FreeQAs: ISACA CISA Exam, ISACA.CISA.v2024-03-31.q980 Dumps
Question 396

The Federal Information Processing Standards (FIPS) are primarily for use by (Choose two.):

Correct Answer: A,B
Section: Protection of Information Assets
Explanation:
Federal Information Processing Standards (FIPS) are publicly announced standards developed by the United States Federal government for use by all non-military government agencies and by government contractors. Many FIPS standards are modified versions of standards used in the wider community; well-known examples are FIPS 140, which sets requirements for cryptographic modules, and FIPS 186, the Digital Signature Standard.

Question 397

There are several types of penetration tests depending upon the scope, objective and nature of a test.
Which of the following describes a penetration test where you attack and attempt to circumvent the controls of the targeted network from the outside, usually the Internet?

Correct Answer: A
Explanation/Reference:
External testing refers to attack and control circumvention attempts on a target's network perimeter from outside the target's system, usually the Internet.
For the CISA exam you should know penetration test types listed below:
External Testing -Refers to attack and control circumvention attempts on a target's network perimeter from outside the target's system, usually the Internet
Internal Testing - Refers to attack and control circumvention attempt on target from within the perimeter.
The objective is to identify what would occur if the external perimeter was successfully compromised and/ or an authorized user from within the network wanted to compromise security of a specific resource on a network.
Blind Testing - Refers to the condition of testing when the penetration tester is provided with limited or no knowledge of the target's information systems. Such testing is expensive, since penetration testers have to research the target and profile it based on publicly available information.
Double Blind Testing - An extension of blind testing in which the administrators and security staff at the target are also not aware of the test. Such testing can effectively evaluate the incident handling and response capability of the target and how well managed the environment is.
Targeted Testing - Refers to attack and control circumvention attempts on the target, while both the target's IT team and penetration tester are aware of the testing activities. Penetration testers are provided with information related to target and network design. Additionally, they are also provided with a limited privilege user account to be used as a starting point to identify privilege escalation possibilities in the system.
The following were incorrect answers: Internal Testing, Blind Testing and Targeted Testing, as defined above. None of them describes an attack launched from outside the perimeter against a target that has not been given the tester's details.
Following reference(s) were/was used to create this question:
CISA review manual 2014 Page number 369

Question 398

Digital signatures require the:

Correct Answer: B
Digital signatures are intended to verify to a recipient the integrity of the data and the identity of the sender. The Digital Signature Standard (FIPS 186) is based on public key algorithms: the signer computes a hash of the message and signs the hash with a private key that only the signer holds, and the receiver verifies the signature with the signer's corresponding public key. This requires the signer to have a private key and the receiver to have the signer's public key; a signature that verifies shows that the message has not changed since signing and that it was signed by the holder of that private key.
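The sign-and-verify exchange described above, as an added example that is not part of the original page or of any ISACA material. It uses Go's standard-library ECDSA (P-256) with SHA-256 as the hash, and the message text is a constructed sample. The three checks in Demo show the two properties the explanation names: a tampered message fails (integrity) and a signature checked against someone else's public key fails (identity of the sender).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Sign hashes msg with SHA-256 and signs the digest with the signer's PRIVATE key.
// Only the holder of that private key can produce a signature that verifies.
func Sign(priv *ecdsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// Verify recomputes the digest and checks sig against the signer's PUBLIC key.
// Any change to msg, or a signature made under a different private key, fails.
func Verify(pub *ecdsa.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// Outcome records the three checks a receiver cares about.
type Outcome struct {
	Genuine  bool // original message, signer's public key: must verify
	Tampered bool // altered message, signer's public key: must fail
	WrongKey bool // original message, another party's public key: must fail
}

// Demo runs the exchange on a constructed sample message (not real data).
func Demo() (Outcome, error) {
	var o Outcome
	signer, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return o, err
	}
	other, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // an unrelated key pair
	if err != nil {
		return o, err
	}
	msg := []byte("constructed sample: pay 100.00 to vendor 4711")
	sig, err := Sign(signer, msg)
	if err != nil {
		return o, err
	}
	o.Genuine = Verify(&signer.PublicKey, msg, sig)
	o.Tampered = Verify(&signer.PublicKey, []byte("constructed sample: pay 900.00 to vendor 4711"), sig)
	o.WrongKey = Verify(&other.PublicKey, msg, sig)
	return o, nil
}

func main() {
	o, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine=%v tampered=%v wrongKey=%v\n", o.Genuine, o.Tampered, o.WrongKey)
}
```

Note that verification only proves who signed if the receiver obtained the public key from a trusted source (for example a certificate); the code above assumes the receiver already holds the correct key.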

Question 399

Which of the following is an example of a preventive control in an accounts payable system?

Correct Answer: A
Section: Information System Operations, Maintenance and Support

Question 400

Which of the following controls would an IS auditor look for in an environment where duties cannot be appropriately segregated?

Correct Answer: D
Explanation/Reference:
Compensating controls are internal controls that are intended to reduce the risk of an existing or potential control weakness that may arise when duties cannot be appropriately segregated. Typical compensating controls in this situation are audit trails, reconciliations, exception reporting, transaction logs and supervisory or independent reviews, which let someone other than the person performing the conflicting duties detect misuse after the fact.
Overlapping controls are two controls addressing the same control objective or exposure. Since the primary control (segregation of duties) cannot be achieved, it is difficult to install overlapping controls. Boundary controls establish the interface between the would-be user of a computer system and the computer system itself; they identify and authenticate individuals and do not address the problem of one person holding conflicting duties. Access controls restrict which individuals can reach which resources; on their own they do not separate duties that a single person necessarily performs.
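One concrete compensating control of the kind the explanation names, exception reporting over an audit trail, as an added example that is not part of the original page or of any ISACA material. The audit trail is a constructed CSV sample of an accounts-payable system in which each payment should be entered by one user and approved by a different one; the report lists payments the same person both entered and approved, and payments still awaiting approval, for a supervisor to review.

```go
package main

import (
	"encoding/csv"
	"fmt"
	"strings"
)

// SampleLog is a constructed accounts-payable audit trail (not data from any real system).
// Control objective: the user who enters a payment must not be the user who approves it.
const SampleLog = `tx_id,action,user
1001,create,alice
1001,approve,bob
1002,create,carol
1002,approve,carol
1003,create,dave
1003,approve,erin
1004,create,frank
1004,approve,frank
1005,create,gina
`

// Event is one row of the audit trail.
type Event struct {
	TxID   string
	Action string
	User   string
}

// ParseLog reads the CSV trail, skipping the header row.
func ParseLog(data string) ([]Event, error) {
	rows, err := csv.NewReader(strings.NewReader(data)).ReadAll()
	if err != nil {
		return nil, err
	}
	var events []Event
	for i, row := range rows {
		if i == 0 {
			continue // header
		}
		if len(row) != 3 {
			return nil, fmt.Errorf("row %d: expected 3 fields, got %d", i, len(row))
		}
		events = append(events, Event{TxID: row[0], Action: row[1], User: row[2]})
	}
	return events, nil
}

// ExceptionReport is what the supervisor reviews in place of enforced segregation.
type ExceptionReport struct {
	SelfApproved []string // same user both created and approved the payment
	Unapproved   []string // created but never approved
}

// Review builds the exception report, listing transactions in first-seen order.
func Review(events []Event) ExceptionReport {
	creator := map[string]string{}
	approver := map[string]string{}
	seen := map[string]bool{}
	var order []string
	for _, e := range events {
		if !seen[e.TxID] {
			seen[e.TxID] = true
			order = append(order, e.TxID)
		}
		switch e.Action {
		case "create":
			creator[e.TxID] = e.User
		case "approve":
			approver[e.TxID] = e.User
		}
	}
	var rep ExceptionReport
	for _, id := range order {
		c, hasC := creator[id]
		a, hasA := approver[id]
		switch {
		case hasC && hasA && c == a:
			rep.SelfApproved = append(rep.SelfApproved, id)
		case hasC && !hasA:
			rep.Unapproved = append(rep.Unapproved, id)
		}
	}
	return rep
}

func main() {
	events, err := ParseLog(SampleLog)
	if err != nil {
		panic(err)
	}
	rep := Review(events)
	fmt.Printf("self-approved: %v\nunapproved: %v\n", rep.SelfApproved, rep.Unapproved)
}
```

On the sample trail the report flags 1002 and 1004 as self-approved and 1005 as unapproved. The control only works if the audit trail itself is protected from the users it monitors and the report is actually reviewed by someone independent of them; that is what makes it a compensating rather than a cosmetic control.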
©2026 FreeQAs