Accounting Information Systems, 13e (Romney/Steinbart)
Chapter 8 Controls for Information Security
8.1 Explain how information security affects information systems reliability.
1) The Trust Services Framework reliability principle that states that users must be able to enter,
update, and retrieve data during agreed-upon times is known as
A) availability.
B) security.
C) maintainability.
D) integrity.
Answer: A
Objective: Learning Objective 1
Difficulty: Easy
AACSB: Analytic
2) According to the Trust Services Framework, the reliability principle of integrity is achieved
when the system produces data that
A) is available for operation and use at times set forth by agreement.
B) is protected against unauthorized physical and logical access.
C) can be maintained as required without affecting system availability, security, and integrity.
D) is complete, accurate, and valid.
Answer: D
Objective: Learning Objective 1
Difficulty: Easy
AACSB: Analytic
3) Kuzman Jovan called a meeting of the top management at Jovan Capital Management.
Number one on the agenda was computer system security. "The risk of security breach incidents
has become unacceptable," he said, and turned to the Chief Information Officer. "What do you
intend to do?" Which of the following is the best answer?
A) Evaluate and modify the system using COBOL.
B) Evaluate and modify the system using the CTC checklist.
C) Evaluate and modify the system using the Trust Services framework.
D) Evaluate and modify the system using the COSO Internal Control Framework.
Answer: C
Objective: Learning Objective 1
Difficulty: Moderate
AACSB: Analytic
Copyright © 2015 Pearson Education, Inc.
4) Which of the following is not one of the three fundamental information security concepts?
A) Information security is a technology issue based on prevention.
B) Security is a management issue, not a technology issue.
C) The idea of defense-in-depth employs multiple layers of controls.
D) The time-based model of security focuses on the relationship between preventive, detective
and corrective controls.
Answer: A
Objective: Learning Objective 1
Difficulty: Easy
AACSB: Analytic
5) Which of the following is not one of the essential criteria for successfully implementing each
of the principles that contribute to systems reliability, as discussed in the Trust Services
Framework?
A) developing and documenting policies
B) effectively communicating policies to all outsiders
C) designing and employing appropriate control procedures to implement policies
D) monitoring the system and taking corrective action to maintain compliance with policies
Answer: B
Objective: Learning Objective 1
Difficulty: Easy
AACSB: Analytic
6) If the time an attacker takes to break through the organization's preventive controls is greater
than the sum of the time required to detect the attack and the time required to respond to the
attack, then security is
A) effective.
B) ineffective.
C) overdone.
D) undermanaged.
Answer: A
Objective: Learning Objective 1
Difficulty: Moderate
AACSB: Analytic
7) It was 8:03 A.M. when Jiao Jan, the Network Administrator for South Asian Technologies,
was informed that the intrusion detection system had identified an ongoing attempt to breach
network security. By the time that Jiao had identified and blocked the attack, the hacker had
accessed and downloaded several files from the company's server. Using the notation for the
time-based model of security, in this case
A) D > P
B) P > D
C) P > C
D) C > P
Answer: A
Objective: Learning Objective 1
Difficulty: Difficult
AACSB: Analytic
8) There are "white hat" hackers and "black hat" hackers. Cowboy451 was one of the "black hat"
hackers. He had researched an exploit and determined that he could penetrate the target system,
download a file containing valuable data, and cover his tracks in eight minutes. Six minutes into
the attack he was locked out of the system. Using the notation of the time-based model of
security, which of the following must be true?
A) P < 6
B) D = 6
C) P = 6
D) P > 6
Answer: D
Objective: Learning Objective 1
Difficulty: Difficult
AACSB: Analytic
9) Identify a party below who was involved with developing the Trust Services Framework.
A) FASB
B) United States Congress
C) AICPA
D) IMA
Answer: C
Objective: Learning Objective 1
Difficulty: Moderate
AACSB: Analytic
10) Information security procedures protect information integrity by
A) preventing fictitious transactions.
B) reducing the system cost.
