31-60 CISA Domain V Questions Answer and Explanation

The biometric stores sensitive personal information, so the storage must be secure.

The users of a biometric device must first be enrolled in the device.

A user applying for access will be verified against the stored enrolled value.

The device captures a physical or behavioral image of the human, identifies the unique features and uses an algorithm to convert them into a string of numbers stored as a template to be used in the matching processes,

Back doors are computer programs left by hackers to exploit vulnerabilities.

Social engineering is based on the divulgence of private information through dialogues, interviews, inquiries, etc., in which a user may be indiscreet regarding their or someone else's personal data.

A sniffer is a computer tool to monitor the traffic in networks.

Trojan horses are computer programs that pretend to supplant a real program; thus, the functionality of the program is not authorized and is usually malicious in nature.

Biometric scanners are best located in restricted areas to prevent tampering, but video surveillance is an acceptable mitigating control. The greatest concern is lack of a securely encrypted tunnel between the scanners and the access control system.

The biometric risk analysis should be performed periodically, but an analysis performed three years ago is not necessarily a cause for concern.

Generally, virtual private network software provides a secure tunnel so that remote administration functions can be performed. This is not a concern.

Data transmitted between the biometric scanners and the access control system should use a securely encrypted tunnel to protect the confidentiality of the biometric data.

An IS auditor should not make changes to the system being audited; ensuring the deletion of the virus is a management responsibility.

The IS auditor is neither authorized nor capable in most cases of removing the virus from the network.

The first thing an IS auditor should do after detecting the virus is to alert the organization to its presence, then wait for their response.

Observing the response mechanism should be done after informing appropriate personnel. This will enable an IS auditor to examine the actual workability and effectiveness of the response system.

Use of two firewalls would not represent an effective defense in-depth strategy because the same attack could circumvent both devices. By using two different products, the probability of both products having the same vulnerabilities is diminished.

Having no physical signs on the outside of a computer center building is a single security measure known as security by obscurity.

Using two firewalls in parallel to check different types of incoming traffic provides redundancy but is only a single security mechanism and, therefore, no different than having a single firewall checking all traffic.

Defense in-depth means using different security mechanisms that back each other up. When network traffic passes the firewall unintentionally, the logical access controls form a second line of defense.

An audit trail is not effective if the details in it can be amended.

An audit trail must record the identity of the person or process involved in the logged activity to establish accountability. '

Data and time stamps should be recorded in the logs to enable the reconstruction and correlation of events on multiple systems.

Restricting the administrator to read-only access will protect the audit file from alteration.

A patch management process helps secure servers and may prohibit unauthorized disclosure of data; however, it does not affect the privacy of the data.

Data retention, backup and recovery are important controls; however, they do not guarantee data privacy.

When reviewing a third-party agreement, the most important consideration with regard to the privacy of the data is the clause concerning the return or secure destruction of information at the end of the contract.

Network and intrusion detection are helpful when securing the data, but on their own, they do not guarantee data privacy stored at a third-party provider.

Provision of physical and logical security for data is the responsibility of the security administrator.

It is the responsibility of owners to define the criticality (and sensitivity)levels of information assets.

Implementation of access rules is a responsibility of data custodians based on the requirements set by the data owner.

Implementation of information security within an application is the responsibility of the data custodians based on the requirements set by the data owner.

IT security, employees cannot be supervised in the traditional sense unless the supervisor were to monitor each keystroke entered on a workstation, which is obviously not a realistic option.

Retaining backups of the transaction logs does not prevent the files from unauthorized modification prior to backup.

Allowing IT security employees access to transaction logs is often unavoidable because having system administrator privileges is required for them to do their job. The best control in this case, to avoid unauthorized modifications of transaction logs, is to write the transaction logs to WORM drive media in real time. It is important to note that simply backing up the transaction logs to tape is not adequate because data could be modified prior (typically at night) to the daily backup job execution.

The log files themselves are the main evidence that an unauthorized change was made, which is a sufficient detective controL Protecting the log files from modification requires preventive cOntrols such as securely writing the logs.

Intrusion detection systems are used to detect irregular or abnormal traffic patterns.

Social engineering exploits human nature and weaknesses to obtain information and access privileges. By increasing employee awareness of security issues, it is possible to reduce the number of successful social engineering incidents.

An email monitoring policy informs users that all email in the organization is subject to monitoring; it does not protect the users from potential security incidents and intruders.

In most cases, social engineering incidents do not require the physical presence of the intruder. Therefore, increased physical security measures would not prevent the incident.

A race condition exploit involves the timing of two events and an action that causes one event to happen later than expected. The scenario given is not an example of a race condition exploit.

