Strayer CIS 349 Information Technology Audit and Control, Final Exam, for Auditing IT Infrastructures for Compliance.
Question 1: __________ are the components, including people, information, and conditions, that support business objectives.
Acceptable use policies
What is meant by business drivers?
The process of dividing roles and responsibilities so a single individual can’t undermine a critical process.
The components, including people, information, and conditions, that support business objectives.
Mechanisms that keep an undesired action from happening, such as locked doors or computer access controls.
Mechanisms that recognize when an undesired action has occurred, such as motion detectors or usage log analysis tools.
Which type of access control defines permissions based on roles, or groups, and allows object owners and administrators to grant access rights at their discretion?
Discretionary access control (DAC)
Mandatory access control (MAC)
Attribute-based access control (ABAC)
None of the above
Which law defines national standards for all consumer reports, including background checks?
Fair Credit Reporting Act
Health Insurance Portability and Accountability Act
An organization wants to determine how well it adheres to its security policy and determine if any “holes” exist. What type of analysis or assessment does it perform?
Business impact analysis
What is meant by availability?
A user who has complete control of an object, including the right to grant access to other users or groups.
The process of providing user credentials or claiming to be a specific user.
The assurance that information is available to authorized users in an acceptable time frame when the information is requested.
The ongoing attention and care an organization places on security and compliance.
___________ is the process of providing additional credentials that match the user ID or username.
There are two main approaches for authorizing users to access objects. One method uses _____________ which are lists of access permissions that define what each user or security group can do to each object.
access control lists
The following are LAN Domain controls except:
Backup and recovery plan
Software patch management
Which control is used in the LAN Domain to protect the confidentiality of data?
A proxy server
A security awareness program
Which of the following is not a step to ensuring only authorized users can see confidential data in the LAN Domain?
Identify confidential data.
Require positive identification for all access requests.
Password-protect all stored data.
Use encryption to transfer all confidential data.
Which of the following is not typically a LAN Domain component?
Cabling that connects computers to the internal network
Here is a common flow a penetration tester follows to develop attacks: This step collects as much information about the target environment as possible. At this stage, the attacker is collecting both technical and nontechnical information. Both types of information can help the attacker determine how the organization operates, where it operates, and which characteristics the organization and its customers value. This is:
Scanning and enumeration
Which LAN-to-WAN Domain control frequently samples network traffic flow metrics, allowing you to look for unusual activity?
Service exception auditing
Configuration change control
Operating system patching
A nonintrusive penetration test ____________.
validates the existence of a vulnerability
results in damage
is always performed by an internal employee
is always performed on test environments
The __________ is a generic description for how computers use seven layers of protocol rules to communicate across a network.
TCP/IP reference model
OSI reference model
Although __________ are not optimal for high bandwidth, large-volume network transfers, they work very well in most environments where you need to maintain connections between several other networks.
You have the least amount of control over who accesses data in the ______ Domain.
The Remote Access Domain server components also generally reside in the ___________ environment, even though they still belong to the Remote Access Domain.
You want to configure devices to send an alert to the network manager when remote users connect to your network. Which protocol is the best choice for monitoring network devices?
Secure Sockets Tunneling Protocol (SSTP)
Layer 2 Tunneling Protocol (L2TP)
Layer 2 Forwarding (L2F)
Simple Network Management Protocol (SNMP)
The most common control for protecting data privacy in untrusted environments is encryption. There are three main strategies for encrypting data to send to remote users. One strategy does not require any application intervention or changes at all. The connection with the remote user handles the encryption. The most common way to implement system connection encryption is by setting up a secure virtual private network (VPN). This is:
System connection encryption
Application connection encryption
Application data encryption
Application header encryption
Which plan would address steps to take when a water main break interrupts water flow to your main office?
Both A and B
Neither A nor B
Security controls in the System/Application Domain generally fall into several salient categories. One of these covers the need to create backup copies of data or other strategies to protect the organization from data or functionality loss. This is:
Limit access to data
Protect data from loss through redundancy
Configure the data
From the perspective of application architectures, which of the following is generally not considered a critical application resource?
What name is given to an IIA certification that tests audit knowledge unique to the public sector?
Certified Internal Auditor (CIA)
Common Body of Knowledge (CBK)
Ethics Working Group
Certified Government Auditing Professional (CGAP)