C) making the system more efficient.
D) making it impossible for unauthorized users to access the system.
Answer: A
Objective: Learning Objective 1
Difficulty: Moderate
AACSB: Analytic
11) Identify one aspect of systems reliability that is not a source of concern with regard to a
public cloud.
A) confidentiality
B) privacy
C) efficiency
D) availability
Answer: C
Objective: Learning Objective 1
Difficulty: Moderate
AACSB: Analytic
12) Identify the primary means of protecting data stored in a cloud from unauthorized access.
A) authentication
B) authorization
C) virtualization
D) securitization
Answer: A
Objective: Learning Objective 1
Difficulty: Moderate
AACSB: Analytic
13) Virtualization refers to the ability of
A) running multiple systems simultaneously on one physical computer.
B) eliminating the need for a physical computer.
C) using the Internet to perform all needed system functions.
D) using web-based security to protect an organization.
Answer: A
Objective: Learning Objective 1
Difficulty: Moderate
AACSB: Analytic
14) True or False: Cloud computing can potentially generate significant cost savings for an
organization.
Answer: TRUE
Objective: Learning Objective 1
Difficulty: Easy
AACSB: Analytic
15) True or False: Cloud computing is generally more secure than traditional computing.
Answer: FALSE
Objective: Learning Objective 1
Difficulty: Easy
AACSB: Analytic
16) The Trust Services Framework reliability principle that states sensitive information be
protected from unauthorized disclosure is known as
A) availability.
B) security.
C) confidentiality.
D) integrity.
Answer: C
Objective: Learning Objective 1
Difficulty: Moderate
AACSB: Analytic
17) The Trust Services Framework reliability principle that states personal information should be
protected from unauthorized disclosure is known as
A) availability.
B) security.
C) privacy.
D) integrity.
Answer: C
Objective: Learning Objective 1
Difficulty: Moderate
AACSB: Analytic
18) The Trust Services Framework reliability principle that states access to the system and its
data should be controlled and restricted to legitimate users is known as
A) availability.
B) security.
C) privacy.
D) integrity.
Answer: B
Objective: Learning Objective 1
Difficulty: Moderate
AACSB: Analytic
8.2 Discuss how a combination of preventive, detective, and corrective controls can be
employed to provide reasonable assurance about the security of an organization's information
system.
1) Identify the statement below which is not a useful control procedure regarding access to
system outputs.
A) restricting access to rooms with printers
B) coding reports to reflect their importance
C) allowing visitors to move through the building without supervision
D) requiring employees to log out of applications when leaving their desk
Answer: C
Objective: Learning Objective 2
Difficulty: Easy
AACSB: Analytic
2) Verifying the identity of the person or device attempting to access the system is an example of
A) authentication.
B) authorization.
C) identification.
D) threat monitoring.
Answer: A
Objective: Learning Objective 2
Difficulty: Easy
AACSB: Analytic
3) Restricting access of users to specific portions of the system, as well as to specific tasks, is an
example of
A) authentication.
B) authorization.
C) identification.
D) threat monitoring.
Answer: B
Objective: Learning Objective 2
Difficulty: Easy
AACSB: Analytic
4) ________ is/are an example of a preventive control.
A) Emergency response teams
B) Encryption
C) Log analysis
D) Intrusion detection
Answer: B
Objective: Learning Objective 2
Difficulty: Easy
AACSB: Analytic
5) ________ is/are an example of a detective control.
A) Physical access controls
B) Encryption
C) Emergency response teams
D) Log analysis
Answer: D
Objective: Learning Objective 2
Difficulty: Easy
AACSB: Analytic
6) Which of the following is an example of a corrective control?
A) physical access controls
B) encryption
C) intrusion detection
D) incident response teams
Answer: D
Objective: Learning Objective 2
Difficulty: Easy
AACSB: Analytic
7) Which of the following is not a requirement of effective passwords?
A) Passwords should be changed at regular intervals.
B) Passwords should be no more than 8 characters in length.
