Essential IT Audit and Security Practices

Uploaded by Fares Salman

Audit Charter

The audit charter should state management’s objectives for, and delegation of authority to, IS audit.
It should be approved at the highest levels of management and should outline the overall authority,
scope, and responsibilities of the audit function. It should not significantly change over time.

IT Balanced Scorecard

An IT business governance tool aimed at monitoring IT performance evaluation indicators OTHER THAN
financial results. It considers other key success factors such as customer satisfaction, innovation
capacity, and processing.

Stop or Freezing Point during New System Design

Requires that changes made after that point be evaluated for cost-effectiveness. Used to allow for a
review of the cost-benefits and the payback period.

Clustered Server Setup

Makes the entire network vulnerable to natural disasters or other disruptive events. Not recommended
for high-availability network configurations.

Logical Access Controls

The PRIMARY safeguard for securing software and data within an information processing facility.

The most important criterion when selecting a location for an offsite storage facility for IS backup files.

The offsite facility must be PHYSICALLY SEPARATED from the data center and not subject to the same
risks as the primary data center.

Attribute Sampling

The primary sampling method used for compliance testing. AS is used to estimate the rate of occurrence
of a specific quality (attribute) AND is used in compliance testing to confirm whether the quality exists.

Monitoring an outsourced provider’s performance.

The MOST important function to be performed by IS management when a service has been outsourced.
This is critical to ensure that services are delivered to the company as required.

Parallel Run

The system and data conversion strategy that provides the GREATEST redundancy. The safest and the
most expensive approach.

10

Adequate and most appropriate compensating control to track after-hours database changes.

Use the DBA user account to make changes. Log the changes and review the change log the following
day.

11

Intrusion Detection System (IDS)

Gathers evidence on intrusive attack or penetration attempt activity.

12

Business Continuity Plan (BCP) covers only critical processes. The IT auditor should:

Revisit and/or update the Business Impact Analysis (BIA) to assess the risk of not covering all processes
in the plan.

13

Audit Planning : Assessment of Risk

Should be made to provide REASONABLE ASSURANCE that the audit will cover MATERIAL items.

14

Training provided on a regular basis to all current and new employees.

The MOST LIKELY element of a security awareness program.

15

Function Point Analysis

An indirect method of measuring the size of an application by considering the number and complexity of
its inputs, outputs, and files. Is useful for evaluating complex applications.

16

PERT (Program Evaluation and Review Technique)

A project management technique that helps with both planning and control.

17

SLOC (Counting source lines of code)

A direct measure of program size. Does NOT allow for the complexity that may be caused by having
multiple, linked modules and a variety of inputs and outputs.

18

White Box Testing

Involves a detailed review of the behavior of program code, and is a quality assurance technique suited
to simpler applications during the design and build stage of development.

19

Security patch installations

Should always be part of a good change management process.

20

Degaussing obsolete magnetic tapes

The best way to remove data from magnetic tapes. Leaves a very low residue of magnetic induction.
Overwriting or erasing tapes may cause magnetic errors but may not remove the data completely. Tape
label initialization does not remove the data that follows the label.

21

The MOST important concern when auditing backup, recovery, and the offsite storage vault

That the data files stored in the vault are synchronized.

22

When evaluating the collective effort of preventive, detective, or corrective controls within a process, an
IS auditor should be aware of:

The point at which controls are EXERCISED as data flow through the system.

23

The BEST audit technique to use to determine whether there have been unauthorized program changes
since the last authorized program update

Automated code comparison: an automated, efficient technique to determine whether the two versions
correspond. Test data runs only allow for processing verification. Code review will only detect potential
errors or inefficient statements.

24

IT Control Objectives

The statement of the desired result or purpose to be achieved by implementing control procedures in a
particular IT activity.

25

The PRIMARY purpose for conducting parallel testing is:

To ensure that the implementation of a new system will meet user requirements.

26

An analysis of peaking/saturated WAN links should result in:

Analysis to establish whether this is a regular pattern and what causes this behavior before expenditure
on a larger line capacity is recommended.

27

Immunizers

Defend against viruses by appending sections of themselves to files. They continuously check the file
for changes and report changes as possible viral behavior.

