Chapter 14 Test Bank MCQ

The document contains a 29 question multiple choice test on information security concepts. It covers topics like digital signatures, encryption, authentication, vulnerability management, and disaster recovery planning.

Student name:__________

ESSAY. Write your answer in the space provided or on a separate sheet of paper.
1) Describe the process of using asymmetric-key encryption to authenticate the trading
partner involved in e-business.

2) What are the two prerequisites for vulnerability management?

3) Describe the framework for vulnerability assessment and vulnerability management.

Version 1 1
4) What are included in disaster recovery planning and business continuity management?
Are these concepts related?

5) What is a digital signature? How could a digital signature ensure data integrity when
conducting e-business?

MULTIPLE CHOICE - Choose the one alternative that best completes the statement or
answers the question.
6) In general, the goal of information security management is to protect all of the following
except:

A) Confidentiality.
B) Integrity.
C) Availability.
D) Redundancy.

7) Which of the following statements is incorrect about digital signatures?

A) A digital signature can ensure data integrity.
B) A digital signature also authenticates the document creator.
C) A digital signature is an encrypted message digest.
D) A digital signature is a message digest encrypted using the document creator's public
key.

8) What is the primary objective of data security controls?

A) To establish a framework for controlling the design, security, and use of computer
programs throughout an organization.
B) To ensure that data storage media are subject to authorization prior to access,
change, or destruction.
C) To formalize standards, rules, and procedures to ensure the organization's controls are
properly executed.
D) To monitor the use of system software to prevent unauthorized access to system
software and computer programs.

9) An entity doing business on the internet most likely could use any of the following
methods to prevent unauthorized intruders from accessing proprietary information except:

A) Password management.
B) Data encryption.
C) Digital certificates.
D) Batch processing.

10) When a client's accounts payable computer system was relocated, the administrator
provided support through a dial-up connection to the server. Subsequently, the administrator left
the company. No changes were made to the accounts payable system at that time. Which of the
following situations represents the greatest security risk?

A) User passwords are not required to be in alphanumeric format.
B) Management procedures for user accounts are not documented.
C) User accounts are not removed upon termination of employees.
D) Security logs are not periodically reviewed for violations.

11) An information technology director collected the names and locations of key vendors,
current hardware configuration, names of team members, and an alternative processing location.
What is the director most likely preparing?

A) Data restoration plan.
B) Disaster recovery plan.
C) System security policy.
D) System hardware policy.

12) Bacchus, Inc. is a large multinational corporation with various business units around the
world. After a fire destroyed the corporation headquarters and largest manufacturing site, plans
for which of the following would help Bacchus ensure a timely recovery?

A) Daily backup.
B) Network security.
C) Business continuity.
D) Backup power.

13) Which of the following statements regarding authentication in conducting e-business is
incorrect?

A) It is a process that establishes the origin of information or determines the identity of
a user, process, or device.
B) Only one key is used for encryption and decryption purposes in the authentication
process.
C) Successful authentication can prevent repudiation in electronic transactions.
D) We need to use asymmetric-key encryption to authenticate the sender of a document
or data set.

14) Which of the following is not included in the remediation phase for vulnerability
management?

A) Risk Response Plan.
B) Policy and procedures for remediation.
C) Vulnerability Prioritization.
D) Control Implementation.

15) Which of the following does not represent a viable data backup method?

A) Disaster recovery plan.
B) Redundant arrays of independent drives.
C) Virtualization.
D) Cloud computing.

16) Which of the following statements about asymmetric-key encryption is correct?

A) When using asymmetric-key encryption method, a total of two keys are necessary in
electronic communication between two parties.
B) Employees in the same company share the same public key.
C) Most companies would like to manage the private keys for their employees.
D) Most companies would like to use a Certificate Authority to manage the public keys
of their employees.
E) Two of the above are correct.

17) Which of the following statements is incorrect?

A) A fraud prevention program starts with a fraud risk assessment across the entire firm.
B) The audit committee typically has an oversight role in the risk assessment process.
C) Communicating a firm's policy file to employees is one of the most important
responsibilities of management.
D) A fraud prevention program should include an evaluation on the efficiency of
business processes.

18) A disaster recovery approach should include which of the following elements?

A) Encryption.
B) Firewalls.
C) Regular backups.
D) Surge protectors.

