CISA Practice Questions – information systems auditing concepts, cybersecurity, and
certification exam revision material
In a public key infrastructure (PKI), which of the following may be relied upon to prove that an
online transaction was authorized by a specific customer?
Correct A. Nonrepudiation
B. Encryption
C. Authentication
D. Integrity
. - correct answer ✔✔You are correct, the answer is A.
A. Nonrepudiation, achieved through the use of digital signatures, prevents the senders from
later denying that they generated and sent the message.
B. Encryption may protect the data transmitted over the Internet, but may not prove that the
transactions were made.
C. Authentication is necessary to establish the identification of all parties to a communication.
D. Integrity ensures that transactions are accurate but does not provide the identification of the
customer
,Which of the following BEST ensures the integrity of a server's operating system (OS)?
A. Protecting the server in a secure location
B. Setting a boot password
Correct C. Hardening the server configuration
D. Implementing activity logging - correct answer ✔✔You are correct, the answer is C.
A. Protecting the server in a secure location is a good practice, but does not ensure that a user
will not try to exploit logical vulnerabilities and compromise the operating system (OS).
B. Setting a boot password is a good practice, but does not ensure that a user will not try to
exploit logical vulnerabilities and compromise the OS.
C. Hardening a system means to configure it in the most secure manner (install latest security
patches, properly define access authorization for users and administrators, disable insecure
options and uninstall unused services) to prevent nonprivileged users from gaining the right to
execute privileged instructions and, thus, take control of the entire machine, jeopardizing the
integrity of the OS.
D. Activity logging has two weaknesses in this scenario—it is a detective control (not a
preventive one), and the attacker who already gained privileged access can modify logs or
disable them.
The IS auditor is reviewing an organization's human resources (HR) database implementation.
The IS auditor discovers that the database servers are clustered for high availability, all default
,database accounts have been removed and database audit logs are kept and reviewed on a
weekly basis. What other area should the IS auditor check to ensure that the databases are
appropriately secured?
A. Database digital signatures
Incorrect B. Database encryption nonces and other variables
C. Database media access control (MAC) address authentication
D. Database initialization parameters - correct answer ✔✔You answered B. The correct answer
is D.
A. Digital signatures are used for authentication and nonrepudiation, and are not commonly
used in databases. As a result, this is not an area in which the IS auditor should investigate.
B. A nonce is defined as a "parameter that changes over time" and is similar to a number
generated to authenticate one specific user session. Nonces are not related to database security
(they are commonly used in encryption schemes).
C. A media access control (MAC) address is the hardware address of a network interface. MAC
address authentication is sometimes used with wireless local area network (WLAN) technology,
but is not related to database security.
D. When a database is opened, many of its configuration options are governed by initialization
parameters. These parameters are usually governed by a file ("init.ora" in the case of Oracle
DBMS), which contains many settings. The system initialization parameters address many
"global" database settings, including authentication, remote access and other critical security
, areas. To effectively audit a database implementation, the IS auditor must examine the database
initialization parameters.
Which of the following processes will be MOST effective in reducing the risk that unauthorized
software on a backup server is distributed to the production server?
A. Manually copy files to accomplish replication.
B. Review changes in the software version control system.
Incorrect C. Ensure that developers do not have access to the backup server.
D. Review the access control log of the backup server. - correct answer ✔✔You answered C. The
correct answer is B.
A. Even if replication is be conducted manually with due care, there still remains a risk to
copying unauthorized software from one server to another.
B. It is common practice for software changes to be tracked and controlled using version control
software. An IS auditor should review reports or logs from this system to identify the software
that is promoted to production. Only moving the versions on the version control system (VCS)
program will prevent the transfer of development or earlier versions.
C. If unauthorized code was introduced onto the backup server by developers, controls on the
production server and the software version control system should mitigate this risk.
