1. The extent to which data will be collected during an IS audit should be determined based on the:
A. availability of critical and required information.
B. auditors familiarity with the circumstances.
C. auditees ability to find relevant evidence.
D. purpose and scope of the audit being done.
2. Which of the following ensures a senders authenticity and an e-mails confidentiality?
A. Encrypting the hash of the message with the senders private key and thereafter encrypting the hash of the message with the receivers public key
B. The sender digitally signing the message and thereafter encrypting the hash of the message with the senders private key
C. Encrypting the hash of the message with the senders private key and thereafter encrypting the message with the receivers public key
D. Encrypting the message with the senders private key and encrypting the message hash with the receivers public key
3. Which of the following is the GREATEST advantage of elliptic curve encryption over RSA encryption?
A. Computation speed
B. Ability to support digital signatures
C. Simpler key distribution
D. Greater strength for a given key length
4. Which of the following controls would provide the GREATEST assurance of database integrity?
A. Audit log procedures
B. Table link/reference checks
C. Query/table access time checks
D. Rollback and rollforward database features
5. A benefit of open system architecture is that it:
A. facilitates interoperability.
B. facilitates the integration of proprietary components.
C. will be a basis for volume discounts from equipment vendors.
D. allows for the achievement of more economies of scale for equipment.
1. ANSWER: D
NOTE: The extent to which data will be collected during an IS audit should be related directly to the scope and purpose of the audit. An audit with a narrow purpose and scope would result most likely in less data collection, than an audit with a wider purpose and scope. The scope of an IS audit should not be constrained by the ease of obtaining the information or by the auditors familiarity with the area being audited. Collecting all the required evidence is a required element of an IS audit, and the scope of the audit should not be limited by the auditees ability to find relevant evidence.
2. ANSWER: C
NOTE: To ensure authenticity and confidentiality, a message must be encrypted twice: first with the senders private key, and then with the receivers public key. The receiver can decrypt the message, thus ensuring confidentiality of the message. Thereafter, the decrypted message can be decrypted with the public key of the sender, ensuring authenticity of the message. Encrypting the message with the senders private key enables anyone to decrypt it.
3. ANSWER: A
NOTE: The main advantage of elliptic curve encryption over RSA encryption is its computation speed. This method was first independently suggested by Neal Koblitz and Victor S. Miller. Both encryption methods support digital signatures and are used for public key encryption and distribution. However, a stronger key per se does not necessarily guarantee better performance, but rather the actual algorithm employed.
4. ANSWER: B
NOTE: Performing table link/reference checks serves to detect table linking errors (such as completeness and accuracy of the contents of the database), and thus provides the greatest assurance of database integrity. Audit log procedures enable recording of all events that have been identified and help in tracing the events. However, they only point to the event and do not ensure completeness or accuracy of the databases contents. Querying/monitoring table access time checks helps designers improve database performance, but not integrity. Rollback and rollforward database features ensure recovery from an abnormal disruption. They assure the integrity of the transaction that was being processed at the time of disruption, but do not provide assurance on the integrity of the contents of the database.
5. ANSWER: A
NOTE: Open systems are those for which suppliers provide components whose interfaces are defined by public standards, thus facilitating interoperability between systems made by different vendors. In contrast, closed system components are built to proprietary standards so that other suppliers systems cannot or will not interface with existing systems.