1. Fraud triangle includes incentive, opportunity and an attitude to rationalize the fraud.
True False
3. Encryption is a preventive control ensuring data confidentiality and privacy during transmission
and for storage.
True False
5. Key distribution and key management are problematic under the symmetric-key encryption.
True False
11-1
Copyright 2014 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of
McGraw-Hill Education.
7. Certificate Authority (CA) issues digital certificates to bond the subscriber with a public key and a
private key.
True False
9. One type of fault tolerance is using redundant units to provide a system the ability to continue
functioning when part of the system fails.
True False
10. Disaster recovery planning and business continuity management are preventive controls.
True False
12. The goal of information security management is to enhance the confidence, integrity and authority
(CIA) of a firm's management.
True False
14. Spam is a self-replicating program that runs and spreads by modifying other programs or files.
True False
15. Encryption and hashing are similar processes to maintain data confidentiality.
True False
A. Accurate
B. Complete
C. Accessible
D. A and B are correct.
A. To establish a framework for controlling the design, security, and use of computer programs
throughout an organization.
B. To ensure that data storage media are subject to authorization prior to access, change, or
destruction.
C. To formalize standards, rules, and procedures to ensure the organization's controls are properly
executed.
D. To monitor the use of system software to prevent unauthorized access to system software and
computer programs.
19. An entity doing business on the internet most likely could use any of the following methods to
prevent unauthorized intruders from accessing proprietary information except:
A. Password management.
B. Data encryption.
C. Digital certificates.
D. Batch processing.
20. When a client's accounts payable computer system was relocated, the administrator provided
support through a dial-up connection to the server. Subsequently, the administrator left the company.
No changes were made to the accounts payable system at that time. Which of the following
situations represents the greatest security risk?
21. Which of the following statements presents an example of a general control for a computerized
system?
22. Which of the following outcomes is a likely benefit of information technology used for internal
control?
23. In a large multinational organization, which of the following job responsibilities should be assigned
to the network administrator?
24. An information technology director collected the names and locations of key vendors, current
hardware configuration, names of team members, and an alternative processing location. What is
the director most likely preparing?
25. Bacchus, Inc. is a large multinational corporation with various business units around the world.
After a fire destroyed the corporation headquarters and largest manufacturing site, plans for which
of the following would help Bacchus ensure a timely recovery?
A. Daily backup.
B. Network security.
C. Business continuity.
D. Backup power.
26. Which of the following statements regarding authentication in conducting e-business is incorrect?
A. It is a process that establishes the origin of information or determines the identity of a user,
process, or device.
B. One key is used for encryption and decryption purposes in the authentication process.
C. Successful authentication can prevent repudiation in electronic transactions.
D. We need to use asymmetric-key encryption to authenticate the sender of a document or data
set.
27. Which of the following is not included in the remediation phase for vulnerability management?
28. Which of the following does not represent a viable data backup method?
29. Which of the following statements about asymmetric-key encryption is correct?
A. When using an asymmetric-key encryption method, a total of two keys are necessary in electronic
communication between two parties.
B. Employees in the same company share the same public key.
C. Most companies would like to manage the private keys for their employees.
D. Most companies would like to use a Certificate Authority to manage the public keys of their
employees.
E. Two of the above are correct.
A. A fraud prevention program starts with a fraud risk assessment across the entire firm.
B. The audit committee typically has an oversight role in the risk assessment process.
C. Communicating a firm's policy file to employees is one of the most important responsibilities of
management.
D. A fraud prevention program should include an evaluation of the efficiency of business
processes.
31. A disaster recovery approach should include which of the following elements:
A. Encryption.
B. Firewalls.
C. Regular backups.
D. Surge protectors.
A. Go2Ca!ifornia4fun
B. language
C. jennyjenny
D. pass56word
33. Which of the following is a password security weakness?
A. Users are assigned passwords when accounts are created, but do not change them.
B. Users have accounts on several systems with different passwords.
C. Users write down their passwords on a note paper, and carry it with them.
D. Users select passwords that are not part of an online password dictionary.
34. To prevent invalid data input, a bank added an extra number at the end of each account number
and subjected the new number to an algorithm. This technique is known as:
A. A validation check.
B. Check digit verification.
C. A dependency check.
D. A format check.
35. Which of the following security controls would best prevent unauthorized access to a firm's
internal network?
36. Why does a Certificate Authority (CA) play an important role in a company's information security
management?
37. When computer programs or files can be accessed from terminals, users should be required to
enter a(n)
A. Parity check.
B. Password as a personal identification code.
C. Check digit.
D. Echo check.
38. Which of the following controls would most likely assure that a company can reconstruct its
financial records?
39. Why would companies want to use digital signatures when conducting e-business?
A. It is cheap.
B. It is always the same so it can be verified easily.
C. It is more convenient than requiring a real signature.
D. It can authenticate the document sender and maintain data integrity.
Essay Questions
41. A magnetic tape used to store data backups was lost while it was being transported to an offsite
storage location. The data on the tape includes customers' credit card and personal information.
Which preventive control(s) should have been used to minimize the potential loss?
42. List the following steps regarding computer fraud risk assessments in sequence.
(a) Assessing the likelihood and business impact of a control failure and/or a fraud incident.
(b) Mapping existing controls to potential fraud schemes and identifying gaps.
(c) Identifying potential IT fraud schemes and prioritizing them based on likelihood and impact.
(d) Identifying relevant IT fraud risk factors.
(e) Testing operating effectiveness of fraud prevention and detection controls.
43. Describe the process of using asymmetric-key encryption to authenticate the trading partner
involved in e-business.
45. Describe the framework for vulnerability assessment and vulnerability management.
46. What are included in disaster recovery planning and business continuity management? Are these
concepts related?
47. What is a digital signature? How could a digital signature ensure data integrity when conducting e-
business?
Chapter 11 Information Security and Computer Fraud Answer Key
1. Fraud triangle includes incentive, opportunity and an attitude to rationalize the fraud.
TRUE
TRUE
3. Encryption is a preventive control ensuring data confidentiality and privacy during transmission
and for storage.
TRUE
Blooms: Understand
Difficulty: 2 Medium
Learning Objective: 11-02 Understand the concepts of encryption and authentication.
Source: Original
Topic: Information security and systems integrity
FALSE
5. Key distribution and key management are problematic under the symmetric-key encryption.
TRUE
FALSE
Topic: Information security and systems integrity
7. Certificate Authority (CA) issues digital certificates to bond the subscriber with a public key and
a private key.
TRUE
FALSE
9. One type of fault tolerance is using redundant units to provide a system the ability to continue
functioning when part of the system fails.
TRUE
10. Disaster recovery planning and business continuity management are preventive controls.
FALSE
TRUE
12. The goal of information security management is to enhance the confidence, integrity and
authority (CIA) of a firm's management.
TRUE
13. Virus is a self-replicating, self-propagating, self-contained program that uses networking
mechanisms to spread itself.
FALSE
14. Spam is a self-replicating program that runs and spreads by modifying other programs or files.
FALSE
15. Encryption and hashing are similar processes to maintain data confidentiality.
FALSE
Multiple Choice Questions
A. Accurate
B. Complete
C. Accessible
D. A and B are correct.
18. What is the primary objective of data security controls?
A. To establish a framework for controlling the design, security, and use of computer programs
throughout an organization.
B. To ensure that data storage media are subject to authorization prior to access, change, or
destruction.
C. To formalize standards, rules, and procedures to ensure the organization's controls are
properly executed.
D. To monitor the use of system software to prevent unauthorized access to system software
and computer programs.
19. An entity doing business on the internet most likely could use any of the following methods to
prevent unauthorized intruders from accessing proprietary information except:
A. Password management.
B. Data encryption.
C. Digital certificates.
D. Batch processing.
20. When a client's accounts payable computer system was relocated, the administrator provided
support through a dial-up connection to the server. Subsequently, the administrator left the
company. No changes were made to the accounts payable system at that time. Which of the
following situations represents the greatest security risk?
21. Which of the following statements presents an example of a general control for a computerized
system?
22. Which of the following outcomes is a likely benefit of information technology used for internal
control?
23. In a large multinational organization, which of the following job responsibilities should be
assigned to the network administrator?
24. An information technology director collected the names and locations of key vendors, current
hardware configuration, names of team members, and an alternative processing location. What
is the director most likely preparing?
25. Bacchus, Inc. is a large multinational corporation with various business units around the world.
After a fire destroyed the corporation headquarters and largest manufacturing site, plans for
which of the following would help Bacchus ensure a timely recovery?
A. Daily backup.
B. Network security.
C. Business continuity.
D. Backup power.
26. Which of the following statements regarding authentication in conducting e-business is
incorrect?
A. It is a process that establishes the origin of information or determines the identity of a user,
process, or device.
B. One key is used for encryption and decryption purposes in the authentication process.
C. Successful authentication can prevent repudiation in electronic transactions.
D. We need to use asymmetric-key encryption to authenticate the sender of a document or
data set.
27. Which of the following is not included in the remediation phase for vulnerability
management?
28. Which of the following does not represent a viable data backup method?
A. When using an asymmetric-key encryption method, a total of two keys are necessary in
electronic communication between two parties.
B. Employees in the same company share the same public key.
C. Most companies would like to manage the private keys for their employees.
D. Most companies would like to use a Certificate Authority to manage the public keys of their
employees.
E. Two of the above are correct.
30. Which of the following statements is incorrect?
A. A fraud prevention program starts with a fraud risk assessment across the entire firm.
B. The audit committee typically has an oversight role in the risk assessment process.
C. Communicating a firm's policy file to employees is one of the most important
responsibilities of management.
D. A fraud prevention program should include an evaluation of the efficiency of business
processes.
31. A disaster recovery approach should include which of the following elements:
A. Encryption.
B. Firewalls.
C. Regular backups.
D. Surge protectors.
32. Which of the following passwords would be most difficult to crack?
A. Go2Ca!ifornia4fun
B. language
C. jennyjenny
D. pass56word
A. Users are assigned passwords when accounts are created, but do not change them.
B. Users have accounts on several systems with different passwords.
C. Users write down their passwords on a note paper, and carry it with them.
D. Users select passwords that are not part of an online password dictionary.
34. To prevent invalid data input, a bank added an extra number at the end of each account
number and subjected the new number to an algorithm. This technique is known as:
A. A validation check.
B. Check digit verification.
C. A dependency check.
D. A format check.
35. Which of the following security controls would best prevent unauthorized access to a firm's
internal network?
36. Why does a Certificate Authority (CA) play an important role in a company's information security
management?
37. When computer programs or files can be accessed from terminals, users should be required to
enter a(n)
A. Parity check.
B. Password as a personal identification code.
C. Check digit.
D. Echo check.
38. Which of the following controls would most likely assure that a company can reconstruct its
financial records?
39. Why would companies want to use digital signatures when conducting e-business?
A. It is cheap.
B. It is always the same so it can be verified easily.
C. It is more convenient than requiring a real signature.
D. It can authenticate the document sender and maintain data integrity.
40. Select the correct statement regarding encryption methods.
Essay Questions
41. A magnetic tape used to store data backups was lost while it was being transported to an
offsite storage location. The data on the tape includes customers' credit card and personal
information. Which preventive control(s) should have been used to minimize the potential loss?
Topic: Computer fraud and abuse
42. List the following steps regarding computer fraud risk assessments in sequence.
(a) Assessing the likelihood and business impact of a control failure and/or a fraud incident.
(b) Mapping existing controls to potential fraud schemes and identifying gaps.
(c) Identifying potential IT fraud schemes and prioritizing them based on likelihood and impact.
(d) Identifying relevant IT fraud risk factors.
(e) Testing operating effectiveness of fraud prevention and detection controls.
d, c, b, e, a
43. Describe the process of using asymmetric-key encryption to authenticate the trading partner
involved in e-business.
To authenticate a trading partner (TP), the contact person (CP) of a company sends a challenge
message to TP. TP uses her private key to encrypt the challenge message and sends it to CP. If
CP is able to use TP's public key to decrypt and get the plaintext of the challenge message, CP
has authenticated TP successfully.
44. What are the two prerequisites for vulnerability management?
First, determine the main objectives of its vulnerability management. In some cases, the firm
should determine which laws, regulations, and standards it should comply with. Second, a firm
should assign roles and responsibilities for vulnerability management. The management may
designate a team to be responsible for developing and implementing the vulnerability
management program.
45. Describe the framework for vulnerability assessment and vulnerability management.
Remediation process: making a risk response plan, preparing the policy and requirements
for remediation, as well as control implementation.
Maintenance: monitoring, ongoing assessment and continuous improvement.
Learning Objective: 11-04 Define vulnerabilities; and explain how to manage and assess vulnerabilities.
Source: Original
Topic: Vulnerability management and assessments
46. What are included in disaster recovery planning and business continuity management? Are
these concepts related?
Disaster recovery planning (DRP) must include a clearly defined and documented plan that
covers key personnel, resources including IT infrastructure and applications, and actions
required to be carried out in order to continue or resume the systems for critical business
functions within planned levels of disruption. Business continuity management (BCM) includes
the activities required to keep a firm running during a period of displacement or interruption of
normal operations. DRP is a key component of the BCM. BCM is broader than DRP and is
concerned about the entire business processes rather than particular assets, such as IT
infrastructure and applications.
47. What is a digital signature? How could a digital signature ensure data integrity when
conducting e-business?
A digital signature is a message digest (MD) of a document (or data file) that is encrypted using
the document creator's private key.
1) Both the sender (A) and receiver (B) use an asymmetric-key encryption method to
authenticate each other.
2) Sender A makes a copy of the document and uses SHA-256 to hash the copy and get an
MD.
3) Sender A encrypts the MD using Sender A's private key to get Sender A's digital signature.
4) Sender A uses Receiver B's public key to encrypt the original document and Sender A's
digital signature (for confidentiality).
5) Sender A sends the encrypted package to Receiver B.
6) Receiver B receives the package and decrypts it using Receiver B's private key. Receiver B
now has the document and Sender A's digital signature.
7) Receiver B decrypts Sender A's digital signature using Sender A's public key to get the
sent-over MD. Receiver B also authenticates that Sender A is the document creator.
8) Receiver B makes a copy of the received document and uses SHA-256 to hash the copy and
get a calculated MD.
9) If the sent-over MD is the same as the calculated MD, Receiver B ensures data integrity.
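The sign-and-verify steps of the Q47 answer (steps 2, 3, 7, 8 and 9) and the challenge-response exchange from the Q43 answer, as an added worked example that is not part of the test bank. It assumes SHA-256 as the MD and textbook RSA with a deterministically generated toy keypair (no padding, toy key size, and the confidentiality wrapping of steps 4 to 6 omitted); the challenge is hashed before signing, which the Q43 answer does not state.

```python
import hashlib
import random

# Added example, not from the test bank. Textbook RSA with a seeded toy keypair so it
# runs offline and reproducibly. Real deployments use padded signatures (e.g. RSA-PSS)
# from a vetted library; steps 4-6 (encrypting the package for Receiver B) are omitted.

def _is_probable_prime(n, rounds=24):
    """Miller-Rabin probable-prime test; the per-candidate seed keeps results reproducible."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    rng = random.Random(n)
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits, rng):
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1   # force top bit and oddness
        if _is_probable_prime(cand):
            return cand

def generate_keypair(seed, bits=160):
    """Return ((n, e), (n, d)); n is ~320 bits, so a 256-bit SHA-256 MD fits below it."""
    rng, e = random.Random(seed), 65537
    while True:
        p, q = _random_prime(bits, rng), _random_prime(bits, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:            # e must be invertible modulo phi
            return (p * q, e), (p * q, pow(e, -1, phi))

def message_digest(document: bytes) -> int:
    """Steps 2 and 8: hash the document with SHA-256 and treat the MD as an integer."""
    return int.from_bytes(hashlib.sha256(document).digest(), "big")

def sign(document: bytes, private_key) -> int:
    """Step 3: 'encrypt' the MD with the sender's private key."""
    n, d = private_key
    return pow(message_digest(document), d, n)

def verify(document: bytes, signature: int, public_key) -> bool:
    """Steps 7-9: recover the sent-over MD with the sender's public key and compare it
    with a freshly calculated MD; a mismatch means tampering or a wrong signer."""
    n, e = public_key
    sent_over_md = pow(signature, e, n)
    return sent_over_md == message_digest(document)

def challenge_response(tp_private, tp_public, seed=7) -> bool:
    """Q43: CP sends a random challenge, TP signs it with her private key, and CP checks
    the response with TP's public key. The challenge is hashed inside sign() so TP never
    applies her private key to a raw value chosen by someone else (assumption, see lead-in)."""
    challenge = random.Random(seed).getrandbits(128).to_bytes(16, "big")
    response = sign(challenge, tp_private)
    return verify(challenge, response, tp_public)

if __name__ == "__main__":
    pub_a, priv_a = generate_keypair(seed=2014)
    doc = b"Invoice 1234: pay 10,000 to account 555-01"   # constructed sample document
    sig = sign(doc, priv_a)
    print("intact document verifies:", verify(doc, sig, pub_a))
    print("tampered document verifies:", verify(doc.replace(b"10,000", b"90,000"), sig, pub_a))
    print("trading partner authenticated:", challenge_response(priv_a, pub_a))
```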