28

Behavior blockers

Focus on detecting potentially abnormal behavior, such as writing to the boot sector or MBR, or making
changes to EXEs.

29

CRCs (Cyclical Redundancy Checkers)

Compute a binary number on a known virus-free program that is then stored in a database file. When
that program is subsequently called to be executed, the checkers look for changes to the files, compare
them to the database, and report possible infection if changes have occurred.

30

Active Monitors

Interpret DOS and ROM BIOS calls, looking for virus-like actions.

31

The DR/Continuity Plan component that provides the GREATEST assurance of post-disaster recovery:

That an alternate facility will be available until the original information processing facility is restored.

32

Email systems have become a useful source of litigation evidence BECAUSE:

Multiple cycles of backup files remain available, and documents that have been deleted could
potentially be recovered from these files.

33

By evaluating application development projects against the Capability Maturity Model (CMM), an IS
auditor should be able to verify that:

Stable, predictable software processes are being followed. However, CMM does NOT guarantee a
reliable product, nor does it evaluate technical processes, security requirements, or other application
controls.

34

The MOST IMPORTANT element for the successful implementation of IT governance is:

The identification of organizational strategies. This is necessary to ensure the alignment between IT and
corporate governance. The KEY objective of IT governance is to support the business.

35

Stress testing

Is carried out to ensure that a system can cope with production workloads. A test environment should
always be used to avoid damaging the production environment - testing should never take place in a
production environment. Live workloads should always be used, however, to ensure that the system was
stress tested adequately.

36

Periodic checking of hard drives.

The MOST effective way to detect and identify the loading of illegal software packages onto a network.

37

Which control best mitigates the risk of undetected and unauthorized program changes being made in
the production environment by developers?

Hash key generation. The matching of hash keys over time would allow detection of changes to files.

38

Naming conventions for system resources are important for access control because they:

Reduce the number of rules required to adequately protect resources. This facilitates security
administration and maintenance efforts, and allows for the grouping of resources and files by
application.

39

When faced with multiple minor control weaknesses, the IS auditor’s audit report should:

Record the observations and the risk arising from the COLLECTIVE effect of the weaknesses.

40

It IS appropriate for an IT auditor to request and review a copy of a BCP from each vendor that provides
outsourced services.

TRUE: An IS auditor will evaluate the adequacy of the service bureau’s BCP and assist their company in
implementing a complementary plan. The primary responsibility of an IS auditor is to assure that the
company assets are being safeguarded, even if the assets do not reside on the immediate premises.

41

The PRIMARY concern with using RFID (radio frequency identification) is:

Issues of privacy. The purchaser (P) may not be aware of the tags, and credit card purchases may be able
to be tied back to the identity of P. Because RFID can carry unique identifiers, it could be possible for a
firm to track Ps who purchase items containing RFIDs.

42

A proprietary software application purchase contract SHOULD provide for:

A source code agreement that provides for the placement of the source code into escrow, ensuring that
the purchaser will have the opportunity to modify the software should the vendor cease to be in
business.

43

When faced with control weaknesses, the IS auditor should stress that:

A comprehensive system control framework is necessary. For example, effective access controls may not
sufficiently compensate for other detective control weaknesses. The IS auditor has a FUNDAMENTAL
obligation to point out control weaknesses that give rise to unacceptable risks to the organization, and
to work with management to have these corrected.

44

Simultaneous duplication of logs onto a write-once disk helps to:

Detect changes made by unauthorized intruders to systems/platforms.

45

Application-level Gateway


Provides the BEST protection against hacking attempts. It can define detailed rules that describe the
type of user or connection that is or is not permitted. Analyzes ALL layers of the OSI model. Remote Access
servers require a user name/password, but can still be mapped or scanned. Proxy servers provide
protection based on IP addresses and ports, and can be complex or difficult to configure for multiple
applications. Port scanning doesn’t help with controlling Internet content, or when all ports need to be
controlled.

46

Which is the MOST effective and environmentally friendly method of suppressing a fire in a data center?

Dry-pipe water sprinklers, with an automatic power shut-off system. The pipes must be dry-pipe so as to
avoid leakage. Halon is efficient and doesn’t threaten human life, but it is environmentally damaging and
very expensive. Carbon dioxide threatens human life (but is safe for the environment), and therefore
cannot be set to automatic release.