19) Which of the following is a password security weakness?

A) Users are assigned passwords when accounts are created, but do not change them.
B) Users have accounts on several systems with different passwords.
C) Users write down their passwords on a note paper, and carry it with them.
D) Users select passwords that are not part of an online password dictionary.

20) To prevent invalid data input, a bank added an extra number at the end of each account
number and subjected the new number to an algorithm. This technique is known as:

A) A validation check.
B) check digit verification.
C) A dependency check.
D) A format check.

21) Why does a Certificate Authority (CA) play an important role in a company's information
security management?

A) Using a CA is required by SOX in managing information security.
B) A CA is responsible for generating session keys for encryption purposes.
C) Most companies use CA to manage their employees’ public keys.
D) CA creates and maintains both the public and private keys for a company’s
employees.

22) When computer programs or files can be accessed from terminals, users should be
required to enter a(n):

A) Parity check.
B) Password as a personal identification code.
C) Check digit.

D) Echo check.

23) Which of the following controls would most likely assure that a company can reconstruct
its financial records?

A) Security controls such as firewalls.
B) Backup data are tested and stored safely.
C) Personnel understand the data very well.
D) Paper records.

24) Why would companies want to use digital signatures when conducting e-business?

A) They are cheap.
B) They are always the same, so they can be verified easily.
C) They are more convenient than requiring a real signature.
D) They can authenticate the document sender and maintain data integrity.

25) Select a correct statement regarding encryption methods.

A) To use symmetric-key encryption, each user needs two different keys.
B) Most companies prefer using symmetric-key encryption to the asymmetric-key
encryption method.
C) Both symmetric-key and asymmetric-key encryption methods require the
involvement of a certificate authority.
D) When conducting e-business, most companies use both symmetric-key and
asymmetric-key encryption methods.

26) Select a correct statement regarding a hashing process.

A) It is reversible.
B) The outcome is a message digest.
C) It is not necessary to use a hashing process in creating a digital signature.
D) It is used for authentication.

27) Which of the following IT controls would best prevent a developer from inappropriately
accessing the system?

A) Forced password changes.
B) Secondary code review.
C) Symmetric encryption.
D) Lack of authentication.

28) Which of the following IT controls would best prevent a currency trader from concealing
his/her trading errors?

A) End user access to source code.
B) Multifactor authentication.
C) Symmetric encryption.
D) Use of a private key.

29) Which of the following is not an example of a physical security vulnerability?

A) Unescorted visitors on the premises.
B) Poor choice of passwords.
C) Lack of a smoke detector in the room housing servers.

D) Lack of disaster recovery plan.

30) Which of the following is not an example of vulnerability within the process of IT
operations?

A) Software not patched.
B) Inappropriate data classification.
C) Ineffective training.
D) Poor firewall rules.

31) Which of the following is not an example of a vulnerability within an Information
System?

A) Outdated intrusion detection/prevention system.
B) Lack of a disaster recovery plan.
C) Improper system configuration.
D) Failure to audit and terminate unused accounts in a timely manner.

32) What could result from the failure to audit and terminate unused accounts in a timely
manner?

A) A disgruntled employee may send out phishing emails.
B) A SOC 1 report will be generated.
C) Computer hardware may be taken off premises.
D) A disgruntled employee may tamper with company applications.

33) Which of the following describes the primary goals of the CIA approach to information
security management?

A) Controls, Innovation, Analysis.
B) Confidentiality, Integrity, Availability.
C) Convenience, Integrity, Awareness.
D) Confidentiality, Innovation, Availability.

34) Which of the following is not one of the common techniques for information security
risks and attacks?

A) Spam.
B) Botnet.
C) TraceRT.
D) Social Engineering.

35) Encryption is a control that changes plain text into which of the following?

A) Cyberspace.
B) Cryptext.
C) Mnemonic code.
D) Cyphertext.

36) Asymmetric-key encryption uses which of the following techniques to allow users to
communicate securely?

A) A message digest.
B) A 16-bit encryption key.
C) A public key and a private key.

D) A digital signature.

37) A Public Key Infrastructure (PKI) provides the ability to do which of the following?

A) Encrypt messages using a private key.
B) Enable debit and credit card transactions.
C) Read plaintext.
D) Issue, maintain, and revoke digital certificates.

38) Which of the following best illustrates the use of multifactor authentication?