C) Passwords should contain a mixture of upper and lowercase letters, numbers and characters.
D) Passwords should not be words found in dictionaries.
Answer: B
Objective: Learning Objective 2
Difficulty: Easy
AACSB: Analytic
8) Multi-factor authentication
A) involves the use of two or more basic authentication methods.
B) is a table specifying which portions of the systems users are permitted to access.
C) provides weaker authentication than the use of effective passwords.
D) requires the use of more than one effective password.
Answer: A
Objective: Learning Objective 2
Difficulty: Moderate
AACSB: Analytic
9) Identify the best description of an access control matrix below.
A) does not have to be updated
B) is used to implement authentication controls
C) matches the user's authentication credentials to his authorization
D) is a table specifying which portions of the system users are permitted to access
Answer: D
Objective: Learning Objective 2
Difficulty: Easy
AACSB: Analytic
10) Perimeter defense is an example of which of the following preventive controls that are
necessary to provide adequate security?
A) training
B) controlling physical access
C) controlling remote access
D) host and application hardening
Answer: C
Objective: Learning Objective 2
Difficulty: Easy
AACSB: Analytic
11) Which of the following preventive controls are necessary to provide adequate security for
social engineering threats?
A) controlling remote access
B) encryption
C) host and application hardening
D) awareness training
Answer: D
Objective: Learning Objective 2
Difficulty: Easy
AACSB: Analytic
12) A special purpose hardware device or software running on a general purpose computer,
which filters information that is allowed to enter and leave the organization's information system,
is known as a(n)
A) demilitarized zone.
B) intrusion detection system.
C) intrusion prevention system.
D) firewall.
Answer: D
Objective: Learning Objective 2
Difficulty: Easy
AACSB: Analytic
13) This protocol specifies the procedures for dividing files and documents into packets to be
sent over the Internet.
A) access control list
B) Internet protocol
C) packet switching protocol
D) transmission control protocol
Answer: D
Objective: Learning Objective 2
Difficulty: Easy
AACSB: Analytic
14) This protocol specifies the structure of packets sent over the internet and the route to get
them to the proper destination.
A) access control list
B) Internet protocol
C) packet switching protocol
D) transmission control protocol
Answer: B
Objective: Learning Objective 2
Difficulty: Easy
AACSB: Analytic
15) This network access control determines which IP packets are allowed entry to a network and
which are dropped.
A) access control list
B) deep packet inspection
C) stateful packet filtering
D) static packet filtering
Answer: A
Objective: Learning Objective 2
Difficulty: Moderate
AACSB: Analytic
16) Compatibility tests utilize a(n) ________, which is a list of authorized users, programs, and
data files the users are authorized to access or manipulate.
A) validity test
B) biometric matrix
C) logical control matrix
D) access control matrix
Answer: D
Objective: Learning Objective 2
Difficulty: Easy
AACSB: Analytic
17) The process that screens individual IP packets based solely on the contents of the source
and/or destination fields in the packet header is known as
A) access control list.
B) deep packet inspection.
C) stateful packet filtering.
D) static packet filtering.
Answer: D
Objective: Learning Objective 2
Difficulty: Moderate
AACSB: Analytic
18) The process of maintaining a table listing all established connections between the
organization's computers and the internet to determine whether an incoming packet is part of an
ongoing communication initiated by an internal computer is known as
A) stateful packet filtering.
B) deep packet inspection.
C) access control list.
D) static packet filtering.
Answer: A
Objective: Learning Objective 2
Difficulty: Moderate
AACSB: Analytic
19) The process that allows a firewall to be more effective by examining the data in the body of
an IP packet, instead of just the header, is known as
A) deep packet inspection.
B) stateful packet filtering.
C) static packet filtering.
D) an intrusion prevention system.
Answer: A
Objective: Learning Objective 2
Difficulty: Moderate
AACSB: Analytic
20) The security technology that evaluates IP packet traffic patterns in order to identify attacks
against a system is known as
A) an intrusion prevention system.