D. Review of the access log will identify staff access or the operations performed; however, it
may not provide enough information to detect the release of unauthorized software.
certification exam revision material
In a public key infrastructure (PKI), which of the following may be relied upon to prove that an
online transaction was authorized by a specific customer?
Correct A. Nonrepudiation
B. Encryption
C. Authentication
D. Integrity
. - correct answer ✔✔You are correct, the answer is A.
A. Nonrepudiation, achieved through the use of digital signatures, prevents the senders from
later denying that they generated and sent the message.
B. Encryption may protect the data transmitted over the Internet, but may not prove that the
transactions were made.
C. Authentication is necessary to establish the identification of all parties to a communication.
D. Integrity ensures that transactions are accurate but does not provide the identification of the
customer
,Which of the following BEST ensures the integrity of a server's operating system (OS)?
A. Protecting the server in a secure location
B. Setting a boot password
Correct C. Hardening the server configuration
D. Implementing activity logging - correct answer ✔✔You are correct, the answer is C.
A. Protecting the server in a secure location is a good practice, but does not ensure that a user
will not try to exploit logical vulnerabilities and compromise the operating system (OS).
B. Setting a boot password is a good practice, but does not ensure that a user will not try to
exploit logical vulnerabilities and compromise the OS.
C. Hardening a system means to configure it in the most secure manner (install latest security
patches, properly define access authorization for users and administrators, disable insecure
options and uninstall unused services) to prevent nonprivileged users from gaining the right to
execute privileged instructions and, thus, take control of the entire machine, jeopardizing the
integrity of the OS.
D. Activity logging has two weaknesses in this scenario—it is a detective control (not a
preventive one), and the attacker who already gained privileged access can modify logs or
disable them.
The IS auditor is reviewing an organization's human resources (HR) database implementation.
The IS auditor discovers that the database servers are clustered for high availability, all default
,database accounts have been removed and database audit logs are kept and reviewed on a
weekly basis. What other area should the IS auditor check to ensure that the databases are
appropriately secured?
A. Database digital signatures
Incorrect B. Database encryption nonces and other variables
C. Database media access control (MAC) address authentication
D. Database initialization parameters - correct answer ✔✔You answered B. The correct answer
is D.
A. Digital signatures are used for authentication and nonrepudiation, and are not commonly
used in databases. As a result, this is not an area in which the IS auditor should investigate.
B. A nonce is defined as a "parameter that changes over time" and is similar to a number
generated to authenticate one specific user session. Nonces are not related to database security
(they are commonly used in encryption schemes).
C. A media access control (MAC) address is the hardware address of a network interface. MAC
address authentication is sometimes used with wireless local area network (WLAN) technology,
but is not related to database security.
D. When a database is opened, many of its configuration options are governed by initialization
parameters. These parameters are usually governed by a file ("init.ora" in the case of Oracle
DBMS), which contains many settings. The system initialization parameters address many
"global" database settings, including authentication, remote access and other critical security
, areas. To effectively audit a database implementation, the IS auditor must examine the database
initialization parameters.
Which of the following processes will be MOST effective in reducing the risk that unauthorized
software on a backup server is distributed to the production server?
A. Manually copy files to accomplish replication.
B. Review changes in the software version control system.
Incorrect C. Ensure that developers do not have access to the backup server.
D. Review the access control log of the backup server. - correct answer ✔✔You answered C. The
correct answer is B.
A. Even if replication is be conducted manually with due care, there still remains a risk to
copying unauthorized software from one server to another.
B. It is common practice for software changes to be tracked and controlled using version control
software. An IS auditor should review reports or logs from this system to identify the software
that is promoted to production. Only moving the versions on the version control system (VCS)
program will prevent the transfer of development or earlier versions.
C. If unauthorized code was introduced onto the backup server by developers, controls on the
production server and the software version control system should mitigate this risk.
D. Review of the access log will identify staff access or the operations performed; however, it
may not provide enough information to detect the release of unauthorized software.