Buffer overflows involve applications of actions that take advantage of a defect in the wayan application or system uses memory. By overloading the memory storage mechanism, the system will perform in unexpected ways. The scenario given is not an example of a buffer overflow exploit.

Impersonation attacks involve an error in the identification of a privileged user. The scenario given is not an example of this exploit.

A privilege escalation is a type of attack where higher-level system authority is obtained by various methods. In this example, the task scheduler service runs with administrator permissions, and a security flaw allows programs launched by the scheduler to run at the same permission level.

The use of a user ID by more than one individual precludes knowing who, in fact, used that ID to access a system; therefore, it is impossible to hold anyone accountable.

Using shared IDs would not pose an increased risk due to work effort required for managing access.

Shared user IDs do not necessarily have easily guessed passwords.

The ability of unauthorized users to use a shared 10 is more likely than of an individual ID-but the misuse of another person's ID is always a risk.

Piggybacking refers to unauthorized persons following, either physically or virtually, authorized persons into restricted areas. Masking the display of passwords would not prevent someone from tailgating an authorized person. .

Impersonation refers to someone acting as an employee in an attempt to retrieve desired information.

This policy only refers to "the display of passwords," not dumpster diving (looking through an organization's trash for valuable information).

Has a password is displayed on a monitor, any person or camera nearby could look over the shoulder 'of the user to obtain the password.

While a strong magnetic field can erase certain storage media, normally terminals are designed to limit these emissions; therefore, this is not normally a concern.

Emissions can be detected by sophisticated equipment and displayed, thus giving unauthorized persons access to data. TEMPEST is a term referring to the investigation and study of compromising emanations of unintentional intelligence-bearing signals that, if intercepted and analyzed, may reveal their contents.

Most electromagnetic emissions are low level and do not pose a significant health risk.

Electromagnetic emissions should not cause disruption of central processing units.

Security administration procedures require write access to access control tables to manage and update the privileges according to authorized business requirements.

Security administration procedures require read-only access to security log files to ensure that, once generated, the logs are not modified. Logs provide evidence and track suspicious transactions and activities.

The security administrator is often responsible for user-facing issues such as managing user roles, profiles and settings. This requires the administrator to have more than read-only access.

Logging options require write access to allow the administrator to update the way the transactions and user activities are monitored, captured, stored, processed and reported.

The passwords should not be shared, but this is less important than ensuring that the password files are encrypted.

When evaluating the technical aspects of logical security, unencrypted passwords represent the greatest risk because it would be assumed that remote access would be over an untrusted network where passwords could be discovered.

Checking for the redundancy of login IDs is essential but is less important than ensuring that the passwords are encrypted.

There may be business requirements such as the use of contractors that requires them to have system access, so this may not be a concern.

Untested CGIs can have security weaknesses that allow unauthorized access to private systems because CGIs are typically executed on publicly available Internet servers.

While untested CGIs can cause the end-user web application to be compromised, this is not likely to significantly impact system integrity.

While untested common gateway interfaces (eGIs) can cause the end-user web application to be compromised, this is not likely to make the system unavailable to other users.

Untested CGI scripts do not inherently lead to malware exposures.

While not having valid backups would be a concern, the more important concern would be a lack of a chain of custody policy. Data breach evidence is not normally retrieved from backups.

Having log servers segregated on a separate network might be a good idea because ensuring the integrity of log server data is important. However, it is more critical to ensure that the chain of custody policy is in place.

Organizations should have a policy in place that directs employees to follow certain procedures when collecting evidence that may be used in a court of law. Chain of custody involves documentation of how digital evidence is acquired, processed, handled, stored and protected, and who handled the evidence and why. If there is no policy in place, it is unlikely that employees will ensure that the chain of custody is maintained during any data breach investigation.

End users should be made aware of incident reporting procedures, but this is not likely to affect data integrity related to the breach. The IS auditor would be more concerned that the organization's policy exists and provides for proper evidence handling.

Programmers will develop the access control software that will regulate the ways that users can access the data (update, read, delete, etc.), but the programmers do not have responsibility for determining who gets access to data.

Data owners are responsible for the access to and use of data. Written authorization for users to gain access to computerized information should be provided by the data owners. Security administration with the owners' approval sets up access rules stipulating which users or group of users are authorized to access data or files and the level of authorized access(e.g., read or update).

The librarians enforce the access control procedures they have been given but do not determine who gets access.

Systems analysts work with the owners and programmers to design access controls according to the rules set by the owners.

The data owner may consult with the IS manager to set out access control rules, but the responsibility for appropriate access remains with the data owner.The IT department should set up the access control tables at the direction of the owner.

