information received from clients fall? A. Client Confidential Information B. Company Confidential information C. Unclassified/Public Information D. Sensitive Information Key: A A is correct - Information received from clients in any form for processing in production by Company. The original copy of such information must not be changed in any way without written permission from the client. The highest possible levels of integrity, confidentiality, and restricted availability are vital. B is incorrect – Is not information collected and used by Company in the conduct of its business to employ people, to log and fulfill client orders, and to manage all aspects of corporate finance. C is incorrect – Information is confidential and cannot be made public without any implications for Company. D is incorrect – It does not requires special precautions to ensure the integrity and confidentiality of the data by protecting it from unauthorized modification or deletion. Does not require higher than normal assurance of accuracy and completeness. 725. What is Personally Identifiable Information (PII)? A. Personal Information of any person who needs to provide this to the organisation B. Information held by an organisation which can identify a stakeholder C. Personal Information pertaining to the employees of an organisation D. Personal Information pertaining to the third parties associated with the organisation Key: A A is correct - PI generally refers to personal information. This personal information can be related to any person or stake holders who need to provide this information to organization. For example Banks Module 4 Protection of Information Assets 254 may have to collect identification proofs, PAN card details, address, telephone numbers from the customers, and generates information like credit cards details, bank account numbers for customers. B, C and D are incorrect – These do not classify under personally identifiable information. 726. What is the standard that must be complied with by all those deals with credit/debit cards? A. PCIDSS B. Electronic Communications Privacy Act C. Information Technology Acct 2000 D. Regulations mandated by Reserve Bank Key: A A is correct - Pay-card industry data security standard: De-facto standard for card related information. Must be complied by all those deals with credit or debit cards which include banks, merchants, intermediately. Although there may not be regulatory or legal requirements as of now for compliance with PCIDSS, it has been accepted by industry. B is incorrect – Electronics Communications Privacy Act extends government restrictions on wire taps to include transmissions of electronic data. C is incorrect - Information technology Act 2000, (Amendment 2008): Provides that any organization is collecting PII shall be liable in case absence of reasonable security of such information results in identify theft. D is incorrect – These regulations have mandated processes for collecting, storing, securing data and information including PII. 727. What is the Act which mandates how financial institutions must deal with the private information of individuals? A. Information technology Act 2000 B. Video Privacy Protection Act C. Gramm-Leach-Bliley Act D. Electronic Communications Privacy Act Key: C C is correct - Gramm-Leach-Bliley Act: Mandates how financial institutions must deal with the private information of individuals. B is incorrect - Video Privacy Protection Act: Prevents wrongful disclosure of an individual's personally identifiable information stemming from their rental or purchase of audio-visual material. A is incorrect - Information technology Act 2000, (Amendment 2008): Provides that any organization is collecting PII shall be liable in case absence of reasonable security of such information results in identify theft. D is incorrect –Electronic Communications Privacy Act (ECPA): Extends government restrictions on wire taps to include transmissions of electronic data. 728. Which of the following does not classify under Personally identifiable Information? Module 4 Protection of Information Assets 255 A. Company advertisement information B. Medical information of patients C. Location information of clients D. Information collected by websites Key: A A is correct - This is public/unclassified information which is not sensitive and does not require any security B, C and D are incorrect – these are PII’s 729. How is information classification applied for information contained in a critical database? A. at the file or data level B. to the entire database C. to each individual document D. at column level at the discretion of the information owner Key: D D is correct - For critical databases, classification may apply to column level, at the discretion of the information owner A is incorrect - For server-based systems, classification will be done at the file or data level; B is incorrect - For information in a database, the classification will normally apply to the entire database; C is incorrect – For paper documents, including output from systems, classification will apply to each individual document 730. How can critical data be protected during transmission, processing and storing? A. By keeping the information physically secured B. By encrypting C. By controlling access D. By taking a backup Key: B B is correct - By encrypting critical information, we ensure that such information is accessible only to the appropriate person A, C and D are incorrect – these do not apply to information that is being transmitted, stored and processed. 731. What are the solutions referred to under DLP (Data Leak Prevention)? A. Protecting data based on the rule set and classification B. Expecting creator of data file to choose who shall access data C. Authenticating users out of the organisation Module 4 Protection of Information Assets 256 D. Working at data base level and managing the access rights Key: A A is correct - The solutions generally referred under popular acronym DLP (Data leak prevention/ Data loss prevention/ Data leak protection) provide few capabilities to be implemented independently e.g. there are solutions that focuses on protecting data passing through networks based on the rule-set and classification. B and C are incorrect – solutions referred by acronym DRM (Digital rights Management) that can be applied to data files. The solutions expects creator of data file to decide who shall access the data and need to add in central user list. Sometimes this becomes impractical when such files are meant for users out of organization and they need to be authenticated by DRM server. D is incorrect - DAM (Digital access management) that works at data base level and manages the access rights while providing data to applications, based on rules and classification. 732. What is the pre requisite for successful implementation of data protection tools like DLP, DRM and DAM? A. Identifying information resources B. Creating an information risk profile C. Creating appropriate rule set and classification based on impact of risks D. Establishing a process for data classification Key: C C is correct - A prerequisite for successful implementation of these tools is appropriate rule set and data classification based on impact of risks associated with data leak. A, B and D are incorrect – These are steps that have to be followed to create appropriate rule set and classification 733. Which of the following is a risk associated with Portable Devices? A. Users can access Company’s internal information from anywhere B. It is prone to physical security problems because of availability within the workplace C. Unauthorised users may access hard copy of electronic data D. Its overall security is dependent on the physical security of the work stations Key: A A is correct - Portable devices: Can be an organization’s security nightmare. Although issuing laptops and PDAs to employees facilitates flexibility and productivity in an organization, it poses several serious risks with regard to physical security. Besides, more and more organizations are adopting Bring Your Own Device (BYOD) policy which further makes the portable device and the corporate network vulnerable. With users accessing the company’s internal information systems from anywhere, a breach in physical security on one of these devices could undermine an organization’s information security. Extreme care must be taken with this class. B is incorrect - Workstations: Usually located in more open or accessible areas of a facility. Because of their availability within the workplace, workstations can be prone to physical security problems if used carelessly. Module 4 Protection of Information Assets 257 C is incorrect - Printers: Although the data is stored on electronic for the purpose. The reports, letters, communications etc. have to be printed. Organizations deploy printers. In order to optimize use of printer most organization deploy network based printers shared among group of users. D is incorrect – Servers: Servers are the most physically secure class of systems. This is due to the common practice of placing them in a location that has better access and environmental control. Although this class may be the most physically secure, their overall security is dependent on the physical security of the workstations and portable devices that access them. 734. What are network devices? A. Device in which all data in a network is placed B. Devices deployed for establishing communication C. Devices installed by telecom companies to facilitate mobile communication D. Devices that facilitate accessing data from anywhere Key: B B is correct - Network devices: devices deployed for establishing communication which includes routers, switches, firewalls, cables, wireless devices and other network monitoring tools. A is incorrect – Devices in which all the data in a network is placed is a server C is incorrect – Devices installed by telecom companies to facilitate mobile communication are towers D is incorrect – Devices that facilitate accessing data from anywhere are portable devices 735. In order to ensure the privacy of personal information of an individual, a company has to: A. Write policies and procedures B. Define roles and responsibilities C. Implement an effective privacy program D. Define incident response plans Key: C C is correct - It is important that the organization implements an effective privacy program in order to ensure the privacy of the personal information of an individual A, Band D are incorrect – These are the steps to be taken to implement a successful privacy program 736. An auditor need not involve in one of the following while evaluating an organisation’s privacy framework. Which is it? A. Liaise with in-house legal counsel to understand legal implications B. Design Incident response plans C. Liaise with information technology specialists to understand security implications D. Understand internal policies and guidelines Key: B B is correct - This is done by the organisations governing body A, C and D are incorrect – These are the roles of an internal auditor Module 4 Protection of Information Assets 258 737. An insurance company is in the process of classifying its information according to its sensitivity. If you formed a part of the team responsible for this classification, how would you classify personal information pertaining to insurance holders as? A. Unclassified/Public Information B. Sensitive Information C. Client Confidential data D. Company Confidential data Key: C C is correct - Information received from clients in any form for processing in production by Company. The original copy of such information must not be changed in any way without written permission from the client. The highest possible levels of integrity, confidentiality, and restricted availability are vital. A, B and D are incorrect – Sensitive Information recd from clients cannot be placed under these categories. 738. You head a data processing center which handles an outsourced activity of employee medical reimbursements of a multinational. You have employed professionals who have developed the required software for the activity and who maintain the same. Under which of the following would you classify the software codes? A. Client Confidential Data B. Company Confidential Data C. Sensitive Information D. Unclassified data Key: C C is correct - All company developed software codes whether used internally or sold to clients and know how used to process client information should be classified as Sensitive Information A, B and D are incorrect – for reason mentioned above 739. The personal loans department of a bank maintains a database of personal information of its customers who have availed loans. This database is used for various purposes by the bank. As an IS auditor you find that there are security breaches related to this information. Under what Act would the company be liable? A. PCIDSS B. Information Technology Act 2000 C. Gramm Leach Bliley Act D. Video Privacy Protection Act Key: B Module 4 Protection of Information Assets 259 B is correct - Information technology Act 2000, (Amendment 2008): Provides that any organization is collecting PII shall be liable in case absence of reasonable security of such information results in identify theft. A is incorrect – PCIDSS: Pay-card industry data security standard: De-facto standard for card related information. Must be complied by all those deals with credit or debit cards which include banks, merchants, intermediately. Although there may not be regulatory or legal requirements as of now for compliance with PCIDSS, it has been accepted by industry. C is incorrect – Gramm-Leach-Bliley Act: Mandates how financial institutions must deal with the private information of individuals. D is incorrect - Video Privacy Protection Act: Prevents wrongful disclosure of an individual's personally identifiable information stemming from their rental or purchase of audio-visual material. 740. As an employee of the HR department of a multinational company, you are required to send through email, sensitive data pertaining to the employees of your organisation to a data centre for processing. Though there is approval from the management that the data centre can have access to this data, there is a precautionary measure that you should take while transmitting this data. Which of the following is it? A. Encrypting the data before sending B. Taking a back up before sending C. Sending information only on a need to know basis D. Setting strong access controls at the vendors site Key: A A is correct - Encryption of information during transmission ensures that it is not misused by any third party B, C and D are incorrect – though these are important security considerations, they are not mandatory for this case 741. Which of the following is not a part of Physical Access Control? A. Preventing unauthorised physical access to resources B. Protection of information in stored, transit and processing stages C. Control entry during and after normal business hours D. Identification checks Key: B B is correct - This is a part of Logical Access Control A, C and D are incorrect – Physical access controls encompass securing physical access to computing equipment as well as facilities housing the IS computing equipment and supplies. The choice of safeguard should be such that they prevent unauthorized physical access but at the same time cause the least inconvenience to authorized users. All the three options form a part of Physical Access Control. Module 4 Protection of Information Assets 260 742. Which of the following is an information asset that need not be included in physical access control? A. Information in transit through mail B. Primary computer facilities C. Micro computers D. Printers Key: A A is correct - Information in transit through mail cannot be restricted physically. B, C and D are incorrect – These are assets that should be included under Physical Access Control 743. Which of the following is not a physical access control? A. Manual doors or cipher key locks B. Protecting data with passwords C. Controlling the reception area D. Logging in visitors Key: B B is correct - Protecting data with passwords is part of logical access control A, C and D are incorrect – Physical access controls may include – manual door or cipher key locks, photo Ids and security guards, entry logs, perimeter intrusion locks etc. Physical controls should also include: Pre-planned appointments, Identification checks, controlling the reception area, Logging in visitors, Escorting visitors while in sensitive areas etc. 744. Threats to Information Assets like computing equipment, media and people are known as: A. Cyber threats B. Environmental Threats C. Physical Threats D. Logical Access Threats Key: C C is correct - Physical threats to information system assets comprises of threats to computing equipment, facilities which house the equipment, media and people. A is incorrect - Cyber threats are threats due to exposure of information in the world wide web B is incorrect – Environment threats are undesired or unintentional or intentional alteration in the environment in which computing resources function can result in threats to availability of information systems and integrity of information. D is incorrect – Logical access threat arising where unauthorized persons tried to get information useful for breaking into organization system. Module 4 Protection of Information Assets 261 745. “Preventing modification of data by unauthorised personnel” falls under which core principle of Information Safety? A. Integrity B. Confidentiality C. Availability D. Security Key: A A is correct - Confidentiality, Integrity and Availability (CIA Triad) are the core principles of information safety. Integrity: Prevent modification of data by unauthorized personnel. B and C are incorrect – Confidentiality: Preventing disclosure of information to unauthorized individuals or systems, Availability: Information must be available when it is needed. D is incorrect – This Is not a part of the CIA Triad 746. Under what category of Physical Security threat does poor handling and cabling of electronic equipments fall? A. Electrical B. Environmental C. Maintenance D. Hardware Key: C C is correct - Maintenance: These threats are due to poor handling of electronic components, which cause ESD (electrostatic discharge), the lack of spare parts, poor cabling, poor device labelling, etc. A is incorrect - Electrical vulnerabilities are seen in things such as spikes in voltage to different devices and hardware systems, or brownouts due to an insufficient voltage supply. Electrical threats also come from the noise of unconditioned power and, in some extreme circumstances like total power loss. B is incorrect – interference of natural disasters such as fires, hurricanes, tornados, and flooding, fall under the realm of environmental threat. D is incorrect - It has the threat of physical damage to corporate hardware or its theft. 747. Which of the following is not a source of Physical Security threat? A. Uncontrolled/Unconditioned Power, Low voltage B. Physical Access to IS resources by unauthorised personnel C. Discontented or disgruntled employees D. Interested or Informed outsiders Key: A A is correct - This is not a source of physical security threat, it is a source of environmental threat B, C and D are incorrect – These are sources of physical security threats 748. In an organisation there are instances of employees using the internet for personal purposes. Under what threat is this classified? Module 4 Protection of Information Assets 262 A. Logical access threat B. Environment threat C. Improper physical access threat D. Electrical threat Key: C C is correct - Threats from improper physical access usually are human-induced. Some examples are: access to computer terminal of purchases department, thereby viewing list of authorized suppliers and rates being displayed on the screen during data entry. room. purposes. embarrassing information. A, B and D are incorrect – This is neither a logical access, environmental or electrical threat 749. Viewing or copying of sensitive information by visitors who have gained unauthorised access to the same is: A. An Improper Physical Access Exposure B. An Unintentional or Accidental Exposure C. A Deliberate Exposure D. An Environmental Exposure Key: A A is correct - Improper physical access to IS resources may result in losses to organization which can result in compromising one or any of the following: Confidentiality of organizational information or knowledge of protected organizational resources. Example: unauthorized access to systems containing sensitive information may be viewed or copied by visitors accidentally gaining access to such systems. Integrity of information by improper manipulation of information or data contained on systems or media. Example: Unauthorized access to record rooms or databases may result in modification or deletion of file content. Availability of information. Improper access to IS resources may be used to adversely impact availability of IS resources’ ultimately preventing or delaying access to organizational information and business applications. Example: A disgruntled bank employee may switch of power to information servers thus sabotaging operations. B is incorrect - Authorized personnel or unauthorized personnel unintentionally gaining physical access to IS resources result in accidentally or inadvertently causing loss or damage to the organization. Module 4 Protection of Information Assets 263 C is incorrect - Unauthorized personnel may deliberately gain access or authorized personnel may deliberately gain access to IS resources, for which they are not permitted or possess rights of access. This may result in the perpetrator achieving his objective of causing loss or damage to the organization or gain personal monetary benefits or otherwise. D is incorrect – Environmental exposure are not human induced and caused by nature 750. If windows exist in a data centre, they must be translucent and shatterproof. Why? A. To avoid data leakage through electromagnetic radiation B. To prevent anyone from peeping and viewing data C. To avoid environmental threats to physical systems D. To avoid theft of physical assets Key: A A is correct - Windows are normally not acceptable in a data centre to avoid data leakage through electromagnetic radiation emitted by monitors. If they do exist, however, they must be translucent (semi-transparent, i.e. allowing light without being able to view things clearly) and shatterproof or monitors should not be facing them. B, C and D are incorrect – There is a negligible chance of these threats due to the presence of windows 751. Why audit trials and control are logs important for Security Management? A. To know where access attempts occurred and who attempted them B. To reduce unauthorised access to sensitive information C. To prevent modification or deletion of file content D. To prevent unintentional physical access Key: A A is correct - With respect to physical security, audit trails and access control logs are vital because management needs to know where access attempts occurred and who attempted them. The audit trails or access logs must record the following: o The date-and time of the access attempt o Whether the attempt was successful or not o Where the access was granted (which door, for example) o Who attempted the access o Who modified the access privileges at the supervisor level B, C and D are incorrect – These have no relevance to maintenance of audit logs 752. What is the first step once an unauthorised event is detected? A. Process owner should investigate and take action B. The incident should be reported to the appropriate authority C. Security administrator should effect modifications to the security policy D. Should be effectively handled to mitigate losses Module 4 Protection of Information Assets 264 Key: B B is correct - Once an unauthorised incident is detected, the first step is to report the same. Appropriate procedures should be in place to enable reporting of such incidents A, C and D are incorrect – These are subsequent steps 753. Which of the following is not a Human Resource Control? A. Providing identity cards B. Providing training in Physical Security C. Locking system screens when not in seat D. Monitoring behavior Key: C C is correct - Locking screens forms part of logical access control A, B and D are incorrect – These are examples of human resources control 754. The most important human resource control is: A. Providing access cards to employees B. Assigning responsibilities to employees C. Provide training to employees D. Escort terminated or resigned/retired employees Key: A A is correct - One of most important control is process of providing access cards to employees, vendor personnel working onsite and visitors. The process should aim in preventing generation of false cards, modifying contents of cards, accounting for lost cards and reconciliation of cards to detect missing/lost cards. In addition a process to grant, change and revoke access must be in place. B, C and D are incorrect – These controls are other human resource controls 755. Which of the following is a perimeter security? A. Screen savers B. Passwords C. Access cards D. Guards Key: D D is correct - Guards are commonly deployed in perimeter control, depending on cost and sensitivity of resource to be secured. While guards are capable of applying subjective intelligence, they are also subject to the risks of social engineering. They are useful whenever immediate, discriminating judgment is required. A is incorrect – Screen savers are used to lock screens when not in use B is incorrect – Passwords are used to prevent unauthorised access to sensitive data Module 4 Protection of Information Assets 265 C is incorrect – Access cards are used as a physical security measure 756. Which of the following is not a perimeter security? A. Compound walls and Fencing B. Lighting exteriors C. Encrypting data in transit D. Bolting door locks Key: C C is correct - Encrypting data in transit is a logical access security A,B and D are incorrect – thee are examples of perimeter security 757. What perimeter security is used to reduce the risk of piggy backing? A. Dead man doors B. Bolting door locks C. Combination or Cipher locks D. Compound walls Key: A A is correct - Also called as Mantrap systems. These are typically used to secure entrance to sensitive computing facilities or storage areas. This technique involves a pair of doors and the space between the doors is enough to accommodate just one person. Such doors reduce the risk of piggybacking, in which an unauthorized person could enter the secured facility by closely following an authorized person which may or may not be monitored by a guard. B is incorrect - This is the most commonly used means to secure against unauthorized access to rooms, cabins, closets. These use metal locks and keys and access can be gained by any person having physical possession of the key. This is cheap yet a reasonably effective technique, however control over physical custody and inventory of keys is required. C is incorrect - To gain entry, a person presses a four digit number in a particular pre-determined sequence which disengages the levers for a pre-set interval of time. D is incorrect – A common method of securing against unauthorized boundary access to the facility. It helps in deterring casual intruders but is ineffective against a determined intruder. 758. The advantages of Electronic door locks do not include: A. Distinguishing between various categories of users B. Most secure locks since they enable access based on individual features such as finger prints C. Restricting individual access through the special internal code D. Deactivation of card entry from a central electronic control mechanism Key: B B is correct - The feature pertains to Biometric door locks A, C and D are incorrect – These are the advantages of Electronic Door locks Module 4 Protection of Information Assets 266 759. Which of the following is a disadvantage of a Biometric Door lock? A. Easy duplication B. Is not as sophisticated as electronic door locks C. High cost of acquisition, implementation and maintenance D. They are not very secure Key: C C is correct - While these devices are considered highly secure, they suffer from the following disadvantages: secure sensitive installations. a and fingerprint scanners. a false acceptance. A, B and D are incorrect – Biometric locks are sophisticated and highly secure. Duplication of biometrics is not possible. 760. A device which creates a grid of visible white light or invisible infra red light, which when broken activates an alarm is: A. Photo electric sensors B. Dry contact switches C. Video cameras D. Identification badges Key: A A is correct - Photoelectric sensors receive a beam of light from a light-emitting device, creating a grid of either visible white light, or invisible infrared light, which when broken activates an alarm. B is incorrect - Dry contact switches and tape are probably the most common types of perimeter detection. This can consist of metallic foil tape on windows or metal contact switches on doorframes to detect when a door or window has been opened. C is incorrect – Cameras provide preventive and detective control. Closed-Circuit Television (CCTV) cameras have to be supplemented by security monitoring and guards for taking corrective action. D is incorrect - Special identification badges such as employee cards, privileged access pass, visitor passes etc. enable tracking movement of personnel. These can also be cards with signature and/or photo identity. 