47

Which finding would be MOST critical during an audit of a BCP?


Absence of a backup for the network backbone. This failure will impact the ability of all users to access
information on the network.

48

The SUCCESS of control self-assessment (CSA) depends highly on:


Having line managers assume a portion of the responsibility for control monitoring. The primary
objective of a CSA program is to leverage the internal audit function by shifting some of the control
monitoring responsibilities to the functional area line managers.

49

1. Non-existent 2. Initial 3. Repeatable 4. Defined 5. Managed

These are rankings used by the Information Security Governance Maturity Model. When responsibilities
for IT security are clearly assigned and enforced, and an IT Security Risk and Impact Analysis is
consistently performed, it is said to be managed and measurable.

50

Which type of testing would confirm that a new or modified system can operate in its target
environment without adversely impacting EXISTING systems?


SOCIABILITY testing. PARALLEL testing is the process of feeding data into 2 systems and comparing the
results. PILOT testing takes place first at one location and then is extended to other locations.
INTERFACE/INTEGRATION testing is a HW or SW test that evaluates the connection of 2 or more
components that pass info from one area to another.

51

Documentation of a business case used in an IT development project should be retained until:


The end of the system’s life cycle.

52

Which type of firewall provides the GREATEST degree and granularity of control?

The APPLICATION GATEWAY firewall - it has specific proxies for each TCP/IP service, and filters traffic
across OSI L3-L7. A Screening Router and a Packet Filter work at the protocol, service and/or port level
(L3-L4). A Circuit Gateway is based on a proxy or program that acts as an intermediary between external
and internal accesses (L3/L4).

53

To ensure message integrity, confidentiality, and nonrepudiation between 2 parties, the MOST effective
method would be to create a message digest by applying a cryptographic hashing algorithm against:


The ENTIRE message, enciphering the MESSAGE DIGEST using the SENDER’S PRIVATE KEY
(nonrepudiation), enciphering the MESSAGE with a SYMMETRIC KEY, and enciphering the KEY by using
the RECEIVER’S PUBLIC KEY (confidentiality and receiver nonrepudiation).

54

What is the initial step in creating a firewall policy?


Identification of network applications to be externally accessed.

55

In a BCP, the MAJOR risk with not defining the point at which a situation could be declared a crisis is:


That execution of the DRP/BCP could be impacted.

56

A top-down approach to the development of operational policies will help ensure:
That they are consistent across the organization. A bottom-up approach would be derived as a result of
risk assessment.

57

Which approach will BEST ensure the successful offshore development of business applications?


Detailed and correctly applied specifications.

58

The FIRST step in managing the risk of a cyberattack is to:


Identify critical information assets. After this, the next steps include identifying the threats and
vulnerabilities, and calculating potential damages.

59

Which component of network architecture acts as a decoy to detect active Internet attacks?


HONEYPOTS - these are computer systems that are expressly set up to attract and trap individuals who
attempt to penetrate other individuals’ computer systems. They can provide data on methods used to
attack systems. FIREWALLS are basically preventative measures. TRAPDOORS create a vulnerability that
provides an opportunity for the insertion of unauthorized code into a system. TRAFFIC ANALYSIS is a
type of passive attack.

60

NEURAL networks are effective in detecting FRAUD because they can:


Attack problems that require consideration of a large number of input variables. They can capture
relationships and patterns, BUT NOT new trends. Neural networks will not work well at solving problems
for which sufficiently large and general sets of training data are not obtainable.

61

Which computers would be of the MOST concern to an IS auditor reviewing a VPN implementation?


The at-home computers of employees who connect via VPN. These are least subject to corporate
security policies, and are, therefore, high-risk.

62

When developing a risk-based audit strategy, an IS auditor should conduct a risk assessment to ENSURE
that:

Vulnerabilities and threats are identified. This will determine the areas to be audited and the extent of
coverage.

63

AFTER reviewing applications (assets) and making a vulnerability assessment, the next task(s) would be
to:

(1) Identify threats, and (2) estimate the likelihood of a threat’s occurrence.

