376 Appendix ■ Answers
58. C. The audit finding indicates that the backup administrator may not be monitoring backup logs and taking appropriate action based on what they report, thus resulting in potentially unusable backups. Issues with review, logging, or being aware of the success or failure of backups are less important than not having usable backups.

- C. ITIL, which originally stood for IT Infrastructure Library, is a set of practices for IT service management, and is not typically used for auditing. COBIT, or the Control Objectives for Information and Related Technology, ISO 27002, and SSAE-18, or the Statement on Standards for Attestation Engagements number 18, are all used for auditing.

- A. NIST SP 800-137 outlines the process for organizations that are establishing, implementing, and maintaining an ISCM as define, establish, implement, analyze and report, respond, review, and update. Prepare, detect and analyze, contain, respond, recover, report is an incident response plan, and the others do not match the NIST process.

- B. Lauren’s team is using regression testing, which is intended to prevent the recurrence of issues. This means that measuring the rate of defect recurrence is an appropriate measure for their work. Time to remediate vulnerabilities is associated with activities like patching, rather than preparing the patch, whereas a weighted risk trend is used to measure risk over time to an organization. Finally, specific coverage may be useful to determine if they are fully testing their effort, but regression testing is more specifically covered by defect recurrence rates.

- C. Static program reviews are typically performed by an automated tool. Program understanding, program comprehension, code review, software inspections, and software walkthroughs are all human-centric methods for reviewing code.

- A. In order to fully test code, a white box test is required. Without full visibility of the code, error conditions or other code could be missed, making a gray box or black box test an inappropriate solution. Using dynamic testing that runs against live code could also result in some conditions being missed due to sections of code not being exposed to typical usage.

- A. A test coverage report measures how many of the test cases have been completed and is used as a way to provide test metrics when using test cases. A penetration test report is provided when a penetration test is conducted—this is not a penetration test. A code coverage report covers how much of the code has been tested, and a line coverage report is a type of code coverage report.

- C. The changes from a testing environment with instrumentation inserted into the code and the production environment for the code can mask timing-related issues like race conditions. Bounds checking, input validation, and pointer manipulation are all related to coding issues rather than environmental issues and are more likely to be discoverable in a test environment.

- D. Once a vulnerability scanner identifies a potential problem, validation is necessary to verify that the issue exists. Reporting, patching, or other remediation actions can be conducted once the vulnerability has been confirmed.