761. The process requiring all visitors to sign a visitors log at the time of entry/exit is known as A. Electronic logging B. Manual logging C. Controlled visitor access D. Controlled single point access Module 4 Protection of Information Assets 267 Key: B B is correct - Manual Logging: All visitors to the premises are prompted to sign a visitor’s log recording the date and time of entry/exit, name of entrant, organization, purpose etc. The visitor may also be required to authenticate his identity by means of a business card, photo identification card, driver’s license etc. A is incorrect - Electronic Logging: Electronic card users may be used to record the date and time of entry/exit of the card holder by requiring the person to swipe the card both time of entry and exit. This is a faster and more reliable method for restricting access to employees and pre-authorized personnel only. These devices may use electronic/biometric security mechanisms. C is incorrect - Controlled single point access: Physical access to the facility is granted though a single guarded entry point. Multiple entry points may dilute administration of effective security. D is incorrect – Controlled Visitor access: A pre-designated responsible employee or security staff escorts all visitors such as maintenance personnel, contract workers, vendors, consultants for a specified time period 762. A card reader that senses the card in possession of a user in the general area and enables faster access is: A. Wireless proximity readers B. Motion detectors C. Cable locks D. Identification Badges Key: A A is correct - A proximity reader does not require physical contact between the access card and the reader. The card reader senses the card in possession of a user in the general area (proximity) and enables faster access. B is incorrect - Alarm Systems/Motion detectors. Alarm systems provide detective controls and highlight security breaches to prohibited areas, access to areas beyond restricted hours, violation of direction of movement e.g. where entry only/exit only doors are used. Motion detectors are used to sense unusual movement within a predefined interior security area and thus detect physical breaches of perimeter security, and may sound an alarm. C is incorrect - A cable lock consists of a plastic-covered steel cable that chains a PC, laptop or peripherals to the desk or other immovable objects. D is incorrect – Special identification badges such as employee cards, privileged access pass, visitor passes etc. enable tracking movement of personnel. 763. Lockable switches that prevent a key board from being used is: A. Switch controls B. Biometric Mouse C. Laptop security D. Peripheral switch controls Key: D Module 4 Protection of Information Assets 268 D is correct - Peripheral switch controls: These types of controls are lockable switches that prevent a keyboard from being used. A is incorrect - A switch control is a cover for the on/off switch, which prevents a user from switching of the file server’s power. B is incorrect - Biometric Mouse: The input to the system uses a specially designed mouse, which is usable only by pre-determined/pre-registered person based on the fingerprint of the user. C is incorrect – Cable locks, biometric mice/fingerprint/iris recognition and encryption of the file system are some of the means available to protect laptops and their data. 764. A smart card used for access control is also called a security access card. Which of the following is not a type of smart card? A. Identification cards B. Photo Image Cards C. Digital coded cards D. Wireless proximity readers Key: A A is correct - Special identification badges such as employee cards, privileged access pass, visitor passes etc. enable tracking movement of personnel. B is incorrect - Photo-image cards are simple identification cards with the photo of the bearer for identification. C is incorrect - Digitally encoded cards contain chips or magnetically encoded strips (possibly in addition to a photo of the bearer). D is incorrect – A proximity reader does not require the user to physically insert the access card. 765. Which of the following is not a biometric characteristic? A. Finger prints B. Retina scans C. Passport photo D. Palm scans Key: C C is correct - Passport photo does not have a biometric characteristic A, B and D are incorrect – All these are typical biometric characteristics used to uniquely identify or authenticate an individual 766. Name the performance measure in biometrics which is the percentage of invalid subjects that are falsely accepted. A. False Rejection Rate (FRR) B. False Acceptance Rate (FAR) C. Crossover Error Rate (CER) D. Throughput rate Key: B Module 4 Protection of Information Assets 269 B is correct - False acceptance rate (FAR), or Type II error: The percentage of invalid subjects that are falsely accepted. FAR is more critical than FRR. A is incorrect - False rejection rate (FRR), or Type I error: The percentage of valid subjects that are falsely rejected C is incorrect - Crossover error rate (CER): The percent at which the FRR equals the FAR. In most cases, the sensitivity of the biometric detection system can be increased or decreased. If the system’s sensitivity is increased, such as in an airport metal detector, the system becomes increasingly selective and has a higher FRR. Conversely, if the sensitivity is decreased, the FAR will increase. D is incorrect – There is no such measure as throughput rate in biometrics 767. With respect to biometrics evaluation, how is the time taken to register with a system referred as? A. Enrolment time B. Throughput rate C. Acceptability D. Registration time Key: A A is correct - Enrolment time is the time it takes to initially register with a system by providing samples of the biometric characteristic to be evaluated. B is incorrect - The throughput rate is the rate at which individuals, once enrolled, can be processed and identified or authenticated by a system. C is incorrect - Acceptability refers to considerations of privacy, invasiveness, and psychological and physical comfort when using the system. D is incorrect – there is no such evaluation as registration time with respect to biometrics 768. With respect to audit of physical access controls, what does controls assessment mean? A. Ensuring that the risk assessment procedure adequately covers periodic and timely assessment of all assets B. Evaluating whether physical access controls are in place C. Examining relevant documentation such as the security policy and procedures, premises plans, building plans, etc D. Reviewing physical access controls for their effectiveness. Key: B B is correct - Controls Assessment: The auditor based on the risk profile evaluates whether physical access controls are in place and adequate to protect the IS assets against the risks. A is incorrect – This procedure is risk assessment C is incorrect – This procedure is review of documentation D is incorrect – This procedure is testing of controls 769. The review of physical access controls by an auditor need not include: A. Observing safeguards and Physical access procedures Module 4 Protection of Information Assets 270 B. Interviewing personnel to get information of procedures C. Authorising special access D. Touring organisational facilities Key: C C is correct - This is the role of the manager/management, not of an auditor A,B and D are incorrect – These are the roles of an auditor 770. What should an auditor check for in case of employee termination? A. The employees tenure and his conduct during the same B. Withdrawal and deactivation of access rights C. Whether appropriate rights have been granted to the replacement D. Whether there is any due from the employee to the organisation Key: B B is correct - Employee termination procedures should provide withdrawal of rights such as retrieval of physical devices such as smart cards, access tokens, deactivation of access rights and its appropriate communication to relevant constituents in the organization. A, C and D are incorrect – these are not the concerns of an auditor 771. What is the review procedure that should be adopted by an auditor to ensure that there is adequate security at entrance and exits? A. Review physical layout diagrams , risk analysis, procedure for removal and return of storage media, knowledge and awareness of emergency procedures by employees B. Inspect guard procedures and practices, and facility surveillance system apart from assessing vehicle and pedestrian traffic around high risk facility C. Review security policies and procedures at enterprise level and system level are aligned with business stated objectives D. Review employee and visitor entry logs, entry/exit procedures used by management, documentation of logs Key: D D is correct A is incorrect – these procedures are to review that physical safeguards are commensurate with the risks of physical damage or access B is incorrect – These procedures are to review the perimeter security C is incorrect – These procedures are to review whether security control policies and procedures are properly documented 772. From the perspective of environmental exposures and controls, how are computer rooms, server rooms and printer rooms categorised? A. Information System supporting infrastructure or facilities Module 4 Protection of Information Assets 271 B. Hardware and Media C. Documentation D. Supplies Key: A A is correct - Information Systems Supporting Infrastructure or Facilities: This typically includes the following: Printer Rooms, Remote facilities and Storage Areas B is incorrect - Hardware and Media: Includes Computing Equipment, Communication equipment, and Storage Media C is incorrect - Documentation: Physical and geographical documentation of computing facilities with emergency excavation plans and incident planning procedures. D is incorrect – Supplies: The third party maintenance procedures for say air-conditioning, fire safety, and civil contractors whose entry and assess with respect to their scope of work assigned are to be monitored and logged. 773. Which of the following is a natural environmental threat? A. War action and Bomb threats B. Air conditioning failure C. Earthquakes D. Undesired activities in computer facilities such as smoking Key: C C is correct - Earthquake is a natural environmental threat A, B and D are incorrect – These are man made environmental threats 774. Which of the following is a man-made environmental threat? A. Extreme variations in temperature B. Static Electricity C. Humidity, vapors, smoke and suspended particles D. Fire due to negligence and human action Key: D D is correct - This is a man- made threat A,B and C are incorrect – These are natural threats Module 4 Protection of Information Assets 272 775. Given below are some examples of exposures. Which of these do not pertain to violation of environmental controls? A. The possibility of a fire destroying valuable computer equipment due to use of inflammable material for construction of server cabin B. The possibility of Unauthorised access to sensitive data through hacking C. The possibility of a fire due to poor cabling D. The possibility of damage of keyboards and other devices due to accidental dropping of beverages Key: B B is correct - This is an example of exposure due to violation of physical access A, C and D are incorrect – these are examples of exposure due to violation of environmental controls 776. What is a sudden rise in in voltage in the power supply known as? A. Surge B. Blackout C. Sag/dip D. Transient Key: A A is correct - Surge is a sudden rise in voltage in the power supply. A strong power surge can easily harm unprotected computers and other microprocessor circuits. It also puts a stress on anything else powered by the electric supply, from air conditioning motors to light bulbs. B is incorrect – Blackout is a complete loss of commercial power C is incorrect – Sag or dip is a short period of low voltage D is incorrect – Transient is line noise or disturbance superimposed on the supply circuit and can cause fluctuations in electrical power. 777. Which of the following need not be considered while choosing a safe site? A. Probability of natural disasters B. Transportation C. Proximity to other like companies D. External services like police, fire, hospital etc Key: C C is correct - This is not a factor to be considered while choosing a safe site A, B, and D are incorrect – These are some of the factors to be considered while choosing a safe site 778. While designing a site, it is important that the location of media libraries is: A. Fungi Resistant and heat resistant B. Easily accessible C. Not easily accessible D. Outside the work area Module 4 Protection of Information Assets 273 Key: A A is correct - Media Protection: Location of media libraries, fire proof cabinets, kind of media used (fungi resistant, heat resistant). B, C and D are incorrect – These are not important considerations for storing media 779. The organisation should consider newer environmental threats like generator installation by a neighbor or sudden changes in climate as part of: A. Facilities planning B. Choosing a site C. Designing a site D. Documentation Key: A A is correct - The risk profile of the organization should take into consideration newer environmental threats. A few examples of threats to be considered are given below: environment. ation and flooring by a neighbor causing change in the flow of rainwater. B, C and D are incorrect – The aspect need not be considered at these levels 780. New employee induction programs should be conducted as part of: A. Documentation B. Facilities planning C. People Responsibility and training D. Emergency plan Key: C C is correct - Responsibility and accountability for environmental controls planning and management should be fixed and should be expressly communicated as part of job description. New employee induction programs should include informing and educating employees on environmental control procedures, prohibited activities (eating, smoking, drinking inside IPF), and maintaining secrecy and confidentiality. A, B and D are incorrect – Induction programs are not part f any of these. 781. An effective emergency plan of an organisation should include: A. Detailed analysis of third party and outsourced vendors/suppliers B. Evaluation of effectiveness and efficiency of environmental facilities Module 4 Protection of Information Assets 274 C. Preventive maintenance plans D. Control Action, Evacuation plan and paths Key: D D is correct - Disasters result in increased environmental threats e.g. smoke from a fire in the neighborhood or in some other facility of the organization would require appropriate control action, evacuation plan should be in place and evacuation paths should be prominently displayed at strategic places in the organization. A, B and C are incorrect – These are parts of Vendors/Suppliers security and Maintenance plans 782. How can an organisation reduce Mean Time to Repair/recover/respond/restore (MTTR)? A. By stocking spare parts on site B. By planning for environmental controls C. By identifying, parameterizing and documenting risks of utility failure D. By evaluating alternatives with low MTBF Key: A A is correct - Stocking spare parts on site and training maintenance personnel can reduce MTTR. B, C and D are incorrect – Failure modes of each utility, risks of utility failure, should be identified, parameterized and documented. This includes estimating the MTBF (Mean Time between Failures) and MTTR (Mean-Time to Repair/recover/respond/ restore). Planning for Environmental controls would need to evaluate alternatives with low MTBF or installing redundant units. 783. Listed below are some of the controls to ensure uninterrupted supply of clean power. Out of these which is the equipment which cleanses the incoming power supply of problems such as spikes, sags, etc.? A. Generators B. Electrical surge protectors/line conditioners C. Uninterruptible power supply (UPS) D. Power leads from two substations Key: B B is correct - Power supply from external sources such a grid and generators are subject to many quality problems such as spikes, surges, sag and brown outs, noise, etc. Surge protectors, spike busters and line conditioners are equipment which cleanses the incoming power supply of such quality problems and delivery clean power for the equipment. A, C and D are incorrect – UPS generally is a good solution in case of applications enabling their proper closure of processing and systems. In respect of continuous process equipment, UPS may fail to meet the purpose if regular power supply is not available for a prolonged period of time. Diesel or kerosene generators could also be used, but they require some time to be switched on and the power from generators has to be cleansed before delivery to computer systems. Module 4 Protection of Information Assets 275 D is incorrect - To protect against such exposures, redundant power lines from a different grid supply should be provided for. Interruption of one power supply should result in the system immediately switching over to the stand-by line. 784. How does a smoke/fire detector function? A. Activate audible alarms on sensing a particular degree of smoke or fire B. Activate audible alarms and are linked to monitoring stations within and outside the organisation C. Activate an audible alarm on detecting water D. Switches off power in case of emergency situations like fire etc. Key: A A is correct - Smoke and fire detectors activate audible alarms or fire suppression systems on sensing a particular degree of smoke or fire. Such detectors should be placed at appropriate places, above and below the false ceiling, in ventilation and cabling ducts. B is incorrect - By manual operation of switch or levers, these devices activate an audible alarm and may be linked to monitoring stations both within and/or outside the organization. C is incorrect - When necessity of immediate power shutdown arises during situations such as computer facility fire or emergency evacuation, emergency power-off switches should be provided. D is incorrect – Risks to IPF equipment from flooding and water logging can be controlled by use of water detectors placed under false flooring or near drain hole. Water detectors should be placed on all unattended or unmanned facilities. Water detectors on detecting water activate an audible alarm. 785. How are fires caused by flammable liquids and gases suppressed? A. Water or soda acid B. Dry powder C. Carbon dioxide, soda acid or FM200 D. Gas based systems Key: C C is correct - Fires caused by flammable liquids and gases are classed as Class B and are suppressed by Carbon Dioxide (CO), soda acid, or FM200. A is incorrect - Fires caused by common combustibles (like wood, cloth, paper, rubber, most plastics) are classed as Class A and are suppressed by water or soda acid (or sodium bicarbonate). B is incorrect - Electrical fires are classified as Class C fires and are suppressed by Carbon Dioxide (CO), or FM200. Fire caused by flammable chemicals and metals (such as magnesium and sodium) are classed as Class D and are suppressed by Dry Powder (a special smothering and coating agent). D is incorrect – This is a classification of suppression systems 786. Which of the following is a gas based fire suppression system? A. Wet pipe sprinklers B. FM 200 C. Dry pipe sprinklers Module 4 Protection of Information Assets 276 D. Pre action Key: B B is correct - FM200 is an inert gas, does not damage equipment as water systems do and does not leave any liquid or solid residues, however it is not safe for humans as it reduces the levels of oxygen. A, C & DF are incorrect – These are water based fire suppression systems 787. How does an auditor ensure that there are safeguards against the risks of heating, ventilation and air-conditioning systems? A. Review heating, ventilation and air-conditioning design B. Review any shielding strategies C. Verify critical systems and emergency power supplies D. Interview officials and review planning documents Key: A A is correct - The auditor has to review a heating, ventilation and air-conditioning design to verify proper functioning within an organization in order to ensure safeguards against risks of heating, ventilation and air-conditioning B is incorrect – This is done to check control of radio emissions effect on computer systems C is incorrect – This is done to establish adequate interior security based on risk D is incorrect – This is done to adequately protect against emerging threats 788. How does an auditor ensure that adequate environmental controls have been implemented? A. Interview security personnel to ensure their awareness and responsibilities B. Verify critical systems and emergency power supplies C. Interview staff, determine humidity, temperature and voltage are within acceptable levels D. Interview officials and review planning documents and review training records and documentation Key: C C is correct - To ensure adequate environmental controls have been implemented, an auditor has to: Interview managers and scrutinize that operations staff are aware of the locations of fire alarms, extinguishers, shut-off power switches, air -ventilation apparatus and other emergency devices. Determine that humidity, temperature and voltage are controlled within the accepted levels. Check cabling, plumbing, room ceiling smoke detectors, water detectors on the floor are installed and in proper working order. A is incorrect –This is done to ensure that Staff has been trained to react to emergencies B is incorrect – This is done to establish adequate interior security based on risk D is incorrect – This is done to adequately protect against emerging threats 789. Which of the following is not a component in the information systems infrastructure between the user and the Data Base? Module 4 Protection of Information Assets 277 A. Network operating systems B. Application software C. Physical documents D. Data Base Management System Key: C C is correct - Physical documents do not form a component in the information systems infrastructure between the user and the database A, B and D are incorrect – These are components in the information systems infrastructure which have to be subjected to appropriate means of security 790. What is the task of an auditor when evaluating the risks associated with hardware components? A. Consider vulnerabilities of different communication channels and devices like workstations, peripherals etc. B. Ensure that logical access to system software are controlled to detect changes in system configuration C. Evaluate the access security enforced by the DBMS D. Focus on the effectiveness of boundary controls and I/O controls Key: A A is correct - Hardware includes computer workstations, terminal devices, communication devices, peripherals etc., constituting the physical interface with the users. Here the auditor should consider vulnerabilities of different communication channels and devices specifically (e.g. modems, network interface cards) connected to computers. Software B, C and D are incorrect – These are the auditors tasks when auditing systems software, Database Management System and Application software respectively. 791. What are the tasks of an auditor while evaluating the vulnerabilities of a Data Base Management System (DBMS)? A. Evaluate access permissions configured in software B. Evaluating the access security enforced by the DBMS C. Ensure that logical access to system software are controlled to detect changes in system configuration D. Focus on the effectiveness of boundary controls and I/O controls Key: B B is correct - In environments involving voluminous data handling, a Database Management System (DBMS) manages the organisation of data in the databases. The auditor is required to evaluate the access security enforced by the DBMS, which could include schema definitions, access to data dictionary, directory services and scripts to restrict access implemented by the DBMS. Module 4 Protection of Information Assets 278 A, C and D are incorrect – These are the auditors tasks when auditing application software, systems software and access control software respectively 792. What is Masquerading? A. Disguising or Impersonation B. Using an unattended terminal C. Tapping a communication cable D. Flooding Memory buffers and communication ports Key: A A is correct - Masquerading means disguising or impersonation. The attacker pretends to be an authorized user of a system in order to gain access to or to gain greater privileges than they are authorized for. A masquerade may be attempted through the use of stolen logon IDs and passwords, through finding security gaps in programs, or through bypassing the authentication mechanism. B is incorrect - Unauthorized access to information by using a terminal that is already logged on with an authorized ID (identification) and left unattended is called Piggy backing C is incorrect - Tapping a communication cable to collect information being transmitted is called Wire trapping D is incorrect – In Denial of Service the perpetrator attempts to flood memory buffers and communication ports to prevent delivery of normal services. 793. What is Phishing? A. Requesting personal details over phone posing as an originator B. Sending a mail posing as an originator (ex. bank) requesting to provide information by clicking a link C. Installing software that captures user information like login id and password D. Specially design programs that captures and transmits information Key: B B is correct - Phishing: User receives a mail requesting to provide authentication information by clicking on link provided. The mail and link appears to be actual originator e.g. Bank. Unaware users click on link and provide confidential information. The most popular attacks on banking systems in the recent times, they target gullible victims, using a combination of social engineering, e-mail and fake websites to con the victim to click on a link embedded in an apparent authentic mail from a reputed bank. The link takes the victim (generally a customer of the bank) to a look-alike Bank website that gets the personal details of the victim including details such as PIN and internet banking password, which is then exploited by the hacker. A is incorrect – The above technique used over phone is called Impersonating C is incorrect – This technique is Key logging: Perpetrator installs software that captures the key sequence used by user including login information. Key logger can be sent thru mail or infected pen drive like virus or other malware. There are hardware key loggers available that are connected to system where key board is attached. D is incorrect – These programs are called Malware. 794. What are malicious codes that attaches to a host program and propogates when an infected program is executed? Module 4 Protection of Information Assets 279 A. Worms B. Trojan Horses C. Viruses D. Logic Bombs Key: C C is correct - Viruses are malicious code that attaches to a host program and propagates when an infected program is executed? The perpetrator’s objective is to multiply and spread the code. However they are dependent on another program or human action to replicate or to activate their payload. They are not capable of self-actuating. A is incorrect – Worms are malicious programs that attack a network by moving from device to device and create undesirable traffic. B is incorrect – These are malicious code which hides inside a host program that does something useful. Once these programs are executed, the hidden malicious code is released to attack the workstation, server, or network or to allow unauthorized access to those devices. D is incorrect – These are legitimate programs, to which malicious code has been added. Their destructive action is programmed to “blow up” on occurrence of a logical event such as time or a logical event as number of users, memory/disk space usage, etc. 795. What is a macro virus? A. A virus that infects Microsoft Word or similar applications B. A virus that hides itself from anti virus software C. A virus which encrypts itself and is very hard to detect D. Software that tracks the internet activities of the user Key: A A is correct - A macro virus is a computer virus that "infects" a Microsoft Word or similar application and causes a sequence of actions to be performed automatically when the application is started or an event trigger. If a user accesses a document containing a viral macro and unwittingly executes this macro virus, it can then copy itself into that application's start-up files. B is incorrect - Polymorphic viruses are difficult to detect because they hide themselves from antivirus software by altering their appearance after each infection. Some polymorphic viruses can assume over two billion different identities. C is incorrect - Stealth viruses attempt to hide their presence from both the operating system and the antivirus software by encrypting themselves. They are similar to polymorphic viruses and are very hard to detect. D is incorrect – These are Adware and Spyware that often come with some commercial software, both packaged as well as shareware software. There is often a reference to the Adware and Spyware software in the license agreement. 796. Which of the following is not a characteristic of Logic Bombs? A. This blows up on the occurrence of a logical event B. These are programmed to open specific ports to allow access for exploitation C. This checks whether a particular condition has been met to execute the logic code Module 4 Protection of Information Assets 280 D. These are very difficult to detect as its destructive information set is known only after it is executed Key: B B is correct - This is the characteristic of a Trojan Horse A, C and D are incorrect – These are the characteristics of Logic Bombs. 797. Which of the following is not a characteristic of a Macro Virus? A. When executed unwittingly by a user, it copies itself to the applications start up files B. Its infection spreads to other machines on a network C. These are relatively harmless D. This can assume over two billion two billion different identities Key: D D is correct - This is the characteristic of a polymorphic virus A, B and D are incorrect – These are the characteristics of macro Viruses 798. User Registration is generally approved by: A. User himself B. IS Auditor C. User Manager D. System Administrator Key: C C is correct - User Registration is generally done based on the job responsibilities and confirmed by User manager. This must be approved by information owner. User registration process must answer: A, B, and D are incorrect – These people are not authorised to approve User Registration. 