
Accounting Information Systems, 12e (Romney/Steinbart)

Chapter 8 Information Systems Controls for System Reliability, Part 1: Information Security


1) The Trust Services Framework reliability principle that states that users must be able to enter, update, and retrieve data during agreed-upon times is known as
A) availability.
B) security.
C) maintainability.
D) integrity.
Answer: A
Page Ref: 221
Objective: Learning Objective 1
Difficulty: Easy
AACSB: Analytic
2) Which of the following is not a useful control procedure to control access to system outputs?
A) Allowing visitors to move through the building without supervision
B) Coding reports to reflect their importance
C) Requiring employees to log out of applications when leaving their desk
D) Restricting access to rooms with printers
Answer: A
Page Ref: 229
Objective: Learning Objective 3
Difficulty: Easy
AACSB: Analytic
3) According to the Trust Services Framework, the reliability principle of integrity is achieved when the system produces data that
A) is available for operation and use at times set forth by agreement.
B) is protected against unauthorized physical and logical access.
C) can be maintained as required without affecting system availability, security, and integrity.
D) is complete, accurate, and valid.
Answer: D
Page Ref: 221
Objective: Learning Objective 1
Difficulty: Easy
AACSB: Analytic
4) Which of the following is not one of the three fundamental information security concepts?
A) Information security is a technology issue based on prevention.
B) Security is a management issue, not a technology issue.
C) The idea of defense-in-depth employs multiple layers of controls.
D) The time-based model of security focuses on the relationship between preventive, detective and corrective controls.
Answer: A
Page Ref: 222-224
Objective: Learning Objective 2
Difficulty: Easy
AACSB: Analytic
Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall
5) Which of the following is not one of the essential criteria for successfully implementing each of the principles that contribute to systems reliability, as discussed in the Trust Services Framework?
A) Developing and documenting policies
B) Effectively communicating policies to all outsiders
C) Designing and employing appropriate control procedures to implement policies
D) Monitoring the system and taking corrective action to maintain compliance with policies
Answer: B
Page Ref: 223
Objective: Learning Objective 2
Difficulty: Easy
AACSB: Analytic
6) If the time an attacker takes to break through the organization's preventive controls is greater than the sum of the time required to detect the attack and the time required to respond to the attack, then security is
A) effective.
B) ineffective.
C) overdone.
D) undermanaged.
Answer: A
Page Ref: 224
Objective: Learning Objective 2
Difficulty: Moderate
AACSB: Analytic
7) Verifying the identity of the person or device attempting to access the system is
A) authentication.
B) authorization.
C) identification.
D) threat monitoring.
Answer: A
Page Ref: 226
Objective: Learning Objective 3
Difficulty: Easy
AACSB: Analytic
8) Restricting access of users to specific portions of the system as well as specific tasks, is
A) authentication.
B) authorization.
C) identification.
D) threat monitoring.
Answer: B
Page Ref: 228
Objective: Learning Objective 3
Difficulty: Easy
AACSB: Analytic
9) Which of the following is an example of a preventive control?
A) Encryption
B) Log analysis
C) Intrusion detection
D) Emergency response teams
Answer: A
Page Ref: 228
Objective: Learning Objective 3
Difficulty: Easy
AACSB: Analytic
10) Which of the following is an example of a detective control?
A) Physical access controls
B) Encryption
C) Log analysis
D) Emergency response teams
Answer: C
Page Ref: 237
Objective: Learning Objective 3
Difficulty: Easy
AACSB: Analytic
11) Which of the following is an example of a corrective control?
A) Physical access controls
B) Encryption
C) Intrusion detection
D) Incident response teams
Answer: D
Page Ref: 239
Objective: Learning Objective 3
Difficulty: Easy
AACSB: Analytic
12) Which of the following is not a requirement of effective passwords?
A) Passwords should be changed at regular intervals.
B) Passwords should be no more than 8 characters in length.
C) Passwords should contain a mixture of upper and lowercase letters, numbers and characters.
D) Passwords should not be words found in dictionaries.
Answer: B
Page Ref: 227
Objective: Learning Objective 3
Difficulty: Easy
AACSB: Analytic
13) Multi-factor authentication
A) involves the use of two or more basic authentication methods.
B) is a table specifying which portions of the system users are permitted to access.
C) provides weaker authentication than the use of effective passwords.
D) requires the use of more than one effective password.
Answer: A
Page Ref: 228
Objective: Learning Objective 3
Difficulty: Moderate
AACSB: Analytic
14) An access control matrix
A) does not have to be updated.
B) is a table specifying which portions of the system users are permitted to access.
C) is used to implement authentication controls.
D) matches the user's authentication credentials to his authorization.
Answer: B
Page Ref: 228
Objective: Learning Objective 3
Difficulty: Easy
AACSB: Analytic
15) Perimeter defense is an example of which of the following preventive controls that are necessary to provide adequate security?
A) Training
B) Controlling physical access
C) Controlling remote access
D) Host and application hardening
Answer: C
Page Ref: 230
Objective: Learning Objective 3
Difficulty: Easy
AACSB: Analytic
16) Which of the following preventive controls are necessary to provide adequate security for social engineering threats?
A) Controlling remote access
B) Encryption
C) Host and application hardening
D) Awareness training
Answer: D
Page Ref: 226
Objective: Learning Objective 3
Difficulty: Easy
AACSB: Analytic
17) A special purpose hardware device or software running on a general purpose computer, which filters information that is allowed to enter and leave the organization's information system, is known as a(n)
A) demilitarized zone.
B) intrusion detection system.
C) intrusion prevention system.
D) firewall.
Answer: D
Page Ref: 230
Objective: Learning Objective 3
Difficulty: Easy
AACSB: Analytic
18) This protocol specifies the procedures for dividing files and documents into packets to be sent over the Internet.
A) Access control list
B) Internet protocol
C) Packet switching protocol
D) Transmission control protocol
Answer: D
Page Ref: 231
Objective: Learning Objective 3
Difficulty: Easy
AACSB: Analytic
19) This protocol specifies the structure of packets sent over the Internet and the route to get them to the proper destination.
A) Access control list
B) Internet protocol
C) Packet switching protocol
D) Transmission control protocol
Answer: B
Page Ref: 231
Objective: Learning Objective 3
Difficulty: Easy
AACSB: Analytic
20) This network access control determines which IP packets are allowed entry to a network and which are dropped.
A) Access control list
B) Deep packet inspection
C) Stateful packet filtering
D) Static packet filtering
Answer: A
Page Ref: 233
Objective: Learning Objective 3
Difficulty: Moderate
AACSB: Analytic
21) Compatibility tests utilize a(n) ________, which is a list of authorized users, programs, and data files the users are authorized to access or manipulate.
A) validity test
B) biometric matrix
C) logical control matrix
D) access control matrix
Answer: D
Page Ref: 228
Objective: Learning Objective 3
Difficulty: Easy
AACSB: Analytic
22) The process that screens individual IP packets based solely on the contents of the source and/or destination fields in the packet header is known as
A) access control list.
B) deep packet inspection.
C) stateful packet filtering.
D) static packet filtering.
Answer: D
Page Ref: 233
Objective: Learning Objective 3
Difficulty: Moderate
AACSB: Analytic
23) The process that maintains a table that lists all established connections between the organization's computers and the Internet, to determine whether an incoming packet is part of an ongoing communication initiated by an internal computer, is known as
A) access control list.
B) deep packet inspection.
C) stateful packet filtering.
D) static packet filtering.
Answer: C
Page Ref: 233
Objective: Learning Objective 3
Difficulty: Moderate
AACSB: Analytic
24) The process that allows a firewall to be more effective by examining the data in the body of an IP packet, instead of just the header, is known as
A) deep packet inspection.
B) stateful packet filtering.
C) static packet filtering.
D) an intrusion prevention system.
Answer: A
Page Ref: 233
Objective: Learning Objective 3
Difficulty: Moderate
AACSB: Analytic
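The three filtering methods in questions 22 through 24 side by side, as an added example that is not code from the test bank or the textbook. A static filter sees only header fields and has no memory, so the only way it can admit replies to connections opened from inside is a blanket rule such as "allow anything with ACK set", which a spoofed packet satisfies. A stateful filter keeps a table of connections it saw opened from inside and admits only genuine replies. Deep packet inspection then looks at the payload of what the header check let through. The internal prefix, the published services, the packets and the attack signatures are all constructed for the demonstration.

```python
"""Static vs. stateful packet filtering and deep packet inspection.

Added example, not code from the textbook. Packets, addresses, rules
and attack signatures are constructed; the internal network prefix and
the set of published services are assumptions.
"""
from dataclasses import dataclass


@dataclass
class Packet:
    src: str           # source IP
    dst: str           # destination IP
    sport: int         # source port
    dport: int         # destination port
    flags: str         # TCP flags, e.g. "SYN", "SYN-ACK", "ACK"
    payload: bytes = b""


INTERNAL_PREFIX = "10.0.0."     # assumption: one internal /24
PUBLISHED_PORTS = {25, 443}     # assumption: mail relay and HTTPS are exposed


def is_internal(ip):
    return ip.startswith(INTERNAL_PREFIX)


# --- (1) static packet filtering: header fields only, no memory ----------
# Each rule lists the header fields it matches; the first match wins.
# Because a static filter cannot remember outbound connections, the
# classic way to let replies back in was to admit anything with ACK set.
STATIC_RULES = [
    {"action": "allow", "dport": 443},
    {"action": "allow", "dport": 25},
    {"action": "allow", "flags": "ACK"},    # "return traffic" by assumption
    {"action": "deny"},                     # default deny
]


def static_filter(pkt):
    for rule in STATIC_RULES:
        if all(getattr(pkt, k) == v for k, v in rule.items() if k != "action"):
            return rule["action"] == "allow"
    return False


# --- (2) stateful packet filtering: remembers connections we opened ------
class StatefulFilter:
    def __init__(self):
        # entries are (internal_ip, internal_port, external_ip, external_port)
        self.connections = set()

    def decide(self, pkt):
        if is_internal(pkt.src) and not is_internal(pkt.dst):
            # outbound: record it so the reply can come back in
            self.connections.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        # inbound: a reply to a connection opened from inside ...
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.connections:
            return True
        # ... or a new connection to a service we deliberately publish
        if pkt.dport in PUBLISHED_PORTS and pkt.flags == "SYN":
            self.connections.add((pkt.dst, pkt.dport, pkt.src, pkt.sport))
            return True
        return False


# --- (3) deep packet inspection: look at the body, not just the header ---
SIGNATURES = [b"' or '1'='1", b"union select", b"/bin/sh"]   # constructed


def dpi_clean(pkt):
    body = pkt.payload.lower()
    return not any(sig in body for sig in SIGNATURES)


def firewall(stateful, pkt):
    """Header decision first, then payload inspection on what got through."""
    if not stateful.decide(pkt):
        return "drop: header"
    if not dpi_clean(pkt):
        return "drop: payload"
    return "pass"
```

The point of the spoofed ACK case is that the static filter and the stateful filter disagree on the same packet: the header alone looks like return traffic, but no internal host ever opened that connection. The payload case shows the reverse gap: a packet to a published port is legitimate at the header level and only the body reveals the attack.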
25) The security technology that evaluates IP packet traffic patterns in order to identify attacks against a system is known as
A) an intrusion prevention system.
B) stateful packet filtering.
C) static packet filtering.
D) deep packet inspection.
Answer: A
Page Ref: 234
Objective: Learning Objective 3
Difficulty: Moderate
AACSB: Analytic
26) This is used to identify rogue modems (or by hackers to identify targets).
A) War chalking
B) War dialing
C) War driving
D) none of the above
Answer: B
Page Ref: 235
Objective: Learning Objective 3
Difficulty: Easy
AACSB: Analytic
27) The process of turning off unnecessary features in the system is known as
A) deep packet inspection.
B) hardening.
C) intrusion detection.
D) war dialing.
Answer: B
Page Ref: 236
Objective: Learning Objective 3
Difficulty: Easy
AACSB: Analytic
28) The most common input-related vulnerability is
A) buffer overflow attack.
B) hardening.
C) war dialing.
D) encryption.
Answer: A
Page Ref: 237
Objective: Learning Objective 3
Difficulty: Easy
AACSB: Analytic
29) This creates logs of network traffic that was permitted to pass the firewall.
A) Intrusion detection system
B) Log analysis
C) Penetration test
D) Vulnerability scan
Answer: A
Page Ref: 238
Objective: Learning Objective 3
Difficulty: Moderate
AACSB: Analytic
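Log analysis is the detective control in question 10, and question 29 names the logs it works on. The example below is added here and is not code from the test bank or the textbook: it runs two detections over a constructed firewall log, flagging a source that touches many distinct ports on one host inside a short window (the traffic pattern of a port scan) and reporting each busy source's ratio of denied to total packets. The log format, the addresses and the thresholds are all assumptions made for the demonstration.

```python
"""Log analysis as a detective control (added example, not from the text).

The log lines are constructed to look like a firewall/IDS record of
permitted and denied packets:
    <ISO timestamp> <ALLOW|DENY> <src_ip>:<src_port> -> <dst_ip>:<dst_port>
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one normal client and one host sweeping ports on 10.0.0.7
SAMPLE_LOG = """\
2012-03-05T09:08:01 ALLOW 203.0.113.5:51234 -> 10.0.0.2:443
2012-03-05T09:08:02 DENY 198.51.100.9:40001 -> 10.0.0.7:21
2012-03-05T09:08:02 DENY 198.51.100.9:40002 -> 10.0.0.7:22
2012-03-05T09:08:03 DENY 198.51.100.9:40003 -> 10.0.0.7:23
2012-03-05T09:08:03 DENY 198.51.100.9:40004 -> 10.0.0.7:25
2012-03-05T09:08:04 DENY 198.51.100.9:40005 -> 10.0.0.7:80
2012-03-05T09:08:04 ALLOW 198.51.100.9:40006 -> 10.0.0.7:443
2012-03-05T09:08:05 DENY 198.51.100.9:40007 -> 10.0.0.7:3389
2012-03-05T09:08:06 DENY 198.51.100.9:40008 -> 10.0.0.7:8080
2012-03-05T09:09:10 ALLOW 203.0.113.5:51235 -> 10.0.0.2:443
"""


def parse(line):
    """Split one log line into a dict; raises on malformed input rather than guessing."""
    ts, action, src, _, dst = line.split()
    src_ip, _src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {"ts": datetime.fromisoformat(ts), "action": action,
            "src": src_ip, "dst": dst_ip, "dport": int(dst_port)}


def detect_port_scans(lines, window=timedelta(seconds=60), threshold=5):
    """Return (src, dst, ports) for each pair where one source hit at least
    `threshold` distinct destination ports on one host within `window`."""
    events = sorted((parse(l) for l in lines if l.strip()), key=lambda e: e["ts"])
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e["src"], e["dst"])].append(e)
    findings = []
    for (src, dst), evs in by_pair.items():
        best, start = 0, 0
        for end in range(len(evs)):                      # sliding time window
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            best = max(best, len({e["dport"] for e in evs[start:end + 1]}))
        if best >= threshold:
            findings.append((src, dst, best))
    return findings


def deny_ratio(lines, min_events=5):
    """Fraction of a source's packets that were denied, for sources with
    at least `min_events` packets; a high ratio is worth an analyst's look."""
    totals, denies = defaultdict(int), defaultdict(int)
    for e in (parse(l) for l in lines if l.strip()):
        totals[e["src"]] += 1
        if e["action"] == "DENY":
            denies[e["src"]] += 1
    return {src: denies[src] / n for src, n in totals.items() if n >= min_events}


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for src, dst, ports in detect_port_scans(lines):
        print(f"possible port scan: {src} -> {dst}, {ports} distinct ports")
    for src, ratio in deny_ratio(lines).items():
        print(f"{src}: {ratio:.0%} of packets denied")
```

Both detections work only on what the firewall chose to log; a scan that stays below the threshold, or one spread across many source addresses, does not show up, which is why log analysis is a detective rather than a preventive control.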
30) The process that uses automated tools to identify whether a system possesses any well-known security problems is known as a(n)
A) intrusion detection system.
B) log analysis.
C) penetration test.
D) vulnerability scan.
Answer: D
Page Ref: 236
Objective: Learning Objective 3
Difficulty: Moderate
AACSB: Analytic
31) This is an authorized attempt by an internal audit team or an external security consultant to break into the organization's information system.
A) Intrusion detection system
B) Log analysis
C) Penetration test
D) Vulnerability scan
Answer: C
Page Ref: 238
Objective: Learning Objective 3
Difficulty: Moderate
AACSB: Analytic
32) A well-known hacker started his own computer security consulting business shortly after being released from prison. Many companies pay him to attempt to gain unauthorized access to their network. If he is successful, he offers advice as to how to design and implement better controls. What is the name of the testing for which the hacker is being paid?
A) Penetration test
B) Vulnerability scan
C) Deep packet inspection
D) Buffer overflow test
Answer: A
Page Ref: 238
Objective: Learning Objective 3
Difficulty: Moderate
AACSB: Analytic
33) The ________ disseminates information about fraud, errors, breaches and other improper system uses and their consequences.
A) chief information officer
B) chief operations officer
C) chief security officer
D) computer emergency response team
Answer: C
Page Ref: 240
Objective: Learning Objective 3
Difficulty: Moderate
AACSB: Analytic
34) In 2007, a major U.S. financial institution hired a security firm to attempt to compromise its computer network. A week later, the firm reported that it had successfully entered the system without apparent detection and presented an analysis of the vulnerabilities that had been found. This is an example of a
A) preventive control.
B) detective control.
C) corrective control.
D) standard control.
Answer: B
Page Ref: 238
Objective: Learning Objective 3
Difficulty: Easy
AACSB: Analytic
35) It was 9:08 A.M. when Jiao Jan, the Network Administrator for Folding Squid Technologies, was informed that the intrusion detection system had identified an ongoing attempt to breach network security. By the time that Jiao had identified and blocked the attack, the hacker had accessed and downloaded several files from the company's server. Using the notation for the time-based model of security, in this case
A) P > D
B) D > P
C) C > P
D) P > C
Answer: B
Page Ref: 224
Objective: Learning Objective 2
Difficulty: Difficult
AACSB: Analytic
36) Which of the following is commonly true of the default settings for most commercially available wireless access points?
A) The security level is set at the factory and cannot be changed.
B) Wireless access points present little danger of vulnerability so security is not a concern.
C) Security is set to the lowest level that the device is capable of.
D) Security is set to the highest level that the device is capable of.
Answer: C
Page Ref: 235
Objective: Learning Objective 3
Difficulty: Moderate
AACSB: Analytic
37) In recent years, many of the attacks carried out by hackers have relied on this type of vulnerability in computer software.
A) Code mastication
B) Boot sector corruption
C) Weak authentication
D) Buffer overflow
Answer: D
Page Ref: 236
Objective: Learning Objective 3
Difficulty: Easy
AACSB: Analytic
38) Meaningful Discussions is a social networking site that boasts over a million registered users and a quarterly membership growth rate in the double digits. As a consequence, the size of the information technology department has been growing very rapidly, with many new hires. Each employee is provided with a name badge with a photo and embedded computer chip that is used to gain entry to the facility. This is an example of a(an)
A) authentication control.
B) biometric device.
C) remote access control.
D) authorization control.
Answer: A
Page Ref: 226
Objective: Learning Objective 3
Difficulty: Easy
AACSB: Analytic
39) When new employees are hired by Folding Squid Technologies, they are assigned user names and appropriate permissions are entered into the information system's access control matrix. This is an example of a(an)
A) authentication control.
B) biometric device.
C) remote access control.
D) authorization control.
Answer: D
Page Ref: 228
Objective: Learning Objective 3
Difficulty: Easy
AACSB: Analytic
40) When new employees are hired by Folding Squid Technologies, they are assigned user names and passwords and provided with laptop computers that have an integrated fingerprint reader. In order to log in, the user's fingerprint must be recognized by the reader. This is an example of a(an)
A) authorization control.
B) biometric device.
C) remote access control.
D) defense in depth.
Answer: B
Page Ref: 227
Objective: Learning Objective 3
Difficulty: Easy
AACSB: Analytic
41) Information technology managers are often in a bind when a new exploit is discovered in the wild. They can respond by updating the affected software or hardware with new code provided by the manufacturer, which runs the risk that a flaw in the update will break the system. Or they can wait until the new code has been extensively tested, but that runs the risk that they will be compromised by the exploit during the testing period. Dealing with these issues is referred to as
A) change management.
B) hardening.
C) patch management.
D) defense in depth.
Answer: C
Page Ref: 240
Objective: Learning Objective 3
Difficulty: Moderate
AACSB: Analytic
42) Murray Snitzel called a meeting of the top management at Snitzel Capital Management. Number one on the agenda was computer system security. "The risk of security breach incidents has become unacceptable," he said, and turned to the Chief Information Officer. "This is your responsibility! What do you intend to do?" Which of the following is the best answer?
A) Evaluate and modify the system using the Trust Services Framework.
B) Evaluate and modify the system using the COSO Internal Control Framework.
C) Evaluate and modify the system using the CTC checklist.
D) Evaluate and modify the system using COOL.
Answer: A
Page Ref: 221
Objective: Learning Objective 1
Difficulty: Moderate
AACSB: Analytic
43) Which of the following is the most effective method of protecting against social engineering attacks on a computer system?
A) stateful packet filtering
B) employee awareness training
C) a firewall
D) a demilitarized zone
Answer: B
Page Ref: 226
Objective: Learning Objective 3
Difficulty: Moderate
AACSB: Analytic
44) The most effective way to protect network resources, like email servers, that are outside of the network and are exposed to the Internet is
A) stateful packet filtering.
B) employee training.
C) a firewall.
D) a demilitarized zone.
Answer: D
Page Ref: 230
Objective: Learning Objective 3
Difficulty: Moderate
AACSB: Analytic
45) All employees of E.C. Hoxy are required to pass through a gate and present their photo identification cards to the guard before they are admitted. Entry to secure areas, such as the Information Technology Department offices, requires further procedures. This is an example of a(an)
A) authentication control.
B) authorization control.
C) physical access control.
D) hardening procedure.
Answer: C
Page Ref: 229
Objective: Learning Objective 3
Difficulty: Easy
AACSB: Analytic
46) On February 14, 2008, students enrolled in an economics course at Swingline College received an email stating that class would be cancelled. The email claimed to be from the professor, but it wasn't. Computer forensic experts determined that the email was sent from a computer in one of the campus labs at 9:14 A.M. They were then able to uniquely identify the computer that was used by means of its network interface card's ________ address. Security cameras revealed the identity of the student responsible for spoofing the class.
A) TCP/IP
B) MAC
C) DMZ
D) IDS
Answer: B
Page Ref: 228
Objective: Learning Objective 3
Difficulty: Difficult
AACSB: Analytic
47) There are "white hat" hackers and "black hat" hackers. Cowboy451 was one of the "black hat" hackers. He had researched an exploit and determined that he could penetrate the target system, download a file containing valuable data, and cover his tracks in eight minutes. Six minutes into the attack he was locked out of the system. Using the notation of the time-based model of security, which of the following must be true?
A) P < 6
B) D = 6
C) P = 6
D) P > 6
Answer: D
Page Ref: 224
Objective: Learning Objective 2
Difficulty: Difficult
AACSB: Analytic
48) Identify three ways users can be authenticated and give an example of each.
Answer: Users can be authenticated by verifying: 1. something they know (password). 2. something they have (smart card or ID badge). 3. something they are (biometric identification of fingerprint).
Page Ref: 226
Objective: Learning Objective 3
Difficulty: Moderate
AACSB: Analytic
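The answer above lists the three authentication factors, and questions 7, 8, 13, 14 and 39 draw the line between authentication (who are you?) and authorization (what may you do?). The example below is added here and is not code from the test bank or the textbook. It combines two of the factors, a salted password hash for something you know and a time-based one-time code (TOTP, RFC 6238) for something you have, and only after both succeed does it consult an access control matrix of the kind question 14 describes. The user names, password, resources, permissions, PBKDF2 round count and the in-memory directory are assumptions made for the demonstration; the only externally fixed values are the RFC test vectors used to check the TOTP routine.

```python
"""Authentication versus authorization (added example, not from the text).

Two factors are checked: something you know (salted PBKDF2 password hash)
and something you have (RFC 6238 TOTP code). Only then is the request
checked against an access control matrix. All users, passwords, resources
and permissions are constructed for the demo.
"""
import hashlib
import hmac
import os
import struct

PBKDF2_ROUNDS = 100_000   # assumption: work factor, tune for your hardware


# --- something you know ---------------------------------------------------
def hash_password(password, salt=None):
    """Return (salt, digest); a fresh random salt per user defeats precomputed tables."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password, salt, digest):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)   # constant-time comparison


# --- something you have: TOTP (RFC 6238 on top of HOTP, RFC 4226) ---------
def totp(secret, unix_time, step=30, digits=6):
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                  # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def verify_totp(secret, code, unix_time, step=30):
    # accept the current window and one on each side to absorb clock drift
    return any(hmac.compare_digest(totp(secret, unix_time + d * step, step), code)
               for d in (-1, 0, 1))


# --- authorization: access control matrix --------------------------------
# rows are users, columns are resources, cells are the permitted operations
ACM = {
    "alice": {"payroll.db": {"read", "write"}, "gl.db": {"read"}},
    "bob":   {"gl.db": {"read", "write"}},
}


def authorized(user, resource, operation):
    # default deny: a missing row or column grants nothing
    return operation in ACM.get(user, {}).get(resource, set())


class Directory:
    """In-memory user store (assumption) holding salt, hash and TOTP seed."""

    def __init__(self):
        self.users = {}

    def enroll(self, name, password, seed=None):
        salt, digest = hash_password(password)
        seed = os.urandom(20) if seed is None else seed   # shared with the user's token
        self.users[name] = {"salt": salt, "digest": digest, "seed": seed}
        return seed

    def authenticate(self, name, password, code, unix_time):
        rec = self.users.get(name)
        if rec is None:
            return False
        return (verify_password(password, rec["salt"], rec["digest"])
                and verify_totp(rec["seed"], code, unix_time))


def access(directory, name, password, code, resource, operation, unix_time):
    """Authentication answers 'who are you?'; the matrix answers 'may you do this?'."""
    if not directory.authenticate(name, password, code, unix_time):
        return "denied: authentication failed"
    if not authorized(name, resource, operation):
        return "denied: not authorized"
    return "granted"
```

Note the two distinct failure messages: a correct password and code for alice still does not let her write gl.db, because authentication proves identity and says nothing about permission; that separation is what questions 8 and 14 test.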
49) Describe four requirements of effective passwords.
Answer: 1. Strong passwords should be at least 8 characters. 2. Passwords should use a mixture of upper and lowercase letters, numbers and characters. 3. Passwords should be random and not words found in dictionaries. 4. Passwords should be changed frequently.
Page Ref: 227
Objective: Learning Objective 3
Difficulty: Easy
AACSB: Analytic
50) Explain social engineering.
Answer: Social engineering attacks use deception to obtain unauthorized access to information resources, such as attackers who pose as a janitor or as a legitimate system user. Employees must be trained not to divulge passwords or other information about their accounts to anyone who contacts them and claims to be part of the organization's security team.
Page Ref: 226
Objective: Learning Objective 3
Difficulty: Moderate
AACSB: Analytic
51) Explain the value of penetration testing.
Answer: Penetration testing involves an authorized attempt by an internal audit team or an external security consultant to break into the organization's information system. This type of service is provided by risk management specialists in all the Big Four accounting firms. These specialists spend more than half of their time on security matters. The team attempts to compromise the system using every means possible. With a combination of systems technology skills and social engineering, these teams often find weaknesses in systems that were believed to be secure.
Page Ref: 238
Objective: Learning Objective 3
Difficulty: Moderate
AACSB: Reflective Thinking
52) Describe the function of a computer incident response team (CIRT) and the steps that a CIRT should perform following a security incident.
Answer: A CIRT is responsible for dealing with major security incidents and breaches. The team should include technical specialists and senior operations management. In response to a security incident, first the CIRT must recognize that a problem exists. Log analysis and intrusion detection systems can be used to detect problems and alert the CIRT. Second, the problem must be contained, perhaps by shutting down a server or curtailing traffic on the network. Third, the CIRT must focus on recovery. Corrupt programs may need to be reinstalled and data restored from backups. Finally, the CIRT must follow up to discover how the incident occurred and to design corrective controls to prevent similar incidents in the future.
Page Ref: 239
Objective: Learning Objective 3
Difficulty: Moderate
AACSB: Analytic
53) Identify six physical access controls.
Answer: Require visitors to sign in and receive a visitor badge before being escorted by an employee; require employees to wear photo ID badges that are checked by security guards; physical locks and keys; storing documents and electronic media in a fire-proof safe or cabinet; restrict or prohibit cell phones, iPods and other portable devices; set screen savers to start after a few minutes of inactivity; set computers to lock keyboards after a few minutes of inactivity; utilize screen protection devices; use biometric devices to authorize access to spaces and equipment; attach and lock laptops to immobile objects; utilize magnetic or chip cards to authorize access to spaces and equipment; limit or prohibit windows and glass walls in sensitive areas.
Page Ref: 229-230
Objective: Learning Objective 3
Difficulty: Moderate
AACSB: Analytic