Which of the following would an IS auditor consider a weakness when performing an audit of an organization that uses a public key infrastructure (PKI) with digital certificates for its business-to-consumer transactions via the Internet?
A. Customers are widely dispersed geographically, but the certificate authorities (CAs) are not.
B. Customers can make their transactions from any computer or mobile device.
C. The CA has several data processing subcenters to administer certificates.
D. The organization is the owner of the CA.
- 1 Answers
- 2933 Views
- I also Faced
- E-Mail Answers
Answer / heather chatterjee
D is the Correct Answer.
A. It is common to use a single certificate authority (CA). They do not need to be geographically dispersed.
B. The use of public key infrastructure (PKI) and certificates allows flexible secure communications from many devices.
C. The CA will often have redundancy and failover capabilities to alternate data centers.
D. If the CA belongs to the same organization, this would pose a risk. The management of a CA must be based on trusted and secure procedures. If the organization has not set in place the controls to manage the registration, distribution and revocation of certificates this could lead to a compromise of the certificates and loss of trust.
| Is This Answer Correct ? | 5 Yes | 0 No |
One of the purposes of library control software is to allow: A. programmers access to production source and object libraries. B. batch program updating. C. operators to update the control library with the production version before testing is completed. D. read-only access to source code.
To reduce the possibility of losing data during processing, the FIRST point at which control totals should be implemented is: A. during data preparation. B. in transit to the computer. C. between related computer runs. D. during the return of the data to the user department.
When using public key encryption to secure data being transmitted across a network: A. both the key used to encrypt and decrypt the data are public. B. the key used to encrypt is private, but the key used to decrypt the data is public. C. the key used to encrypt is public, but the key used to decrypt the data is private. D. both the key used to encrypt and decrypt the data are private.
With reference to the risk management process, which of the following statements is correct? A. Vulnerabilities can be exploited by a threat. B. Vulnerabilities are events with the potential to cause harm to IS resources. C. Vulnerability exists because of threats associated with use of information resources. D. Lack of user knowledge is an example of a threat.
During an audit of a reciprocal disaster recovery agreement between two companies, the IS auditor would be PRIMARILY concerned about: A. the soundness of the impact analysis. B. hardware and software compatibility. C. differences in IS policies and procedures. D. frequency of system testing.
Good quality software is BEST achieved: A. through thorough testing. B. by finding and quickly correcting programming errors. C. determining the amount of testing by the available time and budget. D. by applying well-defined processes and structured reviews throughout the project.
During a review of a business continuity plan, an IS auditor noticed that the point at which a situation is declared to be a crisis has not been defined. The MAJOR risk associated with this is that: A. assessment of the situation may be delayed. B. execution of the disaster recovery plan could be impacted. C. notification of the teams might not occur. D. potential crisis recognition might be delayed.
A LAN administrator normally would be restricted from: A. having end-user responsibilities. B. reporting to the end-user manager. C. having programming responsibilities. D. being responsible for LAN security administration.
What type of transmission requires modems? A. Encrypted B. Digital C. Analog D. Modulated
Which of the following reports should an IS auditor use to check compliance with a service level agreement (SLA) requirement for uptime? A. Utilization reports B. Hardware error reports C. System logs D. Availability reports
Which of the following is necessary to have FIRST in the development of a business continuity plan? A. Risk-based classification of systems B. Inventory of all assets C. Complete documentation of all disasters D. Availability of hardware and software
Which of the following is a substantive test?
Cisco Certifications 
