ISA 3.0 ICAI QUESTION BANK

Question explanation : D is correct answer. Worms are self-executable. Rest of the options use system resources for execution of malicious codes.

Question explanation : D is correct answer. Social engineering attack is attack on human and hence no technology can prevent it. Awareness training best prevents it.

Question explanation : A is correct answer. Most web application attacks like SQL injection can be prevented by validating input, which can reject the attackers input that can exploit vulnerability. Encryption may or may not prevent an attack. Penetration test shall provide input on vulnerability that must be closed. Access controls may prevent some attacks.

Question explanation : B is correct answer. It is most essential to get consent from affected asset owners before performing test, so that they can ensure that operations are not affected. Maintaining secrecy shall depend upon type of test. Report must be kept confidential and accessed only by select few. Test generally is performed when it will have least impact, but is not most important.

Question explanation : C is correct answer. Intrusion detection detects the possible intrusion attempt. It does not prevent or corrects it. It is a control implemented using technology.

Question explanation : C is correct answer. Primary function of SOC is to collect and monitor logs based on identified rules. It also defines correlation between various logs and identifies possible incidents, which are communicated to respective asset owners. A is role of security manager; B and D are roles of network team.

Question explanation : B is correct answer. Checksum is a type of hash that is used to check integrity of data after communication. It is different that parity bit that adds an extra bit for each byte and word.

Question explanation : B is correct answer. Network segmentation or zoning is first control to implement network security. Other controls depend upon segmentation.

Question explanation : C is correct answer. Message digest is a hash function that helps in confirming integrity
of data communicated over network.

Question explanation : A is correct answer. Other methods are active attacks on network after getting information about networks.

Question explanation : C is correct answer. Primary objective of implementing access controls is to restrict access to authorized people. Fixing accountability of actions is the primary objective of audit trail. Others are means to implement access controls not objectives.

Question explanation : D is correct answer. In Social engineering attacks, the weakest link is unsuspecting human user. Attacker uses techniques to compel users to reveal passwords and other confidential information. For example, in Phishing. Other options are technology-based attacks and can be detected or controlled.

Question explanation : A is correct answer. Strength of one-time password is that it is active for short time, if user does not login during that time the one-time password expires. One-time password is unique for each session and user; however, it is not a strength. It can be communicated by suitable means.

Question explanation : C is correct answer. Review of log for password configuration may disclose the compliance of policy because policy is configured in the system through password configuration. This may also detect unwarranted changes made by a malicious user (who obtains administrative access) in the password configuration. However, option A and D may provide assurance for compliance of password policy configurations in the system, not the policy itself. Option D is not relevant.

Question explanation : D is correct answer. Periodic user access review helps in ensuring that all users have appropriate level of accesses. This happens due to changes in internal environment like role, emergency, resignation and retiring of employees. In such situations sometimes revocation of accesses is missed out, which can be corrected during review.

Question explanation : B is correct answer. Password sharing by user is most difficult to get evidence for or detect. Others can be monitored or enforced using technology.

Question explanation : C is correct answer. Single point of failure is a major concern. One password if compromised, all accesses for that user are available to perpetrator.

Question explanation : B is correct answer. Mandatory accesses are those controls that are to be applied uniformly across organization and are defined by information security policy. D is discretionary access controls. B and C generally do not specify such requirements.

Question explanation : A is correct answer. Identification of user is first and primary requirement of granting access. Next will be authentication method to be established and finally finding authorization levels based on role that also addresses need to know.

Question explanation : D is correct answer. The three factors are what a user knows (PIN, Password, and Passphrase), what user possesses (Access card, Token) and what unique characteristics of user (Biometric). Use of any two factors for authentication is called two factors. Option A, B and C use only one factor.

Question explanation : A is the correct answer. Mobile devices can be connected to servers, resulting in unauthorized changes. Other concerns are secondary.

Question explanation: D is the correct answer. Top floor and basement have risk of seepage and flooding. Ground floor has risk of easy attack.

Question explanation: B is the correct answer. Best policy is to keep door open and appoint guard temporarily for monitoring accesses. Keeping doors locked shall be a problem in evacuation in case of emergency. Finding root cause can be done independently. Arranging Battery backup after power failure is not right policy.

Question explanation: C is the correct answer. High humidity can cause corrosion, and low humidity can cause excessive static electricity. Static electricity can short out devices or cause loss of information.

Question explanation: D is the correct answer. Automated environmental controls must be tested periodically by expert and provide report on effective performance of equipment. Simulated tests may not be possible for all controls. AMC is a contract; periodic testing is performance of contract.

