Chapter 1 - Organizational Policy

1. A good manager will know the types and forms of information generated and how the information is used by the business before planning how to manage it. (T/F) (p. 7)

2. In designing and implementing risk-management procedures and controls, the manager is not responsible for: (p. 7)
  - Identifying the risks and evaluating the risks
  - Installing appropriate controls
  - Designing the security hardware and software
  - Preparing a contingency plan and continually monitoring the controls against the plan

3. An optional security policy that defines the limits of acceptable behavior should include: (p. 9)
  - No playing unauthorized games on the corporate computers
  - No visiting adult web sites
  - No use of pirated software
  - All of the above

4. The responsibility of the risk manager does not include: (p. 7)
  - Identifying the risk
  - Evaluating the risk
  - Security guards
  - Installing appropriate controls

5. Not every organization needs to define security policies and acceptable behavior. (T/F) (p. 9)

6. Proper security safeguards include all except: (p. 11)
  - Turning over employees to prevent over-familiarization
  - Revoking passwords as soon as an employee is terminated
  - Using lists of authorized personnel to control entry into the system
  - Constantly monitoring logs generated by the computer system

7. A security policy includes: (p. 9)
  - No playing computer games on corporate computers
  - No visiting adult web sites
  - Prohibiting taking copies of corporate electronic documents out of the office
  - All of the above

8. For a security policy to succeed, it is not necessary for all individuals or departments to participate. (T/F) (p. 11)

Chapter 2 - Physical Security and Data Preservation

9. The first line of defense for a computer system is to protect it physically: the plant, the equipment, and the personnel. (T/F) (p. 13)

10. Safeguards that help protect computer facilities from accidents and disasters like floods and fire include all except: (p. 14)
  - Adequate lighting for safe evacuation
  - Open windows for ventilation
  - Fireproof containers to protect media (disks, tapes)
  - User manuals for equipment and software for proper operation

11. Maintenance and preventive care logs should not contain: (p. 16)
  - Type of equipment serviced
  - Date of service
  - Controlling access to the equipment
  - Service performed and results of diagnostic tests

12. Computer facilities are rarely susceptible to damage from environmental factors. (T/F) (p. 15)

13. Computer facilities are susceptible to damage from a variety of environmental factors except: (p. 15)
  - Heat
  - Water
  - Air conditioning
  - Humidity

14. Simple precautions to minimize static electricity do not include: (p. 17)
  - Using shag carpeting on the floors
  - Using anti-static sprays
  - Grounding computer equipment
  - Using anti-static floor and table mats

15. Data that is no longer needed must be destroyed. (T/F) (p. 18)

16. Computer and terminal controls should include the: (p. 20)
  - Manufacturer's name
  - Automatic shut-off, call-back, and time locks
  - Model number of the hardware
  - Date of purchase and date that the warranty expires

17. Special fasteners and cover locks can be used to protect RAM chips and internal components in all of the following ways except: (p. 24)
  - Locking the computer
  - Blocking access to the disk drive
  - Blocking access to the mouse
  - Blocking access to the CD-ROM

Chapter 3 - Hardware Security

18. Software security depends on hardware security. (T/F) (p. 30)

19. Which of the following is not one of the most common hardware problems? (p. 30)
  - Equipment can be stolen or replaced
  - Security can be circumvented
  - Having a key- or password-protected configuration set up
  - Systems can be booted by unauthorized users

20. Data integrity can be ensured by: (p. 32)
  - Human error
  - Backing up data regularly
  - Software bugs or viruses
  - Natural disasters, fires and floods

21. Data integrity is as important to protect as the actual hardware. (T/F) (p. 32)

22. According to computer crime surveys, the biggest dollar loss occurs through: (p. 31)
  - Denial of service
  - Sabotage
  - Unauthorized insider access
  - System penetration

23. Major computer vendors offering security products to safeguard user hardware and software are: (p. 37)
  - Smart cards, preset locks
  - IBM, HP, DELL
  - Firewalls, anti-virus software
  - All of the above

24. Major vendors offer the following security features except: (p. 37)
  - Smart Card Security Kits (IBM)
  - Hard drive password feature (DELL)
  - Fingerprint identification technology (COMPAQ)
  - Centralized management of hardware

25. Banks use smart card systems for computer security because they are not vulnerable to high-risk attacks. (T/F) (p. 40)

26. Smart card vulnerabilities do not include: (p. 40)
  - Attacks by the cardholder against the terminal
  - Attacks by the cardholder against the data owner
  - Attacks against single sign-on employees
  - Attacks by cardholders against the software manufacturers

