An organization is considering connecting a critical PC-based system to the Internet. Which of the following would provide the BEST protection against hacking?
Correct Answer: A
Section: Protection of Information Assets Explanation: An application-level gateway is the best way to protect against hacking because it can define with detail rules that describe the type of user or connection that is or is not permitted, it analyzes in detail each package, not only in layers one through four of the OSI model but also layers five through seven, which means that it reviews the commands of each higher-level protocol (HTTP, FTP, SNMP, etc.). For a remote access server, there is a device (server) that asks for a username and password before entering the network. This is good when accessing private networks, but it can be mapped or scanned from the Internet creating security exposure. Proxy servers can provide protection based on the IP address and ports. However, an individual is needed who really knows how to do this, and applications can use different ports for the different sections of the program. Port scanning works when there is a very specific task to complete, but not when trying to control what comes from the Internet, or when all the ports available need to be controlled. For example, the port for Ping (echo request) could be blocked and the IP addresses would be available for the application and browsing, but would not respond to Ping.
Question 522
Which of the following is MOST important to consider when developing a service level agreement (SLAP)?
Correct Answer: B
Question 523
Which of the following processes should an IS auditor recommend to assist in the recording of baselines for software releases?
Correct Answer: D
The configuration management process may include automated tools that will provide an automated recording of software release baselines. Should the new release fail, the baseline will provide a point to which to return. The other choices do not provide the processes necessary for establishing software release baselines and are not related to software release baselines.
Question 524
An IS auditor finds that, at certain times of the day, the data warehouse query performance decreases significantly. Which of the following controls would it be relevant for the IS auditor to review?
Correct Answer: C
Explanation/Reference: Explanation: User spool limits restrict the space available for running user queries. This prevents poorly formed queries from consuming excessive system resources and impacting general query performance. Limiting the space available to users in their own databases prevents them from building excessively large tables. This helps to control space utilization which itself acts to help performance by maintaining a buffer between the actual data volume stored and the physical device capacity. Additionally, it prevents users from consuming excessive resources in ad hoc table builds (as opposed to scheduled production loads that often can run overnight and are optimized for performance purposes), in a data warehouse, since you are not running online transactions, commitment and rollback does not have an impact on performance. The other choices are not as likely to be the root cause of this performance issue.
Question 525
Due to system limitations, segregation of duties (SoD) cannot be enforced in an accounts payable system. Which of the following is the IS auditor's BEST recommendation for a compensating control?
Correct Answer: A
Explanation Requiring written authorization for all payment transactions is the IS auditor's best recommendation for a compensating control in an environment where segregation of duties (SoD) cannot be enforced in an accounts payable system. SoD is a principle that requires different individuals or functions to perform different tasks or roles in a business process, such as initiating, approving, recording and reconciling transactions. SoD reduces the risk of errors, fraud and misuse of resources by preventing any single person or function from having excessive or conflicting authority or responsibility. A compensating control is a control that mitigates or reduces the risk associated with the absence or weakness of another control. Requiring written authorization for all payment transactions is a compensating control that provides an independent verification and approval of each transaction before it is processed by the accounts payable system. This control can help to detect and prevent unauthorized, duplicate or erroneous payments, and to ensure compliance with policies and procedures. The other options are not as effective as option A, as they do not provide an independent verification or approval of payment transactions. Restricting payment authorization to senior staff members is a control that limits the number of people who can authorize payments, but it does not prevent them from initiating or processing payments themselves, which could violate SoD. Reconciling payment transactions with invoices is a control that verifies that the payments match the invoices, but it does not prevent unauthorized, duplicate or erroneous payments from being processed by the accounts payable system. Reviewing payment transaction history is a control that monitors and analyzes the payment transactions after they have been processed by the accounts payable system, but it does not prevent unauthorized, duplicate or erroneous payments from occurring in the first place. References: CISA Review Manual (Digital Version) , Chapter 5: Protection of Information Assets, Section 5.2: Logical Access.