A) Requiring password changes every 30, 60, or 90 days.
B) Requiring the use of a smart card and a password.
C) Requiring the use of upper case, lower case, numeric, and special characters for a
password.
D) The use of a fingerprint scanner for access to a device.

39) Both ISACA and the GTAG define vulnerability. Which of the following does not
represent one of these definitions?

A) The nature of IT resources that can be exploited by a threat to cause damage.
B) An organization's exposure to disaster.
C) Weaknesses or exposures in IT assets that may lead to business, compliance, or
security risk.
D) All of the other items represent the definitions of vulnerability stated by ISACA and
the GTAG.

40) Which of the following statements is true regarding risk management and vulnerability
management?

A) They both have the objective of reducing the likelihood that detrimental events
occur.
B) Risk management is often conducted using an IT asset-based approach.
C) Vulnerability management is more complex and strategic.
D) Both approaches involve processes that typically take many months or years to
complete.

41) Which of the following describes the recommended prerequisites for managing
vulnerabilities?

A) Implement the COSO ERM framework, and identify key vulnerabilities.
B) Determine the main objective of vulnerability management, and assign roles and
responsibilities.
C) Identify the key vulnerabilities, and implement appropriate controls to minimize the
vulnerabilities.
D) Implement suitable controls, and assess those controls for potential vulnerabilities.

42) Which of the following is not one of the main components of vulnerability management
and assessment?

A) Identification.
B) Remediation.
C) Internalization.
D) Maintenance.

43) For businesses considering a cloud computing solution, which of the following should
they ask the cloud vendor to provide before entering into a contract for critical business
operations?

A) FASB 51 Report.
B) Audit Report.
C) SAS 3 Report.
D) SOC 2 Report.

44) Which of the following statements is most accurate with regard to business continuity
management (BCM) and disaster recovery planning (DRP)?

A) DRP is an important component of BCM.
B) BCM and DRP should be considered independently of each other.
C) BCM is an important component of DRP.
D) DRP should be considered as optional, while BCM should be considered as
necessary.

45) A RAID array implemented in a data center is an example of which of the following?

A) Virtualization.
B) Uninterruptible power supply.
C) Fault tolerance.
D) SOC 3.

SHORT ANSWER. Write the word or phrase that best completes each statement or
answers the question.
46) A magnetic tape used to store data backups was lost while it was being transported to an
offsite storage location. The data on the tape includes customers’ credit card and personal
information. Which preventive control(s) should have been used to minimize the potential loss?

47) List the following steps regarding computer fraud risk assessments in sequence.
(a) Assessing the likelihood and business impact of a control failure and/or a fraud incident.
(b) Mapping existing controls to potential fraud schemes and identifying gaps.
(c) Identifying potential IT fraud schemes and prioritizing them based on likelihood and impact.
(d) Identifying relevant IT fraud risk factors.
(e) Testing operating effectiveness of fraud prevention and detection controls.

TRUE/FALSE - Write 'T' if the statement is true and 'F' if the statement is false.
48) The fraud triangle includes incentive, opportunity and an attitude to rationalize the fraud.

⊚ true
⊚ false

49) The goal of information security management is to maintain confidentiality, integrity and
availability of a firm's information.

⊚ true
⊚ false

50) Encryption is a preventive control ensuring data confidentiality and privacy during
transmission and for storage.

⊚ true
⊚ false

51) Asymmetric-key encryption is suitable for encrypting large data sets or messages.

⊚ true
⊚ false

52) Key distribution and key management are problematic under the symmetric-key
encryption.

⊚ true
⊚ false

53) The symmetric-key encryption method is used to authenticate users.

⊚ true
⊚ false

54) A Certificate Authority (CA) issues digital certificates to bond the subscriber with a
public key and a private key.

⊚ true
⊚ false

55) A company’s audit committee is solely responsible for fraud risk assessments.

⊚ true
⊚ false

56) One type of fault tolerance is using redundant units to provide a system the ability to
continue functioning when part of the system fails.

⊚ true
⊚ false

57) Disaster recovery planning and business continuity management are unrelated.

⊚ true
⊚ false

58) Information security is a critical factor in maintaining systems integrity.

⊚ true
⊚ false

59) The goal of information security management is to enhance the confidence, integrity and
authority (CIA) of a firm's information.