Question explanation: B is the correct answer. False positive is a concern in biometric access security as it results in unauthorized access. Other option does not result in unauthorized access.

Question explanation: A is the correct answer. Human guard makes decisions and can address visitor’s requirement and direct them appropriately. Others are supplementary functions.

Question explanation: A is the correct answer. Primary purpose of all types of physical access control is to prevent unauthorized entry. Other objectives are secondary.

Question explanation: A is the correct answer. Unmanned data center requires strong physical access controls and environmental access controls too. However most essential are strong access controls. B, C and D are inappropriate controls. Halon is environmentally hazardous gas.

Question explanation: C is the correct answer. Life safety takes precedence. Although other answers are important steps human life always is a priority.

Question explanation: B is the correct answer. Training users on how to classify information as per definition provided in classification schema shall best help users in classifying the information. A. Number of classes shall depend upon organization’s objectives. C and D are performed after classification of information.

Question explanation: C is the correct answer. It helps in assessing the risks associated and determine the protection level i.e. class of information. A, B and C are determined based on classification.

Question explanation: C is the correct answer. Primary purpose of information classification is to provide appropriate level of protection to information assets. Options A, B and D are the secondary with respect to information classification.

Question explanation: B is the correct answer. Policy exceptions are temporary and must be reviewed and closed as per defined plan. Increased number of exceptions indicates that the policy provisions may not be appropriate and hence need to be reviewed. Other options are not concerning.

Question explanation: D is the correct answer. Without senior management’s support, information security cannot have a success. Senior management is involved many activities in effective information security initiative. Reviewing progress of information security in monthly meeting is one of them. Other options may or may not indicate unless there is more evidence to conclude.

Question explanation: C is the correct answer. Changes in environment introduce new risks. In order to address them it is necessary to review the information security policy based on assessment of new risks. Other options are secondary reasons.

Question explanation: C is the correct answer. Integrity primarily refers to reliability that is achieved by implementing controls to ensure accuracy and completeness of data.

Question explanation: C is the correct answer. Acceptable use policy that address the use of information assets by users is most common in all organizations that depends upon IT. Policies in other option depend upon organization’s use of BYOD or Encryption or Biometric.

Question explanation: B is the correct answer. Policies are vehicle to communicate management’s intent to all stakeholders. Information security practices are aligned with business objectives and not with the strategy. Information security policies are defined as outcome of risk assessment. Compliance with standard is not primary function of policies.

Question explanation: A is the correct answer. The primary objective of information security management is to provide adequate level of protection to information security assets.

Question explanation: A is the correct answer. Expressing IT risk in business terms i.e. as impact on business will help business in understating relevance of IT risks. Business impact analysis may be useful however, it may or may not help depending upon scope of project. Making chief risk officer accountable may help but best is A. Aligning IT strategy with business strategy shall help in defining better IT plan, but it is at higher level.

Question explanation: B is the correct answer. Accepted risk is where controls are not implemented is part of residual risk; Inherent risk is total risk before implementing controls. Current risk is residual risk at a point in time during control implementation.

Question explanation: D is the correct answer. Risk monitoring refers to review of identified and assed risks based on changes, incidents, and periodically. Other options are part of risk management framework.

Question explanation: C is the correct answer. Vendor decides to stop supporting existing software changes the market situation that will affect organization, since it has to take decision on replacing application. Release of new application though changes market; it may not affect the organization immediately as the organization may not need to take action. Options A and D are internal decisions and will be done after risk assessment and hence these are not risk factors.

Question explanation: B is the correct answer. Risk owner is primarily accountable for deciding and implementing on nature of controls. Generally, risk owner is process owner. Chief risk office guides risk owner, IT head is responsible for responding to risk owned by IT head. Although board of directors is ultimately accountable, for specific risk, risk owners are responsible.

Question explanation: C is the correct answer. Main use of risk register is to develop risk profile of the organization for management’s review and enable risk informed decisions.

Question explanation: A is the correct answer. It is the definition of risk appetite. Risk tolerance is capacity to tolerate down time due to risk materialization. Risk acceptance and risk mitigation are risk response decision based on risk appetite.

Question explanation: B is the correct answer. BY shifting location, the business has avoided the risk associated with Tsunami.

Question explanation: C is the correct answer. Of the four main risk response options accept, avoid, mitigate and transfer, Insurance cover is a risk response option of risk transfer.

Question explanation:  B is the correct answer. Other options i.e. location of asset, existing vulnerabilities in asset shall be covered during risk assessments. Inventory of threats only will not help; impact due to threat must be assessed.