chapter-7

The document is a test bank containing multiple-choice and true/false questions related to security audits, controls, and policies. It includes questions on various topics such as security review processes, permission levels, audit purposes, and security monitoring tools, along with their answers and explanations. Additionally, it provides statistics on the number of questions, their categories, and difficulty levels.

Chapter 7 Test Bank

Multiple-Choice Questions

1. Ricky is reviewing security logs to independently assess security controls. Which
security review process is Ricky engaging in?

A. Monitor
B. Audit
C. Improve
D. Secure

Answer: B Reference: Security Controls Address Risk

Explanation: During the audit phase of a security review, professionals review the logs
and overall environment to provide independent analysis of how well the security policy
and controls work.

Type: Multiple Choice Difficulty: Medium Category: Understand

2. Christopher is designing a security policy for his organization. He would like to use an
approach that allows a reasonable list of activities but does not allow other activities.
Which permission level is he planning to use?

A. Promiscuous
B. Permissive
C. Prudent
D. Paranoid

Answer: C Reference: Permission Levels

Explanation: The prudent permission level allows a reasonable list of activities to take
place and prohibits all other activities. This permission level is suitable for most
businesses.

Type: Multiple Choice Difficulty: Medium Category: Apply

3. Jacob is conducting an audit of the security controls at an organization as an
independent reviewer. Which question would NOT be part of his audit?

A. Is the level of security control suitable for the risk it addresses?
B. Is the security control in the right place and working well?
C. Is the security control effective in addressing the risk it was designed to address?
D. Is the security control likely to become obsolete in the near future?

Answer: D Reference: Purpose of Audits

Explanation: The purpose of an audit is to check whether controls are appropriate,
installed correctly, and addressing their purpose. Audits do not attempt to determine
the expected lifetime of controls.

Type: Multiple Choice Difficulty: Hard Category: Understand

4. Which regulatory standard would NOT require audits of companies in the United
States?

A. Sarbanes-Oxley Act (SOX)
B. Personal Information Protection and Electronic Documents Act (PIPEDA)
C. Health Insurance Portability and Accountability Act (HIPAA)
D. Payment Card Industry Data Security Standard (PCI DSS)

Answer: B Reference: Purpose of Audits

Explanation: PIPEDA is a Canadian law and would not affect companies in the United
States.

Type: Multiple Choice Difficulty: Hard Category: Understand

5. Emily is the information security director for a large company that handles sensitive
personal information. She is hiring an auditor to conduct an assessment demonstrating
that her firm is satisfying requirements regarding customer private data. What type of
assessment should she request?

A. SOC 1
B. SOC 2
C. SOC 3
D. SOC 4

Answer: C Reference: Customer Confidence

Explanation: The SOC 3 report is commonly required for the customers of SOC 2 service
providers to verify and validate that the organization is satisfying customer private data
and compliance law requirements.

Type: Multiple Choice Difficulty: Hard Category: Understand

6. Which item is an auditor least likely to review during a system controls audit?

A. Resumes of system administrators
B. Incident records
C. Application logs
D. Penetration test results

Answer: A Reference: Defining the Scope of the Plan

Explanation: While auditors are entitled to review any documentation or records
relevant to the audit, they are much more likely to review logs, incident records, and
penetration test results than the resumes of system administrators.

Type: Multiple Choice Difficulty: Easy Category: Understand

7. What is a set of concepts and policies for managing IT infrastructure, development,
and operations?

A. ISO 27002
B. Control Objectives for Information and related Technology (COBIT)
C. IT Infrastructure Library (ITIL)
D. NIST Cybersecurity Framework (CSF)

Answer: C Reference: Auditing Benchmarks

Explanation: ITIL is a set of concepts and policies for managing IT infrastructure,
development, and operations. ITIL is published in a series of books, each covering a
separate IT management topic.

Type: Multiple Choice Difficulty: Easy Category: Remember

8. Which audit data collection method helps ensure that the information-gathering
process covers all relevant areas?

A. Checklist
B. Interviews
C. Questionnaires
D. Observation

Answer: A Reference: Audit Data Collection Methods

Explanation: Auditors use checklists to ensure that they have covered all of the relevant
information items during their data collection process.

Type: Multiple Choice Difficulty: Easy Category: Remember

9. Curtis is conducting an audit of an identity management system. Which question is
NOT likely to be in the scope of his audit?

A. Does the organization have an effective password policy?
B. Does the firewall properly block unsolicited network connection attempts?
C. Who grants approval for access requests?
D. Is the password policy uniformly enforced?

Answer: B Reference: Control Checks and Identity Management

Explanation: When auditing an identity management system, you should focus on three
key questions. First, who grants approval for access requests? Second, which
mechanisms are used for specific security requirements? Finally, does the organization
have an effective password policy and is it uniformly enforced? Firewalls are not
generally in scope for an identity management system audit.

