REVIEWER/QUIZZER ON IT CONTROLS PART 2: SECURITY AND ACCESS

QUESTIONS

1) The task of the operating system includes
a. translating high-level languages into the machine-level language.
b. allocating computer resources to user applications.
c. managing the tasks of job scheduling and multiprogramming.
d. all of the above.

2) Language translation modules of the operating system that convert one line of logic
at a time are known as
a. compilers.
b. interpreters.
c. converters.
d. inverters.

3) The operating system must
a. be protected from its environment.
b. be protected from itself.
c. protect itself from users.
d. all of the above.

4) Key information about the user, including user ID, password, user group, and
privileges granted to the user, is contained in the
a. log-on procedure.
b. access token.
c. access control list.
d. discretionary access privilege.

5) Privileged personnel abusing their authority is a threat to operating system integrity
pertaining to
a. accidental threats.
b. accidental system failures.
c. intentional threats.
d. errors in user application.

6) Audit procedures relating to access privileges include
a. reviewing privileges of a sample of user groups and individuals.
b. reviewing users’ permitted log-on times.
c. both a and b.
d. none of the above.

7) Which of the following statements about password and password controls is most
correct?
a. A password is a code, usually shared with others, entered by the user to gain
access to data files.
b. A reusable password is a network password that constantly changes.
c. Reviewing that all users are required to have passwords is an audit objective
relating to passwords.
d. None. All of the above statements are incorrect.

8) An audit procedure relating to malware includes
a. determining that personnel are ignorant and unaware of practices that can spread
viruses and other malicious programs.
b. verifying that new software is tested after its implementation.
c. verifying up-to-date antiviral software.
d. all of the above.

9) When the auditor uses the audit log viewer to scan for unusual activity, the auditor
should focus on
a. authorized or active users.
b. log-on and log-off times.
c. successful log-on attempts.
d. all of the above.

10) Which controls ensure that in the event of data loss due to unauthorized access,
equipment failure, or physical disaster, the organization can recover its files and
databases?
a. Back-up controls
b. Access controls
c. Audit trail controls
d. Controls against malware

11) Data encryption
a. is the use of an algorithm to scramble selected data, making it unreadable to an
intruder browsing the database.
b. is a set of data that a particular user needs to achieve his or her assigned tasks.
c. allows the user to create a personal security program or routine to provide more
positive user identification than a password.
d. is a device that measures various personal characteristics, such as finger, voice, or
retina prints, or other signature characteristics, to allow access.

12) The whole contents of the database is known as the
a. schema.
b. subschema.
c. user view.
d. database authorization table.

13) Audit objectives relating to the database include
a. ensuring that authorized users are denied access to the database.
b. ensuring that unauthorized users are limited to accessing data needed to perform
duties.
c. both a and b.
d. none of the above.

14) Selecting a sample of users and verifying the appropriateness of access privileges is
an audit procedure pertaining to
a. appropriate access authority.
b. biometric controls.
c. encryption controls.
d. none of the above.

15) The recovery module
a. is automatic and should be done at least daily.
b. is a listing of transactions that provides an audit trail of all processed events.
c. a feature that suspends all data processing while the system reconciles the
transaction log and the database change log against the database.
d. uses the logs and backup files to restart the system after a failure.

16) Which of the following statements about backup controls is most correct?
a. The audit objective relating to database backup is to ensure that controls are
adequate in the event of a loss.
b. An audit procedure relating to database backup is to verify that databases are
copied at regular intervals and that the backup copies are stored off-site to support
disaster recovery procedures.
c. Both a and b.
d. None of the above.

17) The technology of network communications is subject to
a. Risks from subversive threats
b. Risks from equipment failure
c. Risk of loss of strategic advantage
d. Both a and b

18) Which type of firewall provides higher-level, customizable network security but adds
overhead to connectivity?
a. Network-level firewall
b. Screen router
c. Application-level firewall
d. None of the above

19) In a distributed denial of service attack,
a. the victim’s site becomes inundated with messages from thousands of zombie sites
that are distributed across the internet.
b. the sender sends hundreds of messages, receives the SYN/ACK packet, but does
not respond with an ACK packet.
c. Although the attack may actually be coming from single disguised site, the victim’s
host computer views these transmissions as coming from all over the internet.
d. The targeted organization can program its firewall to ignore all communication from
the attacking site, once the attacker’s IP address is determined.

20) A type of encryption that uses a single key known to both the sender and the receiver
of the message refers to
a. Private key encryption or the advanced encryption standard (AES)
b. Triple Data Encryption Standard (DES)
c. EEE3 and EDE3
d. Public key encryption

21) Which of the following is used in conjunction with a public key encryption to
authenticate the sender of a message?
a. Digital signature
b. Digest
c. Digital certificate
d. Certification authority

22) A call-back device
a. is a sequence number inserted in each message to foil any attempt by an intruder
in the communications channel to delete a message from a stream of messages,
change the order of messages received, or duplicate a message.
b. is a log in which all incoming and outgoing messages, as well as attempted (failed)
access, should be recorded.
c. is a technique in which a control message from the sender and a response from
the sender are sent at periodic synchronized intervals.
d. is a hardware component that asks the dial-in caller to enter a password and then
breaks the connection to perform a security check.