799. On what basis are access privileges assigned to a user? A. Seniority level B. Expertise and qualification C. Job requirements and responsibilities D. There is no basis. It is randomly assigned Key: C C is correct - Access privileges are to be aligned with job requirements and responsibilities. These are defined and approved by the information asset owner. Module 4 Protection of Information Assets 281 A, B and D are incorrect – Access privileges cannot be assigned based on these criteria 800. In password management, how can misuse of passwords by system administrators be prevented? A. Force change on first login by the user B. Secure communication of password to user C. By generating hash while storing D. By taking an undertaking from the system administrator Key: A A is correct - Force change on first login by the user so as to prevent possible misuse by system administrators B and C are incorrect – These are a few of the other password management functions D is incorrect – Taking an undertaking is not an appropriate method 801. Which of the following is not mandatory for good password management? A. All passwords should be authenticated B. Password expiry must be managed as per policy C. Every user’s password should be known to the user manager D. Users have to be educated and made responsible for their password Key: C C is correct - It is not necessary for the user manager to know the passwords of all the users A, B and D are incorrect – these are some of the functions of password management 802. How is it possible to detect excess rights due to changes in responsibilities, emergencies etc.? A. By assigning access privileges B. By getting the password of the user C. By a person who has administrative privileges D. By Periodic review of user’s access rights Key: D D is correct - Periodic review of user's access rights is essential process to detect possible excess rights due to changes in responsibilities, emergencies, and other changes. These reviews must be conducted by information owner and administrators facilitates by providing available accesses recorded in system. A, B and C are incorrect – excess rights due to changes in responsibilities cannot be detected by these methods 803. What must an IS auditor ensure while reviewing access controls related to user id and passwords of default users with administrative privileges? Module 4 Protection of Information Assets 282 A. They can remain but it should be known to the organisation B. These user ids should be disabled and passwords changed C. Default users cannot have a user id or password D. Default users should be educated about their responsibility Key: B B is correct - Applications, operating systems and databases purchased from vendor have provision for default users with administrative privileges required for implementation and/or maintenance of application, OS or database. The user ID and Passwords for these users are published by the vendor required for implementing. It is expected that these password must be changed immediately as soon as system is implemented. While reviewing these access controls IS auditor must ensure that these user ID are either disabled, or passwords have been changed and suitably controlled by the organization. A, C and D are incorrect – None of these options will ensure protection to information 804. What is segregation of networks with respect to network access control? A. Isolation of network from internet usage service availability B. Aligning internet service requirements with the business need policy C. Restriction of traffic between networks D. Specifying the exact path or route connecting the network Key: A A is correct - Based on the sensitive information handling function; say a VPN connection between a branch office and the head-office this network is to be isolated from the internet usage service availability for employees. B is incorrect - An enterprise wide applicable internet service requirements aligned with the business need policy based on business needs for using the Internet services is the first step for network access control. Selection of appropriate services and approval to access them will be part of this policy. The policy also specify the use on internet and internet based services while access internet using organization’s devices. C is incorrect – This is another feature of network access control – network connection and routing control - The traffic between networks should be restricted, based on identification of source and authentication access policies implemented across the enterprise network facility. The techniques of authentication and authorization as per access policy have been implemented across the organization’s network. D is incorrect – Enforced path - Based on risk assessment, it is necessary to specify the exact path or route connecting the networks; say for example internet access by employees will be routed through a firewall. And to maintain a hierarchical access levels for both internal and external user logging. An Internet connection exposes an organization to the entire world. This brings up the issue of benefits the organization should derive along with the precaution against harmful elements. 805. Name the control which helps in auditing and tracking of transactions along with date and time? A. Segregation of Networks B. Network connection and routing control C. Clock synchronisation Module 4 Protection of Information Assets 283 D. Enforced path Key: C C is correct - Clock synchronization is useful control to ensure that event and audit logs maintained across an enterprise are in synch and can be correlated. This helps in auditing and tracking of transactions along with date and time that is uniform across organization. In modern networks this function is centralized and automated. A is incorrect – Segregation of Networks - Based on the sensitive information handling function; say a VPN connection between a branch office and the head-office this network is to be isolated from the internet usage service availability for employees. B is incorrect - This is another feature of network access control – network connection and routing control - The traffic between networks should be restricted, based on identification of source and authentication access policies implemented across the enterprise network facility. The techniques of authentication and authorization as per access policy have been implemented across the organization’s network. D is incorrect – Enforced path - Based on risk assessment, it is necessary to specify the exact path or route connecting the networks; say for example internet access by employees will be routed through a firewall. And to maintain a hierarchical access levels for both internal and external user logging. An Internet connection exposes an organization to the entire world. This brings up the issue of benefits the organization should derive along with the precaution against harmful elements. 806. A user is allowed to access only those items he is authorised to access. How is access to information prevented in an application? A. By application specific menu interfaces B. System Access is monitored C. By Event logging D. By monitoring system use Key: A A is correct - The access to information is prevented by application specific menu interfaces, which limit access to system function. A user is allowed to access only to those items he is authorized to access. Controls are implemented on the access rights of users, For example, read, write, delete, and execute. And ensure that sensitive output is sent only to authorized terminals and locations. B is incorrect – This is a part of Sensitive system isolation - Based on the critical constitution of a system in an enterprise it may even be necessary to run the system in an isolated environment. Monitoring system access and use is a detective control, to check if preventive controls discussed so far are working. If not, this control will detect and report any unauthorized activities. C is incorrect - In Computer systems it is easy and viable to maintain extensive logs for all types of events. It is necessary to review if logging is enabled and the logs are archived properly. This is called event logging. Module 4 Protection of Information Assets 284 D is incorrect – Monitor system use - Based on the risk assessment a constant monitoring of some critical systems is essential. the details of types of accesses, operations, events and alerts that will be monitored. The extent of detail and the frequency of the review would be based on criticality of operation and risk factors. The log files are to be reviewed periodically and attention should be given to any gaps in these logs. 807. In operation system control, what is the use of system utilities? A. Ensures that a particular session can be initiated from a particular location B. Help manage critical functions of the operating system C. Provides means to alert authorities if users are forced to execute instructions D. Prevents unauthorised access by limiting time slot Key: B B is correct - System utilities are the programs that help to manage critical functions of the operating system—for example, addition or deletion of users. Obviously, this utility should not be accessible to a general user. Use and access to these utilities should be strictly controlled and logged. A is incorrect - Automated terminal identification helps to ensure that a particular session could only be initiated from a particular location or computer terminal. C is incorrect - Duress alarm to safeguard users: If users are forced to execute some instruction under threat, the system should provide a means to alert the authorities. An example could be forcing a person to withdraw money from the ATM. Many banks provide a secret code to alert the bank about such transactions. D is incorrect – Limitation of connection time: Define the available time slot. Do not allow any transaction beyond this time period. For example, no computer access after 8.00 p.m. and before 8.00 a.m.—or on a Saturday or Sunday. This is useful in preventing unauthorized accesses by authorized users. 808. Methods like Biometric Authentication or digital certificates are employed for which aspect of operating system control? A. Password Management B. Terminal log on procedures C. User identification and authentication D. Automated terminal identification Key: C C is correct - User identification and authentication: The users must be identified and authenticated in a fool proof manner. Depending on risk assessment, more stringent methods like Biometric Authentication or Cryptographic means like Digital Certificates should be employed. A is incorrect - An operating system could enforce selection of good passwords. Internal storage of password should use one-way encryption algorithms and the password file should not be accessible to users. Module 4 Protection of Information Assets 285 B is incorrect - Terminal log-on procedures: The log-on procedure does not provide unnecessary help or information, which could be misused by an intruder. D is incorrect – Automated terminal identification: This will help to ensure that a particular session could only be initiated from a particular location or computer terminal. 809. What are ‘Audit Trails’? A. History of transactions B. Record of system activities enabling examination of a transaction C. Attempts to gain unauthorised access to system D. Unauthorised privileges granted to users Key: B B is correct - Logs are also called ‘audit trail’. It is a record of system activities that enables the reconstruction and examination of the sequence of events of a transaction, from its inception to output of final results. Violation reports present significant, security-oriented events that may indicate either actual or attempted policy transgressions reflected in the audit trail. Violation reports should be frequently and regularly reviewed by information owner to identify any unauthorized change or access. A, C and D are incorrect – An audit associated with information system security searches for these activities that are obtained from Audit trails. 810. What is authentication with regard to Access Control Mechanism? A. Process by which user provides a claimed identity B. Process by which a user is allowed to perform a pre determined set of actions C. Prevention of unauthorised access by a user D. Mechanism through which user’s claim is verified Key: D D is correct - Authentication is a mechanism through which the user’s claim is verified. A is incorrect - process by which a user provides a claimed identity to the system such as an account number is called identification B is incorrect - The authenticated user is allowed to perform a pre-determined set of actions on eligible resources. This is called authorisation C is incorrect – The primary function of access control is to allow authorized access and prevent unauthorized access to information resources in an organization. 811. A physical/biometric comparison falls under which category of authentication factor? A. Something the user is B. Something the user knows Module 4 Protection of Information Assets 286 C. Something the user has D. Two factor authentication Key: A A is correct - Finger print, Biometric templates ect come under this category B is incorrect – Password, PIN entry etc come under this category C is incorrect – Identification Badge, Smart card, Bank card etc come under this category D is incorrect – Two-factor or dual factor authentication uses two factors and the three-factor authentication uses all the three factors. 812. Which is the authentication technique which allows the password to be based on changing input rather than just time? A. Passwords B. Challenge response C. PIN’s D. One time passwords Key: B B is correct - An alternative to one-time passwords is challenge response schemes. Instead of having the device just blindly generate a password, a user identifies himself to the server, usually by presenting his user ID. The server then responds with a challenge, which is usually a short phrase of letters and numbers. The user types the challenge into the device and, based on the challenge, the device responds with an output. The user then types that output in as his password to the server. This scheme is slightly more complicated, but it allows the password to be based on changing input rather than just time. A is incorrect - This is the most common authentication technique that depends on remembered information. The user, initially, identifies him using his login-id to the system and then provides the password information. Once the system is able to locate the match and is successful for both fields, the system authenticates the user and enables access to resources based on the authorization matrix. However if a match is not successful, the system returns a message (such as “Invalid User or password”) thus preventing access to resources. C is incorrect - PIN is a type of password, usually a 4-digit numeric value that is used in certain systems to gain access, and authenticate. The PIN should be such that a person or a computer cannot guess it in sufficient time by using a guess and check method, i.e. where it guesses the PIN, and checks for correctness by testing it on the system that the person is attempting to gain access to and the process is repeated with a different guess till access is obtained. PINs are commonly used for gaining access to Automatic Teller Machines (ATMs). D is incorrect – One-time passwords solve the problems of user-derived passwords. With one-time passwords, each time the user tries to log on he is given a new password. Even if an attacker intercepts the password, he will not be able to use it to gain access because it is good for only one session and predetermined limited time period. For example one time password for online card Module 4 Protection of Information Assets 287 transaction is provided by bank to user on registered mobile is valid for 10 minutes only. One-time passwords typically use a small hardware device or software that generates a new password every time. The server also has the same software running, so when a user types in his password, the server can confirm whether it is the correct password. Each time the user logs on he has a new password, so it is much more secure. 813. What is the attacking technique in which the attacker uses a malicious software to steal passwords and other information? A. Trojan attack B. Brute force C. Dictionary attack D. Spoofing attack Key: A A is correct - Trojan: A malicious software, which the attacker can use to steal access control lists, passwords or other information. B is incorrect - In this crude form of attack, the attacker tries out every possible combination to hit on the successful match. The attacker may also use various password cracking software that assist in this effort. C is incorrect - Dictionary attack: On the similar lines as brute force, this type of attack is based on the assumption that users tend to use common words as passwords, which can be found in a dictionary, hence the name. The “dictionary” simply consists of a list of words, including proper names (Raju, Ramesh, Ibrahim, etc.) and also that of mythological or religious names (Krishna, Jesus, Osiris, Buddha, etc.). D is incorrect – Spoofing attacks: In this technique, the attacker plants a Trojan program, which masquerades as the system’s logon screen, gets the logon and password information and returns control to the genuine access control mechanism. Once the information is obtained, the attacker uses the information to gain access to the system resources. 814. Automatic log out after a predetermined period of inactivity is a technique used against which type of attack? A. Spoofing attacks B. Dictionary attacks C. Piggy backing D. Trojan attack Key: C C is correct - Piggybacking: As stated earlier, an unauthorized user may wait for an authorised user to log in and leave a terminal unattended. The logical techniques that are used to secure against this attack are to automatically log out the session after a pre-determined period of inactivity or by using password-protected screen savers. Module 4 Protection of Information Assets 288 A Band D are incorrect – For these attacks other techniques are used 815. Which of the following is the feature of a Smart token only? A. Contains information such as name, identification no, photograph etc B. Contains a magnetic strip which stores information C. The user is required to key in remembered information D. Contains a processor chip which enables storing dynamic information Key: D D is correct - Smart Tokens: In this case, the card or device contains a small processor chip which enables storing dynamic information on the card. Besides static information about the user, the smart tokens can store dynamic information such as bank balance, credit limits etc., however the loss of such smart cards can have more serious implications. A B and C are incorrect – These are the features of a memory token also 816. In which of the following tokens does the card contain a bar code which is read when brought in proximity to the reader device? A. Processor based proximity reader B. Smart tokens C. Static proximity reader D. Memory tokens Key: C C is correct - In static tokens, the card contains a bar code, which has to be brought in proximity of the reader device. A is incorrect – In case of processor based tokens, the token device, once in the range of the reader, senses the reader and transmits a series of codes to the reader. B is incorrect - In this case, the card or device contains a small processor chip which enables storing dynamic information on the card. D is incorrect – In its most common form, the cards contain visible information such as name, identification number, photograph and such other information about the user and also a magnetic strip. 817. In Biometrics, what is the Crossover Error rate (CER)? A. A very low FRR B. The point at which FRR equals FAR C. A very high FAR D. The point at which FAR and FRR are zero Key: B Module 4 Protection of Information Assets 289 B is correct - An overall metric used is the Crossover Error Rate (CER) which is the point at which FRR equals FAR. A, C and D are incorrect – False Rejection Rate (FRR) which is wrongfully rejecting a rightful user and False Acceptance Rate (FAR) which involves an unauthorized user being wrongfully authenticated as a right user. Ideally a system should have a low false rejection and low false acceptance rate. Most biometric systems have sensitivity levels which can be tuned. The more sensitive a system becomes, FAR drops while FRR increases. Thus, FRR and FAR tends to inversely related. 818. Which of the following is not a function of the operating system? A. Provides independent user and access privilege management mechanism B. Supports execution of applications and enforces and security constraints defined at that level C. Isolates processes from each other and protects permanent data stored in its files D. Provides controlled access to shared resources Key: A A is correct - This is not the function of an operating system, this is the function of an application B, C and D are incorrect – These are the functions of an operating system 819. The flexibility of a Pluggable authentication module allows to: A. Execute applications and support any security constraints B. Use multiple authentications for a given service C. Provide controlled access to shared resources D. Use physiological and behavioral characteristics to identify user Key: B B is correct - Applications enabled to make use of PAM can be plugged-in to new technologies without modifying the existing applications. This flexibility allows administrators to do the following: Select any authentication service on the system for an application independent of the authentication mechanism may be used A and C are incorrect – These are the functions of an operating system D are incorrect – This is the identification technique of biometrics 820. Most operating systems have at least three types of file permissions: read, write and execute. The least access that have to be given to users is: A. Write B. Execute Module 4 Protection of Information Assets 290 C. Read D. Read and Write Key: C C is correct - The users have to be given at least read access to many of the system files. A, B and D are incorrect – These accesses are given only to authorised users. 821. When a system receives a request, how does it determine access rights for the particular request? A. By authenticating the password entered by the user B. By using the access matrix C. By consulting a hierarchy of rules in the Access Control List D. By a challenge response Key: C C is correct - Access control enables one to protect a system or part of the system (directories, files, file types, etc.). When the system receives a request, it determines access by consulting a hierarchy of rules in the ACL. A– This is one of the authentication techniques B is incorrect – This is used by the operating system D is incorrect – This is one of the authentication techniques 822. What does an Access Control Entry in an ACL consist of? A. Name of the database and its path B. Name of the user and his reporting structure C. Name of the user and his group or role D. Name of users and their access privileges Key: D D is correct - ACL has one or more access control entries (ACEs), each consisting of the name of a user or a group of users. The user can also be a role name, such as programmer or tester. For each of these users, groups, or roles, the access privileges are stated in a string of bits called an access mask. Generally, the system, administrator or the object owner creates the access control list for an object. A, B and C are incorrect – These are not the constituents of an Access Control Entry 823. The core objective of an IdM system in a corporate setting is: A. One identity per individual B. One user per database C. One role per individual D. One user one group Key: A Module 4 Protection of Information Assets 291 A is correct - The core objective of an IdM system in a corporate setting is: one identity per individual. And once that digital ID has been established, it has to be maintained, modified and monitored throughout what is called the "User access lifecycle." B, C and D are incorrect – these are not the objectives of an IdM system. 824. Which of the following does not form a part of Identity Management? A. Controls User Access Provisioning Lifecycle B. Maintains the identity of a user and actions they are authorised to perform C. Determines which user can access which resource D. Manages descriptive information about the user Key: C C is correct - This is the attribute of Access Control Policies A B and D are incorrect – These are the tasks of Identity Management 825. System administrators/Network Administrators who have the powers to create or amend user profiles are: A. Privileged users B. Administrative users C. Special users D. Maintenance users Key: A A is correct - Privileged user is a user who has been allocated powers within the computer system, which are significantly greater than those available to the majority of users. Such persons will include, for example, the system administrator(s) and Network administrator(s) who are responsible for keeping the system available and may need powers to create new user profiles as well as add to or amend the powers and access rights of existing users. B, C and D are incorrect – There are no such user categories 826. A privileged user can use the user account that has privileged access for only: A. Normal business use B. Non privileged activities C. Privileged activities D. Logging in to a system Key: C C is correct - Privileged Users should be required to create strong passwords comprising of letters, numbers, and special characters. The user account that has privileged access should have a unique password that is different from all other accounts accessed by the User. Module 4 Protection of Information Assets 292 A, B and D are incorrect – All Users that have access to privileged accounts should be assigned their own user ID for normal business use. Privileged Users must use their personal user IDs for conducting non-privileged activities. Wherever possible the User must login to a system using their personal user ID prior to invoking a privileged account. 827. What is a ‘back door’ or ‘trap door’? A. Flaw that allows data to circumvent the encryption process B. Bypass which is a means of access for authorised access C. Flaw that allows an attacker to circumvent security mechanisms D. Mechanism put in place by an attacker Key: B B is correct - A bypass that is purposefully put in place as a means of access for authorized users is called a back door or a trap door. A is incorrect - A flaw that allows data to circumvent the encryption process and escape, unencrypted, as plaintext isa crypto by pass C and D are incorrect – These are definitions for bypass 828. What are the rows of an access control matrix called? A. Access Control lists B. Subjects C. Objects D. Capability lists Key: D D is correct - the rows are called capability lists. A, B and C are incorrect – A subject is an active entity that is seeking rights to a resource or object. A subject can be a person, a program, or a process. An object is a passive entity, such as a file or a storage resource. The columns of the access matrix are called Access Control Lists (ACLs) 829. What is the major concern of using group/generic ids? A. Fixing accountability of actions to individual B. It needs special approval C. It is not allowed in ERP packages D. It is not wise to share user id with others Key: A A is correct - The main concern in using group id is the fixing accountability of actions to individual. B, C and D are incorrect – These are all the conditions that have to be met in case group/generic ids are used Module 4 Protection of Information Assets 293 830. What is the specialty of a Single Sign On session? A. User ids and passwords are shared among select users B. A single user id and password to log on to all required applications C. Verifies that the users are whoever they claim to be D. Verifies that the network components used by the users are within their permission profile Key: B B is correct - In SSO, a user provides one ID and password per work session and is automatically logged on to all the required applications. A is incorrect - users Ids are created and password is shared among select users when generic/group id’s are used C and D are incorrect – These are the features of Kerberos 831. What is the function of Active Directory (AD) domain controller? A. Accesses and maintains distributed directory information services over an Internet Protocol network B. Plays an important role in developing intranet and internet applications by allowing the sharing of information by users C. Authenticates and authorises all users and computers in a Windows domain type network D. Verifies that users are who they claim to be and the network components they use are within their profile Key: C C is correct - AD is a directory service implemented by Microsoft for Windows domain networks. It is included in most Windows Server operating systems. An AD domain controller authenticates and authorizes all users and computers in a Windows domain type network—assigning and enforcing security policies for all computers and installing or updating software. A and B are incorrect - The Lightweight Directory Access Protocol (LDAP) is an open, vendor-neutral, industry standard application protocol for accessing and maintaining distributed directory information services over an Internet Protocol (IP) network.[1] Directory services play an important role in developing intranet and Internet applications by allowing the sharing of information about users, systems, networks, services, and applications throughout the network. D is incorrect – This is the primary use of Kerberos - to verify that users are who they claim to be and the network components they use are contained within their permission profile. 