208. a. It is during the system requirements definition phase that the project team identifies the required controls needed for the system. The identified controls are then incorporated into the system during the design phase. When there is a choice between the system requirements definition phase and the design phase, the auditor would benefit most by participating in the former phase. The analyst does not need to participate in the program development or testing phase.
209. What is a malicious unauthorized act that is triggered upon initiation of a predefined event or condition and resides within a computer program known as?
a. Logic bomb
b. Computer virus
c. Worm
d. NAK attack
209. a. A time bomb is a part of a logic bomb. A time bomb is a Trojan horse set to trigger at a particular time, whereas the logic bomb is set to trigger at a particular condition, event, or command. The logic bomb could be a computer program or a code fragment.
Computer virus is incorrect because it “reproduces” by making copies of itself and inserting them into other programs. Worm is incorrect because it searches the network for idle computing resources and uses them to execute the program in small segments. NAK (negative acknowledgment character) attack is incorrect because it is a penetration technique capitalizing on a potential weakness in an operating system that does not handle asynchronous interrupts properly, thus leaving the system in an unprotected state during such interrupts. NAK uses binary synchronous communications, where a transmission control character is sent as a negative response to data received. Here, a negative response means that the data was not received correctly or that a command was incorrect or unacceptable.
210. What is the name of the malicious act of a computer program looking normal but containing harmful code?
a. Trapdoor
b. Trojan horse
c. Worm
d. Time bomb
210. b. A Trojan horse fits the description. It is a program that performs a useful function and, at the same time, an unexpected action; it is also considered a form of virus.
Trapdoor is incorrect because it is an entry point built into a program created by programmers for debugging purposes. Worm is incorrect because it searches the network for idle computing resources and uses them to execute a program in small segments. Time bomb is incorrect because it is a part of a logic bomb, where a damaging act triggers at some period of time after the bomb is set.
211. In the software capability maturity model, continuous process improvement takes place in which of the following levels?
a. Managed level
b. Optimizing level
c. Defined level
d. Repeatable level
211. b. Continuous process improvements are expected in the optimizing level of the software capability maturity model. It is enabled by quantitative feedback from the process and from piloting innovative ideas and technologies.
212. Which of the following tests identify vulnerabilities in application systems?
a. Functional test
b. Performance test
c. Stress test
d. Security test
212. d. The purpose of security testing is to assess the robustness of the system’s security capabilities (for example, physical facilities, procedures, hardware, software, and communications) and to identify security vulnerabilities. All the tests listed in the question are part of system acceptance tests where the purpose is to verify that the complete system satisfies specified requirements and is acceptable to end users.
Functional test is incorrect because the purpose of functional or black-box testing is to verify that the system correctly performs specified functions. Performance test is incorrect because the purpose of performance testing is to assess how well a system meets specified performance requirements. Examples include specified system response times under normal workloads (for example, defined transaction volumes) and specified levels of system availability and mean-times-to-repair. Stress test is incorrect because the purpose of stress testing is to analyze system behavior under increasingly heavy workloads (for example, higher transaction rates), severe operating conditions (for example, higher error rates, lower component availability rates), and, in particular, to identify points of system failure.
213. When does a major risk in application software prototyping occur?
a. The prototype becomes the finished system.
b. Users’ expectations are inflated.
c. Too much attention is paid to cosmetic details.
d. The model is iterated too many times.
213. a. The application software prototype becoming the finished system is a major risk in prototyping unless this is a conscious decision, as in evolutionary prototyping, where a pilot system is built, thrown away, another system is built, and so on. Inflated user expectations are a risk that can be managed with proper education and training. Paying attention to cosmetic details is not bad in itself, except that it wastes valuable time. The prototype model is supposed to be iterated many times because that is the best way to define and redefine user requirements and security features until the users are satisfied.
214. Security planning is performed in which of the following phases of a system development life cycle (SDLC)?
a. Initiation
b. Development/acquisition
c. Implementation
d. Operations/maintenance
214. b. Security planning ensures that agreed-upon security controls, whether planned or in place, are fully documented. It is a task performed in the development/acquisition phase.
215. Security certification and accreditation is performed in which of the following phases of a system development life cycle (SDLC)?
a. Initiation
b. Development/acquisition
c. Implementation
d. Operations/maintenance
215. c. Security certification ensures that the controls are effectively implemented through established verification techniques and procedures and gives an organization confidence that the appropriate safeguards and countermeasures are in place to protect the organization’s information systems. Security accreditation provides the necessary security authorization of an information system to process, store, or transmit information that is required. Both security certification and accreditation tasks are performed in the implementation phase.
216. Which of the following actions is performed in the detailed design phase of a system development life cycle (SDLC) project?
a. Defining control, security, and audit requirements
b. Developing screen flows with specifications
c. Identifying major purpose(s) of the system
d. Developing system justification
216. b. A detailed design occurs after the general design is completed; in it, known tasks are described and identified in a much more detailed fashion so that they are ready for program design and coding. This includes developing screen/program flows with specifications, input and output file specifications, and report specifications.