ISA 3.0 ICAI QUESTION BANK

Question explanation : The correct answer is B
When a breach is first discovered, in the containment phase, the Incident Response team after having gathered the information and gained an understanding of the incident, will begin to combat the threat by taking actions to prevent further damage, such as closing ports or blocking IPs. Hence Option B is the correct answer.

Question explanation: The correct answer is A
Incident response program can be broken down into four broad phases: (1) Preparation; (2) Detection and Analysis; (3) Containment, Eradication, and Recovery; and (4) Post- Event Activity. Hence Option A Prepare, Respond, and follow up, are in correct order. Options B, C and D are incomplete.

Question explanation : The correct answer is C
Without clear executive support, a SOC may be ineffective, and its value will not be realized. Creating an effective SOC requires support to establish a clear mandate for the SOC and a long-term strategy, and also a strong SOC leader to drive organizational change and develop a culture of security. The SOC leader shall take care of Risks and Quality.

Question explanation : The correct answer is A
Incident Response Management Program aims to manage the lifecycle of all Incidents (unplanned interruptions or reductions in quality of IT services). The primary objective of this program is to identify, assess, analyze, and correct the incidents to prevent a future re-occurrence and to make available the IT service to users as quickly as possible.

Question explanation : The correct answer is B
A Security Operation Centre (SOC) is a centralized function within an organization employing people, processes, and technology to continuously monitor and improve an organization's security posture while preventing, detecting, analyzing, and responding to security incidents. Reporting is not the part of SOC.

Question explanation : The correct answer is A
An organization's computer security incident response team (CSIRT) should disseminate recent threats, security guidelines and security updates to the users to assist them in understanding the security risk of errors and omissions. However, this introduces the risk that the users may use this information to launch attacks, directly or
indirectly. An IS auditor should ensure that the CSIRT is actively involved with users to assist them in mitigation of risk arising from security failures and to prevent additional security incidents resulting from the same threat. Option B Forwarding the security alert is not harmful to the organization. Option C Implementing individual solutions is unlikely and inefficient, but not a serious risk. Option D Users failing to understand the threat would not be a serious concern.

Question explanation : The correct answer is B
A privileged user with some knowledge on the internal structure of the SIEM data can easily delete logs, backdate logs, or modify existing logs. Hashing log files or log entries and storing the hash on disk for future verification ensuring integrity and completeness of the logs. For encryption, signing and time stamping you need a well-managed public key infrastructure (PKI) with secure hardware storage for keys.

Question explanation: The correct answer is D
Normalization is a database design technique that organizes tables in a manner that reduces redundancy and dependency of data. Normalization divides larger tables into smaller tables and links them using relationships. Option D is not part of SIEM applications.

Question explanation: The correct answer is C
SIEM is defined as a complex set of technologies to provide real-time event collection, monitoring, correlating, and analyzing events across disparate sources, making it easier to monitor and troubleshoot IT infrastructure in real time. An Agent is third party tool for supporting devices. Options A, B and D are part of SIEM tools.

Question explanation: The correct answer is D
Log correlation is about constructing rules that look for sequences and patterns in log events that are not visible in the individual log sources. The basic function of an SIEM is to correlate logs online and perform analysis that would otherwise be done by repetitive human analysis.

Question explanation: The correct answer is B.
An IS auditor must review the change management process, including patch management procedures, and verify that the process has adequate controls and make suggestions accordingly. The other choices are part of a good change management process but are not an IS auditor's responsibility.

Question explanation: The correct answer is D
Given the extensiveness of the patch and its interfaces to external systems, system testing is most appropriate. System testing will test all the functionality and interfaces between modules. Option A Stress testing relates to capacity and availability and does not apply in these circumstances. Option B Black box testing would be performed on the individual modules, but the entire system should be tested because more than one module was changed. Option C Interface testing would test the interaction with external systems, but would not validate the performance of the changed system.

Question explanation : The correct answer is C
It is isolation not insulation. A transaction in a database should be designed in such a way that, it satisfies ACID property. A is Atomicity, C is Consistency, I is Isolation and D is Durability. This means that, when a programmer or DA defines a transaction (such as Insert or Update), it should be defined in such a way that it will satisfy the ACID test i.e. the transaction will be atomic (not divisible further), when completed it will keep the database in consistent state, it will be isolated while it is executing and it will be written on a persistent (permanent) storage such as secondary storage.