64

Which of the following backup techniques is the MOST appropriate where an organization requires
extremely granular data restore points, as defined by the recovery point objective (RPO)?


Continuous data backup - this process happens online, and in real-time.

65

An organization is using an enterprise resource management (ERP) application. Which type of controls
would be the MOST effective?


Role-based access controls (RBAC). RBAC controls the system access by defining roles for a group of
users. Users are assigned to the various roles and the access is granted based on the user’s role. User-
level permissions would create larger administrative overhead. Fine-grained access control is difficult to
implement and maintain in large enterprises. Discretionary access control may create inconsistencies in
the access control management.

66

When reviewing an implementation of a VoIP system over a corporate WAN, an IS auditor should expect
to find:


Traffic engineering. This is a statistical technique that helps to ensure that quality of service
requirements are achieved by minimizing packet loss, latency, and/or jitter.

67

An IS auditor doing penetration testing during an audit of Internet connections would:


Use tools and techniques available to a hacker.

68

The GREATEST advantage of using web services for the exchange of information between two systems
is:

Efficient interfacing. Web services facilitate the exchange of information between two systems
regardless of the OS or programming language used. Communication, however, will not necessarily be
more secure or faster, and there is no documentation benefit in using web services.

69

What reduces the potential impact of social engineering attacks?


Security awareness programs.

70

Which of the following should an IS auditor review to gain an understanding of the effectiveness of
controls over the management of multiple projects?


A project portfolio database. This is the basis for project portfolio management, and includes detailed
project data. Project portfolio management requires specific project portfolio reports.

71

Which of the following online auditing techniques is MOST effective for the early detection of errors or
irregularities?


AUDIT HOOKS. The audit hook technique involves embedding code in application systems for the
examination of selected transactions. This helps the IS auditor to act before an error or an irregularity
gets out of hand. An EMBEDDED AUDIT MODULE involves embedding specially-written software in the
organization’s host application system so that application systems are monitored on a selective basis. An
INTEGRATED TEST FACILITY is used when it is not practical to use test data. SNAPSHOTS are used when
an audit trail is required.

72

If coding standards are not enforced and code reviews are rarely carried out, this will MOST increase the
likelihood of a successful:


BUFFER OVERFLOW ATTACK (especially in web-based applications). BRUTE FORCE attacks are used to
crack passwords. DDOS attacks are used to flood and overwhelm its targets, preventing them from
responding to legitimate requests. WAR DIALING uses modem-scanning tools to hack PBXs.

73

A BENEFIT of open system architecture is that it:

Facilitates interoperability between systems made by different vendors. Closed system components are, in
contrast, built to proprietary standards and cannot (or will not) interface with existing systems.

74

Web and email filtering tools are PRIMARILY valuable to an organization because they:


Protect the organization from viruses, spam, mail chains, recreational surfing and email, and other
nonbusiness materials.

75

The PRIMARY objective of service-level management (SLM) is to:


Define, negotiate, agree, document and record, and manage the required levels of service in the manner
in which the customer requires those services. This doesn’t necessarily ensure high availability, or that
costs will be minimized.

76

An IS auditor performing a telecommunications access control review should be concerned PRIMARILY
with the:

Preventative control of authorization and authentication of a user prior to granting access to system
resources. Weak controls at this level can affect all other aspects of the system.

77

Which IT governance best practice IMPROVES strategic alignment?

Top management mediating between the imperatives of business and technology. Managing supplier
and partner risks is a RISK MANAGEMENT best practice. A knowledge base on customers, products,
markets and processes is an IT VALUE DELIVERY best practice. An infrastructure being provided to
facilitate the creation and sharing of business information is an IT VALUE DELIVERY and a RISK
MANAGEMENT best practice.

78

At the completion of a system development project, a postproject review SHOULD include:


Identifying LESSONS LEARNED that may be applicable to future projects.

79

If no project risks have been identified during the early stages of a development project, the IS auditor
SHOULD:


Stress the importance of spending time at THIS point in the project to consider and document risks, and
to develop contingency plans. The IS auditor has an obligation to the project sponsor and the
organization to advise on appropriate project management practices.

