Question
31. In what type of attack does the attacker send unauthorized commands directly to a database? A. Cross-site scripting B. SQL injection C. Cross-site request forgery D. Database dumping
32. Ricky is reviewing security logs to independently assess security controls. Which security review process is Ricky engaging in? A. Monitor B. Audit C. Improve D. Secure
33. Christopher is designing a security policy for his organization. He would like to use an approach that allows a reasonable list of activities but does not allow other activities. Which permission level is he planning to use? A. Promiscuous B. Permissive C. Prudent D. Paranoid
34. Jacob is conducting an audit of the security controls at an organization as an independent reviewer. Which question would NOT be part of his audit? A. Is the level of security control suitable for the risk it addresses? B. Is the security control in the right place and working well? C. Is the security control effective in addressing the risk it was designed to address? D. Is the security control likely to become obsolete in the near future?
35. Which item is an auditor least likely to review during a system controls audit? A. Resumes of system administrators B. Incident records C. Application logs D. Penetration test results
36. Which audit data collection method helps ensure that the information-gathering process covers all relevant areas? A. Checklist B. Interviews C. Questionnaires D. Observation
37. Curtis is conducting an audit of an identity management system. Which question is NOT likely to be in the scope of his audit? A. Does the organization have an effective password policy? B. Does the firewall properly block unsolicited network connection attempts? C. Who grants approval for access requests? D. Is the password policy uniformly enforced?
38. What information should an auditor share with the client during an exit interview? A. Draft copy of the audit report B. Final copy of the audit report C. Details on major issues D. The auditor should not share any information with the client at this phase
39. What type of security monitoring tool would be most likely to identify an unauthorized change to a computer system? A. Network IDS B. System integrity monitoring C. CCTV D. Data loss prevention
40. When should an organization's managers have an opportunity to respond to the findings in an audit? A. Managers should write a report after receiving the final audit report. B. Managers should include their responses to the draft audit report in the final audit report. C. Managers should not have an opportunity to respond to audit findings. D. Managers should write a letter to the Board following receipt of the audit report.
41. Which activity is an auditor least likely to conduct during the information-gathering phase of an audit? A. Vulnerability testing B. Report writing C. Penetration testing D. Configuration review
Step by Step Solution
Answer 31: SQL injection is a hacking technique which is used to hack a database using unauthorized commands. In this type of attack an attacker sends malicious SQL statements directly to the databas...