CIS 349 Final Exam

Strayer CIS 349 Information Technology Audit and Control, Final Exam, for Auditing IT Infrastructures for Compliance.
Question 1
__________ are the components, including people, information, and conditions, that support business objectives.
Acceptable use policies
Corrective controls
Business drivers
Security policies

Question 2
What is meant by business drivers?
The process of dividing roles and responsibilities so a single individual can’t undermine a critical process.
The components, including people, information, and conditions, that support business objectives.
Mechanisms that keep an undesired action from happening, such as locked doors or computer access controls.
Mechanisms that recognize when an undesired action has occurred, such as motion detectors or usage log analysis tools.


Question 3
Which type of access control defines permissions based on roles, or groups, and allows object owners and administrators to grant access rights at their discretion?
Discretionary access control (DAC)
Mandatory access control (MAC)
Attribute-based access control (ABAC)
None of the above

Question 4
Which law defines national standards for all consumer reports, including background checks?
Sarbanes-Oxley Act
Fair Credit Reporting Act
Health Insurance Portability and Accountability Act
Gramm-Leach-Bliley Act

Question 5
An organization wants to determine how well it adheres to its security policy and determine if any “holes” exist. What type of analysis or assessment does it perform?
Gap analysis
Business impact analysis
Risk assessment
Vulnerability assessment

Question 6
What is meant by availability?
A user who has complete control of an object, including the right to grant access to other users or groups.
The process of providing user credentials or claiming to be a specific user.
The assurance that information is available to authorized users in an acceptable time frame when the information is requested.
The ongoing attention and care an organization places on security and compliance.

Question 7
___________ is the process of providing additional credentials that match the user ID or username.

Question 8
There are two main approaches for authorizing users to access objects. One method uses _____________ which are lists of access permissions that define what each user or security group can do to each object.
access permissions
security classifications
access control lists

Question 9
The following are LAN Domain controls except:
Backup and recovery plan
VPN encryption
Anti-malware software
Software patch management

Question 10
Which control is used in the LAN Domain to protect the confidentiality of data?
A proxy server
A security awareness program
Wireless connections

Question 11
Which of the following is not a step to ensuring only authorized users can see confidential data in the LAN Domain?
Identify confidential data.
Require positive identification for all access requests.
Password-protect all stored data.
Use encryption to transfer all confidential data.

Question 12
Which of the following is not typically a LAN Domain component?
Cabling that connects computers to the internal network
Proxy server
File server

Question 13
Here is a common flow a penetration tester follows to develop attacks: This step collects as much information about the target environment as possible. At this stage, the attacker is collecting both technical and nontechnical information. Both types of information can help the attacker determine how the organization operates, where it operates, and which characteristics the organization and its customers value. This is:
Scanning and enumeration
Vulnerability identification

Question 14
Which LAN-to-WAN Domain control frequently samples network traffic flow metrics, allowing you to look for unusual activity?
Service exception auditing
Performance monitoring
Configuration change control
Operating system patching

Question 15
A nonintrusive penetration test ____________.
validates the existence of a vulnerability
results in damage
is always performed by an internal employee
is always performed on test environments

Question 16
The __________ is a generic description for how computers use seven layers of protocol rules to communicate across a network.
LAN-to-WAN domain
secure VPN
TCP/IP reference model
OSI reference model

Question 17
Although __________ are not optimal for high bandwidth, large-volume network transfers, they work very well in most environments where you need to maintain connections between several other networks.
MPLS networks
Metro Ethernets
dedicated lines

Question 18
You have the least amount of control over who accesses data in the ______ Domain.

Question 19
The Remote Access Domain server components also generally reside in the ___________ environment, even though they still belong to the Remote Access Domain.
WAN Domain
LAN Domain
LAN-to-WAN Domain
Workstation Domain

Question 20
You want to configure devices to send an alert to the network manager when remote users connect to your network. Which protocol is the best choice for monitoring network devices?
Secure Sockets Tunneling Protocol (SSTP)
Layer 2 Tunneling Protocol (L2TP)
Layer 2 Forwarding (L2F)
Simple Network Management Protocol (SNMP)

Question 21
The most common control for protecting data privacy in untrusted environments is encryption. There are three main strategies for encrypting data to send to remote users. One strategy does not require any application intervention or changes at all. The connection with the remote user handles the encryption. The most common way to implement system connection encryption is by setting up a secure virtual private network (VPN). This is:
System connection encryption
Application connection encryption
Application data encryption
Application header encryption

Question 22
Which plan would address steps to take when a water main break interrupts water flow to your main office?
Both A and B
Neither A nor B

Question 23
Security controls in the System/Application Domain generally fall into several salient categories. Which category covers the need to create backup copies of data or other strategies to protect the organization from data or functionality loss?
Limit access to data
Protect data from loss through redundancy
Isolate data
Configure the data

Question 24
From the perspective of application architectures, which of the following is generally not considered a critical application resource?
Data storage
Data access
Cloud computing
Business logic

Question 25
What name is given to an IIA certification that tests audit knowledge unique to the public sector?
Certified Internal Auditor (CIA)
Common Body of Knowledge (CBK)
Ethics Working Group
Certified Government Auditing Professional (CGAP)