80

An IS auditor reviewing an organization’s data file control procedures finds that transactions are applied
to the most current data files, while restart procedures use earlier versions. The IS auditor should
recommend the implementation of:


VERSION USAGE CONTROL when it is essential that the proper version of a file is used.

81

If an IS auditor finds that the risk of data being intercepted to and from remote sites is very high, the
MOST effective and secure control that he can recommend to reduce this exposure is:


ENCRYPTION

82

If an IS auditor finds that conference rooms have active network ports, it is MOST important to ensure
that:


That part of the network is ISOLATED from the corporate network.

83

Which represents the GREATEST risk created by a reciprocal agreement for disaster recovery between
two companies?


That future developments may result in hardware and software incompatibility.

84

An Internet-based attack using password sniffing CAN:

Be used to gain access to systems containing proprietary information. SPOOFING attacks can be used to
enable one party to act as if they are another party. DATA MODIFICATION attacks can be used to
modify the contents of certain transactions. REPUDIATION OF TRANSACTIONS can cause major problems
with billing systems and transaction processing agreements.

85

What type of controls would an IS auditor look for in an environment where duties cannot be
appropriately segregated?

COMPENSATING controls are internal controls that are intended to reduce the risk of an existing or
potential control weakness that may arise when duties cannot be appropriately segregated.
OVERLAPPING controls are two controls addressing the same control objective or exposure. BOUNDARY
controls establish the interface between the would-be user of a computer system and the computer
system itself, and are individual-based.

86

Which of the following is a concern when data are transmitted through Secure Sockets Layer (SSL)
encryption, implemented on a trading partner’s server?

That the organization doesn’t have control over encryption. The SSL security protocol provides data
encryption, server authentication, message integrity, and optional client authentication. Simply installing
a digital certificate turns on SSL capabilities, and SSL encrypts the data while it is being transmitted
over the Internet - there is no PW to remember because the encryption is done in the background.

87

Where a business system accesses a corporate database using a single ID and PW embedded in a
program, what would provide efficient access control over the organization’s data?

The best compensating control would be role-based permissions within the application system to ensure
that access to data is granted based on a user’s role. The issue is with permissions, not authentication.

88

What would have the HIGHEST priority in a business continuity plan (BCP)?


The resumption of critical processes has the highest priority since it enables business processes to begin
immediately after the interruption and not later than the declared mean time between failure (MTBF).

89

A company has decided to implement an electronic signature scheme based on PKI. The user’s private
key will be stored on the computer’s HDD and protected by a PW. The MOST significant risk of this
approach is:


That a compromise of the PW would enable access to the signature, which could result in the
impersonation of the user by substitution of the user’s public key with another person’s public key.

90

If an IS auditor notes that an organization has adequate BCPs for each individual process, but not a
comprehensive BCP for the entire organization, the IS auditor should:


Determine whether the BCPs are consistent with one another in order to provide a viable BCP strategy.

91

To protect a VoIP infrastructure against a DoS attack, it is MOST important to secure the:

SESSION BORDER CONTROLLERS. SBCs enhance the security in the access network (AN) and in the core.
In the AN, they hide a user’s real address and provide a managed public address. SBCs permit access to
clients behind FWs while maintaining the FW’s effectiveness. In the core, SBCs protect the users and
hide network topology and users’ real addresses. They can also monitor bandwidth and
QoS.

92

A web server is attacked and compromised. What should be performed FIRST to handle the incident?


Disconnect the web server from the network to contain the damage and prevent more actions by the
attacker.

93

When developing a BCP, which tools should be used to gain an understanding of the organization’s
business processes?

RISK ASSESSMENT (RA) and BUSINESS IMPACT ASSESSMENT (BIA) are tools for understanding business
processes for business continuity planning. BUSINESS CONTINUITY SELF-AUDIT is a tool for evaluating the
adequacy of a BCP. RESOURCE RECOVERY ANALYSIS is a tool for identifying a business resumption
strategy. GAP ANALYSIS can be used to identify deficiencies in a BCP plan.

94

What would be considered a weakness, with regard to an organization that uses PKI with digital
certificates?

If the organization is also the owner of the certificate authority (CA), this could potentially create a
perceived conflict of interest if customers wanted to allege fraud during a transaction repudiation.

