a. Log
b. Hash totals
c. Batch totals
d. Check-digit control
142. a. A log, preferably one generated automatically by the computer, records what an individual did (or failed to do) while accessing a computer system or a data file. If abnormal activity occurs, the log can be used to trace it back to the person responsible. The purpose of a compensating control is to offset a weak control with a stronger one. The other three choices are application system controls over the data itself (a check digit validates a single field; hash totals and batch totals reconcile a whole batch of records) and are not tied to an individual's actions, as a log is.
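The distinction the answer draws, shown in working code: batch totals, hash totals and a check digit catch errors in the data, while a log ties each action to a person. This is an added example written for this page, not from the exam text; the record layout, the mod-10 (Luhn) check digit, the account numbers, the amounts and the user names are assumptions chosen for illustration.

```python
"""Batch controls versus an individual-accountability log (added example; not
from the exam text). Record layout, the mod-10 Luhn check digit, and the batch
contents below are assumptions chosen for illustration."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List


@dataclass
class Record:
    account: str  # account number; its last digit is a Luhn check digit (assumed)
    amount: int   # transaction amount in cents


def luhn_valid(number: str) -> bool:
    """Check-digit control: True if the final digit is a valid mod-10 (Luhn)
    check digit. Catches any single mistyped digit and most transpositions."""
    if not number.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def luhn_check_digit(payload: str) -> str:
    """Compute the digit that makes payload + digit pass luhn_valid()."""
    for digit in "0123456789":
        if luhn_valid(payload + digit):
            return digit
    raise ValueError("payload must be numeric")


def batch_total(records: List[Record]) -> int:
    """Batch total: sum of a financial field, compared with the total the
    submitter computed independently before sending the batch."""
    return sum(r.amount for r in records)


def hash_total(records: List[Record]) -> int:
    """Hash total: sum of a non-financial field. The number means nothing in
    itself; it only reveals a lost, duplicated, or altered record."""
    return sum(int(r.account) for r in records)


def check_batch(records: List[Record], header: Dict[str, int]) -> List[str]:
    """Reconcile a batch against its control header. Empty list = clean."""
    exceptions = []
    if len(records) != header["count"]:
        exceptions.append(f"record count {len(records)} != {header['count']}")
    if batch_total(records) != header["batch_total"]:
        exceptions.append(f"batch total {batch_total(records)} != {header['batch_total']}")
    if hash_total(records) != header["hash_total"]:
        exceptions.append(f"hash total {hash_total(records)} != {header['hash_total']}")
    for r in records:
        if not luhn_valid(r.account):
            exceptions.append(f"check digit failed for account {r.account}")
    return exceptions


class AuditLog:
    """Accountability log: who did what, to which object, when, and with what
    outcome. Unlike the totals above, every entry is tied to an individual."""

    def __init__(self) -> None:
        self.entries: List[Dict[str, str]] = []

    def record(self, user: str, action: str, target: str, outcome: str) -> None:
        self.entries.append({"ts": datetime.now(timezone.utc).isoformat(),
                             "user": user, "action": action,
                             "target": target, "outcome": outcome})

    def trace(self, user: str) -> List[Dict[str, str]]:
        """Reconstruct one individual's actions, as an investigator would."""
        return [e for e in self.entries if e["user"] == user]


# Constructed batch; the account numbers were built with luhn_check_digit().
ORIGINAL_BATCH = [Record("10000016", 12500), Record("10000024", 7300), Record("10000032", 4200)]
# Second copy of the same batch: one account mistyped and its amount transposed.
ALTERED_BATCH = [Record("10000016", 12500), Record("10000025", 3700), Record("10000032", 4200)]


def demo():
    """Clerk A submits the batch with control totals; clerk B edits a copy.
    The batch controls say what is wrong; the log says who touched the batch."""
    log = AuditLog()
    header = {"count": len(ORIGINAL_BATCH),
              "batch_total": batch_total(ORIGINAL_BATCH),
              "hash_total": hash_total(ORIGINAL_BATCH)}
    log.record("clerk_a", "submit_batch", "batch-001", "ok")
    log.record("clerk_b", "edit_batch", "batch-001", "ok")
    exceptions = check_batch(ALTERED_BATCH, header)
    log.record("system", "reconcile_batch", "batch-001",
               "rejected" if exceptions else "accepted")
    return exceptions, log


if __name__ == "__main__":
    found, audit = demo()
    for line in found:
        print("exception:", line)
    for entry in audit.trace("clerk_b"):
        print("clerk_b:", entry["action"], entry["target"], entry["outcome"])
```

Running it reports three exceptions for the altered copy (batch total, hash total and a failed check digit) but none of them names a person; only the log's trace of clerk_b shows who edited the batch, which is why a log, and not any of the three totals, serves as a compensating control over individual behaviour.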
143. When an IT auditor becomes reasonably certain about a case of fraud, what should the auditor do next?
a. Say nothing now because it should be kept secret.
b. Discuss it with the employee suspected of fraud.
c. Report it to law enforcement officials.
d. Report it to company management.
143. d. In fraud situations, the auditor should proceed with caution. When certain about a fraud, he should report it to company management, not to external organizations. The auditor should not talk to the employee suspected of fraud. When the auditor is not certain about fraud, he should talk to the audit management.
144. An effective relationship between risk level and internal control level is which of the following?
a. Low risk and strong controls
b. High risk and weak controls
c. Medium risk and weak controls
d. High risk and strong controls
144. d. There is a direct relationship between the risk level and the control level: high-risk situations require strong controls, low-risk situations can tolerate weaker controls, and medium-risk situations require medium controls. A control is defined as the policies, practices, and organizational structure designed to provide reasonable assurance that business objectives will be achieved and that undesired events will be prevented, or detected and corrected. Controls should facilitate accomplishment of an organization's objectives rather than obstruct it.
145. Incident handling is not closely related to which of the following?
a. Contingency planning
b. System support
c. System operations
d. Strategic planning
145. d. Strategic planning involves long-term and major issues, such as management of the computer security program and the management of risks within the organization. It is not closely related to incident handling, which is a day-to-day operational matter rather than a strategic one.
Incident handling is closely related to contingency planning, system support, and system operations. An incident handling capability may be viewed as a component of contingency planning because it provides the ability to react quickly and efficiently to disruptions in normal processing. Broadly speaking, contingency planning addresses events with the potential to interrupt system operations. Incident handling can be considered that portion of contingency planning that responds to malicious technical threats.
146. In which of the following areas do the objectives of systems auditors and information systems security officers overlap the most?
a. Determining the effectiveness of security-related controls
b. Evaluating the effectiveness of communicating security policies
c. Determining the usefulness of raising security awareness levels
d. Assessing the effectiveness of reducing security incidents
146. a. The auditor’s objective is to determine the effectiveness of security-related controls. The auditor reviews documentation and tests security controls. The other three choices are the sole responsibilities of information systems security officers.
147. Which of the following security control techniques assists system administrators in protecting physical access of computer systems by intruders?
a. Access control lists
b. Host-based authentication
c. Centralized security administration
d. Keystroke monitoring
147. d. Keystroke monitoring is the process used to view or record both the keystrokes entered by a computer user and the computer’s response during an interactive session. It is usually considered a special case of audit trails. Keystroke monitoring is conducted in an effort to protect systems and data from intruders who access the systems without authority or in excess of their assigned authority. Monitoring keystrokes typed by intruders can help administrators assess and repair any damage they may cause.
Access control lists refer to a register of users who have been given permission to use a particular system resource and the types of access they have been permitted. Host-based authentication grants access based upon the identity of the host originating the request, instead of the identity of the user making the request. Centralized security administration allows tighter control over information because the ability to make changes resides with a few individuals, as opposed to many in a decentralized environment. None of these three helps administrators observe what an intruder is doing and repair the resulting damage, as keystroke monitoring does.
148. Which of the following is not essential to ensure operational assurance of a computer system?
a. System audits
b. System changes
c. Policies and procedures
d. System monitoring
148. b. Security is not perfect when a system is implemented. Changes in the system or the environment can create new vulnerabilities. Strict adherence to procedures is rare over time, and procedures become outdated. Thinking risk is minimal, users may tend to bypass security measures and procedures. Operational assurance is the process of reviewing an operational system to see that security controls, both automated and manual, are functioning correctly and effectively.
To maintain operational assurance, organizations use three basic methods: system audits, policies and procedures, and system monitoring. A system audit is a one-time or periodic event to evaluate security. Monitoring refers to an ongoing activity that examines either the system or the users. In general, the more real time an activity is, the more it falls into the category of monitoring. Policies and procedures are the backbone for both auditing and monitoring.
System changes are a source of new risk, not a method of assurance. In response to events such as user complaints, the availability of new features and services, or the discovery of new threats and vulnerabilities, system managers and users modify the system and incorporate new features, new procedures, and software updates. Such changes do not by themselves give any assurance that controls are working properly; they are exactly what the audits and monitoring must re-verify.
149. What is an example of a security policy that can be legally monitored?
a. Keystroke monitoring
b. Electronic mail monitoring
c. Web browser monitoring
d. Password monitoring
149. d. Keystroke monitoring, e-mail monitoring, and Web browser monitoring are controversial and intrusive. Because of the legal questions they raise, such efforts can consume time and other resources without yielding a usable control. Password monitoring, by contrast, can be stated and enforced as policy. Examples of effective security policy statements include (i) passwords shall not be shared under any circumstances and (ii) password usage and composition will be monitored.
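What "password usage and composition will be monitored" looks like as an enforceable control, as an added example written for this page rather than taken from the exam text: a composition check applied once, at password-change time, plus an age check over existing accounts. Neither touches keystrokes or message content. The thresholds (12 characters, three of four character classes, a 90-day maximum age), the small denylist, and the sample change requests are all assumptions.

```python
"""Password composition and usage checks (added example; not from the exam text).
Thresholds, the denylist and the sample requests below are assumptions."""
import re
import string
from datetime import date
from typing import Dict, List

MIN_LENGTH = 12        # assumed policy values, not from the exam text
MIN_CLASSES = 3        # of: lower, upper, digit, punctuation
MAX_AGE_DAYS = 90
COMMON_PASSWORDS = {"password", "letmein", "welcome", "qwerty", "iloveyou"}  # constructed denylist


def composition_violations(password: str, username: str) -> List[str]:
    """Return the policy rules a proposed password breaks (empty = compliant).
    Runs once at change time; it is not keystroke monitoring."""
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    classes = [any(c.islower() for c in password),
               any(c.isupper() for c in password),
               any(c.isdigit() for c in password),
               any(c in string.punctuation for c in password)]
    if sum(classes) < MIN_CLASSES:
        violations.append(f"fewer than {MIN_CLASSES} character classes")
    if username and username.lower() in password.lower():
        violations.append("contains the user name")
    # Strip digits and punctuation so "Password123!" still hits the denylist.
    core = re.sub(r"[^a-z]", "", password.lower())
    if core in COMMON_PASSWORDS:
        violations.append("based on a common password")
    if re.search(r"(.)\1{3,}", password):
        violations.append("four or more repeated characters in a row")
    return violations


def usage_violations(last_changed: date, today: date) -> List[str]:
    """Usage check: flag a password that has exceeded the maximum age."""
    age = (today - last_changed).days
    if age > MAX_AGE_DAYS:
        return [f"password is {age} days old (max {MAX_AGE_DAYS})"]
    return []


def review_change_requests(requests: Dict[str, str]) -> Dict[str, List[str]]:
    """Apply the composition check to a set of user -> proposed password requests."""
    return {user: composition_violations(pw, user) for user, pw in requests.items()}


# Constructed change requests used to exercise the checks.
SAMPLE_REQUESTS = {
    "alice": "Tr0ub4dor&3-bluefish",   # compliant
    "bob": "bobbobbob1",               # short, two classes, contains user name
    "carol": "Password123!",           # denylisted core word
    "dave": "Aaaaaaaaaaaa1!",          # long run of one character
}

if __name__ == "__main__":
    for user, problems in review_change_requests(SAMPLE_REQUESTS).items():
        print(user, "->", problems or "ok")
    print("alice age:", usage_violations(date(2024, 1, 2), date(2024, 6, 30)))
```

The checks produce a per-user list of reasons rather than a bare pass/fail, which is what an auditor testing the control wants to see in the change log; the age check uses only the last-changed date, so it never needs the password itself.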