Question explanation: The correct answer is A
Normalization is a database design technique that organizes tables in a manner that reduces redundancy and dependency of data. Normalization divides larger tables into smaller tables and links them using relationships. The purpose of Normalization is to eliminate redundant (useless) data and ensure data is stored logically. The main idea with this is that a table should be about a specific topic and only supporting topics included. By limiting a table to one purpose you reduce the number of duplicate data contained within your database. This eliminates some issues stemming from database modifications.

Question explanation: The correct answer is D
Foreign key. Primary key does not represent relation, it is the same key in another table and represents relation with table where it is the primary key.

Question explanation: The correct answer is A
Tuple. Record is called tuple. Choice B, C and D does not represent a record. Choice B is many rows and not a single row.

Question explanation: The correct answer is A
A system downtime log provides information regarding the effectiveness and adequacy of computer preventive maintenance programs. The log is a detective control, but because it is validating the effectiveness of the maintenance program, it is validating a preventive control. Option B Vendor’s reliability figures are not an effective measure of a preventive maintenance program. Option C Reviewing the log is a good detective
control to ensure that maintenance is being done; however, only the system downtime will indicate whether the preventive maintenance is actually working well. Option D A schedule is a good control to ensure that maintenance is scheduled and that no items are missed in the maintenance schedule; however, it is not a guarantee that the work is actually being done.

Question explanation: The correct answer is D
Referential integrity in a relational database refers to consistency between linked tables. Referential integrity is usually enforced by the combination of a primary key and a foreign key. For referential integrity to hold, any field in a table that is declared a foreign key should contain only values from a parent table’s primary key. Option A Field definitions describe the layout of the table, but are not directly related to referential integrity. Option B Master table definition describes the structure of the database, but is not directly related to referential integrity. Option C Composite keys describe how the keys are created, but are not directly related to referential integrity.

Question explanation: The correct answer is A
Integration testing is a level of software testing where individual units are combined and tested as a group. The purpose of this level of testing is to expose faults in the interaction between integrated units. Option B is module testing, while C is complete system testing and Option D is testing of internal logic as well.

Question explanation: The correct answer is C

Acceptance testing is a testing technique performed to determine whether or not the software system has met the requirement specifications. The main purpose of this test is to evaluate the system's compliance with the business requirements and verify if it is has met the required criteria for delivery to end users. Choices A, B and D are not the focus of acceptance testing.

Question explanation: The correct answer is B
Atomicity is either a complete transaction or a failed transaction. It does not permit transient stage or partially complete transactions. Choice A, C and D are not correct.

Question explanation: The correct answer is B
Projects receive multiple change requests and these must be evaluated by the change control board. A change control board is a group of individuals responsible for reviewing and analyzing change requests and recommending or making decisions on requested changes to the baselined work. Poor change control can significantly impact the project in terms of scope, cost, time, risk, and benefits. Choice A, C and D do not have
authority to approve or reject major changes.

Question explanation: The correct answer is B
Version Control. Choice A and cCare steps before version control

Question explanation: The correct answer is B
Level 0, because it is self-service. Choice A, C and D are those, where help desk operator would help the user.

Question explanation: The correct answer is C
Asset Management is a process used to keep track of the equipment and inventory vital to day-to-day operation of the business. Asset management requirements should be aligned with the business objectives. Choice A and B may assist in selection of an appropriate system based on the needs of the organization but are not top priority requirements.

Question explanation: The correct answer is D
Software Configuration Management is defined as a process to systematically manage, organize, and control the changes in the software programs, documents, codes, and other entities during the Software Development Life Cycle. Any change in the software configuration Items will affect the final product. Therefore, changes to configuration items need to be controlled and managed. Hence all the options are important.

Question explanation: The correct answer is C
Auditors certainly will question if they find that users have greater privileges than they need to perform their jobs, but the real risk is that a disgruntled user could abuse their elevated privileges, so C is the right answer and not A, B and D.