95

The PRIMARY role of the certificate authority (CA) as a third party is to:


Confirm the identity of an entity owning a certificate issued by that CA. The primary activity of a CA is to
issue certificates. The CA can contribute to authenticating communicating partners, but is not involved
in the communication stream itself.

96

An IS auditor reviewing wireless network security determines that DHCP is disabled at all WAPs. This
practice:


Reduces the risk of unauthorized access to the network.

97

The PRIMARY objective of testing a BCP is to:


Identify and provide evidence of any limitations of the current BCP.

98

What method might an IS auditor use to test wireless security at branch office locations?

WAR DRIVING - this is a technique for locating and gaining access to wireless networks by driving or
walking with a wireless equipped computer around a building. WAR DIALING is a technique for gaining
access to a computer or network through the dialing of defined blocks of telephone numbers, with the
hope of getting an answer from a modem. SOCIAL ENGINEERING is a technique used to gather info that
can assist an attacker in gaining logical or physical access to data or resources. PASSWORD CRACKERS
are tools used to guess users’ PWs by trying combinations and dictionary words.

99

Confidentiality of data transmitted in a WLAN is BEST protected if the session is:


Encrypted using DYNAMIC KEYS. With dynamic keys, the encryption key is changed frequently, thus
reducing the risk of key compromise and unauthorized message decryption.

100

DDoS attacks on Internet sites are typically launched by hackers by using:

TROJAN HORSES - these are malicious or damaging code hidden within an authorized computer
program. Hackers use Trojans to mastermind DDoS attacks from multiple computers simultaneously.
LOGIC BOMBS are programs designed to destroy or modify data at a specific time in the future.
PHISHING is an attack, normally via email, pretending to be an authorized person or organization
requesting information. SPYWARE is a program that picks up information from PC drives by making
copies of their contents.

101

Which anti-spam filtering technique would BEST prevent a valid, variable-length email message
containing a heavily-weighted spam keyword from being labeled as spam?

BAYESIAN (STATISTICAL) FILTERING - BF applies statistical modeling to messages by performing a
frequency analysis on each word within the message and then evaluating the message as a whole. It can
ignore a suspicious keyword if the entire message is within normal bounds. HEURISTIC FILTERING is less
effective since new exception rules may need to be defined when a valid message is labeled as spam.
SIGNATURE-BASED FILTERING is useless against variable-length messages because the calculated MD5
hash changes all the time. PATTERN MATCHING is actually a degraded rule-based technique where the
rules operate at the word level using wildcards, and not at higher levels.

102

When determining the ACCEPTABLE time period for the RESUMPTION of critical business processes:

BOTH downtime AND recovery costs need to be evaluated. The outcome of a BIA should be a recovery
strategy that represents the optimal balance.

103

Where a mix of access points cannot be upgraded to stronger or more advanced wireless security, a
recommendation to replace the access points is BEST justified by the argument that:

The organization’s security would only be as strong as its weakest points. Affordability, performance,
and product manageability are NOT the IS auditor’s concern in this situation.

104

From a control perspective, the PRIMARY objective of classifying information assets is to:

Establish guidelines for the level of access controls that should be assigned. Information has varying
degrees of sensitivity and criticality in meeting business objectives. By assigning classes or levels of
sensitivity and criticality to information resources, management can establish guidelines for the level of
access controls that should be assigned. End user management and the security administrator will use
these classifications in their risk assessment (RA) process to assign a given class to each asset.

105

Which biometric has the HIGHEST RELIABILITY and the LOWEST FALSE-ACCEPTANCE RATE (FAR)?


RETINA SCAN. Retina scan uses optical technology to map the capillary pattern of an eye’s retina. This is
highly reliable and has the lowest FAR among the current biometric methods. PALM SCANNING entails
placing a hand on a scanner where the palm’s physical characteristics are captured. HAND GEOMETRY
measures the physical characteristics of the user’s hands and fingers from a 3-D perspective. Both the
palm and hand biometric techniques lack uniqueness in the geometry data. With FACE RECOGNITION, a
reader analyzes the images captured for general facial characteristics. Though natural and friendly, face
biometrics lack uniqueness which means that people who look alike can fool the device.
