Explanation: Middleware, a class of software employed by client-server applications,provides services, such as identification, authentication, directories andsecurity. It facilitates client-server connections over the network and allowsclient applications to access and update remote databases and mainframe files.Firmware consists of memory chips with embedded program code that hold their contentwhen the power is turned off. X.25 interface is the interface between dataterminal equipment and data circuit terminating equipment for terminalsoperating in the packet mode on some public data networks. Utilities are systemsoftware used to perform system maintenance and routines that are requiredduring normal processing, such as sorting or backup.

Explanation: The lack of adequate security controls represents a vulnerability, exposing sensitive information and data to the risk of malicious damage, attack or unauthorized access by hackers, resulting in loss of sensitive information, which could lead to the loss of goodwill for the organization. A succinct definition of risk is provided by the Guidelines for the Management of IT Security published by the International Organization for Standardization (ISO), which defines risk as the potential that a given threat will exploit the vulnerability of an asset or group of assets to cause loss or damage to the assets. The various elements of the definition are vulnerability, threat, asset and impact. Lack of adequate security functionality in this context is a vulnerability.

Explanation: The first step of the review of the software quality management process should be to determine the evaluation criteria in the form of standards adopted by the organization. The evaluation of how well the organization follows their own standards cannot be performed until the IS auditor has determined what standards exist. The other items listed�verifying how well standards are being followed, identifying relevant controls and reviewing the quality metrics�are secondary to the identification of standards.

Explanation: Defense in-depth means using different security mechanisms that back up each other. When network traffic passes the firewall unintentionally, the logical access controls form a second line of defense. Using two firewalls of different vendors to consecutively check the incoming network traffic is an example of diversity in defense. The firewalls are the same security mechanisms. By using two different products the probability of both products having the same vulnerabilities is diminished. Having no physical signs on the outside of a computer center building is a single security measure. Using two firewalls in parallel to check different types of incoming traffic is a single security mechanism and therefore no different than having a single firewall checking all traffic.

Explanation: Worms are destructive programs that may destroy data or utilize tremendous computer and communication resources. Trojan horses can capture and transmit private information to the attacker's computer. Trapdoors are exits out of an authorized program. Vaccines are programs designed to detect computer viruses.

Explanation: If there are significant security issues identified by an IS auditor, the first question is whether the security requirements were correct in the project plan. While it is important for programmers to understand security, it is more important that the security requirements were properly stated in the project plan. System administrators may have made changes to the controls, but it is assumed that the auditor is reviewing the system as designed—meaning that the deployed system meets the requirements that were specified. It is possible that security requirements will change over time based on new threats or vulnerabilities, but if critical controls are missing, this points toward a faulty design that was based on incomplete requirements.

Explanation: The goals of IT governance are to improve IT performance, to deliver optimum business value and to ensure regulatory compliance. The key practice in support of these goals is the strategic alignment of IT with the business. To achieve alignment, all other choices need to be tied to business practices and strategies.

Explanation: Security administration procedures require write access to access control tables to manage and update the privileges according to authorized business requirements. Security administration procedures require read-only access to security log files to ensure that, once generated, the logs are not modified. Logs provide evidence and track suspicious transactions and activities. Logging options require write access to allow the administrator to update the way the transactions and user activities are monitored, captured, stored, processed and reported. The security administrator is often responsible for user-facing issues such as managing user roles, profiles and settings. This requires the administrator to have more than read-only access.

Explanation: Feasibility study-A feasibility study describes the key alternative courses of action that will satisfy the business and functional requirements of a project, including an evaluation of the technological and economic feasibility. However, the final UAT happens after the feasibility study and therefore is of greater value. UAT-UAT ensures that business process owners and IT stakeholders evaluate the outcome of the testing process to ensure that business requirements are met. The postimplementation review occurs after the implementation. The implementation plan formally defines expectations and performance measurement, and the effective recovery in the event of implementation failure. It does not ensure that business requirements are met.

Explanation: The most important element of an SLA is the measurable terms of performance, such as uptime agreements. While all of the choices are important, payment terms, indemnification and default resolution are typically included in the master agreement rather than in the SLA.

Explanation: To be effective, an information security policy should reach all members of the staff. Storing the security policy offsite or in a safe place may be desirable, but is of little value if its contents are not known to the organization's employees. The information security policy should be written by business unit managers including, but not exclusively, IS managers. Updating the information security policy is important but will not assure its dissemination.

Explanation: Deletion of transaction data files should be a function of the application support team, not operations staff. Read access to production data is a normal requirement of a computer operator, as is logged access to programs and access to JCL to control job execution.

Explanation: Throughput measures how much work is done by a system over a period of time; it measures the productivity of the system. In an online transaction processing system, transactions per second is a throughput index. Response time is defined as the length of time that elapsed between submission of an input and receipt of the first character of output in an online system. Turnaround time is the length of time that elapsed between submission of a job and receipt of a completed output. It is a measure of timeliness in a batch system. The percentage of time that the system is available for processing is called uptime or a reliability index; thus, this is not the correct answer.

Explanation: A randomly generated PSK is stronger than a MAC-based PSK, because the MAC address of a computer is fixed and often accessible. WEP has been shown to be a very weak encryption technique and can be cracked within minutes. The SSID is broadcast on the wireless network in plaintext.

Explanation: In a cost-benefit analysis, the total expected purchase and operational/support costs and a qualitative value for all actions are weighted against the total expected benefits in order to choose the best technical, most profitable, least expensive, or acceptable risk option. The ALE is the expected monetary loss that is estimated for an asset over a one-year period. It is a useful calculation that should be included in determining the necessity of controls, but is not sufficient alone. The cost of the hardware assets should be compared to the total value of the information that the asset protects, including the cost of the systems where the data reside and across which data are transmitted. Potential business impact is only one part of the cost-benefit analysis.