23) Audit objectives relating to subversive threats include verifying the security and
integrity of financial transactions by determining network controls can:
a. prevent and detect legal internal and Internet network access.
b. render any data captured by a perpetrator useful.
c. preserve integrity and physical security of data connected to the network.
d. all of the above.

24) Audit procedures relating to subversive threats include
a. reviewing firewall adequacy in achieving balance between control and convenience.
b. checking data encryption security procedures and encryption process.
c. reviewing message transaction logs.
d. all of the above.

25) Which of the following statements about controlling risks from equipment failure is
least correct?
a. Most common problem in data communications is data loss due to line errors from
communications noise.
b. A line error is an error caused when the bit structure of the message is corrupted
through noise on the communications lines.
c. Two techniques to detect and correct such data errors are echo and parity check.
d. Parity check only includes horizontal parity.

26) Which of the following statements about controlling risks from equipment failure is
most correct?
a. Audit objectives relating to equipment failure include ensuring and verifying the
integrity of the electronic commerce transactions by determining that controls are
in place to detect and correct message loss due to equipment failure.
b. An audit procedure relating to equipment failure include selecting a sample of
messages, examining them for garbled content and verifying that all corrupted
messages were successfully retransmitted.
c. Both a and b.
d. None of the above.

27) The absence of human intervention in this process of electronic data interchange
presents a unique twist to traditional control problems, including:
a. ensuring that transactions are authorized and valid.
b. allowing unauthorized access to data files.
c. Both a and b.
d. None of the above.

28) Under transaction authorization and validation of EDI, both the customer and the
supplier must establish that the transaction being processed is to (or from) a valid
trading partner and is authorized. This can be done using the following scenario(s):
a. Some VANs have the capability of validating passwords and user ID codes for the
vendor by matching these against a valid customer file.
b. Before being converted, the translation software can validate the trading partner’s
ID and password against a validation file in the firm’s database.
c. Before processing, the trading partner’s application software references the valid
customer and vendor files to validate the transaction.
d. All of the above.

29) Which of the following statements under access control of EDI is the least correct?
a. EDI trading partners must permit a degree of access to public data files that would
be forbidden in a traditional environment.
b. The trading partner agreement will determine the degree of access control in place.
c. To guard against unauthorized access, each company must establish valid vendor
and customer files.
d. None. All of the above statements are equally correct.

30) A technique in restoring the audit trail for EDI transactions is
a. to execute a trading partner agreement to determine the degree of access control
in place.
b. to maintain a control log which records the transaction’s flow through each phase
of the EDI system.
c. to have VANs capable of validating passwords and user ID codes for the vendor by
matching these against valid customer file.
d. all of the above.

31) A Trojan horse
a. captures IDs and passwords from unsuspecting users.
b. allows unauthorized access to a system without normal log-on procedures.
c. is a software program that burrows into computer’s memory and replicates itself
into areas of idle memory.
d. is a program that attaches itself to a legitimate program to penetrate the operating
system and destroy application programs, data files and the operating system
itself.

32) A company has recently installed a new computer network. The operating
philosophy adopted by the new network administrator was to establish an open
system that would foster work group data sharing, flexible access, and minimal
inconvenience to the network users. To accomplish this objective, the data
administrator assigned employee access privileges to data based on department and
functional affiliation rather than specific tasks.

Which of the following actions will directly address the issue in the scenario above?
a. Network and data administrator should assign privileges consistent with job
descriptions.
b. Terminated employees should not be allowed to continue working for the company.
c. Antivirus software should be in place on the network server to prevent any files
from being uploaded before they are checked for viruses.
d. All users should have been required to change their passwords immediately.

33) Stephanie Baskill, an unemployed accounting clerk, took a low-profile position as a
cleaning woman in Cleaver Manufacturing Company. Being the janitress gave her
access to all areas in the building. While working, Stephanie snooped through
offices, watched people who were working late type in their passwords, and guessed
passwords. She ultimately printed out lists of user IDs and passwords using a Trojan
horse virus, thus obtaining all the necessary passwords to set herself up as a
supplier, customer, systems operator, and systems librarian.

Which of the following is a major or obvious weakness in the scenario of Cleaver
Manufacturing Company?
a. The company has no background checks for low level positions.
b. The company uses a one-time password system.
c. The company has inadequate application control for financial materiality
thresholds.
d. The company has inadequate security software such as virus protection software.

34) You are currently the Database Administrator of AKA Inc. You are tasked to create
the database authorization table for the accounts payable clerk. The following
tables are available for AKA Inc.:
➢ Customer Table
➢ Sales Invoice (AR) Table
➢ Inventory Table
➢ Cash Receipts Table
➢ Vendor Table
➢ Purchase Order Table
➢ Receiving Report Table
➢ Vendor Invoice Table (AP)
➢ Cash Disbursement Table

Which of the following is an appropriate access to be given to the AP clerk?
a) Read and insert access to the Purchase Order and Receiving Report tables and
read and insert access to the Vendor Invoice Table
b) Read access to the Purchase Order and Receiving Report tables and read and
insert access to the Vendor Invoice Table
c) Read and insert access to the Cash Disbursement Table and read and insert
access to the Vendor Invoice Table
d) Read and insert access to the Sales Invoice and Inventory Tables and read and
insert access to the Vendor Invoice Table