27. A biometric product that is created from the sound waves generated by an individual speaking a given phrase or password is a: (p. 44)
  - Handwritten acoustic emission
  - Palm print
  - Voice print
  - Iris

Chapter 4 - Software Security

28. A computer virus is a clinically injected organism into a computer system. (T/F) (p. 60)

29. A program that replicates itself but does not infect other programs is a: (p. 60)
  - Trojan horse
  - Worm
  - Dropper
  - Bomb

30. Viruses remain free to spread into other programs because most common viruses give off no symptoms of their infection. (T/F) (p. 61)

31. The top information security products and services now in use do not include: (p. 59)
  - Virus protection
  - Backup storage
  - Access controls
  - Electrical avoidance shockers

32. Which of the following is not a type of virus? (p. 61)
  - Boot sector viruses
  - File infectors or parasitic viruses
  - Animal viruses
  - Macro viruses

33. Firewalls do not: (p. 65)
  - Protect against malicious insiders
  - Protect against unauthorized entry from outside and inside
  - Protect against completely new threats
  - Protect against viruses

34. A system that enforces an access control policy between two networks is a: (p. 65)
  - Web shield
  - Firewall
  - Net shield
  - Group shield

35. Encryption is the transmission of data into secret code. (T/F) (p. 71)

36. Which one of the following is not a practical application of Secure Sockets Layer (SSL)? (p. 80)
  - Client/server systems: securing database access
  - Financial: developing remote banking programs
  - Information systems: creating remote access and administration applications
  - Underwater activities: controlling water pressure

Chapter 5 - Personnel Security

37. It is not necessary to screen or pre-screen potential employees because their resumes guarantee their qualifications and honesty. (T/F) (p. 91)

38. When checking and screening pre-employment backgrounds, you do not have to check: (p. 92)
  - Applicants' previous addresses and employers
  - Professional and bank references
  - Applicant's acquaintances and relatives
  - Credit history

39. Companies should insist that new employees in sensitive jobs sign employment agreements with non-disclosure provisions. (T/F) (p. 93)

40. Formal performance evaluations should be used to routinely assess employees' performance and skill level. (T/F) (p. 94)

41. Effective performance appraisals will not detect: (p. 94)
  - Low quality or low production output
  - Complaints
  - Late arrivals
  - Warranted overtime

42. When training new employees, which one of the following should not be addressed? (p. 95)
  - What data can be used for personal use
  - The organization's data backup policy
  - The type of data that should be encrypted
  - How data encryption keys are managed

43. Terminated employees can cause considerable damage in all of the following ways except: (p. 95)
  - Intentionally inputting erroneous data
  - Erasing data files and destroying backups
  - Terminating access prior to informing an employee of termination
  - Making copies of data for personal use or for competitors

Chapter 6 - Network Security

44. An attacker that is able to read or copy confidential information has: (p. 97)
  - Denial of service
  - Write access
  - Read access
  - None of the above

45. Most local area network or communication software packages contain encryption and security features. (T/F) (p. 96)

46. It is important to realize that simply keeping the telephone number secret is sufficient. (T/F) (p. 98)

47. Which of the following is not a tool used to implement the security plan? (p. 97)
  - Encryption tools
  - Route filtering
  - Firewalls
  - PowerPoint

48. A saboteur's tools do not include: (p. 100)
  - Piggybacking
  - Geographic dispersion
  - Data manipulation
  - Viruses

49. Which one of the following is not a common type of network topology? (p. 103)
  - Hierarchical topology (tree structure)
  - Horizontal topology (or bus topology)
  - Physical topology (surface elevations)
  - Star topology (data communication)

50. Risks related to software bugs cannot easily be reduced by: (p. 116)
  - Keeping up to date on software fix patches
  - Using products that have been around a while
  - Using well-known brand name products
  - Allowing services for unauthorized internet users

Chapter 7 - Security Policy

51. In formulating a policy, you must first ask yourself the following questions except: (p. 125)
  - What resources need to be protected?
  - Against whom must we protect our system?
  - Why not accept lack of protection and losses as part of doing business?
  - How much can we spend to protect the system?