832. Which authentication mechanism issues ‘tickets’ which have a limited life span and are stored in the users credential cache? A. AD B. LDAP C. Kerberos D. DNS Module 4 Protection of Information Assets 294 Key: C C is correct - The primary use of Kerberos is to verify that users are who they claim to be and the network components they use are contained within their permission profile. To accomplish this, a trusted Kerberos server issues “tickets” to users. These tickets have a limited life span and are stored in the user’s credential cache. A, B and D are incorrect – when a user logs into a computer that is part of a Windows domain, Active Directory checks the submitted password and determines whether the user is a system administrator or normal user. Active Directory makes use of Lightweight Directory Access Protocol (LDAP) versions 2 and 3, Microsoft's version of Kerberos, and DNS. 833. Which of following is an advantage of Single Sign On? A. Easier administration of changing or deleting passwords B. It can avoid a potential single point of failure issue C. Maintaining SSO is easy as it is not prone to human errors D. It protects network traffic Key: A A is correct - The advantages of SSO include having the ability to use stronger passwords, easier administration of changing or deleting the passwords, and requiring less time to access resources. B is incorrect – This is the advantage of Kerberos C and D are incorrect – These are not advantages of SSO. Maintaining SSO is atedious process and it is prone to human errors. It does not protect network traffic. 834. In a SSO system, once a user’s identity and authentication is established, on what basis are access criteria determined? A. All identified users are granted access B. Based on Roles, groups or network location C. All authenticated users are granted access D. It is not necessary to establish identity or authenticity Key: B B is correct - Once a user’s identity and authentication are established, authorization levels determine the extent of system rights that a user can hold. Access criteria types can be broken up into: A, C and D are incorrect – Only after identity and authenticity is established, authorisation comes into play 835. In a Single Sign On system, all access criteria should default to: Module 4 Protection of Information Assets 295 A. No access B. Full access C. Granting access to all identified users D. Granting access to all authenticated users Key: A A is correct - All access criteria should default to “no access” and authorizations should be granted on need to know basis. B, C and D are incorrect – Just because a subject has been identified and authenticated does not automatically mean they have been authorized. It is possible for a subject to be logged onto a network (i.e., identified and authenticated) but be blocked from accessing a file or printing to a printer (i.e., by not being authorized to perform that activity). Most users are authorized to perform only a limited number of activities on a specific collection of resources. Identification and authentication are all-or- nothing aspects of access control. Authorization has a wide range of variations between all or nothing for each individual object within the environment. A user may be able to read a file but not delete it, print a document but not alter the print queue, or log onto a system but not access any resources. 836. What should an access control mechanism ensure? A. Subjects should be identified before they are granted access B. All subjects that are authenticated should be authorised to access objects C. All Objects can be accessed by authorised subjects D. Subjects gain access to objects only if they are authorised to Key: D D is correct - The access control mechanism should ensure that subjects gain access to objects only if they are authorized to. A B and C are incorrect – Subject of operating systems are (active) entities that communicate with the system and use its resources. The best example for a subject is the user or a process. Objects on the other hand are entities of the operating system that are accessed (requested) by the subject. The access control mechanism should ensure that subjects gain access to objects only if they are authorized to. 837. This is a multi- level secure access control which defines a hierarchy of levels of security. A. Discretionary Access Control B. Mandatory Access Control C. Role Based Access Control D. Database Access Control Key: B B is correct - Mandatory Access Control- It is a multi-level secure access control mechanism. It defines a hierarchy of levels of security. A security policy defines rules by which the access is controlled. Module 4 Protection of Information Assets 296 A is incorrect - In this type of access control, every object has an owner. The owner (subject) grants access to his resources (objects) for other users and/or groups. C is incorrect - In role based systems, users get assigned roles based on their functions in that system. D is incorrect – This is not a type of access control mechanism 838. Which of the following is a feature of Role Based Access Control? A. Multilevel secure access control mechanism B. The Matrix defines the whole state of the system C. Systems are centrally administered and are nondiscretionary D. Access control lists are used to store the rights with object Key: C C is correct - Role Based Access Control- In some environments, it is problematical to determine who the owner of resources is. In role based systems, users get assigned roles based on their functions in that system. These systems are centrally administered, they are nondiscretionary. An example is a hospital. A is incorrect – This is the feature of Mandatory Access Control B and D are incorrect – These are the features of discretionary access control 839. Access to database can be controlled through permission settings. On what basis is this permission system designed? A. Principle of least privileges B. Permissible values or limits C. Approval by data owner D. Access levels Key: D D is correct - Each database has its own customizable permissions system. The permission system is based on access levels. A and B are incorrect – Relational Database works on the principles of tables and relations and allows rules of integrity and access to be specified. The principle of least privileges to data items can be enforced using views as against reads. Such rules can be restricted by a range of parameters such as permissible values or limits. C is incorrect - The access to data base can be Discretionary based on the approved by data owner (usually business process owner who is accountable for data stored in database) 840. What permissions does a user with ‘Manage’ access level have with regard to a database? A. View, Edit, Add and delete Module 4 Protection of Information Assets 297 B. View, add, edit and delete (only information added by them) C. View, Edit, Add, Delete and change database design D. Only view Key: C C is correct - Users can view, edit, add, and delete any information in the database and any aspect of the database design. They can also export any information to a file, and import information from a file. A member who has Manage access is called a Database Manager. This is a powerful permission level, so use it carefully. A, B and D are incorrect – Access levels are ‘Edit’, ‘Read and Add (own records only)’ and ‘Read’ respectively 841. When access to database is controlled through application software, how is maintenance of database done? A. Users are granted access for maintenance B. Direct access is granted to DBA C. Direct access is granted to system administrator D. User managers are granted access Key: B B is correct - Direct access to database level (also sometimes referred as backend access) are then restricted only to data base administrators (DBA) to perform maintenance work. It is possible to restrict DBA to access data. A, C and D are incorrect – When access to database is controlled, only DBA’s have direct access. 842. What is user access to applications with respect to their job responsibilities or logical access control called? A. User Password Management B. Equipment Management C. Privilege Management D. Network Management Key: C C is correct - Privileged user is a user who has been allocated powers within the computer system, which are significantly greater than those available to the majority of users. Such persons will include, for example, the system administrator(s) and Network administrator(s) who are responsible for keeping the system available and may need powers to create new user profiles as well as add to or amend the powers and access rights of existing users. A, B and D are incorrect – These are other aspects of access control Module 4 Protection of Information Assets 298 843. Which of the following operating system access control ensures a particular session is initiated from a particular location or computer terminal? A. Automated Terminal Identification B. Terminal Log On Procedures C. Password Management Stem D. User identification and Authentication Key: A A is correct - Automated terminal identification: This will help to ensure that a particular session could only be initiated from a particular location or computer terminal. B is incorrect – Terminal log-on procedures: The log-on procedure does not provide unnecessary help or information, which could be misused by an intruder. C is incorrect – Password management system: An operating system could enforce selection of good passwords. Internal storage of password should use one-way encryption algorithms and the password file should not be accessible to users. D is incorrect – User identification and authentication: The users must be identified and authenticated in a fool proof manner. Depending on risk assessment, more stringent methods like Biometric Authentication or Cryptographic means like Digital Certificates should be employed. 844. Which of the following is a process by which a user provides a claimed identity to access a system? A. User Authorisation B. User Registration C. User Identification D. User logging Key: C C is correct - Identification: Identification is a process by which a user provides a claimed identity to the system such as an account number. A is incorrect – Authorization: The authenticated user is allowed to perform a pre-determined set of actions on eligible resources. B and D are incorrect -These are not par the three step process of Access Control Mechanism 845. What are the three steps in the process of access control mechanism? A. Authorisation, information and identification B. Synchronisation, verification and authentication C. Identification, authentication and authorisation D. Synchronisation, identification and authentication Key: C Module 4 Protection of Information Assets 299 C is correct - Access control mechanism is actually a three step process – identification, authentication and authorisation A, B and D are incorrect – these are not the steps involved in access control mechanism 846. In _________ authentication techniques, the system authenticates the user and enables access to resources based on the authorisation matrix. A. Token or smart card B. Password C. Biometric comparison D. Personal Identification Number (PIN) Key: B B is correct – In password authentication technique, once the system is able to locate the match and is successful for both fields, the system authenticates the user and enables access to resources based on the authorization matrix A, C and D are incorrect – These are other types of authentication techniques 847. Which of the following is the weakness of the password logon mechanism? A. Periodic changing of password B. Encrypted password C. Repeated use of the same password D. One user one password Key: C C is correct - Repeated use of the same password makes it vulnerable to attacks A B and D are incorrect – these are techniques to protect passwords 848. _________________ is defined as automated mechanism, which uses physiological and behavioral characteristics to determine or verify identities. A. Biometrics B. Plastic cards C. Logon/password systems D. Smart Cards Key: A A is correct - Biometrics as the name suggests is based on certain physical characteristics or behavioral patterns identified with the individual, which are measurable. The International Biometric Group defines biometrics as automated mechanism which uses physiological and behavioral characteristics to determine or verify identity and further explains that the physiological biometrics are based on measurements and data derived from direct measurement of a part of the human body. B, C and D are incorrect – These are other types of authentication techniques Module 4 Protection of Information Assets 300 849. What is/are the error(s) caused by biometrics due to the complexity of data? A. False Rejection Rate (FRR) B. False Acceptance Rate (FAR) C. Crossover Error Rate (CER) D. FRR and FAR Key: D D is correct - However due to the complexity of data, biometrics suffer from two types of error viz. False Rejection Rate (FRR) which is wrongfully rejecting a rightful user and False Acceptance Rate (FAR) which involves an unauthorized user being wrongfully authenticated as a right user. A and B incorrect – False Rejection Rate (FRR) which is wrongfully rejecting a rightful user and False Acceptance Rate (FAR) which involves an unauthorized user being wrongfully authenticated as a right user. C is incorrect - An overall metric used is the Crossover Error Rate (CER) which is the point at which FRR equals FAR. 850. Facial scan, iris and retina scanning are used in _______________. A. Biometric security B. Smart tokens C. Bio direct security D. Backup security Key: A A is correct - Some of the biometric characteristics which are used are: B, C and D are incorrect – these are not security measures 851. Which of the following provides system administrators the ability to incorporate multiple authentication mechanisms into an existing system using pluggable modules? A. Personal Authentication Module B. Password Processing Module C. Pluggable Authentication Module D. Login identification Module Module 4 Protection of Information Assets 301 Key: C C is correct - The pluggable authentication module (PAM) framework provides system administrators with the ability to incorporate multiple authentication mechanisms into an existing system through the use of pluggable modules. Applications enabled to make use of PAM can be plugged-in to new technologies without modifying the existing applications. A, B and D are incorrect – Thee are not authentication modules 852. Access privileges of a user for two entities, A and B for read and write are maintained in the _____________ within an application. A. Actual access control list B. Access control list C. Acquired control entry D. Secret policy entry Key: B B is correct - ACL has one or more access control entries (ACEs), each consisting of the name of a user or a group of users. The user can also be a role name, such as programmer or tester. For each of these users, groups, or roles, the access privileges are stated in a string of bits called an access mask. A, C and D are incorrect 853. The characteristic of network that improves reliability and performance due to dynamic routings between two end points is better known as: A. Anonymity B. Automation C. Routing diversity D. Opaqueness Key: C C is correct - Routing diversity: To maintain or improve reliability and performance, routings between two endpoints are usually dynamic. That is, the same interaction may follow one path through the network the first time and a very different path the second time. In fact, a query may take a different path from the response that follows a few seconds later. A is incorrect - Anonymity: A network removes personal interaction i.e. most of the clues, such as appearance, voice, or context, by which we recognize acquaintances. B is incorrect – Automation: In some networks, one or both endpoints, as well as all intermediate points, involved in a given communication may be machines with only minimal human supervision. D is incorrect - Opaqueness: Because the dimension of distance is hidden, users cannot tell whether a remote host is in the room next door or in a different country. In the same way, users cannot distinguish whether they are connected to a node in an office, school, home, or warehouse, or whether the node’s computing system is large or small, modest or powerful. In fact, users cannot tell if the current communication involves the same machine with which they communicated the last time. Module 4 Protection of Information Assets 302 854. Network establishes communication among disperse users/machines. Which of the following is a disadvantage of this characteristic of networks? A. Risks like impersonation, intrusion, tapping B. Very fast communication speed C. Physically far end points D. Humans cannot tell the location of the remote site Key: A A is correct - Though networks makes it easier to establish communication among geographically dispersed users/machines, it also introduces risks like impersonation, intrusion, tapping. B, C and D are incorrect – Many networks connect endpoints that are physically far apart. Although not all network connections involve distance, the speed of communication is fast enough that humans usually cannot tell whether a remote site is near or far. These are not disadvantages but advantages of a network 855. What is the program that an attacker uses which reports to him which ports responds to messages and the vulnerabilities present in each port? A. Social Engineering B. Dumpster diving C. Port Scan D. Malware Key: C C is correct - Port Scan: An easy way to gather network information is to use a port scanner, a program that, for a particular IP address, reports which ports respond to messages and which of several known vulnerabilities seem to be present. A, B and D are incorrect – These are other methods used by an attacker 856. What does Social Engineering involve? A. Gathering bits of on formation from various sources B. Using social skills to persuade a victim C. Looking through items that have been discarded D. Eavesdropping Key: B B is correct - Social engineering involves using social skills and personal interaction to get someone to reveal security-relevant information and perhaps even to do something that permits an attack. A, C and D are incorrect – These methods of gathering information are classified under Reconnaissance Module 4 Protection of Information Assets 303 857. ‘Dumpster Diving’ is a commonly used ________________ technique. A. Reconnaissance B. Social Engineering C. Documentation D. Application fingerprint Key: A A is correct - One commonly used reconnaissance technique is “dumpster diving.” It involves looking through items that have been discarded in garbage bins or waste paper baskets. B, C and D are incorrect – Dumpster diving does not fall under any of these attacking techniques 858. The process by which an attacker comes to know about the commercial server on which an application is running, the version and operating system for the same is known as: A. Biometrics B. Protocol flaws C. Wiretapping D. OS and Application Fingerprinting Key: D D is correct - Operating System and Application Fingerprinting: Here the attacker wants to know which commercial server application is running, what version, and what the underlying operating system and version are. A is incorrect – This is a method of identification of system user B is incorrect – There are flaws in many of the commonly used protocols called protocol flaws. These flaws can be exploited by an attacker. C is incorrect – Wiretapping is the technique intercepting communications through some effort. 859. How does an attacker use Malware to gather information? A. Investigate a product that can be the target of an attack B. Search for additional information on systems, applications or sites C. Scavenge the system and receive information over network D. Post latest exploits and techniques Key: C C is correct - Malware: Attacker may use malware like virus or worms to scavenge the system and keep sending information to attacker over network without the knowledge of system user. Module 4 Protection of Information Assets 304 A is incorrect – Resource kits distributed by application vendors to other developers can also give attackers tools to use in investigating a product that can subsequently be the target of an attack. Here, the vendors themselves distribute information that is useful to an attacker. B and D are incorrect – Bulletin Boards and Chats: Underground bulletin boards and chat rooms support exchange of information among the hackers. Attackers can post their latest exploits and techniques, read what others have done, and search for additional information on systems, applications, or sites. 860. The process by which an attacker picks off the content of a communication passing in an unencrypted form is known as: A. Eavesdropping B. Wiretapping C. Microwave signal tapping D. Satellite signal interception Key: A A is correct - An attacker can pick off the content of a communication passing in unencrypted form. The term eavesdrop implies overhearing without expending any extra effort. For example, an attacker (or a system administrator) is eavesdropping by monitoring all traffic passing through a node. B is incorrect – wiretapping means intercepting communications through some effort. C is incorrect – Microwave signal tapping is a process by which an attacker can intercept a microwave transmission by interfering with the line of sight between sender and receiver. D is incorrect – The process of intercepting satellite communication 861. What is active wiretapping? A. Listening to communications intentionally B. Overhearing without extra effort C. Injecting something into the communication stream D. Placing an illegitimate antenna to intercept communication Key: C C is correct - Active wiretapping means injecting something into the communication stream. A and B are incorrect – These methods are classified under passive wiretapping or eavesdropping D is incorrect – This method is microwave signal tapping 862. The costs of intercepting satellite communications are very high because: A. All traffics passing through a node have to be monitored B. Neither the sender nor receiver should know that contents have been intercepted C. Satellite communications are heavily multiplexed Module 4 Protection of Information Assets 305 D. Cost of placing an illegitimate antenna is more Key: C C is correct - In satellite communication, the potential for interception is even greater than with microwave signals. However, because satellite communications are heavily multiplexed, the cost of extracting a single communication is rather high. A B and D are incorrect – These are not reasons for the high cost of satellite communication interception 863. A wireless signal can be picked up easily within 60 meters. Why? A. The signal is strong up to 60 meters B. The signal is weak up to 60 meters C. There is no signal up to 60 meters D. The signal is strong after 60 meters Key: A A is correct - A wireless signal is strong for approximately 30 to 60 meters. A strong signal can be picked up easily. B, C and D are incorrect – for the same reason as mentioned above 864. It is not possible to tap an optical system without detection. Why? A. Optical fiber carries electricity but does not emanate a magnetic field B. Optical fiber carries light energy which does not emanate a magnetic field C. An optical signal is not very strong and hence cannot be picked up D. An antenna needs to be placed to intercept which is detectible Key: B B is correct - It is not possible to tap an optical system without detection. Further optical fiber carries light energy, not electricity, which does not emanate a magnetic field as electricity docs. A ,C and D are incorrect – for the same reasons as mentioned above. 865. A term used for a virtual network of zombies used to launch attack on a system is: A. BOTnets B. Spam C. Malware D. Spoofing Key: A Module 4 Protection of Information Assets 306 A is correct - BOTnets is a term (robotic network) used for virtual network of zombies. BOTnet operator launches malware/virus on system that once activated remains on system and can be activated remotely. This malware helps the BOTnet operator use the compromised system (Zombie) remotely with to launch attack or collect information. For example Zombies have been used extensively to send e-mail spam. This allows spammers to avoid detection and presumably reduces their bandwidth costs, since the owners of zombies pay for their own bandwidth. B, C and D are incorrect – These are other methods of attack 866. An employee who is on leave reveals his authentication details to another in order to allow access to carry out urgent activities in his absence. It so happens that these details are passed on without encryption. How is the employee making his authentication information vulnerable to an impersonator? A. The impersonator can guess the identity by using common passwords B. The impersonator can exploit flaws and weaknesses of the operating system C. The attacker can circumvent or disable the authentication mechanism D. These details can be rescued by an impersonator by eavesdropping or wiretapping Key: D D is correct - Authentication foiled by eavesdropping or wiretapping: When the account and authentication details are passed on the network without encryption, they are exposed to anyone observing the communication on the network. These authentication details can be reused by an impersonator until they are changed. A is incorrect - Authentication foiled by guessing: Guess the identity and authentication details of the target, by using common passwords, the words in a dictionary, variations of the user name, default passwords, etc. B is incorrect - Authentication Foiled by Avoidance: A flawed operating system may be such that the buffer for typed characters in a password is of fixed size, counting all characters typed, including backspaces for correction. If a user types more characters than the buffer would hold, the overflow causes the operating system to by-pass password comparison and act as if a correct authentication has been supplied. Such flaws or weaknesses can be exploited by anyone seeking unauthorized access. C is incorrect – Non-existent Authentication: Here the attacker circumvents or disables the authentication mechanism at the target computer. If two computers trusts each other’s authentication an attacker may obtain access to one system through an authentication weakness (such as a guest password) and then transfer to another system that accepts the authenticity of a user who comes from a system on its trusted list. The attacker may also use a system that has some identities requiring no authentication. For example, some systems have “guest” or “anonymous” accounts to allow outsiders to access things the systems want to release to the public. These accounts allow access to unauthenticated users. 867. An organisation purchases 10 new systems which are installed by the seller using a test account without any password. However, authentications are put in Module 4 Protection of Information Assets 307 place and users access information after proper authentication. But the test account has not been deleted. How can an impersonator foil authentication in this case? A. Information can be accessed through session hijacking B. Information can be hijacked by intruding between two authenticated users C. Information becomes vulnerable through well- known test password D. Information can be accessed through spoofing or masquerading Key: C C is correct - Well-Known Authentication: Most vendors often sell computers with one system administration account installed, having a default password. Or the systems come with a demonstration or test account, with no required password. Some administrators fail to change the passwords or delete these accounts, creating vulnerability. A is incorrect - Session Hijacking: Session hijacking is intercepting and carrying on a session begun by another entity. In this case the attacker intercepts the session of one of the two entities that have entered into a session and carry it over in the name of that entity. For example, in an e-commerce transaction, just before a user places his order and gives his address, credit number etc. the session could be hijacked by an attacker. B is incorrect – Man-in-the-Middle Attack: A man-in-the-middle attack is a similar to session hijacking, in which one entity intrudes between two others. The difference between man-in-the-middle and hijacking is that a man-in-the-middle usually participates from the start of the session, whereas a session hijacking occurs after a session has been established. The difference is largely semantic and not particularly significant. D is incorrect - Spoofing attacks: In this technique, the attacker plants a Trojan program, which masquerades as the system’s logon screen, gets the logon and password information and returns control to the genuine access control mechanism. Once the information is obtained, the attacker uses the information to gain access to the system resources. 868. Not only is the message itself sensitive but the fact that a message exists is also sensitive. How can an attacker infer that sensitive messages exist between two confidential parties? A. Traffic flow analysis B. Using exposures as part of attack C. By modifying a destination address D. Taking advantage of mis-delivery due to congestion at network elements Key: A A is correct - Traffic Analysis (or Traffic Flow Analysis): Sometimes not only is the message itself sensitive but the fact that a message exists is also sensitive. For example, if a wartime enemy sees a large amount of network traffic between headquarters and a particular unit, the enemy may be able to infer that significant action is being planned involving that unit. In a commercial setting, messages sent from the president of one company to the president of a competitor could lead to speculation about a takeover or conspiracy to fix prices. Module 4 Protection of Information Assets 308 B is incorrect - Exposure: The content of a message may be exposed in temporary buffers, at switches, routers, gateways, and intermediate hosts throughout the network; and in the workspaces of processes that build, format, and present the message. A malicious attacker can use any of these exposures as part of a general or focused attack on message confidentiality. C and D are incorrect – Mis-delivery: Message mis-delivery happens mainly due to congestion at network elements which causes buffers to overflow and packets dropped. Sometimes messages are mis-delivered because of some flaw in the network hardware or software. Most frequently, messages are lost entirely, which is an integrity or availability issue. Occasionally, however, a destination address will be modified or some router or protocol will malfunction, causing a message to be delivered to someone other than the intended recipient. All of these “random” events are quite uncommon. More frequent than network flaws are human errors, caused by mistyping an address. 