Question explanation: The correct answer is A
The principle of least privilege is the practice of limiting access rights for users to the bare minimum permissions they need to perform their work. The users are granted permission to read, write or execute only the files or resources they need to do their jobs, or restricting access rights for applications, systems, processes and devices to only those permissions required to perform authorized activities. Enforcing least privilege plays a key role in limiting (containing) the damage that malicious users may cause. Choice B, C and D do not indicate the principle of least privilege.

Question explanation: The correct answer is D
Without understanding what logging capabilities, the organization has (or doesn't have) and what information is needed from those logs, it's impossible to implement an effective log management program. Choice A, B and C may help in selection of the vendor but are not the starting points.

Question explanation: The correct answer is D
Log management systems provide insight into a variety of incidents / issues with systems and devices, as well as being a compliance requirement under many regulations. For all of the above reasons, log management is a necessity for enterprise security.

Question explanation: The correct answer is D.
Personally, identifiable information (PII) is any information about an individual that can be used to distinguish or trace an individual's identity, such as name, PAN, Aadhaar Number, date and place of birth, mother's maiden name, or biometric records. The HRM System stores PII of all employee data. Choices A, B, C do not store or process employee personal information, they have operations or transaction data.

Question explanation : The correct answer is A.
Operational level manager is the lowest level of manager and engaged in day-to-day activities, which require detailed information. Hence the decision-making environment is required to be structured. For administrative and top management, the decision-making environment is semi structured and unstructured respectively.

Question explanation: The correct answer is C
Management should ensure that all information assets (data and systems) have an appointed owner who makes decisions about classification and access rights. System owners typically delegate day-to-day custodianship to the systems delivery / operations group and security responsibilities to a security administrator. Owners, however, remain accountable for the maintenance of appropriate security measures.

Question explanation: The correct answer is B
When individuals serve multiple roles, this represents a separation of duties problem and is associated with risk. Security administrators should not be system programmers, due to the associated rights of both functions. A person with both security and programming rights could do almost anything on a system. The other combinations of roles are valid from a separation of duties perspective. Ideally, network administrators should not be responsible for quality assurance because they could approve their own work. However, that is not as serious as the combination of security and programming, which would allow nearly unlimited abuse of privilege. In some distributed environments, especially with small staffing levels, users may also manage security. While a database administrator is a very privileged position and it would not be in conflict with the role of a systems analyst.

Question explanation : The correct answer is A
The main challenge while choosing outsourcing data processing is data confidentiality. Companies feel comfortable in sharing data, only with employees whom they trust or who are bounded by the contractual commitments to keep the data undisclosed. Majority of the outsourcing firms sign a strict non disclosure agreement with the companies which assures that the data would be kept confidential and any breach on
the agreement would be punishable under the law. Choices B and D are advantages of outsourcing. Data integrity is the overall completeness, accuracy and consistency of data. Data integrity although very important but does not pose a greater challenge than data confidentiality.

Question explanation: The correct answer is D.

The data owner has the ability to create, edit, modify, share and restrict access to the data. Data ownership also defines the data owner’s ability to assign, share or surrender all of these privileges to a third party. The IT Department acts as the Data Custodian, responsible for the safe custody, transport, storage of the data and implementation of business rules. System Owner is a person or department having responsibility for the
development, procurement, integration, modification, operation and maintenance, and/or final disposition of an information system. Process Owner is a person, who is accountable for the performance of the process and manages the process on a daily basis.

Question explanation: The correct answer is B.
Agility is the organization's ability to quickly or proactively react to technological changes. Choices A, C, and D are based on the need of the organization and not necessarily due to change in technology or the environment in which the organization operates.

Question explanation: The correct answer is A.
E-learning is a learning environment which uses information and communication technologies (ICT's) as a platform for teaching and learning activities. Rest of the trainings require in person attendance and cannot be done from the office desk.

Question explanation: The correct answer is C
Approval of the Policy is responsibility of the Governing Board of the organization. All other options are the functions of the HRM.

Question explanation: The correct answer is C
An Acceptable use policy is a set of rules applied by the owner, creator or administrator of a network, website, or service, that restrict the ways in which the network, website or system may be used and sets guidelines as to how it should be used. It must be abided by all employees of the organization. Choices A, B, and D are not common to all policies.