52. Computer security risk analysis and management does not involve: (p. 128)
  - Destruction of data or equipment
  - Security risk of the system but not reliability of the system
  - Theft of data or equipment
  - Malfunction of equipment or bugs in the software

53. Which of the following is not an example of a human factor threat? (p. 129)
  - Personnel incompetence
  - Indifference
  - Negligence
  - Distrusting others, not sharing

54. An account administrator is not intended to ensure that: (p. 131)
  - The user is authorized
  - The user has access privileges appropriate to the job
  - The user is threatened against illegal usage of the system
  - The user is not engaged in unauthorized activities

55. Disruptions in computer processing can be classified as all except: (p. 135)
  - Malfunction: minor disruption that affects hardware
  - Malfunction: disruption that affects software or data files
  - Disaster: disruption to the entire facility
  - Unknown risks

56. Specialists inside and outside organizations who cannot suggest improvements and modifications in contingency planning are: (p. 137)
  - Professional hackers
  - Internal auditors
  - Finance and accounting departments
  - Security department

57. Which of the following is not a part of contingency plans? (p. 139)
  - Documents and records likely to be needed first
  - Where vital records are stored
  - On-site storage of back-up records
  - Equipment and other resources that might be needed for recovery

58. Systems and program documentation that should be backed up do not include: (p. 144)
  - Source code for programs
  - DSL telecommunication system
  - Flow charts
  - Program logic descriptions

59. Fire damage can be reduced by: (p. 145)
  - Storage safes
  - Smoke and ionization systems
  - Chemical extinguishing systems, automatic sprinklers
  - All of the above

Chapter 8 - Contingency Planning

Chapter 9 - Auditing and Legal Issues

60. Security auditing by Information Technology (IT) auditors and financial auditors can enhance audit efficiency by all except: (p. 152)
  - Specialized computer audit techniques
  - Use of technical tools and expertise
  - Use of manual controls
  - Evaluating the adequacy and effectiveness of the central system

61. IT auditors typically do not review the following: (p. 153)
  - System development standards
  - Size of building
  - Library control procedures
  - Network system and contingency plans

62. Which one of the following is not a control technique at the environmental level? (p. 156)
  - Quality assurance review of vendor software
  - Segregation of duties
  - Ensuring that software is virus free
  - Recommending hardware and software products

63. Basic EDI security risks do not encompass: (p. 158)
  - Access violations
  - Communication enhancement
  - Message modifications
  - Interruptions or delays

Chapter 10 - Computer Crime, Cyber Fraud, and Recent Trends

64. Penalties for violation of the U.S. Computer Fraud and Abuse Act include: (p. 162)
  - 1 to 5 years in prison for a first offence
  - 10 years for a second offence
  - 20 years for three or more offences
  - All of the above

65. Which one of the following is not included in the Association of Information Technology Professionals (AITP) definition of computer crime? (p. 162)
  - Unauthorized modification of software, data, or network resources
  - Unauthorized distribution of freeware software
  - Unauthorized copying of software
  - Unauthorized release of information

66. Hacking is the obsessive use of computers, or the unauthorized access and use of networked computer systems. Which of the following is not considered a hacker? (p. 163)
  - Outsiders who use the Internet to damage data
  - Company employees who use the Internet to steal data and programs
  - Company employees who use the Internet to damage data
  - Outsiders who use the Internet to view a company's website

67. Many computer crimes involve the theft of money. In the majority of cases, they are: (p. 163)
  - "Inside jobs" that involve authorized network entry and fraudulent alteration of computer databases to cover the tracks of the employees involved
  - "Outside jobs" that involve authorized network entry and fraudulent alteration of computer databases to cover the tracks of the employees involved
  - "Inside jobs" that involve unauthorized network entry and fraudulent alteration of computer databases to cover the tracks of the employees involved
  - "Outside jobs" that involve unauthorized network entry and fraudulent alteration of computer databases to cover the tracks of the employees involved

68. Which one of the following would not be considered a way that a computer virus can enter a computer system? (p. 163)
  - E-mail and file attachments
  - Borrowed copies of software
  - Downloaded copies of shareware
  - Running antivirus programs

69. The unauthorized use of private and confidential personal information has seriously damaged the privacy of individuals. Which of the following is an example of using the Internet to violate a person's privacy? (p. 164)
  - Accessing individuals' private e-mail conversations and computer records, and collecting and sharing information about individuals gained from their visits to Internet websites and newsgroups.
  - Always knowing where a person is, especially as mobile and paging services become more closely associated with people rather than places.
  - Using customer information gained from many sources to market additional business services.
  - Collecting telephone numbers, e-mail addresses, credit card numbers, and other personal information to build individual customer profiles.

70. Individuals have been mistakenly arrested and jailed, and people have been denied credit because of their physical profiles. These are examples of: (p. 164)
  - Computer profiling and computer matching
  - Computer libel
  - Censorship
  - Privacy