Type: Multiple Choice Difficulty: Medium Category: Analyze

10. What information should an auditor share with the client during an exit interview?

A. Draft copy of the audit report
B. Final copy of the audit report
C. Details on major issues
D. The auditor should not share any information with the client at this phase

Answer: C Reference: Exit Interview

Explanation: During the exit interview, the auditor should alert key personnel of major
issues and recommendations that will come later in the audit report. This enables
management to respond quickly and act on serious issues. Aside from these early alerts,
auditors should not provide details before the final report.

Type: Multiple Choice Difficulty: Medium Category: Apply

11. What is NOT generally a section in an audit report?

A. Findings
B. System configurations
C. Recommendations
D. Timeline for Implementation

Answer: B Reference: Generation of Audit Report

Explanation: The audit report generally contains these broad sections: findings,
recommendations, timeline for implementation, level of risk, management response,
and follow-up.

Type: Multiple Choice Difficulty: Easy Category: Understand

12. What type of security monitoring tool would be most likely to identify an
unauthorized change to a computer system?

A. Network IDS
B. System integrity monitoring
C. CCTV
D. Data loss prevention

Answer: B Reference: Security Monitoring for Computer Systems

Explanation: System integrity monitoring tools, such as Tripwire, enable you to watch
computer systems for unauthorized changes and report them to administrators in near
real time.

Type: Multiple Choice Difficulty: Medium Category: Apply

13. Gina is preparing to monitor network activity using packet sniffing. Which technology
is most likely to interfere with this effort if used on the network?

A. Transmission Control Protocol/Internet Protocol (TCP/IP)
B. Secure Sockets Layer (SSL)
C. Domain Name System (DNS)
D. Dynamic Host Configuration Protocol (DHCP)

Answer: B Reference: Monitoring Issues

Explanation: SSL is an application-level encryption technology that may interfere with
network monitoring by obscuring the contents of communications.

Type: Multiple Choice Difficulty: Medium Category: Apply

14. Anthony is responsible for tuning his organization's intrusion detection system. He
notices that the system reports an intrusion alert each time that an administrator
connects to a server using Secure Shell (SSH). What type of error is occurring?

A. Remote administration error
B. False positive error
C. Clipping error
D. False negative error

Answer: B Reference: Logging Anomalies

Explanation: A false positive error occurs when a system indicates malicious activity but
it is not a real security event. False alarms are distractions that waste administrative
effort.

Type: Multiple Choice Difficulty: Medium Category: Analyze

15. Isaac is responsible for performing log reviews for his organization in an attempt to
identify security issues. He has a massive amount of data to review. What type of tool
would best assist him with this work?

A. Security information and event management (SIEM)
B. Intrusion prevention system (IPS)
C. Data loss prevention (DLP)
D. Virtual private network (VPN)

Answer: A Reference: Types of Log Information to Capture

Explanation: SIEM systems help organizations manage the explosive growth of log files.
SIEMs provide a platform to capture and analyze logs from many different sources.

Type: Multiple Choice Difficulty: Medium Category: Apply

16. Which intrusion detection system strategy relies upon pattern matching?

A. Behavior detection
B. Traffic-based detection
C. Statistical detection
D. Signature detection

Answer: D Reference: Analysis Methods

Explanation: Signature detection systems use rule-based detection and rely upon pattern
matching to compare current traffic with activity patterns of known network attacks.

Type: Multiple Choice Difficulty: Easy Category: Understand

17. Which security testing activity uses tools that scan for services running on systems?

A. Reconnaissance
B. Penetration testing
C. Network mapping
D. Vulnerability testing

Answer: C Reference: A Testing Road Map

Explanation: Network mapping uses software tools that scan for services running on an
organization's systems and networks.

Type: Multiple Choice Difficulty: Medium Category: Understand

18. Fran is conducting a security test of a new application. She does not have any access
to the source code or other details of the application she is testing. What type of test is
Fran conducting?

A. Black-box test
B. White-box test
C. Grey-box test
D. Blue-box test

Answer: A Reference: Testing Methods

Explanation: In a black-box test, the assessor uses test methods that aren't directly
based on knowledge of a program's architecture or design. The tester does not have the
source code.

Type: Multiple Choice Difficulty: Medium Category: Understand

19. When should an organization's managers have an opportunity to respond to the
findings in an audit?

A. Managers should write a report after receiving the final audit report.
B. Managers should include their responses to the draft audit report in the final audit
report.
C. Managers should not have an opportunity to respond to audit findings.
D. Managers should write a letter to the Board following receipt of the audit report.

Answer: B Reference: Generation of Audit Report

Explanation: Managers should review the draft audit report and have an opportunity to
provide a management response to each finding that will be included in the final copy of
the audit report.

Type: Multiple Choice Difficulty: Medium Category: Understand

20. Which activity is an auditor least likely to conduct during the information-gathering
phase of an audit?

A. Vulnerability testing
B. Report writing
C. Penetration testing
D. Configuration review

Answer: B Reference: Audit Data Collection Methods

Explanation: Auditors do not write reports during the information-gathering phase of an
audit. Instead, they collect information through interviews, configuration reviews,
penetration tests, vulnerability tests, and other techniques.

