Chapter 11

Information Security and Computer Fraud

True / False Questions

1. The fraud triangle includes incentive, opportunity, and an attitude to rationalize the fraud.

True False

2. The goal of information security management is to maintain confidentiality, integrity and
availability of a firm's information.

True False

3. Encryption is a preventive control ensuring data confidentiality and privacy during transmission
and for storage.

True False

4. Asymmetric-key encryption is suitable for encrypting large data sets or messages.

True False

5. Key distribution and key management are problematic under the symmetric-key encryption.

True False

6. The symmetric-key encryption method is used to authenticate users.

True False

11-1
Copyright 2014 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of
McGraw-Hill Education.
7. A Certificate Authority (CA) issues digital certificates to bind the subscriber with a public key and a
private key.

True False

8. A company's audit committee is responsible for fraud risk assessments.

True False

9. One type of fault tolerance is using redundant units to provide a system the ability to continue
functioning when part of the system fails.

True False

10. Disaster recovery planning and business continuity management are preventive controls.

True False

11. Information security is a critical factor in maintaining systems integrity.

True False

12. The goal of information security management is to enhance the confidence, integrity and authority
(CIA) of a firm's management.

True False

13. A virus is a self-replicating, self-propagating, self-contained program that uses networking
mechanisms to spread itself.

True False

14. Spam is a self-replicating program that runs and spreads by modifying other programs or files.

True False

15. Encryption and hashing are similar processes to maintain data confidentiality.

True False

Multiple Choice Questions

16. Integrity of information means the information is:

A. Accurate
B. Complete
C. Accessible
D. A and B are correct.

17. Which of the following statements is incorrect about digital signatures?

A. A digital signature can ensure data integrity.
B. A digital signature also authenticates the document creator.
C. A digital signature is an encrypted message digest.
D. A digital signature is a message digest encrypted using the document creator's public key.

18. What is the primary objective of data security controls?

A. To establish a framework for controlling the design, security, and use of computer programs
throughout an organization.
B. To ensure that data storage media are subject to authorization prior to access, change, or
destruction.
C. To formalize standards, rules, and procedures to ensure the organization's controls are properly
executed.
D. To monitor the use of system software to prevent unauthorized access to system software and
computer programs.

19. An entity doing business on the internet most likely could use any of the following methods to
prevent unauthorized intruders from accessing proprietary information except:

A. Password management.
B. Data encryption.
C. Digital certificates.
D. Batch processing.

20. When a client's accounts payable computer system was relocated, the administrator provided
support through a dial-up connection to the server. Subsequently, the administrator left the company.
No changes were made to the accounts payable system at that time. Which of the following
situations represents the greatest security risk?

A. User passwords are not required to be in alphanumeric format.
B. Management procedures for user accounts are not documented.
C. User accounts are not removed upon termination of employees.
D. Security logs are not periodically reviewed for violations.

21. Which of the following statements presents an example of a general control for a computerized
system?

A. Limiting entry of sales transactions to only valid credit customers.
B. Creating hash totals from social security numbers for the weekly payroll.
C. Restricting entry of accounts payable transactions to only authorized users.
D. Restricting access to the computer center by use of biometric devices.

22. Which of the following outcomes is a likely benefit of information technology used for internal
control?

A. Processing of unusual or nonrecurring transactions.
B. Enhanced timeliness of information.
C. Potential loss of data.
D. Recording of unauthorized transactions.

23. In a large multinational organization, which of the following job responsibilities should be assigned
to the network administrator?

A. Managing remote access.
B. Developing application programs.
C. Reviewing security policy.
D. Installing operating system upgrades.

24. An information technology director collected the names and locations of key vendors, current
hardware configuration, names of team members, and an alternative processing location. What is
the director most likely preparing?

A. Data restoration plan.
B. Disaster recovery plan.
C. System security policy.
D. System hardware policy.

25. Bacchus, Inc. is a large multinational corporation with various business units around the world.
After a fire destroyed the corporation's headquarters and largest manufacturing site, plans for which
of the following would help Bacchus ensure a timely recovery?

A. Daily backup.
B. Network security.
C. Business continuity.
D. Backup power.

26. Which of the following statements regarding authentication in conducting e-business is incorrect?

A. It is a process that establishes the origin of information or determines the identity of a user,
process, or device.
B. One key is used for encryption and decryption purposes in the authentication process.
C. Successful authentication can prevent repudiation in electronic transactions.
D. We need to use asymmetric-key encryption to authenticate the sender of a document or data
set.

27. Which of the following is not included in the remediation phase for vulnerability management?

A. Risk Response Plan
B. Policy and procedures for remediation
C. Vulnerability Prioritization
D. Control Implementation

28. Which of the following does not represent a viable data backup method?

A. Disaster recovery plan
B. Redundant arrays of independent drives
C. Virtualization
D. Cloud computing

29. Which of the following statements about asymmetric-key encryption is correct?

A. When using asymmetric-key encryption method, a total of two keys are necessary in electronic
communication between two parties.
B. Employees in the same company share the same public key.
C. Most companies would like to manage the private keys for their employees.
D. Most companies would like to use a Certificate Authority to manage the public keys of their
employees.
E. Two of the above are correct.

30. Which of the following statements is incorrect?

A. A fraud prevention program starts with a fraud risk assessment across the entire firm.
B. The audit committee typically has an oversight role in the risk assessment process.
C. Communicating a firm's policy file to employees is one of the most important responsibilities of
management.
D. A fraud prevention program should include an evaluation on the efficiency of business
processes.

31. A disaster recovery approach should include which of the following elements:

A. Encryption.
B. Firewalls.
C. Regular backups.
D. Surge protectors.

32. Which of the following passwords would be most difficult to crack?

A. Go2Ca!ifornia4fun
B. language
C. jennyjenny
D. pass56word

33. Which of the following is a password security weakness?

A. Users are assigned passwords when accounts are created, but do not change them.
B. Users have accounts on several systems with different passwords.
C. Users write down their passwords on a note paper, and carry it with them.
D. Users select passwords that are not part of an online password dictionary.

34. To prevent invalid data input, a bank added an extra number at the end of each account number
and subjected the new number to an algorithm. This technique is known as:

A. A validation check.
B. Check digit verification.
C. A dependency check.
D. A format check.

35. Which of the following security controls would best prevent unauthorized access to a firm's
internal network?

A. Use of a screen saver with a password.
B. Use of a firewall.
C. Encryption of data files.
D. Automatic log-off of inactive users.

36. Why does a Certificate Authority (CA) play an important role in a company's information security
management?

A. Using a CA is required by SOX in managing information security.
B. Most companies use a CA to manage their employees' public keys.
C. CA creates and maintains both the public and private keys for a company's employees.
D. None of the above is correct.

37. When computer programs or files can be accessed from terminals, users should be required to
enter a(n)

A. Parity check.
B. Password as a personal identification code.
C. Check digit.
D. Echo check.

38. Which of the following controls would most likely assure that a company can reconstruct its
financial records?

A. Security controls such as firewalls
B. Backup data are tested and stored safely
C. Personnel understand the data very well
D. Paper records

39. Why would companies want to use digital signatures when conducting e-business?

A. It is cheap.
B. It is always the same so it can be verified easily.
C. It is more convenient than requiring a real signature.
D. It can authenticate the document sender and maintain data integrity.

40. Select a correct statement regarding encryption methods.

A. To use symmetric-key encryption, each user needs two different keys.
B. Most companies prefer symmetric-key encryption to the asymmetric-key encryption
method.
C. Both symmetric-key and asymmetric-key encryption methods require the involvement of a
certificate authority.
D. When conducting e-business, most companies use both symmetric-key and asymmetric-key
encryption methods.

Essay Questions

41. A magnetic tape used to store data backups was lost while it was being transported to an offsite
storage location. The data on the tape includes customers' credit card and personal information.
Which preventive control(s) should have been used to minimize the potential loss?

42. List the following steps regarding computer fraud risk assessments in sequence.

(a) Assessing the likelihood and business impact of a control failure and/or a fraud incident.
(b) Mapping existing controls to potential fraud schemes and identifying gaps.
(c) Identifying potential IT fraud schemes and prioritizing them based on likelihood and impact.
(d) Identifying relevant IT fraud risk factors.
(e) Testing operating effectiveness of fraud prevention and detection controls.

43. Describe the process of using asymmetric-key encryption to authenticate the trading partner
involved in e-business.

44. What are the two prerequisites for vulnerability management?

45. Describe the framework for vulnerability assessment and vulnerability management.

46. What is included in disaster recovery planning and business continuity management? Are these
concepts related?

47. What is a digital signature? How could a digital signature ensure data integrity when conducting e-business?

Chapter 11 Information Security and Computer Fraud Answer Key

True / False Questions

1. The fraud triangle includes incentive, opportunity, and an attitude to rationalize the fraud.

TRUE

AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 11-03 Describe computer fraud and misuse of AIS and corresponding risk-mitigation techniques.
Source: Original
Topic: Computer fraud and abuse

2. The goal of information security management is to maintain confidentiality, integrity and
availability of a firm's information.

TRUE

AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 11-01 Describe the risks related to information security and systems integrity.
Source: Original
Topic: Information security and systems integrity

3. Encryption is a preventive control ensuring data confidentiality and privacy during transmission
and for storage.

TRUE

AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Understand
Difficulty: 2 Medium
Learning Objective: 11-02 Understand the concepts of encryption and authentication.
Source: Original
Topic: Information security and systems integrity

4. Asymmetric-key encryption is suitable for encrypting large data sets or messages.

FALSE

AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Understand
Difficulty: 2 Medium
Learning Objective: 11-02 Understand the concepts of encryption and authentication.
Source: Original
Topic: Information security and systems integrity

5. Key distribution and key management are problematic under the symmetric-key encryption.

TRUE

AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Understand
Difficulty: 2 Medium
Learning Objective: 11-02 Understand the concepts of encryption and authentication.
Source: Original
Topic: Information security and systems integrity

6. The symmetric-key encryption method is used to authenticate users.

FALSE

AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Understand
Difficulty: 2 Medium
Learning Objective: 11-02 Understand the concepts of encryption and authentication.
Source: Original
Topic: Information security and systems integrity

7. A Certificate Authority (CA) issues digital certificates to bind the subscriber with a public key and
a private key.

TRUE

AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 11-02 Understand the concepts of encryption and authentication.
Source: Original
Topic: Information security and systems integrity

8. A company's audit committee is responsible for fraud risk assessments.

FALSE

AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 11-03 Describe computer fraud and misuse of AIS and corresponding risk-mitigation techniques.
Source: Original
Topic: Computer fraud and abuse

9. One type of fault tolerance is using redundant units to provide a system the ability to continue
functioning when part of the system fails.

TRUE

AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 11-05 Explain issues in system availability; disaster recovery; and business continuity.
Source: Original
Topic: System availability, disaster recovery and business continuity

10. Disaster recovery planning and business continuity management are preventive controls.

FALSE

AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 11-05 Explain issues in system availability; disaster recovery; and business continuity.
Source: Original
Topic: System availability, disaster recovery and business continuity

11. Information security is a critical factor in maintaining systems integrity.

TRUE

AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 11-01 Describe the risks related to information security and systems integrity.
Source: Original
Topic: Information security and systems integrity

12. The goal of information security management is to enhance the confidence, integrity and
authority (CIA) of a firm's management.

TRUE

AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 11-01 Describe the risks related to information security and systems integrity.
Source: Original
Topic: Information security and systems integrity

13. A virus is a self-replicating, self-propagating, self-contained program that uses networking
mechanisms to spread itself.

FALSE

AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 11-01 Describe the risks related to information security and systems integrity.
Source: Original
Topic: Information security and systems integrity

14. Spam is a self-replicating program that runs and spreads by modifying other programs or files.

FALSE

AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 11-01 Describe the risks related to information security and systems integrity.
Source: Original
Topic: Information security and systems integrity

15. Encryption and hashing are similar processes to maintain data confidentiality.

FALSE

AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Understand
Difficulty: 2 Medium
Learning Objective: 11-02 Understand the concepts of encryption and authentication.
Source: Original
Topic: Information security and systems integrity

Multiple Choice Questions

16. Integrity of information means the information is:

A. Accurate
B. Complete
C. Accessible
D. A and B are correct.

AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 11-02 Understand the concepts of encryption and authentication.
Source: Original
Topic: Information security and systems integrity

17. Which of the following statements is incorrect about digital signatures?

A. A digital signature can ensure data integrity.
B. A digital signature also authenticates the document creator.
C. A digital signature is an encrypted message digest.
D. A digital signature is a message digest encrypted using the document creator's public key.

AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Understand
Difficulty: 2 Medium
Learning Objective: 11-02 Understand the concepts of encryption and authentication.
Source: Original
Topic: Information security and systems integrity

18. What is the primary objective of data security controls?

A. To establish a framework for controlling the design, security, and use of computer programs
throughout an organization.
B. To ensure that data storage media are subject to authorization prior to access, change, or
destruction.
C. To formalize standards, rules, and procedures to ensure the organization's controls are
properly executed.
D. To monitor the use of system software to prevent unauthorized access to system software
and computer programs.

AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Understand
Difficulty: 2 Medium
Learning Objective: 11-04 Define vulnerabilities; and explain how to manage and assess vulnerabilities.
Source: CPA 2011 Examination, adapted
Topic: Vulnerability management and assessments

19. An entity doing business on the internet most likely could use any of the following methods to
prevent unauthorized intruders from accessing proprietary information except:

A. Password management.
B. Data encryption.
C. Digital certificates.
D. Batch processing.

AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Understand
Difficulty: 2 Medium
Learning Objective: 11-02 Understand the concepts of encryption and authentication.
Source: CPA 2010 Examination, adapted
Topic: Information security and systems integrity

20. When a client's accounts payable computer system was relocated, the administrator provided
support through a dial-up connection to the server. Subsequently, the administrator left the
company. No changes were made to the accounts payable system at that time. Which of the
following situations represents the greatest security risk?

A. User passwords are not required to be in alphanumeric format.
B. Management procedures for user accounts are not documented.
C. User accounts are not removed upon termination of employees.
D. Security logs are not periodically reviewed for violations.

AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Understand
Difficulty: 2 Medium
Learning Objective: 11-03 Describe computer fraud and misuse of AIS and corresponding risk-mitigation techniques.
Source: CPA 2010 Examination, adapted
Topic: Vulnerability management and assessments

21. Which of the following statements presents an example of a general control for a computerized
system?

A. Limiting entry of sales transactions to only valid credit customers.
B. Creating hash totals from social security numbers for the weekly payroll.
C. Restricting entry of accounts payable transactions to only authorized users.
D. Restricting access to the computer center by use of biometric devices.

AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Understand
Difficulty: 2 Medium
Learning Objective: 11-03 Describe computer fraud and misuse of AIS and corresponding risk-mitigation techniques.
Source: CPA 2012 Examination, adapted
Topic: Computer fraud and abuse

22. Which of the following outcomes is a likely benefit of information technology used for internal
control?

A. Processing of unusual or nonrecurring transactions.
B. Enhanced timeliness of information.
C. Potential loss of data.
D. Recording of unauthorized transactions.

AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Understand
Difficulty: 2 Medium
Learning Objective: 11-03 Describe computer fraud and misuse of AIS and corresponding risk-mitigation techniques.
Source: CPA 2010 Examination, adapted
Topic: Computer fraud and abuse

23. In a large multinational organization, which of the following job responsibilities should be
assigned to the network administrator?

A. Managing remote access.
B. Developing application programs.
C. Reviewing security policy.
D. Installing operating system upgrades.

AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Understand
Difficulty: 2 Medium
Learning Objective: 11-03 Describe computer fraud and misuse of AIS and corresponding risk-mitigation techniques.
Source: CPA 2009 Examination, adapted
Topic: Computer fraud and abuse

24. An information technology director collected the names and locations of key vendors, current
hardware configuration, names of team members, and an alternative processing location. What
is the director most likely preparing?

A. Data restoration plan.
B. Disaster recovery plan.
C. System security policy.
D. System hardware policy.

AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 11-05 Explain issues in system availability; disaster recovery; and business continuity.
Source: CPA 2009 Examination, adapted
Topic: System availability, disaster recovery and business continuity

25. Bacchus, Inc. is a large multinational corporation with various business units around the world.
After a fire destroyed the corporation's headquarters and largest manufacturing site, plans for
which of the following would help Bacchus ensure a timely recovery?

A. Daily backup.
B. Network security.
C. Business continuity.
D. Backup power.

AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 11-05 Explain issues in system availability; disaster recovery; and business continuity.
Source: CPA 2009 Examination, adapted
Topic: System availability, disaster recovery and business continuity

26. Which of the following statements regarding authentication in conducting e-business is
incorrect?

A. It is a process that establishes the origin of information or determines the identity of a user,
process, or device.
B. One key is used for encryption and decryption purposes in the authentication process.
C. Successful authentication can prevent repudiation in electronic transactions.
D. We need to use asymmetric-key encryption to authenticate the sender of a document or
data set.

AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Understand
Difficulty: 2 Medium
Learning Objective: 11-01 Describe the risks related to information security and systems integrity.
Source: Original
Topic: Information security and systems integrity

27. Which of the following is not included in the remediation phase for vulnerability
management?

A. Risk Response Plan
B. Policy and procedures for remediation
C. Vulnerability Prioritization
D. Control Implementation

AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Understand
Difficulty: 2 Medium
Learning Objective: 11-04 Define vulnerabilities; and explain how to manage and assess vulnerabilities.
Source: Original
Topic: Vulnerability management and assessments

28. Which of the following does not represent a viable data backup method?

A. Disaster recovery plan
B. Redundant arrays of independent drives
C. Virtualization
D. Cloud computing

AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 11-05 Explain issues in system availability; disaster recovery; and business continuity.
Source: Original
Topic: System availability, disaster recovery and business continuity

29. Which of the following statements about asymmetric-key encryption is correct?

A. When using asymmetric-key encryption method, a total of two keys are necessary in
electronic communication between two parties.
B. Employees in the same company share the same public key.
C. Most companies would like to manage the private keys for their employees.
D. Most companies would like to use a Certificate Authority to manage the public keys of their
employees.
E. Two of the above are correct.

AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Apply
Difficulty: 3 Hard
Learning Objective: 11-02 Understand the concepts of encryption and authentication.
Source: Original
Topic: Information security and systems integrity

30. Which of the following statements is incorrect?

A. A fraud prevention program starts with a fraud risk assessment across the entire firm.
B. The audit committee typically has an oversight role in the risk assessment process.
C. Communicating a firm's policy file to employees is one of the most important
responsibilities of management.
D. A fraud prevention program should include an evaluation on the efficiency of business
processes.

AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Understand
Difficulty: 2 Medium
Learning Objective: 11-03 Describe computer fraud and misuse of AIS and corresponding risk-mitigation techniques.
Source: Original
Topic: Computer fraud and abuse

31. A disaster recovery approach should include which of the following elements:

A. Encryption.
B. Firewalls.
C. Regular backups.
D. Surge protectors.

AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 11-05 Explain issues in system availability; disaster recovery; and business continuity.
Source: Original
Topic: System availability, disaster recovery and business continuity

32. Which of the following passwords would be most difficult to crack?

A. Go2Ca!ifornia4fun
B. language
C. jennyjenny
D. pass56word

AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Apply
Difficulty: 3 Hard
Learning Objective: 11-01 Describe the risks related to information security and systems integrity.
Source: Original
Topic: Information security and systems integrity

33. Which of the following is a password security weakness?

A. Users are assigned passwords when accounts are created, but do not change them.
B. Users have accounts on several systems with different passwords.
C. Users write down their passwords on a note paper, and carry it with them.
D. Users select passwords that are not part of an online password dictionary.

AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Understand
Difficulty: 2 Medium
Learning Objective: 11-03 Describe computer fraud and misuse of AIS and corresponding risk-mitigation techniques.
Source: Original
Topic: Computer fraud and abuse

34. To prevent invalid data input, a bank added an extra number at the end of each account
number and subjected the new number to an algorithm. This technique is known as:

A. A validation check.
B. Check digit verification.
C. A dependency check.
D. A format check.

AACSB: Reflective Thinking


AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 11-03 Describe computer fraud and misuse of AIS and corresponding risk-mitigation techniques.
Source: Original
Topic: Computer fraud and abuse

35. Which of the following security controls would best prevent unauthorized access to a firm's
internal network?

A. Use of a screen saver with a password.
B. Use of a firewall.
C. Encryption of data files.
D. Automatic log-off of inactive users.

AACSB: Reflective Thinking


AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 11-03 Describe computer fraud and misuse of AIS and corresponding risk-mitigation techniques.
Source: Original
Topic: Computer fraud and abuse

36. Why does a Certificate Authority (CA) play an important role in a company's information
security management?

A. Using a CA is required by SOX in managing information security.
B. Most companies use CA to manage their employees' public keys.
C. CA creates and maintains both the public and private keys for a company's employees.
D. None of the above is correct.

AACSB: Reflective Thinking


AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Understand
Difficulty: 2 Medium
Learning Objective: 11-02 Understand the concepts of encryption and authentication.
Source: Original
Topic: Information security and systems integrity

37. When computer programs or files can be accessed from terminals, users should be required to
enter a(n)

A. Parity check.
B. Password as a personal identification code.
C. Check digit.
D. Echo check.

AACSB: Reflective Thinking


AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Understand
Difficulty: 2 Medium
Learning Objective: 11-03 Describe computer fraud and misuse of AIS and corresponding risk-mitigation techniques.
Source: Original
Topic: Computer fraud and abuse

38. Which of the following controls would most likely assure that a company can reconstruct its
financial records?

A. Security controls such as firewalls
B. Backup data are tested and stored safely
C. Personnel understand the data very well
D. Paper records

AACSB: Reflective Thinking


AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Understand
Difficulty: 2 Medium
Learning Objective: 11-03 Describe computer fraud and misuse of AIS and corresponding risk-mitigation techniques.
Source: Original
Topic: Computer fraud and abuse

39. Why would companies want to use digital signatures when conducting e-business?

A. It is cheap.
B. It is always the same so it can be verified easily.
C. It is more convenient than requiring a real signature.
D. It can authenticate the document sender and maintain data integrity.

AACSB: Reflective Thinking


AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Understand
Difficulty: 2 Medium
Learning Objective: 11-03 Describe computer fraud and misuse of AIS and corresponding risk-mitigation techniques.
Source: Original
Topic: Computer fraud and abuse

40. Select the correct statement regarding encryption methods.

A. To use symmetric-key encryption, each user needs two different keys.
B. Most companies prefer the symmetric-key encryption method to the asymmetric-key
encryption method.
C. Both symmetric-key and asymmetric-key encryption methods require the involvement of a
certificate authority.
D. When conducting e-business, most companies use both symmetric-key and asymmetric-key
encryption methods.

AACSB: Reflective Thinking


AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Understand
Difficulty: 2 Medium
Learning Objective: 11-02 Understand the concepts of encryption and authentication.
Source: Original
Topic: Information security and systems integrity

Essay Questions

41. A magnetic tape used to store data backups was lost while it was being transported to an
offsite storage location. The data on the tape includes customers' credit card and personal
information. Which preventive control(s) should have been used to minimize the potential loss?

The tape needs to be encrypted and password protected.

AACSB: Reflective Thinking


AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Apply
Difficulty: 3 Hard
Learning Objective: 11-03 Describe computer fraud and misuse of AIS and corresponding risk-mitigation techniques.
Source: Original

Topic: Computer fraud and abuse

42. List the following steps regarding computer fraud risk assessments in sequence.

(a) Assessing the likelihood and business impact of a control failure and/or a fraud incident.
(b) Mapping existing controls to potential fraud schemes and identifying gaps.
(c) Identifying potential IT fraud schemes and prioritizing them based on likelihood and impact.
(d) Identifying relevant IT fraud risk factors.
(e) Testing operating effectiveness of fraud prevention and detection controls.

d, c, b, e, a

AACSB: Reflective Thinking


AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Apply
Difficulty: 3 Hard
Learning Objective: 11-03 Describe computer fraud and misuse of AIS and corresponding risk-mitigation techniques.
Source: Original
Topic: Computer fraud and abuse

43. Describe the process of using asymmetric-key encryption to authenticate the trading partner
involved in e-business.

To authenticate a trading partner (TP), the contact person (CP) of a company sends a challenge
message to TP. TP uses her private key to encrypt the challenge message and sends it to CP. If
CP is able to use TP's public key to decrypt it and recover the plaintext of the challenge message,
CP has authenticated TP successfully.

AACSB: Reflective Thinking


AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Apply
Difficulty: 3 Hard
Learning Objective: 11-02 Understand the concepts of encryption and authentication.
Source: Original
Topic: Information security and systems integrity

44. What are the two prerequisites for vulnerability management?

First, a firm should determine the main objectives of its vulnerability management. In some cases,
the firm should determine which laws, regulations, and standards it must comply with. Second, a
firm should assign roles and responsibilities for vulnerability management. Management may
designate a team to be responsible for developing and implementing the vulnerability
management program.

AACSB: Reflective Thinking


AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 11-04 Define vulnerabilities; and explain how to manage and assess vulnerabilities.
Source: Original
Topic: Vulnerability management and assessments

45. Describe the framework for vulnerability assessment and vulnerability management.

The components of vulnerability assessment include identification and risk assessment.

Identification process: identifying all critical IT assets, threats and vulnerabilities.
Risk assessment process: assessing vulnerabilities and prioritizing vulnerability issues.

The components of vulnerability management include remediation and maintenance.

Remediation process: making a risk response plan, preparing the policy and requirements
for remediation, as well as control implementation.
Maintenance: monitoring, ongoing assessment and continuous improvement.

AACSB: Reflective Thinking


AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Understand
Difficulty: 2 Medium

Learning Objective: 11-04 Define vulnerabilities; and explain how to manage and assess vulnerabilities.
Source: Original
Topic: Vulnerability management and assessments

46. What is included in disaster recovery planning and business continuity management? Are
these concepts related?

Disaster recovery planning (DRP) must include a clearly defined and documented plan that
covers key personnel, resources including IT infrastructure and applications, and actions
required to be carried out in order to continue or resume the systems for critical business
functions within planned levels of disruption. Business continuity management (BCM) includes
the activities required to keep a firm running during a period of displacement or interruption of
normal operations. DRP is a key component of BCM. BCM is broader than DRP and is
concerned with the entire set of business processes rather than particular assets, such as IT
infrastructure and applications.

AACSB: Reflective Thinking


AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Understand
Difficulty: 2 Medium
Learning Objective: 11-05 Explain issues in system availability; disaster recovery; and business continuity.
Source: Original
Topic: System availability, disaster recovery and business continuity

47. What is a digital signature? How could a digital signature ensure data integrity when
conducting e-business?

A digital signature is a message digest (MD) of a document (or data file) that is encrypted using
the document creator's private key.

1) Both the sender (A) and receiver (B) use an asymmetric-key encryption method to
authenticate each other.
2) Sender A makes a copy of the document and uses SHA-256 to hash the copy and get an
MD.
3) Sender A encrypts the MD using Sender A's private key to get Sender A's digital signature.
4) Sender A uses Receiver B's public key to encrypt the original document and Sender A's
digital signature (for confidentiality).
5) Sender A sends the encrypted package to Receiver B.
6) Receiver B receives the package and decrypts it using Receiver B's private key. Receiver B
now has the document and Sender A's digital signature.
7) Receiver B decrypts Sender A's digital signature using Sender A's public key to get the sent-
over MD. Receiver B also authenticates that Sender A is the document creator.
8) Receiver B makes a copy of the received document and uses SHA-256 to hash the copy and
get a calculated MD.
9) If the sent-over MD is the same as the calculated MD, Receiver B ensures data integrity.
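
The signing, sealing and verification steps above, together with the challenge-response exchange of question 43, carried through as an added example that is not part of this test bank. To run with the Python standard library alone it uses a toy textbook RSA on fixed, publicly known Mersenne primes; the key sizes, the function names and the sample invoice are all constructed for illustration.

```python
import hashlib

# Toy textbook RSA on fixed, public Mersenne primes (constructed for illustration:
# the primes are public and there is no padding, so only the flow is worth copying).
A_PRIMES = (2**521 - 1, 2**607 - 1)    # sender A's modulus, about 2^1128
B_PRIMES = (2**1279 - 1, 2**127 - 1)   # receiver B's modulus, about 2^1406


def make_keypair(p, q, e=65537):
    """Return (public, private) as (e, n) and (d, n)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (e, n), (pow(e, -1, phi), n)   # modular inverse: Python 3.8+


def rsa_apply(key, value):
    """value ** exponent mod n; the same operation serves both key halves."""
    exp, n = key
    if not 0 <= value < n:
        raise ValueError("value does not fit this modulus")
    return pow(value, exp, n)


def message_digest(document):
    """Steps 2 and 8: SHA-256 of the document, read as an integer MD."""
    return int.from_bytes(hashlib.sha256(document).digest(), "big")


def sign_and_seal(document, a_private, b_public):
    """Steps 2-5: A signs the MD with its private key, then encrypts both the
    document and the signature with B's public key. Returns the package."""
    signature = rsa_apply(a_private, message_digest(document))
    doc_int = int.from_bytes(document, "big")
    return rsa_apply(b_public, doc_int), rsa_apply(b_public, signature)


def open_and_verify(package, b_private, a_public):
    """Steps 6-9: B decrypts with its private key, recovers the sent-over MD
    with A's public key and compares it with a freshly calculated MD."""
    enc_doc, enc_sig = package
    doc_int = rsa_apply(b_private, enc_doc)
    document = doc_int.to_bytes((doc_int.bit_length() + 7) // 8, "big")
    sent_md = rsa_apply(a_public, rsa_apply(b_private, enc_sig))
    return document, sent_md == message_digest(document)


def challenge_response(challenge, tp_private, tp_public):
    """Question 43: TP encrypts CP's challenge with her private key; CP
    checks that TP's public key recovers the original plaintext."""
    c = int.from_bytes(challenge, "big")
    return rsa_apply(tp_public, rsa_apply(tp_private, c)) == c
```

Documents must be shorter than B's modulus (about 175 bytes here) and must not begin with a zero byte, which the integer round trip would drop. A production system uses a vetted library with proper padding (for example RSA-PSS signatures and OAEP or hybrid encryption) rather than textbook RSA.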

AACSB: Reflective Thinking


AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Understand
Difficulty: 2 Medium
Learning Objective: 11-02 Understand the concepts of encryption and authentication.
Source: Original
Topic: Information security and systems integrity
