What is the PRIMARY reason to adopt a risk-based IS audit strategy?
Correct Answer: C
Question 87
Which of the following should be of GREATEST concern to an IS auditor performing a review of information security controls?
Correct Answer: B
Question 88
In an environment where most IT services have been outsourced, continuity planning is BEST controlled by:
Correct Answer: C
Question 89
What is the MAIN objective when implementing security controls within an application?
Correct Answer: C
Question 90
Which of the following statements is NOT true about Voice-Over IP (VoIP)?
Correct Answer: A
Section: Protection of Information Assets

Explanation: NOT is the keyword in the question. You need to find the invalid statement about VoIP. VoIP uses packet switching, not circuit switching.

For your exam you should know the information below about VoIP:

Voice-Over-IP

IP telephony, or internet telephony, is the technology that makes it possible to have a voice conversation over the Internet or over any dedicated IP network instead of dedicated transmission lines. The protocols used to carry the signal over the IP network are commonly referred to as Voice-Over-IP (VoIP). VoIP is a technology where voice traffic is carried on top of existing data infrastructure. Sounds are digitized into IP packets and transferred through the network layer before being decoded back into the original voice.

VoIP allows the elimination of circuit switching and the associated waste of bandwidth. Instead, packet switching is used, where IP packets with voice data are sent over the network only when data needs to be sent.

It has advantages over traditional telephony:
- Unlike traditional telephony, VoIP innovation progresses at market rates rather than at the rate of the multilateral committee process of the International Telecommunication Union (ITU).
- Lower cost per call or even free calls, especially for long distance calls.
- Lower infrastructure costs. Once IP infrastructure is installed, little or no additional telephony infrastructure is needed.

VoIP Security Issues

With the introduction of VoIP, the need for security is more important because it is needed to protect two assets: the data and the voice. Protecting the security of conversations is now vital. In VoIP, packets are sent over the network from the user's computer or VoIP phone to similar equipment at the other end. Packets may pass through several intermediate systems that are not under the control of the user's ISP. The current Internet architecture does not provide the same physical wire security as a phone line.

The main concern with a VoIP solution is that, whereas with traditional telephones the different sites of the organization could still be reached by telephone if the data system was disrupted, VoIP depends on that data system. Thus a backup communication facility should be planned for if the availability of communication is vital to the organization. Another issue arises from the fact that IP telephones and their supporting equipment require the same care and maintenance as computer systems do.

To enhance the protection of the telephone system and data traffic, the VoIP infrastructure should be segregated using a Virtual Local Area Network (VLAN). In many cases, session border controllers (SBCs) are utilized to provide security features for VoIP traffic similar to those provided by firewalls.

The following were incorrect answers:
- Lower cost per call or even free calls, especially for long distance calls - This is a valid statement about VoIP. In fact it is an advantage of VoIP.
- Lower infrastructure cost - This is a valid statement and an advantage of using VoIP as compared to a traditional telephony system.
- VoIP is a technology where voice traffic is carried on top of existing data infrastructure - This is also a valid statement about VoIP.

Reference: CISA Review Manual 2014, page 355