869. Which of the following amounts to compromising the integrity of messages? A. Mistyping an address so that it reaches the wrong recipient B. Mis-delivery of messages due to some flaw in the network hardware or software C. Exposure of messages in temporary buffers D. Combining pieces of different messages into one false message Key: D A, B and C are incorrect - These amount to message confidentiality threats D is correct – This amounts to compromising on the integrity of messages 870. It is easy for an attacker to obtain information necessary to attack the website. How? A. Website codes are downloaded and executed in the browser from which the information can be obtained B. The attacker exploits vulnerabilities in multiple machines and uses them to attack the target simultaneously. C. An attacker can monitor the communication between a browser and a server to see how changing a web page entry affects what the browser sends and reacts. D. attackers execute scripts in the victim’s browser which can hijack user sessions Key: A A is correct - Web site defacement is common not only because of its visibility but also because of the ease with which one can be done. Web sites are designed so that their code is downloaded and executed in the client (browser). This enables an attacker to obtain the full hypertext document and all programs and references programs embedded in the browser. This essentially gives the attacker the information necessary to attack the web site. Most websites have quite a few common and well known vulnerabilities that an attacker can exploit. B is incorrect – This is a Distributed Denial of Service Attack C is incorrect – This pertains to threats from scripts Module 4 Protection of Information Assets 309 D is incorrect – This is a form of Cross site scripting 871. What is ‘Ping of Death’? A. Sending more data that what a communication system can handle, thereby preventing receipt of legitimate data B. Crashing a large number of systems by sending a ping of certain size from a remote machine C. Corrupting the routing so that traffic can disappear D. corrupting a name server or causing it to cache spurious entries, thereby redirect the routing of any traffic Key: B B is correct - Ping of death: It is possible to crash, reboot or otherwise kill a large number of systems by sending a ping of a certain size from a remote machine. This is a serious problem, mainly because this can be reproduced very easily, and from a remote machine. Ping is an ICMP protocol which requests a destination to return a reply, intended to show that the destination system is reachable and functioning. Since ping requires the recipient to respond to the ping request, all the attacker needs to do is send a flood of pings to the intended victim. A is incorrect – Connection Flooding: This is the oldest type of attack where an attacker sends more data than what a communication system can handle, thereby preventing the system from receiving any other legitimate data. Even if an occasional legitimate packet reaches the system, communication will be seriously degraded. C is incorrect - Traffic Redirection: A router is a device that forwards traffic on its way through intermediate networks between a source host’s network and a destination’s. So if an attacker can corrupt the routing, traffic can disappear. D is incorrect - DNS Attacks: DNS attacks are actually a class of attacks based on the concept of domain name server. A domain name server (DNS) is a table that converts domain names like www.icai.org into network addresses like 202.54.74.130, a process called resolving the domain name or name resolution. By corrupting a name server or causing it to cache spurious entries, an attacker can redirect the routing of any traffic, or ensure that packets intended for a particular host never reach their destination. 872. What are the multiple machines that are used by an attacker for DdS attacks called? A. Cookies B. Routers C. Zombies D. FTP Key: C C is correct - In distributed denial of service (DDoS) attack more than one machine are used by the attacker to attack the target. These multiple machines are called zombies that act on the direction of the attacker and they don’t belong to the attacker. Module 4 Protection of Information Assets 310 A is incorrect - Cookies are data files created by the server that can be stored on the client machine and fetched by a remote server usually containing information about the user on the client machine. Anyone intercepting or retrieving a cookie can impersonate the cookie’s legitimate owner. B is incorrect – A router is a networking device, commonly specialized hardware, that forwards data packets between computer networks. D is incorrect - FTP is an application known to transmit communication including user id and password in plain text. 873. A code which can cause serious damage to a system because it is not screened for safety when it is downloaded and runs with the privileges of its invoking user is called: A. Hostile applet code B. Cookies C. Scripts D. Active X Key: A A is correct - A hostile applet is downloadable code that can cause harm on the client’s system. Because an applet is not screened for safety when it is downloaded and because it typically runs with the privileges of its invoking user, a hostile applet can cause serious damage. B is incorrect - Cookies are data files created by the server that can be stored on the client machine and fetched by a remote server usually containing information about the user on the client machine. Anyone intercepting or retrieving a cookie can impersonate the cookie’s legitimate owner. C is incorrect - Clients can invoke services by executing scripts on servers. A malicious user can monitor the communication between a browser and a server to see how changing a web page entry affects what the browser sends and then how the server reacts. D is incorrect – The popular types of active code languages are Java, JavaScript, VBScript and ActiveX controls. 874. A virus that is difficult to detect because it modifies itself and changes its identity thus hiding itself from antivirus software: A. MBR Virus B. Stealth Virus C. Polymorhic virus D. Macro Virus Key: C A is incorrect - Master Boot Record (MBR) Viruses: Affects the boot sector of storage device and further infects when the storage is accessed. Module 4 Protection of Information Assets 311 B is incorrect – Stealth viruses hide themselves by tampering the operating system to fool antivirus software into thinking that everything is functioning normally. C is correct - Polymorphic Viruses: Polymorphic viruses are difficult to detect because they can modify themselves and change their identity thus able to hide themselves from antivirus software D is incorrect – Macro Viruses: Macro viruses are the most prevalent computer viruses and can easily infect many types of applications, such as Microsoft Excel and Word. 875. What is a Trojan Horse? A. Virus that affects the boot sector of storage device B. Virus that affects applications like Microsoft Word and Excel C. Stand- alone viruses that are transmitted independently D. Malicious codes hidden under a legitimate program Key: D A is incorrect - MBR virus B is incorrect – Macro viruses C is incorrect – Worms D is correct. 876. Malicious codes added to an existing application to be executed at a later date is known as: A. Logic bomb B. Trojan Horse C. Polymorphic virus D. Stealth virus Key: A A is correct - Logic bombs are malicious code added to an existing application to be executed at a later date. These can be intentional or unintentional. For example Year2000 problem was an unintentional logic bomb. Every time the infected application is run, the logic bomb checks the date to see whether it is time to run the bomb. If not, control is passed back to the main application and the logic bomb waits. If the date condition is correct, the rest of the logic bomb’s code is executed and the result can be anything from a harmless message to a system crash. B, C and D are incorrect – These are different types of viruses. 877. What is the method used by most of the antivirus software to identify virus infections in a system? A. Monitoring traffic B. Signature detection C. Repair or quarantine D. Scan processes Module 4 Protection of Information Assets 312 Key: B A, C and D are incorrect - these are the types of controls of antivirus tools B is correct - Most of the antivirus software utilizes a method known as signature detection to identify potential virus infections on a system. Essentially, they maintain an extremely large database that contains the known characteristics (signatures) of all viruses. Depending upon the antivirus package and configuration settings, it can scan storage media periodically, check for any files that contain data matching those criteria. 878. When do injection flaws occur? A. When untrusted data is sent to an interpreter as part of a command or query B. When application functions related to authentication and session management are not implemented correctly C. When an application takes untrusted data and sends it to a web browser without proper validation D. When a developer exposes a reference to an internal implementation object Key: A A is correct - Injection (SQL Injection): Injection flaws, such as SQL, OS, and LDAP injection occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization. B is incorrect - Broken Authentication and Session Management: Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users’ identities. C is incorrect - Cross-Site Scripting (XSS): XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping. XSS allows attackers to execute scripts in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites. D is incorrect - Insecure Direct Object References: A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or database key. Without an access control check or other protection, attackers can manipulate these references to access unauthorized data. 879. What is a Cross Site Request Forgery Attack? A. It forces a logged on victim’s browser to send a forged HTTP request B. It forges request in order to access functionality without proper authorisation C. It helps steal or modify weakly protected data D. It facilitates serious loss or data takeover Key: A Module 4 Protection of Information Assets 313 A is correct - Cross-Site Request Forgery (CSRF): A CSRF attack forces a logged-on victim’s browser to send a forged HTTP request, including the victim’s session cookie and any other automatically included authentication information, to a vulnerable web application. This allows the attacker to force the victim’s browser to generate requests the vulnerable application thinks are legitimate requests from the victim. B is incorrect - Missing Function Level Access Control: Most web applications verify function level access rights before making that functionality visible in the UI. However, applications need to perform the same access control checks on the server when each function is accessed. If requests are not verified, attackers will be able to forge requests in order to access functionality without proper authorization. C is incorrect - Sensitive Data Exposure: Many web applications do not properly protect sensitive data, such as credit cards, tax IDs, and authentication credentials. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data deserves extra protection such as encryption at rest or in transit, as well as special precautions when exchanged with the browser. D is incorrect – Using Components with Known Vulnerabilities: Components, such as libraries, frameworks, and other software modules, almost always run with full privileges. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications using components with known vulnerabilities may undermine application defenses and enable a range of possible attacks and impacts. 880. In case of advanced persistent threat why is an antivirus unable to detect the malware? A. The attack is on an identified subject B. Social engineering methods are used C. Malware is specifically written for this purpose D. The attack continues for a longer duration Key: C C is correct - In case of Advanced Persistent threat, since the malware is specifically written for this purpose, it cannot be detected by an antivirus A, B and D are incorrect – These are the other characteristics of advanced persistent threat 881. In order to limit the amount of damage a single vulnerability can allow, it is important to: A. All servers reside on a single segment B. There should be different segments for different servers C. Having a single web server D. Eliminating single points of failure Key: B Module 4 Protection of Information Assets 314 B is correct - Segmentation / Zoning: Segmentation / Zoning can limit the potential for harm in a network in two important ways. Segmentation reduces the number of threats, and it limits the amount of damage a single vulnerability can allow. A web server, authentication server, applications and database are residing on a single server or segment for facilitating electronic commerce transactions are a very insecure configuration. A more secure design will use multiple segments. Since the web server has to be exposed to the public, that server should not have other more sensitive, functions on it or residing on the same segment such as user authentication or access to the database. Separate segments and servers reduce the potential harm should any subsystem be compromised. A is incorrect – for the same reason as mentioned above C is incorrect – This is a redundancy vulnerability D is incorrect – This does not relate to segmentation 882. Where does encryption occur when data is encrypted in link encryption? A. Data link layer of the receiving host B. Network layer C. Data link layer in the OSI model D. In transit between two computers Key: C C is correct - In link encryption, data are encrypted just before the system places them on the physical communications link, that is, encryption occurs at the Data Link layer in the OSI model. A, B and D are incorrect – decryption occurs at the Data Link layer of the receiving host. Link encryption protects the message in transit between two computers, but the message is in plaintext inside the hosts (above the data link layer). Headers added by the network layer (which includes addresses, routing information and protocol) and above are encrypted, along with the message/data. The message is, however, exposed at the Network layer and thus all intermediate nodes through which the message passes can read the message. This is because all routing and addressing is done at the Network layer. Link encryption is invisible to user and appropriate when the transmission line is the point of greatest vulnerability. Link encryption provides protection against traffic analysis. Module 5 Systems Development-Acquisition, Maintenance and Implementation 315 883. Business application system/software is designed to support a specific organisational service, function or process, such as inventory management, payroll, market analysis or e-commerce. What is the goal of such a business application? A. To enhance the targets and goals of an organisation B. To deal with problems relating to business processes C. To enhance quality of services D. To turn data into information Key: D D is correct - The goal of an application system is to turn data into information. A, B and C are incorrect – These are situations under which the need for business development or acquisition of new applications may arise 884. What is the intent of SDLC? A. To process data of relevant business processes B. To enhance the targets and goals of an organisation C. To improve the quality of services D. To examine a business situation and improve it Key: D D is correct - SDLC refers to the process of examining a business situation with the intent of improving it through better procedures and methods. This is required when there is need to change business processes due to requirements arising out of customers/stakeholders expectations and business strategy. A, B, and C incorrect – These are situations under which the need for business development or acquisition of new applications may arise 885. Which of the following is the role of an IS Auditor in Phase 3 (System Analysis) of SDLC? A. Review cost justification/ benefits B. Review detailed requirement definition documents C. Verify that the management has approved the initiation and cost of the project D. Review existing data flow diagrams and other related specifications Key: C C is correct - Role of IS Auditor in system analysis phase: cover the true scope of the project and requirements of the users. Module 5 Systems Development-Acquisition, Maintenance and Implementation 316 Determine whether the application is appropriate for the user of an embedded audit routine and if so request may be made to incorporate the routine in conceptual design of the system. is correct - A is incorrect – This is the role of an IS Auditor in the feasibility phase B and D are incorrect – These are the roles of an IS auditor in the System Analysis phase 886. Which of the following is the role of an IS Auditor in the detailed design phase of SDLC? A. Analyse the justification for going in for a development or acquisition B. Review input, processing and output controls C. Ensure that the documentation is complete D. Review QA report on adopting coding standards by developers. Key: B B is correct - Role of IS Auditor in detailed design phase: flowcharts for adherence to the general design and processes for correctness and completeness. screen formats and output reports. dle invalid transactions. the defined requirements. developed. A is incorrect – This is the role of an IS Auditor in the feasibility phase C and D are incorrect – These are the roles of an IS Auditor in the development phase 887. What are the characteristics of a very well coded application program? A. Good coding standards, Accuracy and Speed B. Reliability, Robustness, Accuracy, Efficiency, Usability, Readability C. Flexibility, Speed, Coding Standards D. Reliability, Flexibility and Speed Key: B B is correct - A very well coded application program should have the following characteristics: Reliability: It refers to the consistency with which a program operates over a period of time. However, poor setting of parameters and hard coding of some data subsequently could result in the failure of a program after some time. Module 5 Systems Development-Acquisition, Maintenance and Implementation 317 Robustness: It refers to the applications’ strength to perform operations in adverse situations by taking into account all possible inputs and outputs of a program considering even the least likely situations. Accuracy: It refers not only to ‘what program is supposed to do’, but also the ability to take care of ‘what it should not do’. The second part is of great interest for quality control personnel and auditors. Efficiency: It refers to the performance per unit cost with respect to relevant parameters and it should not be unduly affected with the increase in input values. Usability: It refers to a user-friendly interface and easy-to-understand internal/external documentation. Readability: It refers to the ease of maintenance of program even in the absence of the program developer. A, C and D are incorrect – These are not the major characteristics of a well coded application program 888. What is the role of an IS Auditor in the testing phase of SDLC? A. Review the test plan for completeness and correctness B. Ensure test plans, test data nd test results are maintained for reference C. Verify that the system has been installed according to the organisation’s change control procedures. D. Review programmed procedure used for scheduling and running the system along with the system parameters are used in executing the production schedule. Key: A A is correct - Role of IS Auditor in testing phase: Review error reports for their precision in recognizing erroneous data and for resolution of errors. Verify cyclical processes for correctness( example: year-end process, quarter-end process) -users of the system for their understanding of new methods, procedures and operating instructions. -user documentation to determine its completeness and correctness. integrity of the data after conversion. ecurity is functioning as designed by developing and executing access tests. B, C and D are incorrect – These are the roles of an IS Auditor in the UAT or final testing phase 889. What are the security steps involved in the development phase of SDLC? A. To identify possible attacks and design controls B. To train developers on security coding practices. Module 5 Systems Development-Acquisition, Maintenance and Implementation 318 C. To ensure security requirements are tested during testing. D. To perform security scan of application after implementation. Key: B B is correct - Security steps involved during the development phase are: To develop and implement security coding practices such as input data validation and avoiding complex coding. To train developers on security coding practices. A, C and D are incorrect – These are security steps involved during the design, testing and implementation phases. 890. Which of the following is a mitigation plan for risk associated with compromising on quality and testing? A. Understand organisation baseline for infrastructure and incorporate in design. B. Ensure standard coding practices are adopted. C. Ensure completion of documentation along with design and development. D. Ensure documentation experts and technical writers are part of team. Key: B B is correct - The following are the mitigation plans for risk associated with compromising on quality and testing: Ensure standard coding practices are adopted. Provide enough time for building test cases to cover all function, performance and security requirements. Build test cases along with design. A is incorrect – This is a mitigation plan associated with the risk of inappropriate selection of platform C and D are incorrect – These are mitigation plans for risk associated with missing or inadequate documentation 891. What is the mitigation plan for risk associated with absence of skilled resources? A. Consider outsourcing or hiring skilled resources on contract. B. Develop and implement standard coding practices C. Perform scope base lining. D. Introduce change management process to evaluate and adopt changes in requirements Key: A A is correct - Mitigation plan for risk associated with absence of skilled resources is to consider outsourcing or hiring skilled resources on contract B, C and D are incorrect – these are mitigation plans for risks associated with poor coding techniques and lack of proper change control 892. Who is responsible for delivery of a project within the time and budget? Module 5 Systems Development-Acquisition, Maintenance and Implementation 319 A. Module/Team leader B. System Analyst C. Project Manager D. Database Administrator Key: C C is correct - A project manager is normally responsible for more than one project and liaisons with the client or the affected functions. This is a middle management function. The Project manager is responsible for delivery of the project within the time and budget. A is incorrect – A project is divided into several manageable modules and the development responsibility for each module is assigned to module leaders. B is incorrect - The system analyst also has a responsibility to understand existing problem/system/data flow and new requirements. System analysts convert the user’s requirements in the system requirements to design new system. D is incorrect – The data in a database environment has to be maintained by a specialist in database administration so as to support the application program. The database administrator handles multiple projects; and ensures the integrity and security of information stored in the database. 893. Which of the following is the role of a programmer? A. Approve, supervise and direct IT projects B. Convert design into programs by coding C. Checking compliance with SDLC standards D. Testing programs and sub programs Key: B B is correct - Programmers convert design into programs by coding using programming language. They are also referred to as coders or developers A is incorrect - This is the role of a steering committee C is incorrect – this is the role of the quality assurance team D are incorrect – This is the role of testers 894. The technical feasibility study for automating a business process using information technology includes which of the following? A. Is the cost of hardware and software for the class of applications being considered. B. Are the benefits derived from new application such as improved efficiency, reduced costs, business growth, and customer and user satisfaction. C. Is the cost of conducting a full systems development/acquisition, implementation and operation. D. Is system scalable and can it handle the expected business and data growth? Key: D Module 5 Systems Development-Acquisition, Maintenance and Implementation 320 D is correct - The technical feasibility includes evaluation of the following factors: software? If currently the organisation is not using an automated solution, they may have to invest in acquiring technology and solution. oposed system provide adequate responses to inquiries, regardless of the number or location of users? Currently there are many organisations that have deployed such solutions and hence we can conclude that the technical solutions can be made available to meet the response requirements. training courses and those can be deployed using scalable infrastructure. red while developing or acquiring solution. However since many organisations have already implemented similar solution, the required security can be embedded. A, B, C are incorrect – These factors are evaluated by the study of economic feasibility. 895. The business case is a key element of the decision making process throughout the life cycle of project. What information does a business case provide to an organisation? A. decide whether the SDLC project should be undertaken B. Explore solutions and make a recommendation C. Develop a new application system D. Outline and calculate of benefits Key: A A is correct - A business case is normally derived from the benefit realization plan and feasibility study. A business case provides the information required for an organisation to decide whether the SDLC project should be undertaken and if approved, becomes the basis for a project execution and assessment. B is incorrect – this is the objective of a feasibility study C and D are incorrect – these are also the objectives of a feasibility study 896. What does study of history, structure and culture of information involve? A. Identifying stakeholder expectations B. Types of useful systems, issues that have not been addressed and require attention C. Identifying how the system needs to interact with its environment D. Study of business processes, underlying activities, and actors that perform these activities Key: B B is correct - The study of the history of systems in an organisation gives an idea about the types of systems that have been extremely useful, issues that have not been addressed over a period and new Module 5 Systems Development-Acquisition, Maintenance and Implementation 321 issues that require attention. It is essential to understand organisational structure and culture as the solutions that are not consistent with the culture often fail. A and C are incorrect – These are the activities that come under understanding requirements D is incorrect – These is an activity associated with the study of information flows 897. t is important to record requirements after they have been analysed. Under which phase of requirement Engineering does this fall? A. Elicitation B. Analysis and Negotiation C. Documentation D. Validation Key: C C is correct - Documentation: Once the requirements have been analyzed, it is important to record them in order to make them formal through proper specification mechanism. During this phase, the team organizes the requirements in such a way that ascertains their clarity, consistency, and traceability etc. This phase is extremely important because often ‘the document produced during specification is what the rest of the development stages will be based upon’. A is incorrect – Elicitation: The RE process is normally considered as the process of finding out ‘what are the real needs of the customers as well as of the system’. It also includes activities to explore ‘how the software can meet the stakeholders’ goals’ and ‘what alternatives might exist’. B is incorrect - Analysis and Negotiation: This phase consists of a set of activities aimed to discover problems within the system requirements and achieve agreement on changes to satisfy all system stakeholders. If an analyst discovers some problems with the requirements during the analysis phase, such requirements are referred back to the elicitation phase. This process is related to the requirements that are incomplete, ambiguous and/or conflicting. Negotiation part is known as ‘the process of discussing conflicts in requirements and finding some compromise which all of the stakeholders can live with’. The principle of this process should be objective, where the judgments and the compromise for the system requirements should be based on technical and organisational needs. All the conflict requirements identified during the analysis process should be negotiated and discussed individually with the stakeholders in order to resolve the conflicts. D is incorrect – Validation: This phase ensures that models and documentation accurately express the stakeholders’ needs along with checking the final draft of requirements document for conflicts, omissions and deviations from different standards. 