
CISA Exam-Testing Concept-Biometrics (Domain-5)


Domain-5

Testing Concept-Biometrics-Risks & Controls

Hemang Doshi

CISA, ACA, DISA, FIII

Details about this E-Book:

The objective of this e-book is to ensure that CISA candidates get adequate knowledge of the concept of ‘Biometrics – Risks & Controls’. Concepts have been simplified for easy reference by CISA candidates.

Questions, Answers and Explanations (QAE) on the concept are designed in accordance with the CISA exam pattern.
What is Biometrics?

Biometrics refers to metrics related to human characteristics.

Biometric verification is any means by which a person can be uniquely identified by evaluating one or more distinguishing biological features.

Unique identifiers include palm, hand geometry, fingerprints, retina and iris patterns, voice waves and DNA.

Accuracy measures for Biometrics:

Biometrics-Attacks:
Point to remember for CISA Exam:

(1) The three main accuracy measures used for a biometric solution are:

(i) False-Acceptance Rate (FAR) (i.e. access given to an unauthorised person)

(ii) False-Rejection Rate (FRR) (i.e. access rejected for an authorised person)

(iii) Cross-Error Rate (CER) or Equal-Error Rate (EER) (i.e. the rate at which FAR is equal to FRR)

(2) FAR and FRR are inversely proportional. As a general rule, when FAR decreases, FRR increases, and vice versa. Similarly, if FRR decreases, FAR increases, and vice versa. The adjustment point where both errors are equal is known as the cross-error rate or equal-error rate.

(3) In any given scenario, the most important performance indicator for a biometric system is the false-acceptance rate (FAR).

(4) In any given scenario, the most important overall quantitative performance indicator for a biometric system is CER or EER.

(5) In any given scenario, ‘Retina Scan’ has the highest reliability and lowest false-acceptance rate (FAR) among the current biometric methods.
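The FAR/FRR trade-off and the CER/EER from points (1) to (4) above, worked through on constructed matcher scores. This is an added example and not part of the e-book; the score lists and the function names are assumptions, not values from any real device.

```python
# Added example, not from the e-book. Constructed matcher scores are used to
# compute FAR, FRR and the CER/EER as defined in the points above.

# Constructed sample data (not measurements from any real device). A matcher
# returns a similarity score; access is granted when score >= threshold.
# Genuine = enrolled user against own template; impostor = anyone else.
GENUINE_SCORES = [92, 88, 85, 81, 78, 74, 70, 66, 58, 52]
IMPOSTOR_SCORES = [68, 62, 57, 54, 50, 47, 44, 40, 36, 31]


def far(impostor_scores, threshold):
    """False-acceptance rate: share of impostor attempts that are accepted."""
    accepted = sum(1 for s in impostor_scores if s >= threshold)
    return accepted / len(impostor_scores)


def frr(genuine_scores, threshold):
    """False-rejection rate: share of genuine attempts that are rejected."""
    rejected = sum(1 for s in genuine_scores if s < threshold)
    return rejected / len(genuine_scores)


def error_curve(genuine_scores, impostor_scores):
    """(threshold, FAR, FRR) for every distinct score used as a threshold,
    in ascending threshold order. Moving down the list FAR falls and FRR
    rises: the inverse relationship from point (2)."""
    thresholds = sorted(set(genuine_scores) | set(impostor_scores))
    return [(t, far(impostor_scores, t), frr(genuine_scores, t))
            for t in thresholds]


def equal_error_rate(genuine_scores, impostor_scores):
    """Threshold at which FAR and FRR are closest, and the error rate there
    (the CER/EER from points (1) and (4))."""
    t, fa, fr = min(error_curve(genuine_scores, impostor_scores),
                    key=lambda row: abs(row[1] - row[2]))
    return t, (fa + fr) / 2


def threshold_for_far_ceiling(genuine_scores, impostor_scores, max_far):
    """High-security tuning per point (3): the lowest threshold whose FAR does
    not exceed max_far, together with the FRR paid for it. Returns None if no
    threshold satisfies the ceiling."""
    for t, fa, fr in error_curve(genuine_scores, impostor_scores):
        if fa <= max_far:
            return t, fa, fr
    return None


if __name__ == "__main__":
    for t, fa, fr in error_curve(GENUINE_SCORES, IMPOSTOR_SCORES):
        print(f"threshold {t:3d}: FAR {fa:.2f}  FRR {fr:.2f}")
    print("EER (threshold, rate):", equal_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES))
    print("FAR capped at 0:", threshold_for_far_ceiling(GENUINE_SCORES, IMPOSTOR_SCORES, 0.0))
```

On these constructed scores the EER is 0.2 at threshold 62, and driving FAR to zero (threshold 70) costs an FRR of 0.3, which is the trade-off the exam points describe.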

 

Question, Answer & Explanation on ‘Biometrics-Risks & Controls’ Concept:

The QAE below are solely on the above-mentioned concept. Questions have been designed as per the CISA exam pattern. Candidates are advised to attempt the questions below multiple times. More emphasis should be given to the explanation part for better understanding.

(1) An organisation is considering implementing a biometric access control for one of its critical systems. Among the biometrics mentioned below, which has the highest reliability and lowest false-acceptance rate (FAR)?

A. Fingerprints

B. Retina Scan

C. Face recognition

D. Voice recognition

Answer: B. Retina Scan

Explanation:

In any given scenario, ‘Retina Scan’ has the highest reliability and lowest false-acceptance rate (FAR) among the current biometric methods. A retinal scan is a biometric technique that uses the unique patterns of the blood vessels on a person’s retina. Due to its unique and unchanging nature, the retina appears to be the most precise and reliable biometric, aside from DNA. The National Center for State Courts estimates that retinal scanning has an error rate of one in ten million. This is highly reliable and has the lowest FAR among the current biometric methods.

(2) An organisation is considering implementing biometric access control for one of its critical systems. The auditor should be MOST concerned with which of the following?

A. False-Acceptance Rate (FAR)

B. False-Rejection Rate (FRR)

C. Equal Error Rate (EER)

D. Number of staff enrolled for biometrics.

Answer: A. False-Acceptance Rate (FAR)

Explanation:

FAR is the rate of acceptance of unauthorised persons, i.e. the biometric will allow an unauthorised person to access the system. In any given scenario, the most important performance indicator for a biometric system is the false-acceptance rate (FAR). This is a fail-unsafe condition, i.e., an unauthorized individual may be granted access. A low FAR is most desirable when the system is used to protect highly sensitive data. EER or CER is the best indicator when overall performance is to be evaluated.

(3) The best overall quantitative performance indicator for a biometric system is:

A. False-Acceptance Rate (FAR)

B. False-Rejection Rate (FRR)

C. Equal Error Rate (EER)

D. Number of staff enrolled for biometrics.

Answer: C. Equal Error Rate (EER)

Explanation:

In any given scenario, the most important overall quantitative performance indicator for a biometric system is CER or EER. A low EER is a combination of a low FRR and a low FAR. CER or EER is the rate at which FAR and FRR are equal. The most effective biometric control system is the one with the lowest CER or EER. A low FRR or a low FAR alone does not measure the overall efficiency of the device.

(4) An organisation is considering implementing a biometric access control for one of its critical systems. Among the biometrics mentioned below, the MOST effective biometric control system is the one:

A. with the highest equal-error rate (EER).

B. with the lowest equal-error rate (EER).

C. with the highest cross-error rate (CER).

D. which covers all the systems in the organisation.

Answer: B. with the lowest equal-error rate (EER).

Explanation:

CER or EER is the rate at which FAR and FRR are equal. The most effective biometric control system is the one with the lowest CER or EER. Options A and C are incorrect, as the biometric that has the highest EER or CER is the most ineffective. Option D is not correct, as not all systems may need to be covered by biometrics.

(5) Which of the following is a measure to ascertain the accuracy of a biometric system?

A. response time.

B. registration time.

C. verification time.

D. false-acceptance rate.

Answer: D. false-acceptance rate.

Explanation:

The three main accuracy measures used for a biometric solution are:

(i) False-Acceptance Rate (FAR),

(ii) False-Rejection Rate (FRR),

(iii) Cross-Error Rate (CER) or Equal-Error Rate (EER)

FAR is a measure of how often invalid individuals are accepted. The other choices are performance measures.

(6) An organization is evaluating the effectiveness of biometric systems for its extremely high security requirements. Which of the following performance indicators is MOST important?

A. False-acceptance rate (FAR)

B. Equal-error rate (EER)

C. False-rejection rate (FRR)

D. Fail to enrol rate (FER)

Answer: A. False-acceptance rate (FAR)

Explanation:

FAR is the rate of acceptance of unauthorised persons, i.e. the biometric will allow an unauthorised person to access the system. In any given scenario, the most important performance indicator for a biometric system is the false-acceptance rate (FAR). This is a fail-unsafe condition, i.e., an unauthorized individual may be granted access. A low FAR is most desirable when the system is used to protect highly sensitive data.

(7) Which of the following observations is the GREATEST concern to an auditor reviewing biometric controls for a critical system?

A. Access to the biometric scanner is provided through a virtual private network (VPN).

B. Biometric devices are not installed in a restricted area.

C. Data transferred between the biometric device and the access control system is not encrypted.

D. Risk analysis for the biometric control was conducted 2 years ago.

Answer: C. Data transferred between the biometric device and the access control system is not encrypted.

Explanation:

A. This is not a concern, as the VPN provides a secured environment.

B. This is a concern. However, the greatest concern should be the data transmitted without encryption.

C. Data transmitted between the biometric device and the access control system should use a securely encrypted tunnel to protect the confidentiality of the biometric data.

D. This is a concern. The biometric risk analysis should be done periodically, but the greatest concern should be the data transmitted without encryption.

(8) An IS auditor is evaluating the effectiveness of biometric systems for an extremely high-security environment. Which of the following stages should be reviewed first?

A. Storage

B. Enrollment

C. Identification

D. Termination

Answer: B. Enrollment

Explanation:

The biometric life cycle comprises the enrolment, transmission and storage, verification, identification and termination processes. The users of a biometric device must first be enrolled in the device. This occurs through an iterative process of acquiring a sample, extracting data from the sample, validating the sample and developing a final template that is stored and subsequently used to authenticate the user.

(9) An organisation is considering implementing access control for one of its critical systems. Among the control measures mentioned below, the MOST effective control is:

A. Token based PIN

B. Iris Scan

C. Photo Identification

D. Password

Answer: B. Iris Scan

Explanation:

Among all the controls, an iris scan can be considered the most reliable. Fraudsters find it very difficult to bypass biometric controls. Since no two irises are alike, identification and verification can be done with confidence. The other options are not as strong as an iris scan.

(10) An organisation is considering implementing access control for one of its critical systems. Among the control measures mentioned below, the MOST effective control is:

A. Cipher lock

B. Fingerprint scanner

C. Photo Identification

D. Electronic door lock

Answer: B. Fingerprint scanner

Explanation:

Among all the controls, a fingerprint scanner can be considered the most reliable. Fraudsters find it very difficult to bypass biometric controls. A fingerprint is harder to duplicate, easier to deactivate and individually identifiable. Since no two fingerprints are alike (with very rare exceptions), identification and verification can be done with confidence. The other options are not as strong as a fingerprint scanner.

(11) In which of the following attacks is residual biometric information used to gain unauthorized access?

A. Mimic

B. Brute-force

C. Cryptographic

D. Replay

Answer: D. Replay

Explanation:

In a replay attack, a residual biometric characteristic (for example, fingerprints left on a biometric device) is used by an attacker to gain unauthorized access.

In a mimic attack, the attacker attempts to fake biometric characteristics similar to those of the enrolled user, such as by imitating a voice.

A brute-force attack involves sending numerous different biometric samples to a biometric device.

A cryptographic attack targets the algorithm or the encrypted data transmitted between the biometric device and the access control system.

(12) In which of the following attacks does the attacker reproduce characteristics similar to those of the enrolled user?

A. Mimic

B. Brute-force

C. Cryptographic

D. Replay

Answer: A. Mimic

Explanation:

In a mimic attack, the attacker attempts to fake biometric characteristics similar to those of the enrolled user, such as by imitating a voice.

A brute-force attack involves sending numerous different biometric samples to a biometric device.

A cryptographic attack targets the algorithm or the encrypted data transmitted between the biometric device and the access control system.

In a replay attack, a residual biometric characteristic (for example, fingerprints left on a biometric device) is used by an attacker to gain unauthorized access.

(13) Which of the following attacks targets the algorithm or the encrypted data transmitted between the biometric device and the access control system?

A. Mimic

B. Brute-force

C. Cryptographic

D. Replay

Answer: C. Cryptographic

Explanation:

A cryptographic attack targets the algorithm or the encrypted data transmitted between the biometric device and the access control system.

In a mimic attack, the attacker attempts to fake biometric characteristics similar to those of the enrolled user, such as by imitating a voice.

A brute-force attack involves sending numerous different biometric samples to a biometric device.

In a replay attack, a residual biometric characteristic (for example, fingerprints left on a biometric device) is used by an attacker to gain unauthorized access.

(14) Which of the following attacks involves sending numerous different biometric samples to a biometric device?

A. Mimic

B. Brute-force

C. Cryptographic

D. Replay

Answer: B. Brute-force

Explanation:

A brute-force attack involves sending numerous different biometric samples to a biometric device.

In a mimic attack, the attacker attempts to fake biometric characteristics similar to those of the enrolled user, such as by imitating a voice.

In a replay attack, a residual biometric characteristic (for example, fingerprints left on a biometric device) is used by an attacker to gain unauthorized access.

A cryptographic attack targets the algorithm or the encrypted data transmitted between the biometric device and the access control system.

(15) An organisation is considering implementing access control for all PCs that access critical data. This will:

A. completely eliminate the risk of false acceptance, i.e. unauthorised access will be eliminated completely.

B. require enrollment of all users that access the critical data.

C. require the fingerprint reader to be controlled by a separate password.

D. provide assurance that unauthorized access will be impossible.

Answer: B. require enrollment of all users that access the critical data.

Explanation:

Setting up any new biometric process requires enrollment of all users for whom access is to be provided. The fingerprints of accredited users need to be read, identified and recorded, i.e., registered, before a user may operate the system from the screened PCs. Choice A is incorrect, as the risk of false acceptance cannot be eliminated. The risk of a biometric device may be optimized, but will never be zero, because this would imply an unacceptably high risk of false rejection. Choice C is incorrect, as the fingerprint reader does not need to be protected in itself by a password. Choice D is incorrect because the usage of biometric protection on PCs does not provide assurance that unauthorized access will be impossible.

Other CISA Exam Study Material

Domain 1

Steps of Risk Assessment
https://www.youtube.com/watch?v=F2j8xhPaFTg
https://www.Shakespir.com/books/view/622303

Types of Risk
https://www.youtube.com/watch?v=FvuvARXcjss

Compliance & Substantive Testing
https://youtu.be/3-u2mpIZzW8
https://www.Shakespir.com/books/view/625599

Difference between Inherent Risk & Residual Risk
https://www.youtube.com/watch?v=72kv6yOpXEI

Difference between Vulnerability & Threat
https://www.youtube.com/watch?v=6KxEbth2Ziw

Audit Charter
https://www.youtube.com/watch?v=rbCJ3ceDuso
https://www.Shakespir.com/books/view/633923

COBIT-5
https://youtu.be/WfwjpDdBqr4

Internal Controls
https://youtu.be/RuX2hLnm3vY

Control Self Assessment (CSA)
https://youtu.be/cGcMmt-03as
https://www.Shakespir.com/books/view/658967

Sampling
https://youtu.be/Ynif7SqvkvM
https://www.Shakespir.com/books/view/661847

Domain 2

Outsourcing Functions
https://youtu.be/vQsX6ZQSDXk

IT Strategy Committee & IT Steering Committee
https://youtu.be/Za9VMrSe094

IT Alignment with Business Objectives
https://www.youtube.com/watch?v=FEsP2LXSF9U
https://www.Shakespir.com/books/view/633047

IT Balanced Score Card
https://youtu.be/tvNAvAL9ZIg
https://www.Shakespir.com/books/view/639816

Roles of various functions of IT
https://youtu.be/UMDZrfp1W2Q
https://www.Shakespir.com/books/view/645822

Domain 3

Online Auditing Techniques
https://www.youtube.com/watch?v=HmGFIJlLu-4
https://www.Shakespir.com/books/view/637926

Parity-Checksum-CRC
https://youtu.be/Y14jVvOKqaU
https://www.Shakespir.com/books/view/656262

Check Digit
https://youtu.be/VH2yd3A6bMc
https://www.Shakespir.com/books/view/656262

PERT-CPM-Gantt Chart-FPA-EVA-Timebox
https://youtu.be/zYZYvcr_-3M
https://www.Shakespir.com/books/view/666753

Domain 4

Recovery Time Objective (RTO) and Recovery Point Objective (RPO)
https://youtu.be/2rDusGnW9qw
https://www.Shakespir.com/books/view/646456

Alternate Recovery Site
https://youtu.be/jCpcqaazkY4
https://www.Shakespir.com/books/view/647476

Domain 5

Digital Signature
https://youtu.be/_N3jisd1Vis
https://www.Shakespir.com/books/view/648923

Wireless (Wi-Fi) Security
https://youtu.be/csbd_V9PknI
https://www.Shakespir.com/books/view/651918

Firewall Types
https://youtu.be/x650kcv6Mfk
https://www.Shakespir.com/books/view/654726

Firewall Implementation
https://youtu.be/lltKNTdjg4Y
https://www.Shakespir.com/books/view/654726

Logical Access
https://www.Shakespir.com/books/view/630325

Classification of Information Assets
https://youtu.be/z7MwD8_ayCs
https://www.Shakespir.com/books/view/669437

Asymmetric Encryption
https://www.Shakespir.com/books/view/674900
https://youtu.be/mCM6dyQ_KmQ

Elements of Public Key Infrastructure
https://www.Shakespir.com/books/view/679445
https://youtu.be/ZqVciCzS3ng

  • ISBN: 9781370199747
  • Author: Hemang Doshi
  • Published: 2016-11-25 21:35:09
  • Words: 2207