⊚ true
⊚ false

60) A Trojan Horse is a self-replicating, self-propagating, self-contained program that uses
networking mechanisms to spread itself.

⊚ true
⊚ false

61) Spam is a self-replicating program that runs and spreads by modifying other programs or
files.

⊚ true
⊚ false

62) Encryption and hashing are similar processes used to maintain data confidentiality.

⊚ true
⊚ false

63) A hashing process can be reversed, and it is used for maintaining data confidentiality.

⊚ true
⊚ false

64) When using an asymmetric encryption algorithm, for two trading parties to conduct
e-business, they need to use two keys.

⊚ true
⊚ false

65) Symmetric-key encryption is rarely used today due to key distribution and key
management issues.

⊚ true
⊚ false

66) Most companies use both symmetric-key and asymmetric-key encryption methods when
conducting e-business.

⊚ true
⊚ false

67) The purpose of using a digital signature is for authentication.

⊚ true
⊚ false

Answer Key

Test name: Chapter 14 Test Bank

1) To authenticate a trading partner (TP), the contact person (CP) of a
company sends a challenge message to TP. TP uses her private key to
encrypt the challenge message and sends it to CP. If CP is able to use
TP’s public key to decrypt and get the plaintext of the challenge
message, CP has authenticated TP successfully.

2) First, determine the main objectives of its vulnerability management.
In some cases, the firm should determine which laws, regulations, and
standards it should comply with. Second, a firm should assign roles and
responsibilities for vulnerability management. The management may
designate a team to be responsible for developing and implementing the
vulnerability management program.

3) The components of vulnerability assessment include identification
and risk assessment. Identification process: identifying all critical IT
assets, threats and vulnerabilities. Risk assessment process: assessing
vulnerabilities and prioritizing vulnerability issues. The components of
vulnerability management include remediation and maintenance.
Remediation process: making a risk response plan, preparing the policy
and requirements for remediation, as well as control implementation.
Maintenance: monitoring, ongoing assessment and continuous improvement.

4) Disaster recovery planning (DRP) must include a clearly defined and
documented plan that covers key personnel, resources including IT
infrastructure and applications, and actions required to be carried out in
order to continue or resume the systems for critical business functions
within planned levels of disruption. Business continuity management
(BCM) includes the activities required to keep a firm running during a
period of displacement or interruption of normal operations. DRP is a
key component of the BCM. BCM is broader than DRP and is concerned
about the entire business processes rather than particular assets, such as
IT infrastructure and applications.

5) A digital signature is a message digest (MD) of a document (or data
file) that is encrypted using the document creator’s private key.
1) Both the sender (A) and receiver (B) use an asymmetric-key encryption method to authenticate each other.
2) Sender A makes a copy of the document and uses SHA-256 to hash the copy and get an MD.
3) Sender A encrypts the MD using Sender A’s private key to get Sender A’s digital signature.
4) Sender A uses Receiver B’s public key to encrypt the original document and Sender A’s digital signature (for confidentiality).
5) Sender A sends the encrypted package to Receiver B.
6) Receiver B receives the package and decrypts it using Receiver B’s private key. Receiver B now has the document and Sender A’s digital signature.
7) Receiver B decrypts Sender A’s digital signature using Sender A’s public key to get the sent-over MD. Receiver B also authenticates that Sender A is the document creator.
8) Receiver B makes a copy of the received document and uses SHA-256 to hash the copy and get a calculated MD.
9) If the sent-over MD is the same as the calculated MD, Receiver B ensures data integrity.

6) D

7) D

8) B

9) D

10) C

11) B

12) C

13) B

14) C

15) A

16) D

17) D

18) C

19) A

20) B

21) C

22) B

23) B

24) D

25) D

26) B

27) B

28) A

29) B

30) A

31) B

32) D

33) B

34) C

35) D

36) C

37) D

38) B

39) B

40) A

41) B

42) C

43) D

44) A

45) C

46) The tape needs to be encrypted and password protected.

47) d, c, b, e, a

48) TRUE

49) TRUE

50) TRUE

51) FALSE

52) TRUE

53) FALSE

54) TRUE

55) FALSE

56) TRUE

57) FALSE

58) TRUE

59) FALSE

60) FALSE

61) FALSE

62) FALSE

63) FALSE

64) FALSE

65) FALSE

66) TRUE

67) FALSE
