What type of cryptosystem is characterized by data being encrypted by the sender using the recipient's public key, and the data then being decrypted using the recipient's private key?
Correct Answer: B
Explanation/Reference: With public key encryption or asymmetric encryption, data is encrypted by the sender using the recipient's public key; the data is then decrypted using the recipient's private key.
Question 287
An IS auditor finds that application servers had inconsistent security settings leading to potential vulnerabilities. Which of the following is the BEST recommendation by the IS auditor?
Correct Answer: B
Section: The process of Auditing Information System
Question 288
When installing an intrusion detection system (IDS), which of the following is MOST important?
Correct Answer: A
Proper location of an intrusion detection system (IDS) in the network is the most important decision during installation. A poorly located IDS could leave key areas of the network unprotected. Choices B, C and D are concerns during the configuration of an IDS, but if the IDS is not placed correctly, none of them would be adequately addressed.
Question 289
An IS auditor is reviewing a contract for the outsourcing of IT facilities. If missing, which of the following should present the GREATEST concern to the auditor?
Correct Answer: B
Explanation The missing access control requirements should present the greatest concern to the IS auditor when reviewing a contract for the outsourcing of IT facilities. Access control requirements are essential for ensuring the confidentiality, integrity, and availability of the outsourced IT resources and data. They specify the roles, responsibilities, and permissions of the outsourcing vendor and its staff, as well as the client and its users, in accessing and managing the IT facilities. They also define the security policies, standards, and procedures that the outsourcing vendor must follow to protect the IT facilities from unauthorized or malicious access, use, modification, or disclosure. Without clear and comprehensive access control requirements, the outsourcing contract may expose the client to significant risks of data breaches, compliance violations, service disruptions, or reputational damage. Hardware configurations, help desk availability, and perimeter network security diagram are important aspects of an outsourcing contract, but they are not as critical as access control requirements. Hardware configurations describe the technical specifications and performance of the IT equipment that the outsourcing vendor will provide and maintain. Help desk availability defines the service levels and support channels that the outsourcing vendor will offer to the client and its users. Perimeter network security diagram illustrates the network architecture and security measures that the outsourcing vendor will implement to protect the IT facilities from external threats. These aspects can be verified or modified during the implementation or operation phases of the outsourcing contract, but access control requirements need to be established and agreed upon before signing the contract. References: ISACA, CISA Review Manual, 27th Edition, Chapter 5: Protection of Information Assets, Section 5.3: Logical Access1 CIO.com, 7 tips for managing an IT outsourcing contract2 Brainhub.eu, 8 Tips for Managing an IT Outsourcing Contract
Question 290
In a public key infrastructure (PKI), which of the following may be relied upon to prove that an online transaction was authorized by a specific customer?
Correct Answer: A
Explanation/Reference: Explanation: Nonrepudiation, achieved through the use of digital signatures, prevents the claimed sender from later denying that they generated and sent the message. Encryption may protect the data transmitted over the Internet, but may not prove that the transactions were made. Authentication is necessary to establish the identification of all parties to a communication. Integrity ensures that transactions are accurate but does not provide the identification of the customer.
