CISA Practice Verified Exam Questions
and Answers
In a public key infrastructure (PKI), which of the following may be relied upon to prove that an
online transaction was authorized by a specific customer?
Correct A. Nonrepudiation
B. Encryption
C. Authentication
D. Integrity
. - answerYou a...
In a public key infrastructure (PKI), which of the following may be relied upon to prove that an
online transaction was authorized by a specific customer?
Correct A. Nonrepudiation
B. Encryption
C. Authentication
D. Integrity
. - answer✔✔You are correct, the answer is A.
A. Nonrepudiation, achieved through the use of digital signatures, prevents the senders from later
denying that they generated and sent the message.
B. Encryption may protect the data transmitted over the Internet, but may not prove that the
transactions were made.
C. Authentication is necessary to establish the identification of all parties to a communication.
D. Integrity ensures that transactions are accurate but does not provide the identification of the
customer
Which of the following BEST ensures the integrity of a server's operating system (OS)?
A. Protecting the server in a secure location
B. Setting a boot password
Correct C. Hardening the server configuration
D. Implementing activity logging - answer✔✔You are correct, the answer is C.
A. Protecting the server in a secure location is a good practice, but does not ensure that a user
will not try to exploit logical vulnerabilities and compromise the operating system (OS).
B. Setting a boot password is a good practice, but does not ensure that a user will not try to
exploit logical vulnerabilities and compromise the OS.
C. Hardening a system means to configure it in the most secure manner (install latest security
patches, properly define access authorization for users and administrators, disable insecure
options and uninstall unused services) to prevent nonprivileged users from gaining the right to
execute privileged instructions and, thus, take control of the entire machine, jeopardizing the
integrity of the OS.
D. Activity logging has two weaknesses in this scenario—it is a detective control (not a
preventive one), and the attacker who already gained privileged access can modify logs or
disable them.
The IS auditor is reviewing an organization's human resources (HR) database implementation.
The IS auditor discovers that the database servers are clustered for high availability, all default
database accounts have been removed and database audit logs are kept and reviewed on a weekly
basis. What other area should the IS auditor check to ensure that the databases are appropriately
secured?
A. Database digital signatures
Incorrect B. Database encryption nonces and other variables
C. Database media access control (MAC) address authentication
D. Database initialization parameters - answer✔✔You answered B. The correct answer is D.
A. Digital signatures are used for authentication and nonrepudiation, and are not commonly used
in databases. As a result, this is not an area in which the IS auditor should investigate.
B. A nonce is defined as a "parameter that changes over time" and is similar to a number
generated to authenticate one specific user session. Nonces are not related to database security
(they are commonly used in encryption schemes).
C. A media access control (MAC) address is the hardware address of a network interface. MAC
address authentication is sometimes used with wireless local area network (WLAN) technology,
but is not related to database security.
D. When a database is opened, many of its configuration options are governed by initialization
parameters. These parameters are usually governed by a file ("init.ora" in the case of Oracle
DBMS), which contains many settings. The system initialization parameters address many
"global" database settings, including authentication, remote access and other critical security
areas. To effectively audit a database implementation, the IS auditor must examine the database
initialization parameters.
Which of the following processes will be MOST effective in reducing the risk that unauthorized
software on a backup server is distributed to the production server?
A. Manually copy files to accomplish replication.
B. Review changes in the software version control system.
Incorrect C. Ensure that developers do not have access to the backup server.
D. Review the access control log of the backup server. - answer✔✔You answered C. The
correct answer is B.
A. Even if replication is be conducted manually with due care, there still remains a risk to
copying unauthorized software from one server to another.
B. It is common practice for software changes to be tracked and controlled using version control
software. An IS auditor should review reports or logs from this system to identify the software
that is promoted to production. Only moving the versions on the version control system (VCS)
program will prevent the transfer of development or earlier versions.
C. If unauthorized code was introduced onto the backup server by developers, controls on the
production server and the software version control system should mitigate this risk.
D. Review of the access log will identify staff access or the operations performed; however, it
may not provide enough information to detect the release of unauthorized software.
A consulting firm has created a File Transfer Protocol (FTP) site for the purpose of receiving
financial data and has communicated the site's address, user ID and password to the financial
services company in separate email messages. The company is to transmit its data to the FTP site
after manually encrypting the data. The IS auditor's GREATEST concern with this process is
that:
The benefits of buying summaries with Stuvia:
Guaranteed quality through customer reviews
Stuvia customers have reviewed more than 700,000 summaries. This how you know that you are buying the best documents.
Quick and easy check-out
You can quickly pay through credit card or Stuvia-credit for the summaries. There is no membership needed.
Focus on what matters
Your fellow students write the study notes themselves, which is why the documents are always reliable and up-to-date. This ensures you quickly get to the core!
Frequently asked questions
What do I get when I buy this document?
You get a PDF, available immediately after your purchase. The purchased document is accessible anytime, anywhere and indefinitely through your profile.
Satisfaction guarantee: how does it work?
Our satisfaction guarantee ensures that you always find a study document that suits you well. You fill out a form, and our customer service team takes care of the rest.
Who am I buying these notes from?
Stuvia is a marketplace, so you are not buying this document from us, but from seller Brightstars. Stuvia facilitates payment to the seller.
Will I be stuck with a subscription?
No, you only buy these notes for $12.49. You're not tied to anything after your purchase.