The data owner holds the privilege and responsibility for formally establishing the access rights. An IS administrator should then implement or update user authorization tables at the direction of the owner.

The data owner would not usually manage updates to the authorization tables.

The owner sets the rules and conditions for access, It is best to obtain approval before implementing the tables.

An advantage of VoIP telephone systems is that they use the same cable types and even network switches as standard PC network connections. Therefore, this would not be a concern.

Voice-over Internet Protocol (VoIP) telephone systems use standard network cabling and typically each telephone gets power over the network cable (power over Ethernet) from the wiring closet where the network switch is installed. H the local area network switches do not have backup power, the phones will lose power if there is a utility interruption and potentially not be able to make emergency calls.

While improper cabling can create reliability issues, the more critical Issue in this case would be the lack of power protection.

As long as the power and telephone equipment are separated, this would not be a significant risk.

Review of data communication access activity logs is a network control feature

General operating system access control functions include logging user activities, events, etc. Reviewing these logs may identify users performing activities that should not have been permitted.

Periodic review of changing data files is related to a change control process.

Verification of user authorization at the field level is a database- andlor an application-level access control function and not applicable to an operating system.

While changing the password annually is a concern, the risk is not as great as exposing the data to unauthorized individuals outside the organization.

Disabling the screen saver function increases the risk that sensitive data can be exposed to other employees; however, the risk is not as great as exposing the data to unauthorized individuals outside the organization.

Encrypting all outgoing email is expensive and is not common business practice,

There will always be human-error risk that staff members forget to type certain words in the subject field. The organization should have automated encryption set up for outgoing email for employees working with protected healthcare information (PHI) to protect sensitive information

The most significant risk in this case would be if the factory default passwords are not changed on critical network equipment. This could allow anyone to change the configurations of network equipment.

While mobile devices that are not password protected would be a risk, it would not be as significant as unsecured network devices.

The use of a web proxy is a good practice but may not be required depending on the enterprise.

Encryption is a good control for data security but is not appropriate to use for all communication links due to cost and complexity.

The policy is appropriate and does not require change. Changing the policy would not ensure compliance.

Having a requirement to periodically change passwords is good practice and should be in the password policy.

The use of an automated password management tool is a preventive control measure. The software would prevent repetition (semantic) and would enforce syntactic rules, thus making the passwords robust. It would also provide a method for ensuring frequent changes and would prevent the same user from reusing his/her old password for a designated period of time.

Security awareness training would not enforce compliance.

A content-filtering proxy server will effectively monitor user access to Internet sites and block access to unauthorized web sites.

When a client web browser makes a request to an Internet site, those requests are outbound from the corporate network. A reverse proxy server is used to allow secure remote connection to a corporate site, not to control employee web access.

While client software utilities do exist to block inappropriate content, installing and maintaining additional software on a large number of PCs is less effective than controlling the access from a single, centralized proxy server.

A firewall exists to block unauthorized inbound and outbound network traffic, Some firewalls can be used to block or allow access to certain sites, but the term firewall is generic-there are many types of firewalls, and this is not the best answer.

Data classification is necessary to define access rules based on a need-to-do and need-to- know basis. The data owner is responsible for defining the access rules; therefore, establishing ownership is the first step in data classification.

Input for a data dictionary is prepared from the results of the data classification process.

A criticality analysis is required to determine the appropriate levels of protection of data, according to the data classification.

Access rules are set up dependent on the data classification.

The service level agreement may have a provision for providing access, but this is not a control; it would merely define the need for access.

The most effective control is to ensure that the granting of temporary access is based on services to be provided and that there is an expiration date (automated is best) associated with each unique ill. The use of an identity management system enforces temporary and permanent access for users, at the same time ensuring proper accounting of their activities.

Vendors may require administrator access for a limited period during the time of service. However, it is important to ensure that the level of access granted is set according to least privilege and that access during this period is monitored.

Deleting these user IDs after the work is completed is necessary, but if not automated, the deletion could be overlooked. The access should only be granted at the level of work required.

The first step in implementing access controls is an inventory of IS resources, which is the basis for establishing ownership and classification.

Labeling resources cannot be done without first determining the resources' classifications.

The access control list would not be done without a meaningful classification of resources.

The first step in implementing access controls is an inventory of IS resources, which is the basis for classification.

DAC allows data owners to modify access, which is a normal procedure and is a characteristic of DAC.

While an IS auditor may consult with data owners regarding whether this access is allowed normal the IS auditor should not rely on the auditee to determine whether this is an issue.

Recommending mandatory access control is not correct because it is more appropriate for data owners to have discretionary access controls (DAC) in a low-risk application.

The use of DAC may not be an exception and, until confirmed, should not be reported as an issue.