282. An IS auditor discovers that programmers have update access to the live environment. In this situation, the IS auditor is LEAST likely to be concerned that programmers can:

A. authorize transactions.
B. add transactions directly to the database.
C. make modifications to programs directly.
D. access production and provide faster maintenance.

The correct answer is:
A. authorize transactions.

Explanation:
Authorizing transactions implies that transactions have been initiated by another person and hence would provide the least risk. The other situations, where programmers on their own can access data and make modifications or add transactions to a database, all present a greater risk and would be of concern to the IS auditor.

Area: 4

283. An IS auditor performing a telecommunication access control review should be concerned PRIMARILY with the:

The correct answer is:
B. authorization and authentication of the user prior to granting access to system resources.

Explanation:
The authorization and authentication of users is the most significant aspect in a telecommunications access control review as it is a preventive control. Weak controls at this level can affect all other aspects. The maintenance of access logs of usage of system resources is a detective control. The adequate protection of data being transmitted to and from servers by encryption or other means is a method of protecting information during transmission and is not an access issue. The accountability system and the ability to identify any terminal accessing system resources deal with controlling access through the identification of a terminal.

Area: 4

284. An organization is introducing a single sign-on (SSO) system. Under the SSO system, users will be required to enter only one user ID and password for access to all application systems. Under the SSO system, unauthorized access:

The correct answer is:
C. will have a greater impact.

Explanation:
The impact will be greater since the hacker needs to know only one password to gain access to all systems and can, therefore, cause greater mischief than if only the password to one of the systems is known. Less likely would be the correct answer if the single sign-on system were to be introduced with a stronger form of authentication, such as a smart card/challenge response system. There is no indication that the probability of someone attempting to gain access to systems after introduction of single sign-on is greater than before. The impact can only be greater, not smaller, since the access gained is wider.