CISA Final Sprint Exam 6 (Word Format).docx

004. Java applets and ActiveX controls are distributed executable programs that execute in the background of a web browser client. This practice is considered reasonable when the source of the executable file is certain.

005. In large corporate networks having supply partners across the globe, network traffic may continue to rise. The infrastructure components in such environments should be scalable. The appliance firewall architecture limits future scalability.

006. Among transmission media, fiber-optic cables provide the best security against unauthorized access.

007. Reviewing the parameter settings is the best audit procedure to determine if a firewall is configured in compliance with an organization's security policy.

008. To determine how data are accessed across different platforms in a heterogeneous environment, an IS auditor should first review application services.

009. An organization has outsourced its help desk. The best indicator to include in the service level agreement (SLA): percentage of incidents solved in the first call.

010. A review of wide area network (WAN) usage discovers that traffic on one communication line between sites, synchronously linking the master and standby database, peaks at 96 percent of the line capacity. An IS auditor should conclude that analysis is required to determine if a pattern emerges that results in a service loss for a short period of time.

011. During the requirements definition phase for a database application, performance is listed as a top priority. To access the DBMS files, a storage area network (SAN) should be recommended for optimal I/O performance.

012. The best way to minimize the risk of communication failures in an e-commerce environment would be to use leased asynchronous transfer mode lines.

013. An IS auditor reviewing an organization's data file control procedures finds that transactions are applied to the most current files, while restart procedures use earlier versions. The IS auditor should recommend the implementation of versions usage control.

014. The purpose of code signing is to provide assurance that the software has not been subsequently modified.

015. An IS auditor analyzing the audit log of a database management system (DBMS) finds that some transactions were partially executed as a result of an error, and are not rolled back. In this case, atomicity has been violated.

016. Reverse proxy technology for web servers should be deployed if HTTP servers' addresses must be hidden.

017. The clustering technique best limits the impact of server failures in a distributed environment.

018. When reviewing a hardware maintenance program, an IS auditor should assess whether the program is validated against vendor specifications.

019. An IS auditor should recommend the use of library control software to provide reasonable assurance that program changes have been authorized.

020. When auditing a proxy-based firewall, an IS auditor should verify that the filters applied to services such as HTTP are effective.

021. Address Resolution Protocol (ARP) provides dynamic address mapping between an IP address and hardware address.

022. The primary objective of service-level management (SLM) is to define, agree, record and manage the required levels of service.

023. From an IS auditor's perspective, the primary objective of auditing the management of service providers should be to determine if the services that were requested were provided in a way that is acceptable, seamless and in line with contractual agreements.

024. IT best practices for the availability and continuity of IT services should provide reasonable assurance that agreed-upon obligations to customers can be met.

025. An organization has recently installed a security patch, which crashed the production server. To minimize the probability of this occurring again, an IS auditor should ensure that a good change management process is in place.

026. During maintenance of a relational database, several values of the foreign key in a transaction table of a relational database have been corrupted. The consequence is that the detail of involved transactions may no longer be associated with master data, causing errors when these transactions are processed.

027. In a relational database with referential integrity, the use of a foreign key would prevent deletion of a row from a customer table as long as the customer number of that row is stored with live orders on the orders table.

028. A postincident review examines both the cause and response to an incident. The lessons learned from the review can be used to improve internal controls. Understanding the purpose and structure of postincident reviews and follow-up procedures enables the information security manager to continuously improve the security program.

029. An IS auditor examining the configuration of an operating system to verify the controls should review the parameter settings.

030. The computer security incident response team (CSIRT) of an organization disseminates detailed descriptions of recent threats. An IS auditor's greatest concern should be that the users might use this information to launch attacks.

031. In order to ensure an adequate segregation of duties between IS and end users, the application owner should be responsible for authorizing access to data.

032. Accountability for the maintenance of appropriate security measures over information assets resides with the data and system owners.

033. The greatest risk when end users have access to a database at its system level, instead of through the application, is that the users can make unauthorized changes to the database directly, without an audit trail.

034. To determine who has been given permission to use a particular system resource, an IS auditor should review access control lists.

035. When granting temporary access to vendors, the most effective control: user accounts are created with expiration dates and are based on services provided.

036. During a logical access controls review, an IS auditor observes that user accounts are shared. The greatest risk resulting from this situation is that user accountability may not be established.

037. A two-factor user authentication: a smart card requiring the user's PIN.

038. Access control software is the most effective method of preventing unauthorized use of data files.

039. Logical access control is the primary safeguard for securing software and data within an information processing facility.

040. Providing an audit trail is a benefit of using a callback device.

041. When reviewing an organization's logical access security, an IS auditor should be most concerned that password files are not encrypted.

042. Passwords should be assigned by the security administrator for first-time logon.

043. Deletion of transaction data files should be a function of the application support team, not operations staff.

044. The most appropriate control to prevent unauthorized entry is to terminate the connection after a specified number of attempts.

045. An IS auditor conducting an access control review in a client-server environment discovers that all printing options are accessible by all users. In this situation, the IS auditor is most likely to conclude that exposure is greater, since information is available to unauthorized users.

046. Sign-on procedures include the creation of a unique user ID and password. However, an IS auditor discovers that, in many cases, the username and password are the same. The best control to mitigate this risk is to build in validations to prevent this during user creation and password change.

047. The primary objective of a logical control review is to ensure that access is granted per the organization's authorities.

048. Naming conventions for system resources are important for access control because they reduce the number of rules required to adequately protect resources.

049. Line grabbing will enable eavesdropping, thus allowing unauthorized data access.