898. Which aspect related to Project Planning does process of handing over deliverables come under? A. Project execution B. Project execution C. Project monitoring and controlling Module 5 Systems Development-Acquisition, Maintenance and Implementation 322 D. Project closing Key: D D is correct - Project closing has processes for handing over deliverables or terminating project. A is incorrect – Project planning consists of processes related to developing project execution plan, finalizing requirements, defining work breakdown structure and modules to be developed, estimating efforts and cost, resource planning, risk management, procurement planning and plan for communications with stakeholders. B is incorrect - Project execution consists of processes related to direct project teams, ensuring quality assurance and testing, managing requirements and changes in requirements, ensuring timely procurements and manage resources. C is incorrect - Project controlling and monitoring consists of processes related to monitoring risks, scope creeps, quality of deliverables, costs and budgets, performance reporting. 899. What does Work Breakdown Structure (WBS) represent? A. The project in terms of manageable and controllable units of work B. Detailed specifications with objectives C. Assigned responsibilities and deadlines D. Work documents containing the start and finish dates Key: A A is correct - A commonly accepted approach to define project objectives is to start with a work breakdown structure (WBS) with each work module having its own objectives derived from main objectives. The WBS represents the project in terms of manageable and controllable units of work and forms the baseline for cost and resource planning. B, C and D are incorrect – Detailed specifications regarding the WBS can be used to develop work packages (WP). Each WP must have a distinct owner and a list of main objectives, and may have a list of additional objectives. The WP specifications should include dependencies on other WPs and a definition of how to evaluate performance and goal achievement. A task list is a list of actions to be carried to complete each work package and includes assigned responsibilities and deadlines. The task list aids the individual project team members in operational planning and scheduling, that when merged together forms a project schedule. Project schedules are work documents containing the start and finish dates, percentage completed, task dependencies, and resource names of individuals planned to work on tasks. 900. Half way through a project development, on which phase should an IS auditor focus in order to ensure that there is no deviation from the primary objectives of the projects? A. Project Planning B. Project Controlling C. Resource Management D. Risk Management Module 5 Systems Development-Acquisition, Maintenance and Implementation 323 Key: B B is correct - During mid-term project review IS auditor should focus on project planning and controlling activities to ensure that these are not deviating from primary objectives of the project. A is incorrect – A and C are incorrect – These phases do not require much review during this stage. D is incorrect – Focus on risk management process provides detailed insight on the effectiveness of the project management 901. What is the tool used to verify that deployed resources are capable of finishing a task within the set time limit and with the expected quality level? A. Earned value analysis B. Work Breakdown structure C. Work Package D. Qualitative Analysis of Risks Key: A A is correct - Earned Value Analysis consists of comparing expected budget till date, actual cost, estimated completion date and actual completion at regular intervals during the project. B and C are incorrect – A commonly accepted approach to define project objectives is to start with a work breakdown structure (WBS) with each work module having its own objectives derived from main objectives. The WBS represents the project in terms of manageable and controllable units of work and forms the baseline for cost and resource planning. Detailed specifications regarding the WBS can be used to develop work packages (WP). Each WP must have a distinct owner and a list of main objectives, and may have a list of additional objectives. The WP specifications should include dependencies on other WPs and a definition of how to evaluate performance and goal achievement. A task list is a list of actions to be carried to complete each work package and includes assigned responsibilities and deadlines. The task list aids the individual project team members in operational planning and scheduling, that when merged together forms a project schedule. Project schedules are work documents containing the start and finish dates, percentage completed, task dependencies, and resource names of individuals planned to work on tasks. D is incorrect – Qualitative Analysis of Risks is a part of project planning. 902. During risk management process, how is risk assessed and evaluated? A. Creating an inventory of possible risk B. Quantify the likelihood and impact of risk C. Create a risk management plan D. Discover risk that materializes Key: B Module 5 Systems Development-Acquisition, Maintenance and Implementation 324 B is correct - Assess and evaluate risk: Quantify the likelihood (expressed as a percentage) and the impact of the risk (expressed as an amount of money). The “insurance policy” (total impact) that needs to be in the project budget is calculated as the likelihood multiplied by the impact. A is incorrect – This step is to identify the risk\ C is incorrect – This is a part of managing the risk after it has been assessed D is incorrect – This forms a part of monitoring the risk process 903. Which of the following is the feature of a waterfall model? A. The designers create an initial base model and give little or no consideration to internal controls, but instead emphasize system characteristics such as simplicity, flexibility, and ease of use. B. Project is divided into sequential phases, with some overlap and splash back acceptable between phases. C. This is an iterative model where each iteration helps in optimizing the intended solution. D. This model of development helps to ease the traumatic effect of introducing completely new system all at once Key: B B is correct - The characterizing features of the waterfall model have influenced the development community in big way. Some of the key characteristics are: phases. phasis is on planning, time schedules, target dates, budgets and implementation of an entire system at one time. documentation, as well as through formal reviews and approval/signoff by the user and information technology management occurring at the end of most phases before beginning the next phase. A, C and D are incorrect – These are the features of prototype model, spiral model and the incremental model respectively. 904. In this model, a series of mini-waterfalls are performed, where all phases of the waterfall development model are completed for a small part of the system, before proceeding to the next increment. What SDLC model is this? A. Waterfall model B. Prototype model C. Spiral model D. Incremental model Key: D D is correct - A few pertinent features of incremental model are listed as follows: A series of mini-waterfalls are performed, where all phases of the waterfall development model are completed for a small part of the system, before proceeding to the next increment. Module 5 Systems Development-Acquisition, Maintenance and Implementation 325 – Waterfall development of individual increments of the system. defined using the Waterfall approach, followed by iterative Prototyping, which culminates in installation of the final prototype (i.e. working system). B, C and D are incorrect – This is not a feature of any of these models. 905. This model is especially useful for resolving unclear objectives and requirements; developing and validating user requirements; experimenting with or comparing various design solutions, or investigating both performance and the human computer interface. A. Waterfall model B. Prototyping model C. Spiral Model D. Incremental model Key: B B is correct - Strengths of Prototyping Model: stakeholders. ements; developing and validating user requirements; experimenting with or comparing various design solutions, or investigating both performance and the human computer interface. later iterations are developed. des for quick implementation of an incomplete, but functional, application. traditional systems development approach. y required to develop and start experimenting with a prototype. This short time period allows system users to immediately evaluate proposed system changes. errors are hopefully detected and eliminated early in the developmental process. As a result, the information system ultimately implemented should be more reliable and less costly to develop than when the traditional systems development approach is employed. A, C and D are incorrect – this is not strength of any of these models 906. Which of the following is a weakness of the spiral model? A. It is criticized to be Inflexible, slow, costly, and cumbersome due to significant structure and tight controls. B. Approval process and control are not formal. C. Sometimes there are no firm deadlines, cycles continue till requirements are clearly identified. Module 5 Systems Development-Acquisition, Maintenance and Implementation 326 D. Problems may arise pertaining to system architecture because not all requirements are gathered up front for the entire software life cycle. Key: C C is correct – Weaknesses of the spiral model are: the iterations around the Spiral. A skilled and experienced project manager is required to determine how to apply it to any given project. there are no firm deadlines, cycles continue till requirements are clearly identified. Hence has an inherent risk of not meeting budget or schedule. A, B and D are incorrect – These are the weaknesses of the waterfall model, prototype model and incremental model respectively 907. Which of the following is a key feature of Rapid Application Development? A. fast development and delivery of a high quality system at a relatively low investment cost, B. Use of small, time-boxed subprojects or iterations where each iteration forms basis for planning next iteration. C. Customer satisfaction by rapid delivery of useful software; D. Key: A A is correct - The key features of RAD are: lopment and delivery of a high quality system at a relatively low investment cost, more ease-of-change during the development process. high quality systems quickly, primarily through the use of iterative Prototyping (at any stage of development), active user involvement, and computerized development tools like Graphical User Interface (GUI) builders, Computer Aided Software Engineering (CASE) tools, Database Management Systems (DBMS), Fourth generation programming languages, Code generators and object-oriented techniques. lesser importance. project starts to slip, emphasis is on reducing requirements to fit the time box, not in increasing the deadline. design, either through consensus building in structured workshops, or through electronically facilitated interaction. B, C and D are incorrect – These are the key features of Agile Software development methodology Module 5 Systems Development-Acquisition, Maintenance and Implementation 327 908. Which of the following is the weakness of the Agile Software development methodology? A. Fast speed and lower cost may affect adversely the system quality. B. The project may end up with more requirements than needed (gold-plating). C. Potential for feature creep where more and more features are added to the system during development. D. There is lack of emphasis on necessary designing and documentation due to time management and generally is left out or incomplete. Key: D D is correct - Weaknesses of Agile methodology: sess the efforts required at the beginning of the System Development life cycle. generally is left out or incomplete. usiness continuity and knowledge transfer due to verbal communication and weak documentation. -work and due to the lack of long-term planning and the lightweight approach to architecture. ck if the customer representative is not clear about the requirements and final outcome. A, B and C are incorrect – These are the weaknesses of RAD 909. This is the process of studying and analyzing an application, a software application or a product to see how it functions and to use that information to develop a similar system. A. Software Reengineering B. Reverse Engineering C. Agile processes D. Rapid Application Development Key: B B is correct - Reverse engineering is the process of studying and analyzing an application, a software application or a product to see how it functions and to use that information to develop a similar system. A, C and D are incorrect – This is not part of any of these processes 910. How is a product for which software is available and can be implemented without customisation classified as? A. Generic products without customisation B. Commercial product with customisation C. Outsourced development Module 5 Systems Development-Acquisition, Maintenance and Implementation 328 D. Commercial product without customisation Key: A A is correct - Generic products without customization: Software is available and can be implemented without customization. These products are also known as Plug-and-play or COTS (Commercial of the shelf) for example MS Office, MS projects etc. B is incorrect – Commercial product with customization: Software needs to be customized like ERP or core banking products or at lower level customization like Tally. C is incorrect – Outsourced development: Ready-made software as required is not available. Hence, the organisation intends to outsource development activities based on cost benefit analysis. D is incorrect – There is no such classification 911. In achieving the objectives of requirement analysis, the process of understanding the present system and its related problems comes under which of the following steps? A. Fact finding B. Analysis C. Requirements of proposed systems D. Identifying rationale and objectives Key: B B is correct - Analysis to understand Present process: Understanding present system and its related problems helps in confirming the requirements from new application/software. A is incorrect – Fact Finding: Application system focuses on two main types of requirements. The first one is service delivery and second one is operational requirements. These may include lower operational costs, better information for managers, smooth operations for users or better levels of services to customers. To assess these needs, the analysts often interact extensively with stakeholders, to determine ‘detail requirements’. The fact-finding techniques/tools used by the system analyst include document verification, interviews, questionnaire and observation. C is incorrect - Requirements for Proposed Systems: Analysis of functional area and process, the proposed expectations can be clearly defined considering the issues and objectives. D is incorrect – Analysis also include identifying rationale and objectives, inputs and data sources, decision points, desired outcomes from application, mandatory and discretionary controls. 912. The process of allotting weight-age for each requirement and then allotting score to the software that meets that requirement is called as: A. Point scoring Analysis B. Agenda based presentations C. Public evaluation reports Module 5 Systems Development-Acquisition, Maintenance and Implementation 329 D. Benchmarking solutions Key: A A is correct - Point-Scoring Analysis (Functional gap analysis): Point-scoring analysis provides an objective means of selecting software. This is performed by allotting weight-age for each requirement and then allotting score to the software that meets that requirement. B is incorrect - The agenda-based presentations are scripted business scenarios that are designed to show how the software will perform certain critical business functions. Vendors are typically invited to demonstrate their product and follow the sample business scenarios given to them to prepare. C is incorrect – Public Evaluation Reports: Organisation may refer to independent agencies that evaluate various software products of different vendors and publish comparison along with rating based on various predefined parameters including survey of current users. (For example, magic quadrant for similar software product by Gartner, Forester etc.). This method has been frequently and usefully employed by several buyers in the past. D is incorrect – Proof of Concept (PoC) or Benchmarking Solutions: Organisations may request vendor to provide a proof of concept (by implementing product in small pilot area within organisation) that the software meets the expected requirements. This helps organisation in evaluating best product that meets the requirements. This is particularly useful for products that has high-cost and requires high level of efforts that it may not be possible to roll back. 913. While preparing the request for proposal, what should an organisation do to ensure vendor viability and financial stability? A. Compare product functionalities against requirements B. Validate vendor claims about their product performance C. Get feedback from existing customers of the vendor on supporting documents of the vendor D. Evaluate what king of support the vendor provides Key: C C is correct - Evaluate the vendor's viability with reference to period for which the vendor is in operation, the period for which the desired product is being used by the existing customers and the Vendor's financial stability on the basis of the market survey and the certification from the customers and on certain supporting documentation from the Vendor A is incorrect – This is part of software and system requirements B is incorrect – This is part of customer references D is incorrect – This is part of vendor support 914. Out of the tests performed on a program unit, what does a performance test check? A. whether programs do, what they are supposed to do or not Module 5 Systems Development-Acquisition, Maintenance and Implementation 330 B. verify the expected performance criteria of program C. determines the stability of a given system or entity D. examines the internal processing logic of a software system Key: B B is correct - Performance tests are designed to verify the expected performance criteria of program. A, C and D are incorrect – These are the functions of a function test, stress test and structural test respectively 915. Which of the following is a feature of top down integration? A. The testing will start from opening login screen and then login, then selecting function one by one B. It is the traditional strategy used to integrate the components of a software system starting from smallest module/function/program. C. It consists of unit testing, followed by sub-system testing. D. Bottom-up testing is easy to implement as at the time of module testing, tested subordinate modules are available. Key: A A is correct - Top-down Integration: This starts with the main routine followed by the stubs being substituted for the modules which are directly subordinate to the main module. Considering above example, the testing will start from opening login screen and then login, then selecting function one by one. An incomplete portion of a program code is put under a function (called stub) to allow the function. Here a stub is considered as black box and assumed to perform as expected, which is tested subsequently. Once the main module testing is complete, stubs are substituted with real modules one by one, and these modules are tested. This process continues till the atomic (smallest) modules are reached. Since decision-making processes are likely to occur in the higher levels of program hierarchy, the top-down strategy emphasizes on major control decision points encountered in the earlier stages of a process and detects any error in these processes. The difficulty arises in the top-down method, because the high-level modules are tested with stubs and not with actual modules. B, C and D are incorrect – These are the features of bottom up integration 916. With respect to System testing, what is the objective of performance testing? A. To assess how well the application is able to recover from crashes, hardware failures and other similar problems B. To determine that an Information System protects data and maintains functionality as intended. C. to determine the stability of a given system or entity based on the requirements D. to assess various parameters like response time, speed of processing, effectiveness use of a resources (RAM, CPU etc.), network, etc. Key: D D is correct - Performance Testing: Software performance testing is performed on various parameters like response time, speed of processing, effectiveness use of a resources (RAM, CPU etc.), Module 5 Systems Development-Acquisition, Maintenance and Implementation 331 network, etc. This testing technique compares the new system's performance with that of similar systems using available industry benchmarks. A,B, C are incorrect – These are the objectives of Recovery Testing, Security testing and Stress testing respectively. 917. What does User Acceptance Testing focus on? A. Ensuring that the system is production-ready and satisfies all accepted (baselined) requirements B. Conforming to the quality standards of the organisation accepted before development C. Documenting specifications, technology employed, use of coding standards D. Controlling the execution of tests and the comparing of actual outcomes with predicted outcomes Key: A A is correct - User Acceptance Testing (UAT): It is a user extensive activity and participation of functional user is a primary requirement for UAT. The objective of UAT is to ensure that the system is production-ready and satisfies all accepted (baseline) requirements. B and C are incorrect – These are the features of Quality Assurance Testing D is incorrect – This is the feature of automated testing 918. In this strategy, implementation can be staged with conversion to the new system taking place gradually. A. Phased Changeover B. Abrupt Changeover C. Pilot Changeover D. Parallel Changeover Key: A A is correct - Phased Changeover: With this strategy, implementation can be staged with conversion to the new system taking place gradually. This is done based on business operations. For example, converting one function (e.g. marketing) on new system, wait for the same be stabilized and then take another function (Finance/HR/production etc.) B is incorrect – Cut-off or Direct Implementation / Abrupt Change-Over: This is achieved through an abrupt takeover – an all or no approach. With this strategy, the changeover is done in one operation, completely replacing the old system in one go. Fig 6.1 depicts Direct Implementation, which usually takes place on a set date, often after a break in production or a holiday period so that time can be used to get the hardware and software for the new system installed without causing too much disruption. C is incorrect – Pilot Changeover: With this strategy, the new system replaces the old one in one operational area or with smaller scale. Any errors can be rectified and new system is stabilized in pilot area, this stabilized system is replicated in operational areas throughout the whole system. For example converting banking operations to centralized systems are done at one branch and stabilized. The same process is replicated across all branches. Module 5 Systems Development-Acquisition, Maintenance and Implementation 332 D is incorrect – Parallel Changeover: This is considered the most secure method, time and resource consuming implementation. The new systems is implemented, however the old system also continues to be operational. The output of new system is regularly compared with old system. If results matches over period of time and issues observed with new system are taken care of, the old system is discontinued. 919. Which of the following is a requirement to be considered with respect to cloud computing and sourcing options? A. The development team needs to define backup procedures B. Client needs to be tested for all known browsers C. Evaluation of vendors for acquisition of tools and software D. Developers to test their code before releasing to testing team Key: B B is correct - The lists of requirements that must be considered are discussed below: Deployment of services may happen in phased manner, the project manager may consider agile development method to develop and deploy services. nt is executed using internet browsers like internet explorer, Google chrome, Mozilla etc. and hence need to be tested for all known browsers. It is necessary to consider security while developing the software, users may or may not use security settings in their browsers. Also not all browsers offer same level of security settings. application. -functional requirements of performance and response have to be considered while developing the software. middleware are complex and should be considered. A, C and D are incorrect – These are the characteristics for virtualisation 920. Which of the following is a risk with respect to security of big data? A. When an employee leaves the company, data may still be present on their employees’ device. B. Requires data to be stored in denormalized form i.e. schema-less in distributed environments C. Propagation of malware resulting in data leakage, data corruption and non-availability of required data. D. Possibility of fraud through remote access and inability to prevent/detect it. Key: B B is correct - Big data requires data to be stored in denormalized form i.e. schema-less in distributed environments, where data from multiple sources can be joined and aggregated in arbitrary ways, make it challenging to establish access controls • As the big data consist of high volume, high variety and high velocity data, it makes difficult to ensure data integrity Module 5 Systems Development-Acquisition, Maintenance and Implementation 333 • Since it is aggregation of data from across the organisation, it also includes sensitive data • Most existing data security and compliance approaches will not scale to handle big data security. A, C and D are incorrect – These are the disadvantages of using mobile devices in SDLC 921. Which of the following is the role of an IS Auditor during post implementation review? A. suggest appropriate controls to be included in proposed solution B. Interview project team and stakeholders to understand expectations C. Ensure ‘what project control standards are to be complied with D. Evaluation of system for information security and privacy controls Key: D D is correct - Information Security: System should also need to be evaluated for information security and privacy controls. This aspect of system evaluation is based on the security requirements documented during information gathering, security of infrastructure on which the application is hosted (e.g. hardware baselining, network security, access controls and vulnerability scanning). Evaluation may also include the availability aspect required for continuity (e.g. in case of high availability requirements redundant infrastructure in cluster or replication and readiness of alternate site, updating of BCP documents etc.) A, B, C are incorrect – These are the reviews to be done by the auditor as a team member and during mid project Module 6 Business Application Software Audit 334 922. In an organisation, business processes and related controls are put in place through: A. Business Applications B. Control Structure C. Business Cycle D. Business Model Key: A A is correct - “Business Application”, may be defined as applications (meaning computerized software) used by organisation to run its business. The consideration is whether the said application covers / incorporates the key business processes of the organisation. Another important consideration is whether the control structure as available in the Business Application is appropriate to help organisation achieve its goals. Business applications are where the necessary controls needed to run business are put in place. The business processes and related controls are put in place through business applications used by an organisation. B, C and D are incorrect – Each business cycle used by an organisation has a defined control structure that has a direct co- relation to the business model used. Organisations have to document business processes and identify key control points. Organisations have to ensure that the key control points are configured in system. 923. The ICAI has issued standards on Internal Audit in Information Technology Environment. According to this, an auditor has to: A. Consider subject matter guidance or direction, as afforded through legislation, regulations, rules, directives and guidelines issued by government or industry. B. Establish the expected degree of reliance to be placed on internal control; C. Determine the nature, timing, and extent of the audit procedures to be performed; and D. Consider the extent to which the IT environment is used to record, compile, process and analyse information Key: D D is correct - SIA 14, on INTERNAL AUDIT IN INFORMATION TECHNOLOGY ENVIRONMENT, as issued by ICAI, states that; “The internal auditor should consider the effect of an IT environment on the internal audit engagement, inter alia: a. the extent to which the IT environment is used to record, compile, process and analyse information; and b. The system of internal control in existence in the organisation with regard to: the flow of authorised, correct and complete data to the processing centre; the processing, analysis and reporting tasks undertaken in the installation”. A, B and C are incorrect – ISACA Standards ISACA ITAF, 1201 “Engagement Planning”, identifies risk assessment as one of the key aspects and states that IS audit and assurance professionals, have to; Module 6 Business Application Software Audit 335 e activity being audited. The extent of the knowledge required should be determined by the nature of the enterprise, its environment, areas of risk, and the objectives of the engagement. legislation, regulations, rules, directives and guidelines issued by government or industry. covered during the engagement. Audit strategies, materiality levels and resource requirements can then be developed. that activities remain on track and within budget. ICAI Standards SA 200 “Overall Objectives of the Independent Auditor and the conduct of an audit in accordance with standards on Auditing”, Issued by ICAI, requires an auditor to plan an audit and get following information: “The auditor should plan his work to enable him to conduct an effective audit in an efficient and timely manner. Plans should be based on knowledge of the client’s business. Plans should be made to cover, among other things: a. Acquiring knowledge of the client’s accounting system, policies and internal control procedures; b. Establishing the expected degree of reliance to be placed on internal control; c. Determining and programming the nature, timing, and extent of the audit procedures to be performed; and d. Coordinating the work to be performed. The first step to by an IS auditor is to obtain knowledge about the business of the organisation, do risk assessment and decide on the specific and additional audit procedures to complete the audit. 