B) stateful packet filtering.
C) static packet filtering.
D) deep packet inspection.
Answer: A
Objective: Learning Objective 2
Difficulty: Moderate
AACSB: Analytic
21) This is used to identify rogue modems (or by hackers to identify targets).
A) war chalking
B) war dialing
C) war driving
D) none of the above
Answer: B
Objective: Learning Objective 2
Difficulty: Easy
AACSB: Analytic
22) The process of turning off unnecessary features in the system is known as
A) deep packet inspection.
B) hardening.
C) intrusion detection.
D) war dialing.
Answer: B
Objective: Learning Objective 2
Difficulty: Easy
AACSB: Analytic
23) The most common input-related vulnerability is
A) buffer overflow attack.
B) hardening.
C) war dialing.
D) encryption.
Answer: A
Objective: Learning Objective 2
Difficulty: Easy
AACSB: Analytic
24) Which of the below keeps a record of the network traffic permitted to pass through a
firewall?
A) intrusion detection system
B) vulnerability scan
C) log analysis
D) penetration test
Answer: A
Objective: Learning Objective 2
Difficulty: Moderate
AACSB: Analytic
25) The process that uses automated tools to identify whether a system possesses any well-known security problems is known as a(n)
A) intrusion detection system.
B) log analysis.
C) penetration test.
D) vulnerability scan.
Answer: D
Objective: Learning Objective 2
Difficulty: Moderate
AACSB: Analytic
26) This is an authorized attempt by an internal audit team or an external security consultant to
attempt to break into the organization's information system.
A) log analysis
B) intrusion detection system
C) penetration test
D) vulnerability scan
Answer: C
Objective: Learning Objective 2
Difficulty: Moderate
AACSB: Analytic
27) A well-known hacker started his own computer security consulting business shortly after
being released from prison. Many companies pay him to attempt to gain unauthorized access to
their network. If he is successful, he offers advice as to how to design and implement better
controls. What is the name of the testing for which the hacker is being paid?
A) penetration test
B) vulnerability scan
C) deep packet inspection
D) buffer overflow test
Answer: A
Objective: Learning Objective 2
Difficulty: Moderate
AACSB: Analytic
28) The ________ disseminates information about fraud, errors, breaches and other improper
system uses and their consequences.
A) chief information officer
B) chief operations officer
C) chief security officer
D) computer emergency response team
Answer: C
Objective: Learning Objective 2
Difficulty: Moderate
AACSB: Analytic
29) In 2007, a major U.S. financial institution hired a security firm to attempt to compromise its
computer network. A week later, the firm reported that it had successfully entered the system
without apparent detection and presented an analysis of the vulnerabilities that had been found.
This is an example of a
A) preventive control.
B) detective control.
C) corrective control.
D) standard control.
Answer: B
Objective: Learning Objective 2
Difficulty: Easy
AACSB: Analytic
30) Which of the following is commonly true of the default settings for most commercially
available wireless access points?
A) The security level is set at the factory and cannot be changed.
B) Wireless access points present little danger of vulnerability so security is not a concern.
C) Security is set to the lowest level that the device is capable of.
D) Security is set to the highest level that the device is capable of.
Answer: C
Objective: Learning Objective 2
Difficulty: Moderate
AACSB: Analytic
31) In recent years, many of the attacks carried out by hackers have relied on this type of
vulnerability in computer software.
A) code mastication
B) boot sector corruption
C) weak authentication
D) buffer overflow
Answer: D
Objective: Learning Objective 2
Difficulty: Easy
AACSB: Analytic
32) Noseybook is a social networking site that boasts over a million registered users and a
quarterly membership growth rate in the double digits. As a consequence, the size of the
information technology department has been growing very rapidly, with many new hires. Each
employee is provided with a name badge with a photo and embedded computer chip that is used
to gain entry to the facility. This is an example of a(n)
A) authentication control.
B) biometric device.
C) remote access control.
D) authorization control.