Type: Multiple Choice Difficulty: Medium Category: Understand

True/False Questions

1. Many jurisdictions require audits by law.

A. True
B. False

Answer: A Reference: Purpose of Audits

Explanation:

Type: True/False

2. An SOC 1 report primarily focuses on security.

A. True
B. False

Answer: B Reference: Customer Confidence

Explanation: An SOC 1 report primarily focuses on internal controls over financial
reporting.

Type: True/False

3. An SOC 1 report is commonly implemented for organizations that must comply with
Sarbanes-Oxley (SOX) or the Gramm-Leach-Bliley Act (GLBA).

A. True
B. False

Answer: A Reference: Customer Confidence

Explanation:

Type: True/False

4. An auditing benchmark is the standard by which a system is compared to determine
whether it is securely configured.

A. True
B. False

Answer: A Reference: Auditing Benchmark

Explanation:

Type: True/False

5. During an audit, an auditor compares the current setting of a computer or device with
a benchmark to help identify differences.

A. True
B. False

Answer: A Reference: Auditing Benchmarks

Explanation:

Type: True/False

6. After audit activities are completed, auditors perform data analysis.

A. True
B. False

Answer: A Reference: Post-Audit Activities

Explanation:

Type: True/False

7. During the secure phase of a security review, you review and measure all controls to
capture actions and changes on the system.

A. True
B. False

Answer: B Reference: Security Controls Address Risk

Explanation: During the monitor phase, you review and measure all controls to capture
actions and changes on the system. In the secure phase, you ensure that new, and
existing, controls work together to protect the intended level of security.

Type: True/False

8. Regarding security controls, the four most common permission levels are poor,
permissive, prudent, and paranoid.

A. True
B. False

Answer: B Reference: Permission Levels

Explanation: The four most common permission levels are promiscuous, permissive,
prudent, and paranoid.

Type: True/False

9. SOC 2 reports are created for internal and other authorized stakeholders and are
commonly implemented for service providers, hosted data centers, and managed cloud
computing providers.

A. True
B. False

Answer: A Reference: Customer Confidence

Explanation:

Type: True/False

10. During the planning and execution phases of an audit, an auditor will most likely
review risk analysis output.

A. True
B. False

Answer: A Reference: Defining the Scope of the Plan

Explanation:

Type: True/False

11. Committee of Sponsoring Organizations (COSO) is a set of best practices for IT
management.

A. True
B. False

Answer: B Reference: Auditing Benchmarks

Explanation: COSO is a volunteer-run organization that gives guidance to executive
management and governance entities on critical aspects of organizational governance,
business ethics, internal control, enterprise risk management, fraud, and financial
reporting. Control Objectives for Information and related Technology (COBIT) is a set of
best practices for IT management.

Type: True/False

12. Performing security testing includes vulnerability testing and penetration testing.

A. True
B. False

Answer: A Reference: Audit Data Collection Methods

Explanation:

Type: True/False

13. In security testing data collection, observation is the input used to differentiate
between paper procedures and the way the job is really done.

A. True
B. False

Answer: A Reference: Audit Data Collection Methods

Explanation:

Type: True/False

14. A report indicating that a system's disk is 80 percent full is a good indication that
something is wrong with that system.

A. True
B. False

Answer: B Reference: Security Monitoring

Explanation: A report indicating that a system's disk is 80 percent full is not necessarily
an indication that something is wrong with that system. You need to know what normal
looks like on that system by establishing a baseline, so you know when something is
wrong.

Type: True/False

15. Data loss prevention (DLP) uses business rules to classify sensitive information to
prevent unauthorized end users from sharing it.

A. True
B. False

Answer: A Reference: Security Monitoring for Computer Systems

Explanation:

Type: True/False

16. Regarding log monitoring, false negatives are alerts that seem malicious but are not
real security events.

A. True
B. False

Answer: B Reference: Logging Anomalies

Explanation: False positives are alerts that seem malicious but are not real security
events. False negatives are the failure of the alarm system to detect a serious event.

Type: True/False

17. The four main types of logs that you need to keep to support security auditing
include event, access, user, and security.

A. True
B. False

Answer: B Reference: Types of Log Information to Capture

Explanation: The four main types of logs that you need to keep to support security
auditing include event, access, security, and audit.

Type: True/False

18. Anomaly-based intrusion detection systems compare current activity with stored
profiles of normal (expected) activity.

A. True
B. False

Answer: A Reference: Analysis Methods

Explanation:

Type: True/False

19. In security testing, reconnaissance involves reviewing a system to learn as much as
possible about the organization, its systems, and its networks.

A. True
B. False

Answer: A Reference: A Testing Road Map

Explanation:

Type: True/False

20. Regarding an intrusion detection system (IDS), stateful matching looks for specific
sequences appearing across several packets in a traffic stream rather than just in
individual packets.

A. True
B. False

Answer: A Reference: Analysis Methods

Explanation:

Type: True/False

True/False Question Stats

Total True/False Questions: 20

Multiple-Choice Question Stats

Total Multiple-Choice Questions: 20

Category Stats

Analyze: 2
Apply: 5
Evaluate: 0
Remember: 2
Understand: 11

Difficulty Stats

Easy: 5
Medium: 12
Hard: 3

Total Questions in Test Bank: 40