924. What is control risk with respect to risk assessment for a business application? A. Relates to business risks, country risks and contract risks B. Failure of a control to prevent or detect a material error that exists in system. C. risk arising without taking into account a planned action by management D. failure of an audit procedure to detect an error that might be material Key: B B is correct - Control risk is defined as failure of a control to prevent, detect a material error that exists in system. A, C and D are incorrect – Subject matter risk, relates to business risk, country risk, contract risks. These are important for an IS auditor to consider but merged with inherent risk (discussed later). 2. Audit risk, is define as auditor reaching incorrect conclusion after an audit. The components of audit risk being control risk, inherent risk and detection risk. reduce the risk. Simply said it related to nature of transaction / business. individually or in combination of other errors. Module 6 Business Application Software Audit 336 925. Business applications used by entities to manage resources optimally and to maximize economy, efficiency and effectiveness of business operations is known as: A. Accounting Applications B. Banking Applications C. ERP Applications D. Payroll Application Key: C C is correct - ERP Application: These have been created a separate category of business application systems, due to their importance for an organisation. These software called as enterprise resource planning software are used by entities to manage resources optimally and to maximize E^3 i.e. economy, efficiency and effectiveness of business operations. A is incorrect - Accounting Applications: Applications like TALLY, TATA EX, UDYOG, used by business entities for purpose of accounting for day to day transactions, generation of financial information like balance sheet, profit and loss account, cash flow statements, are classified as accounting applications. B is incorrect – Banking Application: Today all public sector banks, private sector banks, and including regional rural banks have shifted to core banking business applications (referred to as CBS). Reserve Bank of India guidelines mandating all co-operative banks also to shift to core banking applications by December 013, means 95% plus Indian banks use CBS. CBS used by Indian banks include, FINACLE (by Infosys Technologies Ltd.), FLEXCUBE (By Oracle Financial Services Software Limited, formerly called i-flex Solutions Limited), TCS BaNCS (By TCS Limited), and many more CBS. D is incorrect – Payroll Application: Many companies across the world are outsourcing these activities to professionals. In India also many CA firms are doing good job on payroll outsourcing. TALLY has a payroll application built into it. ICAI, has made available for its members a payroll application. 926. Key business requirements for information specify ‘integrity’ as a parameter that needs to be present in information generated. By integrety we mean: A. protection of sensitive information from unauthorised disclosure B. accuracy and completeness of information as well as its validity C. information being available when required D. information being delivered in a timely, correct, consistent and usable manner Key: B B is correct - Integrity: Relates to the accuracy and completeness of information as well as to its validity in accordance with business values and expectations A is incorrect – Confidentiality: Concerns the protection of sensitive information from unauthorised disclosure Module 6 Business Application Software Audit 337 C is incorrect - Availability: Relates to information being available when required by the process now and in the future. It also concerns the safeguarding of necessary resources and associated capabilities. D is incorrect – Effectiveness: Deals with information being relevant and pertinent to the process as well as being delivered in a timely, correct, consistent and usable manner 927. COBIT defines six control objectives for application controls. Under which of the following objectives does validating input data classify? A. Data collection and entry B. Completeness and Authenticity checks C. Processing integrity and validity D. Transaction Authentication and Integrity Key: B B is correct - Accuracy, Completeness and Authenticity Checks: Ensure that transactions are accurate, complete and valid. Validate data that were input, and edit or send back for correction as close to the point of origination as possible. A is incorrect - Source Data Collection and Entry: Ensure that data input is performed in a timely manner by authorised and qualified staff. Correction and resubmission of data that were erroneously input should be performed without compromising original transaction authorisation levels. Where appropriate for reconstruction, retain original source documents for the appropriate amount of time. C is incorrect - Processing Integrity and Validity: Maintain the integrity and validity of data throughout the processing cycle. Detection of erroneous transactions does not disrupt the processing of valid transactions. D is incorrect – Transaction Authentication and Integrity: Before passing transaction data between internal applications and business/operational functions (within or outside the enterprise), check the data for proper addressing, authenticity of origin and integrity of content. Maintain authenticity and integrity during transmission or transport 928. Neural Networks and Fuzzy Logics are classified under which category of Artificial intelligence? A. Cognitive Science B. Robotics C. Natural Sciences D. Virtual Reality Key: A A is correct - Cognitive Science: This is an area based on research in disciplines such as biology, neurology, psychology, mathematics and allied disciplines. It focuses on how human brain works and how humans think and learn. Applications of AI in the cognitive science are Expert Systems, Learning Systems, Neural Networks, Intelligent Agents and Fuzzy Logic Module 6 Business Application Software Audit 338 B, C and D are incorrect – Robotics: This technology produces robot machines with computer intelligence and human-like physical capabilities. This area includes applications that give robots visual perception, capabilities to feel by touch, dexterity and locomotion. iii. Natural Languages. Being able to 'converse' with computers in human languages is the goal of research in this area. Interactive voice response and natural programming languages, closer to human conversation, are some of the applications. Virtual reality is another important application that can be classified under natural interfaces. 929. What are decision support systems (DSS)? A. System used for getting valuable information for making management decisions B. systems that provide interactive information support to managers with analytical models C. system which allows buying and selling goods on the internet and involves information sharing, payment, fulfillment, service and support D. system intended to capture data at the time and place of a transaction Key: B B is correct - DSS are information systems that provide interactive information support to managers with analytical models. DSS are designed to be ad hoc systems for specific decisions by individual- managers. These systems answer queries that are not answered by the transactions processing systems. A, C and D are incorrect – Data warehousing system is used for getting valuable information for making management decisions. Other than buying and selling goods on the Internet, E Commerce (Electronic Commerce) involves information sharing, payment, fulfillment and service and support. a PoS is intended to capture data at the time and place of transaction which is being initiated by a business user. It is often attached to scanners to read bar codes and magnetic cards for credit card payment and electronic sales. 930. Which of the following should an IS auditor consider while auditing data warehousing systems? A. Network capacity for speedy access B. Accuracy and correctness of outputs generated C. Validation of receivers details for correctness and completeness D. Review of exceptional transaction logs Key: A A is correct - IS Auditor should consider the following while auditing data warehouse: 1. Credibility of the source data 2. Accuracy of the source data 3. Complexity of the source data structure 4. Accuracy of extraction and transformation process 5. Access control rules 6. Network capacity for speedy access B is incorrect – IS Auditors role with respect to Decision Support System: Module 6 Business Application Software Audit 339 1. Credibility of the source data 2. Accuracy of the source data 3. Accuracy of extraction and transformation process 4. Accuracy and correctness of the output generated 5. Access control rules C is incorrect – The IS Auditors role with respect to EFT will be with respect to: 1. Authorisation of payment. 2. Validation of receivers details, for correctness and completeness. 3. Verifying the payment made. 4. Getting acknowledgement from the receiver, or alternatively from bank about the payment made. 5. Checking whether the obligation against which the payment was made has been fulfilled. D is incorrect – IS Auditors role for PoS systems: In case there is batch processing, the IS auditor should evaluate the batch controls implemented by the organization. 2. Check if they are in operation, 3. Review exceptional transaction logs. 4. Whether the internal control system is sufficient to ensure the accuracy and completeness of the transaction batch before updating? 5. The relevance of controls is more In the case of online updating system, the IS auditor will have to evaluate the controls for accuracy and completeness of transactions. 931. Why is IS Audit performed? A. It safeguards assets, maintains data integrity and achieves the organisations goals and objectives B. To ensure that the organisations computer systems are available for the business at all times when required C. Business processes have been integrated into system and decisions are being taken through this integrated system D. To ensure that the information provided by the system is accurate, reliable and timely Key: C C is correct - IS Audit is necessary in today’s business environment as business processes have been integrated into system and lot of decision is being taken through these integrated system. A, B and D are incorrect – These are the agenda to be followed for an IS Audit 932. While performing an IS audit which of the following comes under risk assessment and planning? A. conclusions on objective(s), scope, timeline and deliverables, compliance with applicable laws and professional auditing standards B. provide supervision to IS audit staff for whom they have supervisory responsibility, to accomplish audit objectives Module 6 Business Application Software Audit 340 C. use an appropriate risk assessment approach and supporting methodology to develop the overall IS audit plan D. obtain sufficient and appropriate evidence to achieve the audit objectives. Key: C C is correct - Risk Assessment in Planning: The IS audit and assurance function shall use an appropriate risk assessment approach and supporting methodology to develop the overall IS audit plan and determine priorities for the effective allocation of IS audit resources. IS audit and assurance professionals shall identify and assess risk relevant to the area under review, when planning individual engagements. IS audit and assurance professionals shall consider subject matter risk, audit risk and related exposure to the enterprise. A, B and D are incorrect – Engagement Planning: This includes conclusions on objective(s), scope, timeline and deliverables, compliance with applicable laws and professional auditing standards, use of a risk-based approach, where appropriate, engagement-specific issues, documentation and reporting requirements. Performance and Supervision: IS audit and assurance professionals shall conduct the work in accordance with the approved IS audit plan to cover identified risk and within the agreed-on schedule. IS audit and assurance professionals shall provide supervision to IS audit staff for whom they have supervisory responsibility, to accomplish audit objectives and meet applicable professional audit standards. IS audit and assurance professionals shall accept only tasks that are within their knowledge and skills or for which they have a reasonable expectation of either acquiring the skills during the engagement or achieving the task under supervision. IS audit and assurance professionals shall obtain sufficient and appropriate evidence to achieve the audit objectives. The audit findings and conclusions shall be supported by appropriate analysis and interpretation of this evidence. IS audit and assurance professionals shall document the audit process, describing the audit work and the audit evidence that supports findings and conclusions. IS audit and assurance professionals shall identify and conclude on findings. Evidence: IS audit and assurance professionals shall obtain sufficient and appropriate evidence to draw reasonable conclusions on which to base the engagement results. IS audit and assurance professionals shall evaluate the sufficiency of evidence obtained to support conclusions and achieve engagement objectives. 933. The type of CAAT which is written for special audit purposes or targeting specialized IT environments is known as: A. Specialised Audit Software B. Generalised Audit Software C. Utility Software D. Computer Audit Software Key: A A is correct - Specialised Audit software, unlike GAS, is written for special audit purposes or targeting specialized IT environments. Module 6 Business Application Software Audit 341 B, C and D are incorrect – Generalised Audit software refers to generalized computer programs designed to perform data processing functions such as reading data, selecting and analyzing information, performing calculations, creating data files and reporting in a format specified by the auditor. Utility software or utilities though not developed or sold specifically for audit are often extremely useful and handy for conducting audits. Computer audit software is also known as Generalised Audit Programs (GAS) 934. Which of the following pertains to an operation using GAS? A. Testing for UNIX controls B. Comparing an input file with a processed file C. Production of circularisation letters D. Random sampling plan Key: D D is correct - Typical operations using GAS include: Sampling Items are selected following a value based or random sampling plan. b. Extraction Items that meet the selection criteria are reported individually. c. Totaling the total value and number of items meeting selection criteria are reported. d. Ageing Data is aged by reference to a base date e. Calculation Input data is manipulated prior to applying selection criteria A, B and C are incorrect – Specialised Audit software, unlike GAS, is written for special audit purposes or targeting specialized IT environments. The objective of these software to achieve special audit procedures which may be specific to the type of business, transaction or IT environment e.g. testing for NPAs, testing for UNIX controls, testing for overnight deals in a Forex Application software etc. Such software may be either developed by the auditee or embedded as part of the client’s mission critical application software. Such software may also be developed by the auditor independently. Before using the organisation’s specialized audit software, the auditor should take care to get an assurance on the integrity and security of the software developed by the client... Utility software or utilities though not developed or sold specifically for audit are often extremely useful and handy for conducting audits. These utilities usually come as part of office automation software, operating systems, and database management systems or may even come separately. Utilities are useful in performing specific system command sequences and are also useful in performing common data analysis functions such as searching, sorting, appending, joining, analysis etc. Utilities are extensively used in design, development, testing and auditing of application software, operating systems parameters, security software parameters, security testing, debugging etc. a. File comparison: A current version of a file for example, is compared with the previous year’s version, or an input file is compared with a processed file. b. Production of circularisation letters. 935. What is continuous auditing? A. Process of obtaining evidence directly on the quality of the records produced and maintained in the system. B. Process of reviewing the computer logs generated at various points to build an audit trail C. Process through which an auditor evaluates the particular system(s) and thereby generates audit reports on real time basis. Module 6 Business Application Software Audit 342 D. Process of reviewing transactions as they are processed and select items according to audit criteria specified in the resident code Key: C C is correct - Continuous auditing is a process through which an auditor evaluates the particular system(s) and thereby generates audit reports on real time basis. Continuous auditing approach may be required to be used in various environments. Such environments usually involve systems that are 4*7 mission critical systems. A is correct – This forms part of selecting, implementing and using CAAT’s B and D are incorrect – These are different techniques of continuous auditing 936. Procedure of continuous auditing whereby digital pictures of procedures are saved and stored in the memory: A. Snapshot B. Integrated Test facility C. System activity file interrogation D. Embedded audit facilities Key: A A is correct - Most applications follow a standard procedure whereby, after taking in the user input they process it to generate the corresponding output. Snapshots are digital pictures of procedures of the console that are saved and stored in the memory. Procedures of the console refer to the application procedures that take input from the console i.e. from the keyboard or the mouse. These procedures serve as references for subsequent output generations in the future. Typically, snapshots are implemented for tracing application software and mapping it. The user provides inputs through the console for processing the data. Snapshots are means through which each step of data processing (after the user gives the input through) is stored and recalled. B is incorrect - Integrated Test Facility (ITF) is a system in which a test pack is pushed through the production system affecting “dummy” entities. Hence this requires dummy entities to be created in the production software. For example, the auditor would introduce test transactions that affect targeting dummy customer accounts and dummy items created earlier for this testing purpose. C is incorrect – Most computer operating systems provide the capability of producing a log of every event occurring in the system, both user and computer initiated. This information is usually written to a file and can be printed out periodically. As part of audit testing of general controls, it may be useful for the auditor to review the computer logs generated at various points to build an audit trail. Wherever possible, unauthorised or anomalous activity would need to be identified for further investigation. D is incorrect – Embedded audit facilities consist of program audit procedures, which are inserted into the client’s application programs and executed simultaneously. The technique helps review transactions as they are processed and select items according to audit criteria specified in the resident code, and automatically write details of these items to an output file for subsequent audit examination. 937. Compliance testing helps an auditor: Module 6 Business Application Software Audit 343 A. substantiate the integrity of actual processing and the outcome of compliance testing B. to test for monetary errors directly affecting financial statement balances C. To obtain evidence of the validity and propriety of accounting treatment of transactions D. Determine that controls are applied in a manner that complies with policies and procedures Key: D D is correct - Compliance tests are used to help determine the extent of substantive testing to be performed, as stated in Statement of Auditing Standards. Such tests are necessary if the prescribed procedures are to be relied upon in determining the nature, time or extent of substantive tests of particular classes of transactions or balances. Once the key control points are identified, the auditor seeks to develop a preliminary understanding of the controls to ensure their existence and effectiveness. B, C and D are incorrect – These are the features of Substantive Testing 938. While reviewing authorisation procedure before creating user rights, an IS auditor has to: A. Evaluate how the user rights have been granted and monitored B. Check who triggers the request for user rights creation C. Check Whether there is a proper cross check mechanism to validate the user rights D. Check Whether user right alteration process is linked to the job profile of the individual Key: B B is correct - Authorisation procedure before creating user rights? IS Auditor needs to check whether there is a formal user rights approval form/document. The question that need to be answered being a. Who triggers the request for user rights creation? Ideally this request has to be generated through HR department. b. Whether the form contains all relevant information for the specific user? c. Whether the form has been properly filled? d. Whether the form has valid authorisation? e. Whether forms are marked once user rights are created in system? A is incorrect – Who has the authority to create user rights? IS auditor is also concerned to know the person who has the authority to create users in system. IS auditor needs to evaluate the rights of persons doing this job and how these rights have been granted and monitored. C is incorrect - Validation of user rights created in system? IS Auditor needs to evaluate the process how user rights created at step (ii) are validated once they have been put in system. IS Auditor may seek answers to the following questions. a. Whether there is a proper cross check mechanism build in organisation to validate the user rights of employee once they have been created? b. Whether there is timely validation of user rights and user job profiles? For example this is a cyclical process to be done once each year to see whether the job profile of individual is appropriately reflected in his/her user rights? D is incorrect - Process of alteration of user rights? Module 6 Business Application Software Audit 344 IS Auditor is concerned with the process of alteration of rights. The IS Auditor seeks answers to the following questions. a. Whether the user right alteration process is linked to job profile of individual? b. Who triggers the request for user rights alteration? 939. This is the highest level of database abstraction which is of concern to the users is: A. Conceptual or global view B. Physical view C. Internal view D. External or user view Key: D D is correct - External or user view: It is at the highest level of the database abstraction. It includes only that portion of database or application programs which is of concern to the users. It is defined by the users or written by the programmers. It is described by the external schema. A is incorrect – Conceptual or global view: This is reflection of a database is viewed by database administrator. Single view represents the entire database. It describes all records, relationships and constraints or boundaries. Data description to render it independent of the physical representation. It is defined by the conceptual schema, B and C are incorrect – Physical or internal view: It is at the lowest level of database abstraction. It is closest to the physical storage method. It indicates how data will be stored, describes data structure, and the access methods. It is expressed by internal schema. 940. What control does a ‘view’ function offer with respect to database security? A. Segregation of duties B. Addresses conflicts relating to simultaneous access C. Enables data access limitations D. Ability to create and reuse SQL code Key: C C is correct - Views: Views enable data access limitations. A view is a content or context dependent subset of one or more tables. A, B and D are incorrect – Database Roles and Permissions • Segregation of duties • Roles & Permissions allow control of operations that a user can perform on database, Concurrency Control: Addresses conflicts relating to simultaneous accesses Stored Procedures: Database servers offer developers the ability to create & reuse SQL code through the use of objects called as Stored Procedures (Group of SQL statements). 941. User Creation and Access rights are done by _______________________. A. Application Programmers Module 6 Business Application Software Audit 345 B. Specialised Users C. Naïve Users D. Database Administrators Key: D D is correct - Normally, a database administrator first uses CREATE USER to create an account, then GRANT to define its privileges and characteristics. For Example in Oracle, The SYS and SYSTEM accounts have the database administrator (DBA) role granted to them by default. These are predefined all other users have to be created. There is a need to create user and assign some authentication mechanism like a Password. A, B, C are incorrect – These are different types of database users 942. Compliances specified in Section 17(2AA) of Companies Act 1956 which states that directors of the company are responsible to implement proper internal control relates to: A. Taxation related compliance B. Control related compliance C. XBRL Compliance D. Accounting Standard related compliance Key: B B is correct - Control Related: Those specified in: - Section 17(2AA) of Companies Act 1956 (old): Detailing Director’s Responsibility Statement, which specifies that directors of the company are responsible to implement proper internal controls. - CARO, 2003 (As amended in 2004), has many clauses where statutory auditor needs to comment upon the internal controls. - SOX compliance: Financial transaction analysis, for example aging analysis for debtors and inventory, capability to drill down un-usual financial transactions. A, C and D are incorrect – Taxation related: TDS, TCS, Excise Duty, Service Tax, VAT, PF, etc. XBRL compliance: Looking to the growth of XBRL compliance in India and governments intention to slowly increase the coverage area of eligible entities, XBRL compliance shall increase in India. Many business application vendors have already started making their software capable of generating XBRL reporting. Accounting Standard related: Accounting standards prescribing the accounting guidance to transactions. It is important that the business applications used are in compliance with the applicable accounting standards. 943. What is the responsibility of management with respect to accuracy and authenticity of reports? A. Prime responsibility of accuracy of reports generated B. Whether established controls ensure accuracy of reports C. Forming opinion based on such reports D. Respond appropriately to written representations Module 6 Business Application Software Audit 346 Key: A A is correct - The prime responsibility for accuracy of report generated from the business applications lies with the management. B, C and D are incorrect – These are the responsibilities of the internal and statutory auditor Module 7 Business Continuity Management 347 944. It is becoming increasingly important for businesses to have a business contingency plans for their Information systems. The criticality of the contingency plan will depend mainly upon _____________ A. The extent of investment in the organization on IT B. Likely level of impact due to failure or non-availability of IT C. The severity of the incident D. The extent of risk aversion of the organization Key B Justification The criticality of the contingency plan will depend upon the anticipated intensity of the impact of failure or non-availability of IT, as pointed out in Option B. The other factors indicated in other would not influence the criticality as much. 945. In terms of ascending order of severity / intensity, how would the terms incident, crisis, emergency & disaster be ordered ? A. Incident, crisis, emergency, disaster B. Incident, emergency, crisis, disaster C. Emergency, incident, crisis, disaster D. Emergency, crisis, incident, disaster KEY A Justification An incident is an event that can lead to losses for an organization &, if not managed properly, can lead to a crisis, emergency or disaster. A crisis is an event that is expected to lead to an emergency or disaster. A disaster is like an emergency, but of much larger scale. Hence, answer at Option A is correct. 