Answer: A
Objective: Learning Objective 2
Difficulty: Easy
AACSB: Analytic
33) When new employees are hired by Pacific Technologies, they are assigned user names and
appropriate permissions are entered into the information system's access control matrix. This is
an example of a(n)
A) authentication control.
B) biometric device.
C) remote access control.
D) authorization control.
Answer: D
Objective: Learning Objective 2
Difficulty: Easy
AACSB: Analytic
34) When new employees are hired by Pacific Technologies, they are assigned user names and
passwords and provided with laptop computers that have an integrated fingerprint reader. In
order to log in, the user's fingerprint must be recognized by the reader. This is an example of a(n)
A) authorization control.
B) biometric device.
C) remote access control.
D) defense in depth.
Answer: B
Objective: Learning Objective 2
Difficulty: Easy
AACSB: Analytic
35) Information technology managers are often in a bind when a new exploit is discovered in the
wild. They can respond by updating the affected software or hardware with new code provided
by the manufacturer, which runs the risk that a flaw in the update will break the system. Or they
can wait until the new code has been extensively tested, but that runs the risk that they will be
compromised by the exploit during the testing period. Dealing with these issues is referred to as
A) change management.
B) hardening.
C) patch management.
D) defense in depth.
Answer: C
Objective: Learning Objective 2
Difficulty: Moderate
AACSB: Analytic
36) The most effective method for protecting an organization from social engineering attacks is
providing
A) a firewall.
B) stateful packet filtering.
C) a demilitarized zone.
D) employee awareness training.
Answer: D
Objective: Learning Objective 2
Difficulty: Moderate
AACSB: Analytic
37) The most effective way to protect network resources that are exposed to the internet, yet
reside outside of a network is
A) a firewall.
B) employee training.
C) a demilitarized zone.
D) stateful packet filtering.
Answer: C
Objective: Learning Objective 2
Difficulty: Moderate
AACSB: Analytic
38) All employees of E.C. Hoxy are required to pass through a gate and present their photo
identification cards to the guard before they are admitted. Entry to secure areas, such as the
Information Technology Department offices, requires further procedures. This is an example of
a(n)
A) authentication control.
B) authorization control.
C) physical access control.
D) hardening procedure.
Answer: C
Objective: Learning Objective 2
Difficulty: Easy
AACSB: Analytic
39) On April 1, 2012, students enrolled in an economics course at Harvard University received
an e-mail stating that class would be cancelled. The e-mail claimed to be from the professor, but
it wasn't. Computer forensic experts determined that the e-mail was sent from a computer in one
of the campus labs at 6:32 A.M. They were then able to uniquely identify the computer that was
used by means of its network interface card's ________ address. Security cameras revealed the
identity of the student responsible for spoofing the class.
A) IDS
B) TCP/IP
C) MAC
D) DMZ
Answer: C
Objective: Learning Objective 2
Difficulty: Difficult
AACSB: Analytic
40) Identify three ways users can be authenticated and give an example of each.
Answer: Users can be authenticated by verifying: 1. something they know (password); 2.
something they have (smart card or ID badge); 3. something they are (biometric identification of
a fingerprint).
Objective: Learning Objective 2
Difficulty: Moderate
AACSB: Analytic
41) Describe four requirements of effective passwords.
Answer: 1. Strong passwords should be at least 8 characters. 2. Passwords should use a mixture
of upper and lowercase letters, numbers and characters. 3. Passwords should be random and not
words found in dictionaries. 4. Passwords should be changed frequently.
Objective: Learning Objective 2
Difficulty: Easy
AACSB: Analytic
42) Explain social engineering.
Answer: Social engineering attacks use deception to obtain unauthorized access to information
resources, such as attackers who pose as a janitor or as a legitimate system user. Employees must
be trained not to divulge passwords or other information about their accounts to anyone who
contacts them and claims to be part of the organization's security team.
Objective: Learning Objective 2
Difficulty: Moderate
AACSB: Analytic
43) Explain the value of penetration testing.
