4. Risk management

a. 1 and 2

b. 1 and 3

c. 3 and 4

d. 1, 2, 3, and 4

231. d. Microsoft, for example, has achieved a trustworthy cloud computing infrastructure by earning the International Organization for Standardization/International Society of Electrochemistry 27001:2005 (ISO/IEC 27001:2005) certification and American Institute of Certified Public Accountants/Statement on Auditing Standards (AICPA/SAS) 70 Type I and Type II attestation. The Type I attestation report states that the information systems at the service organization used for processing user transactions are suitably designed with internal controls to achieve the related control objectives. The Type II attestation report states that the internal controls at the service organization are properly designed and operating effectively. These two accomplishments, certification and attestation, were combined with security training, adequate and effective security controls, continuous review and management of risks, and rapid response to security incidents and legal requests.

232. Which of the following is the true purpose of “ping” in cellular wireless technologies?

a. The pinging tells the filters on the network.

b. The pinging tells the frequencies of the network.

c. The pinging tells the location of a phone user.

d. The pinging tells the troubles on the network.

232. c. To monitor the state of the network and to respond quickly when calls are made, the main cellular controlling switch periodically “pings” all cellular telephones. This pinging lets the switch know which users are in the area and where in the network the telephone is located. This information can be used to give a rough idea of the location of the phone user to help catch the fraud perpetrator. Vehicle location service is an application of the ping technology. The other three choices are not true.

233. Telecommuting from home requires special considerations to ensure integrity and confidentiality of data stored and used at home. Which of the following is not an effective control?

a. Employee accountability

b. Removable hard drives

c. Storage encryption

d. Communications encryption

233. a. In addition to risks to internal corporate systems and data in transit, telecommuting from home raises other concerns related to whether employees are using their own computers or using computers supplied to them by the organization. Other members of the employee’s household may want to use the computer used for telecommuting. Children, spouses, or other household members may inadvertently corrupt files, introduce viruses, or snoop. Therefore, employee accountability is difficult to monitor or enforce.

The other three choices provide effective controls. Removable hard drives are incorrect because, when corporate data is stored on them, they reduce the risk: being removable, they can be taken out of the computer and stored away safely. Storage encryption and communications encryption are incorrect because they both provide confidentiality of data, during its storage and in transit respectively.

234. Secure remote procedure call (RPC) uses which of the following algorithms?

a. DES

b. DH

c. 3DES

d. IDEA

234. b. Secure remote procedure call (RPC) uses the Diffie-Hellman (DH) key generation method. Under this method, each user has a private/public key pair. Secure RPC does not use the other three choices.

235. In secure remote procedure call (RPC), which of the following provides the public and private keys to servers and clients?

a. Users

b. Clients

c. Servers

d. Authentication servers

235. d. The principals involved in the secure remote procedure call (RPC) authentication system are the users, clients, servers, and the authentication server. The authentication server provides the public and private keys to servers and clients.

236. The screened subnet firewall acts as which of the following?

a. Fast packet network

b. Digital network

c. Perimeter network

d. Broadband network

236. c. The screened subnet firewall acts as a perimeter network. If there is an attack on the firewall, the attacker is restricted to the perimeter (external) network and therefore is not attacking the internal network.

237. Which of the following are examples of security boundary access controls?

a. Patches and probes

b. Fences and firewalls

c. Tags and labels

d. Encryption and smart cards