946. An organization with extensive internet based business has its computer servers located in an area known for power outages at times for several hours a day. How is the organization’s exposure to this situation expressed in Business Continuity Management terms ? A. Risk B. Vulnerability C. Contingency D. Emergency Key B Module 7 Business Continuity Management 348 Justification The degree of exposure to any risk or the consequences of risk is termed vulnerability. The exposure is to a risk & the situation is described as vulnerability. A contingency expresses the possibility of exposure to risk and an emergency when the risk is actually likely to occur. Hence, answer at Option B only is correct. 947. What is Minimum Business Continuity Objective? A. Organization objective to continue doing business despite disruptions B. Organization objective to continue minimum level of business even during financial crisis C. Organization approach to reduce business operations to a minimum level during crises D. Minimum level of services/products acceptable during a disruption Key D Justification MBCO is the minimum level of services and/or products acceptable to the organization during a disruption, as brought out in Option D. The answers in the other options are factually wrong. 948. What is Maximum Acceptable Outage ? A. Maximum loss an organization can afford to absorb on account of a disruption B. Maximum loss of output an organization can afford on account of a disruption C. Maximum number of persons an organization can afford to shift out during an emergency D. Maximum period of time an organization can tolerate disruption of a critical business function Key D Justification MAO is the maximum period of time an organization can tolerate disruption of a critical business function, as brought out in Option D. The answers in the other options are factually wrong. 949. What is a Contingency Plan ? A. An overall process of preparing for unexpected events B. A list of contingencies that can strike an organization’s operations C. Plan of deployment of a contingent of officials involved with security D. Maximum number of persons an organization can afford to shift out during an emergency KEY A Justification A Contingency plan, as brought out in Option A, is an overall process of preparing for unexpected events. The answers in the other options are factually wrong. Module 7 Business Continuity Management 349 950. Preventive measures and corrective measures are two of the three basic strategies that encompass a disaster recovery plan. What is the third basic strategy ? A. Restoration phase B. Planning phase C. Stabilization phase D. Multiplication phase Key C Justification Detective measures are taken to identify the presence of unwanted events within the IT infrastructure. They are the third basic strategy involved in disaster recovery plans. Hence, answer in Option C is correct. 951. Distinguish between Business Continuity Plan (BCP) and Disaster Recovery plan (DRP)? A. BCP is to enable business to function normally in all respects whereas DRP is to have basic functions alone operating post an event B. BCP is to facilitate continuation of a business even after the death or disability of the promoter whereas DRP is preparation for facing natural disasters alone C. BCP is to ensure recovery of critical functions alone whereas DRP is to have all operations functioning post an event D. Both BCP and DRP are effectively the same; they are inter-changeable terminology Key C Justification BCP is to ensure recovery of critical functions alone whereas DRP is to have all operations functioning post an event. Thus, BCP may be the initial response to an event or disaster when some essential functions alone are revived. DRP, however, will cover resumption of full-fledged normal operations. The answers in other options are not correct and answer in Option C is correct. 952. Crisis phase, Emergency response phase & Recovery phase are three of the four phases that are typical of any disaster scenario. Which is the fourth phase ? A. Restoration phase B. Planning phase C. Multiplication phase D. Stabilization phase KEY A Justification The fourth phase of Disaster is the Restoration phase. This phase involves restoration of conditions to normal. Damages to equipment & facilities are normally repaired during this period. The answers in Options B to D are not correct and answer in Option A is correct. 953. What are the pre-requisites in developing a Business Continuity Plan (BCP) ? Module 7 Business Continuity Management 350 A. Planning for all phases & making it part of business process B. Testing of the BCP C. Waiting for one incident to learn from, before drawing up BCP D. Having the organization’s strategic long term plan ready KEY A Justification The major pre-requisites for developing a BCP include planning for all phases & making it a part of business process by assigning responsibility to specific business process owners. It will not be practicable to wait for one event or disaster to happen; we would have to depend upon the wisdom of the team members to brain storm, identify possible scenarios & plan corrective actions. While it would be good to have the organization’s strategic long term plan ready, it may not be an actual must. Testing of the BCP will be a subsequent step, post finalization of the BCP. Hence, answer at Option A is correct & the others wrong. 954. What are the key phases prior to development of a Business Continuity Plan (BCP) ? A. Maintenance of the BCP B. Business Impact Analysis & Risk Assessment C. Testing of the BCP D. Training & awareness of employees Key B Justification The key phases prior to development of a BCP are Business Impact Analysis & Risk Assessment. Training and awareness of the employees will happen subsequent to completion of the drafting of the BCP. Testing and maintenance, too, would happen only after the plan is ready. Hence, answer at Option B is correct & the others wrong. 955. What are the key phases post development of a Business Continuity Plan (BCP) ? A. Testing, training & awareness of employees & maintenance B. Appointing a project team and steering committee C. Risk assessment D. Business Impact analysis KEY A Justification Business impact analysis, risk assessment & appointment of a project team & steering committee are steps which precede the development of a BCP. Hence, they cannot handle work relating to post development of the BCP. Testing, training & awareness of employees and maintenance are the key phases to be implemented post development of a BCP. Module 7 Business Continuity Management 351 Hence, answer at Option A is correct & the others wrong. 956. A Business Impact Analysis (BIA) has the objective of estimating the financial & intangible operational impacts for each business unit, assuming a worst case scenario. What other objective does it have ? A. Address initiatives for speedy recovery from contingency B. Identify business unit processes & estimated recovery time for each C. Develop recovery management team D. Develop crisis management team Key B Justification The third major objective of the BIA would be to identify business unit processes & estimated recovery time for each of them, as indicated in Option A above. Initiatives towards recovery as also development of recovery/crisis management teams is not part of the BIA. Hence, answer at Option B is correct & the others wrong. 957. What is Recovery Time Objective (RTO) ? A. RTO is a measure of the user’s tolerance to downtime B. The time period the crisis is expected to last C. The time required for the team to stem further damage D. The time required for the crisis management team to respond KEY A Justification The RTO is a measure of the user’s tolerance to downtime. This is the amount of downtime of the business process that the business can tolerate and still remain viable. It is not any of the other aspects stated in Options B to D. Hence, answer at Option A is correct 958. What is Service Delivery Objective (SDO) ? A. Continuing to give services during a disaster B. The service level through alternate process till normality is restored C. Performing a service from an alternate site, owing to disaster D. Inter-departmental services supporting product deliveries to customers Key B Justification SDO is the service level through alternate process till normality is restored, as indicated in Option A above. The other answers are not factually correct. Hence, answer at Option B is correct. 959. What is Recovery Point Objective (RPO) ? A. The extent of acceptable data loss to a business owing to node failure B. The time by which the Crisis management team expects to achieve recovery C. The extent of data which can be recovered after a disaster D. The date by which lost data can be recovered by Recovery team Module 7 Business Continuity Management 352 KEY A Justification RPO is the extent of acceptable data loss to a business owing to node failure, as indicated in Option A above. The other answers are not factually correct. Hence, answer at Option A is correct. 960. What level of Recovery Time Objective (RTO) will a critical monitoring system have ? A. Very high RTO B. Close to a year C. Very low RTO, close to zero D. Medium level of RTO, close to 50 % Key C Justification The RTO is a measure of the user’s tolerance to downtime. This is the amount of downtime of the business process that the business can tolerate and still remain viable. In a critical monitoring system, it will be measured in hours or very close to zero hours. Hence, answer at Option C only is correct. 961. A Recovery Point Objective (RPO) will be deemed critical if it is ? A. Small B. Large C. Medium D. Depends upon business requirements KEY A Justification RPO is the extent of acceptable data loss to a business owing to node failure. Hence, the lower the extent of acceptable data loss, the more critical the situation. Answer in Option A, therefore, is the correct answer. Hence, answer at Option A is correct. 962. If the Recovery Point Objective (RPO) is close to zero, how will the overall cost of maintaining the environment for recovery be ? A. Low B. Medium C. Depends upon business requirements D. High Key D Justification RPO is the extent of acceptable data loss to a business owing to node failure. Hence, the lower the extent of acceptable data loss, the more critical the situation & the more expensive the cost of maintaining the environment. Answer in Option D therefore, is the correct answer. 963. What is the Maximum Tolerable Outage (MTO)? A. It is the maximum time an organization can support processing in alternate mode B. It is the maximum time an organization can afford to shut down operations Module 7 Business Continuity Management 353 C. It is the maximum loss of output an organization is able to afford D. It is the maximum loss of potential sales an organization can afford KEY A Justification MTO is the maximum time an organization can support processing in alternate mode, as indicated in Option A. The answers in other options are not correct. Answer in Option A, therefore, is the correct answer. 964. What happens when the Interruption Window is crossed by an organization in crisis ? A. A state of business continuity has been achieved B. Business Impact analysis can no longer be done or effective C. The progressive losses caused by the interruption become unaffordable D. The crisis no longer exists & the organization relaxes Key C Justification The Interruption window is the time the organization can wait from the point of failure to the point of critical services/applications restoration. Answer in Option C, therefore, is the correct answer. The answers in the other options are incorrect. 965. A company sells small furniture items exclusively over the Internet. It works with an Internet service provider for facilitating its online business. In house, it runs the operations with the bare minimum of manpower. Storage of information and recording of all transactions is carried out using the company’s IT network and very limited physical documentation is maintained. Their business is growing fast and their far sighted CEO has asked his managers to carry out a risk analysis to check and ensure preparedness in the face of any contingency. How would you rate this company’s tolerance to the risk of failure of the Internet services ? A. Vital B. Critical C. Sensitive D. Non-critical Key B Justification The Company is doing business exclusively online &, hence, dependence on the Internet is 100 %. It is also indicated that it goes in for very limited physical documentation of its business. Manning is also Spartan. Hence, the company’s tolerance to risk is critical. Answer at Option B, therefore, is correct. 966. An large Indian multinational company has its head office located at New Delhi. It has substantial investments made in this office, including large IT servers which cater to its global operations which are heavily dependent upon IT (assessed risk ranking 5). New Delhi happens to be in Seismic Zone 4 and is rated as a ‘High damage risk zone’ (assessed risk ranking 4). However, the actual occurrence of earthquakes has been rare (assessed risk ranking 2). What do you think could be Module 7 Business Continuity Management 354 the earthquake risk score for this establishment going by the standard formula for risk comparison ? A. 3.66 B. 2.50 C. 10.00 D. 13.33 KEY A Justification The risk score for this establishment would be 3.66 as per the formula (Asset cost + Likelihood + Vulnerability)/3. Answer at Option A, therefore, is correct. 967. The Head office of a large group of companies is located in a large metro city. With a view to testing its readiness to face the contingency of a fire, the organization very meticulously conducts fire drills at least once in a year at its Head office. It hires an independent professional agency to conduct the drill. Volunteers from within the organization act also assist in the process. The drill involves the initiation of a fire alarm, evacuation of all the offices, assembly at a common point, etc. The process and its outcome are carefully documented & learnings utilised for tweaking the organization’s safety processes. How would you classify this fire drill as an element of a Business Continuity Plan ? A. Structured walk through test B. Parallel test C. Unstructured walk through test D. Simulation test Key D Justification This would be classified as a simulation test since this is a mock practice session in response to a simulated disaster. Hence, answer at Option D is correct and the other answers are wrong. 968. Training in Disaster Recovery Planning (DRP) has two key objectives. One is to train recovery team participants who are expected to act in the event of a disaster. The other key objective would be _____________ A. To understand the calculation of the risk ratio B. To re-assess the value at risk C. To train key employees on awareness & disaster prevention D. To train the public at large as a public relations exercise Key C Justification The other key objective would be to train key employees on awareness & disaster prevention as also the need for DRP. The answers in Options B to D may not be totally irrelevant to the process but would definitely not be top of the mind for any normal process. Hence, answer at Option C is correct and the other answers are wrong. Module 7 Business Continuity Management 355 969. Scenario workshop & Walkthrough sessions are two of the major methods of training for disaster recovery & business continuity in general. What is the single, significant difference between both ? A. The workshop is preceded by a stipulated scenario & the walkthrough is based upon this scenario B. Scenario workshop is desktop activity whereas the walkthrough involves actual site visit C. Scenario workshop is for proposed businesses whereas Walkthrough sessions are for proven, old businesses D. Scenario workshops are for senior management whereas walkthrough sessions is for the rest of the organization KEY A Justification The key difference is that the workshop is preceded by a stipulated scenario & the walkthrough is based upon this scenario. Both are desktop activities. Both apply to all types of businesses & include all levels of managers. Hence, answer at Option A is correct and the other answers are wrong. 970. As IS Auditor, you are checking out the Business Continuity Plan (BCP) process in an organization. Apart from checking whether regular testing & updating of the BCP takes place, the other KEY Aspect that you will need to check is __________ A. Review the market dues of the organization & cash flows B. Check whether a succession plan is in place for key personnel C. Whether gaps identified in the past tests have been plugged subsequently D. Whether the organization has got itself certified under ISO Key C Justification The KEY Aspect that you will have to check is whether gaps identified in past tests have been plugged subsequently. Unless, gaps/drawbacks in the existing plan are corrected, the plan will gradually become ineffective. The answers in other options are not factually relevant to the situation. Hence, answer in Option C is the correct one. 971. State True or False. Incident Response Planning focuses exclusively on the Incident Response team preparedness, apt & timely response to incidents. a. False b. True KEY A Justification Incident Response Planning does not focus exclusively on the Incident Response Team’s preparedness. It also works on preventative measures which can help eliminate or reduce the occurrence of the incident. Hence, the statement in the stem is false and the answer in Option A above is correct. Module 7 Business Continuity Management 356 972. Complete the following statement. The three broad categories of incidents are definite, probable and ________________ A. Uncertain B. Possible C. Unfortunate D. Indefinite Key B Justification The third broad category of incidents is a possible incident &, hence, the answer in Option B above is correct. 973. Some possible actual IT incidents could be _____________ A. Presence of unfamiliar files B. Presence or Execution of unknown program or processes C. Unusual system crashes 974. Which one of the following could also be a possible actual incident ? A. Introduction of new software from accredited source B. Increase in number of licences C. Unusual consumption of computing resources D. Recruitment of a new software engineer Key C Justification Of the choices given, unusual consumption of computing resources could be a possible actual incident which can cause concern & trigger an incident response. Hence, the answer in Option C above is correct. 975. Which one of the following could also be a definite indicator of an incident ? A. Presence of unfamiliar files B. Presence of unknown programs C. Unusual consumption of computing resources D. Use of dormant accounts Key D Justification The use of dormant accounts is a definite indicator of an incident. The other choices given above could be owing to genuine reasons. Hence, the answer in Option D above is correct. 976. Which of the operating teams of contingency planning would conduct research on data that could lead to a crisis and develop actions that would adequately handle these threats ? Module 7 Business Continuity Management 357 A. Disaster Recovery team B. Incident Response team C. Contingency Planning team D. Administration team Key C Justification It is the Contingency planning team which would conduct research on data that could lead to a crisis and develop actions that would effectively handle these threats. The incident response team as well as the disaster recovery team would enter the arena only post the incident. Hence, the answer in Option C above is correct. 977. Which of the operating teams of contingency planning would be the first to arrive during the outbreak of an incident ? A. Incident Response team B. Contingency Planning team C. Disaster Recovery team D. Administration team KEY A Justification It is the Incident Response team which would appear first on the scene when an incident occurs. If this team is unable to make headway, the Disaster Recovery team is called in. If the Disaster Recovery team finds the impact of the crisis as very high, they draw in the Business Continuity Plan team in addition. Hence, the answer in Option A above is correct. 978. State True or False. The Disaster Recovery Plan should contain details about the Disaster Recovery Management Team and its sub-teams like Administration, Supplies, Public Relations, etc. as also their respective responsibilities. The idea is to decide on these well in advance and not waste precious time arriving at the right choice of people, roles and responsibilities at the time of the actual crisis. a. False b. True Key B Justification The very purpose of a Disaster Recovery Plan is to minimize the losses which a business may incur on account of a crisis. The single most important factor in such a situation is time and prior identification of the appropriate persons to take on the emergency roles is critical for speedy and effective disaster recovery efforts. Hence, the answer in Option B above is correct. 979. The Business Continuity Plan Manual comprises basically the _________ A. Business Continuity Plan alone B. Business Continuity Plan and the Disaster Recovery Plan Module 7 Business Continuity Management 358 C. Business Continuity Plan and the Incident Response Plan D. Business Continuity Plan and the Contingency Response Plan Key B Justification The BCP manual is expected to give reasonable reassurance to the senior management of the business’ capability to spring back from a disaster through a process of identifying potential crises as also plans for recovery from the crises. Hence, the BCP Manual comprises both the BCP and the DRP as indicated in Option B. The answers in the other Options are not factually correct. 980. Restoring from a Differential Back-up involves ________________ A. Restoring from last full back-up & then every incremental back-up B. Restoring from full back-up alone C. Restoring from last full back-up & then the differential back-up D. Restoring from differential back-up alone Key C Justification Restoring from a Differential Back-up involves restoring from the last full back-up and then the differential back-up, as indicated in Option C above. The other answers in other options are incorrect. 981. What is one of the most popular back up measures for wide-area data communication networks in an emergency ? A. Dial-up in lieu of the normal leased/broad band lines B. Circuit extension techniques C. Micro-wave communications D. On-demand carrier services KEY A Justification Dial-up facilities are one of the most popular back up measures for wide-area communication networks in the event of an emergency. The other options can also serve as back-up facilities but come with their own limitations / specialized uses. Eg. Circuit extension techniques are normally used with high speed leased lines, involving effective duplication of equipment/facilities. Similarly, on- demand services would depend upon the carrier’s capability & willingness. Hence, answer in Option A is correct. 982. A leading e-commerce provider is entering into the Indian market and is keen that the business is built on firm foundations to ensure its credibility to customers. Appreciating the importance of ensuring 100 % back-up for its Internet operations, it approaches a reputed vendor for advice on back-up facilities. The vendor analyses the customer’s requirements and comes up with a solution. The vendor offers the customer a ready-to-use back-up facility based upon subscription & membership. Module 7 Business Continuity Management 359 Virtually every equipment / facility which the customer has in his main facility, including air-conditioning, would be replicated at the vendor’s back-up location and it would be ready for instantaneous use in the case of an emergency, providing the customer the very dependable back-up facilities they seek but at a price. What is such a facility called ? A. Mirror site B. Cold site C. Hot site D. Cryogenic site Key C Justification Such a ready-to-use facility is termed a hot site as indicated in Option C. A mirror site, on the other hand, is a fully redundant facility maintained by an organization. A cold site is one which is not fully equipped and would require time to bring it on par with expectations. There is not facility called as cryogenic site in this context. 983. What is a Hybrid Online Backup ? A. Involves Local backup for recent data & Offsite backup for archived data B. Cryogenic site C. Back up through combination of manual as well as electronic storage D. Remote cloud as well as physical location storage KEY A Justification A Hybrid Online Backup involves a local backup which can be used for the most recent data as also an offsite back (perhaps on the cloud) for archived data which is not required to be accessed frequently. It does not refer to a combination of manual & electronic storage; nor does it relate to a remote cloud as well as physical location storage. The term cryogenic site has no relevance in this context. Hence, answer at Option A is the correct one. 984. What is database shadowing ? A. Maintenance of two parallel, independent databases B. Maintenance of a parallel database with the essential information alone C. Involves live processing of remote journaling D. Having a mirror database on the cloud Key C Justification Database shadowing is basically processing of remote journaling. i.e. parallel processing of all data at a remote location. The answer in Option C, hence, is correct. The other answers are incorrect. Module 7 Business Continuity Management 360 985. State True or false. Apart from covering losses on account of damage or loss of equipment, properties, additional costs incurred to meet the contingency etc., it is possible to get insurance cover for business interruption & consequent financial losses including customer claims, delayed cash flows, etc. a. False b. True Key B Justification Business interruption includes a situation involving failure of the IT system & consequent financial losses/expense incurred by the client. Hence, the answer in Option B is correct. 986. Which types of torts are excluded from liability insurance cover ? A. Negligent tort B. Product liability C. Intentional torts D. Service liability Key C Justification Intentional torts are excluded since it is assumed that they are foreseeable and can be avoided by the insurer. The other types of torts in Options A,B and D are insurable. Hence, the answer in Option C is correct. 987. What is an example of Errors and Omissions (E&O) insurance ? A. Professional liability insurance B. Marine insurance C. Business interruption insurance D. Motor vehicle insurance KEY A Justification E&O insurance is a form of insurance protecting the insured against liability arising from failure to meet appropriate standard of care for a given profession. Professional liability insurance is one form of E&O insurance. Marine, motor vehicle & business interruption insurance are not examples of E&O insurance since it does not fall within the limits of the definition given above . Hence, the answer in Option A is correct. 988. What is the primary goal of audit of a Business Continuity Plan (BCP)? A. Determining effectiveness of BCP & alignment with organizational goals B. Identify variations from laid down procedure & report to management C. Benchmark against practices prevailing in other organizations Module 7 Business Continuity Management 361 D. Compliance with laws & regulations KEY A Justification Any good auditor would obviously be required to note & report deviations from the stated norms. They are also expected to compare the processes involved with that of competitors / other organizations. Lastly, the IS auditor would also have to check for compliance with laws and regulations. While all these could be goals of an audit of a BCP, they would not be the primary one. On the contrary, determining effectiveness of BCP & alignment with organizational goals are critical goals which would address most of the other aspects covered in Options B to D. Hence, answer in Option A alone is the most appropriate one. 989. What is the first step in the BCP process ? A. Identifying the weaknesses in the organizations B. Testing the functioning of the process C. Checking for compliance with laws & regulations D. Identifying the mission/business-critical functions Key D Justification The aspects identified in Options A to C are, indeed, part of the BCP audit process. However, they do not constitute the critical step. This would basically be identification of mission / business-critical functions so that the adequacy of the BCP process for these selected functions are verified as part of the audit process. Hence, answer in Option D alone is the most appropriate one. 990. State True or False. While it is important to identify all critical missions and businesses in the business continuity plan, it should be understood that attempting to cover all the mission or business-critical functions would be a very expensive affair & not very feasible. It makes better sense to identify the priority areas which would impact most through their failure. A. True B. False KEY A Justification Practically speaking it would be best to go by the 80 20 rule as per which a few key issues of the journal would be available for consultation during the morning. Hence, answer in Option A alone is the more appropriate one. 991. State True or False. While validating the resources that support critical functions, the IS audit of the BCP process should restrict itself to computer-related matters which alone are the division’s responsibility. A. True B. False Module 7 Business Continuity Management 362 Key B Justification The audit has to cover all resources, whether IT related or not, that support critical functions. For, the failure of non-computer related resources could equally endanger the IT aspects of the business. Hence, answer in Option B alone is the most appropriate one. 992. State True or False. While validating the resources that support critical functions, the IS audit of the BCP process should restrict itself to computer-related matters which alone are the division’s responsibility. A. False B. True KEY A Justification The audit has to cover all resources, whether IT related or not, that support critical functions. For, the failure of non-computer related resources could equally endanger the IT aspects of the business. Hence, answer in Option A alone is the most appropriate one.