Answer: Penetration testing involves an authorized attempt by an internal audit team or an
external security consultant to break into the organization's information system. This type of
service is provided by risk management specialists in all the Big Four accounting firms. These
specialists spend more than half of their time on security matters. The team attempts to
compromise the system using every means possible. With a combination of systems technology
skills and social engineering, these teams often find weaknesses in systems that were believed to
be secure.
Objective: Learning Objective 2
Difficulty: Moderate
AACSB: Reflective Thinking
44) Describe the function of a computer incident response team (CIRT) and the steps that a CIRT
should perform following a security incident.
Answer: A CIRT is responsible for dealing with major security incidents and breaches. The
team should include technical specialists and senior operations management. In response to a
security incident, first the CIRT must recognize that a problem exists. Log analysis and intrusion
detection systems can be used to detect problems and alert the CIRT. Second, the problem must
be contained, perhaps by shutting down a server or curtailing traffic on the network. Third, the
CIRT must focus on recovery. Corrupt programs may need to be reinstalled and data restored
from backups. Finally, the CIRT must follow up to discover how the incident occurred and to
design corrective controls to prevent similar incidents in the future.
Objective: Learning Objective 2
Difficulty: Moderate
AACSB: Analytic
45) Identify six physical access controls.
Answer: Require visitors to sign in and receive a visitor badge before being escorted by an
employee; require employees to wear photo ID badges that are checked by security guards;
physical locks and keys; storing documents and electronic media in a fire-proof safe or cabinet;
restrict or prohibit cell phones, iPods and other portable devices; set screen savers to start after a
few minutes of inactivity; set computers to lock keyboards after a few minutes of inactivity;
utilize screen protection devices; use biometric devices to authorize access to spaces and
equipment; attach and lock laptops to immobile objects; utilize magnetic or chip cards to
authorize access to spaces and equipment; limit or prohibit windows and glass walls in sensitive
areas.
Objective: Learning Objective 2
Difficulty: Moderate
AACSB: Analytic
46) A border router
A) routes electronic communications within an organization.
B) connects an organization's information system to the Internet.
C) permits controlled access from the Internet to selected resources.
D) serves as the main firewall.
Answer: B
Objective: Learning Objective 2
Difficulty: Moderate
AACSB: Analytic
47) A demilitarized zone
A) routes electronic communications within an organization.
B) connects an organization's information system to the Internet.
C) permits controlled access from the Internet to selected resources.
D) serves as the main firewall.
Answer: C
Objective: Learning Objective 2
Difficulty: Moderate
AACSB: Analytic
48) Describe what information security process the term hardening refers to.
Answer: Hardening is the process of modifying the default configuration of a system to
eliminate unnecessary settings and services.
Objective: Learning Objective 2
Difficulty: Moderate
AACSB: Analytic
49) Describe what a man-trap is and how it contributes to information security.
Answer: A man-trap is a specially designed room to trap unauthorized individuals. Typically, a
man-trap room contains two doors. Entry through the first door requires the person to insert an ID
card and enter a password. Successful authentication opens the first door, permitting the individual
into the room. Once inside the room, the door closes and locks behind the individual. Then, the
individual must successfully pass a second set of authentication controls that typically includes a
biometric credential. Failure to pass results in the individual being trapped in the room.
Objective: Learning Objective 2
Difficulty: Difficult
AACSB: Reflective Thinking
50) Why does COBIT5 DSS-05.06 stress the importance of restricting physical access to
network printers?
A) because hackers can use them to print out sensitive information
B) because hackers often hide inside large network printers until night
C) because document images are often stored on network printers
D) because network printers are easier to hack into than computers
Answer: C
Objective: Learning Objective 2
Difficulty: Moderate
AACSB: Analytic
51) The most important element of any preventive control is
A) the people.
B) the performance.
C) the procedure(s).
D) the penalty.
Answer: A
Objective: Learning Objective 2
Difficulty: Easy
AACSB: Analytic