Auditing Ch. 1 and 2
What does the CIRT do?
(Computer Incident Response Team) CIRTs collect/analyze a large amount of network-derived data, likely exceeding the sorts of data collected by traditional security systems.
What are the Risk Management Framework steps?
1. Categorizing the information system, based on data and potential impact
2. Selecting a baseline set of controls based on the previous categorization
3. Implementing and documenting the security controls
4. Assessing the security controls to ensure they are producing the desired results
5. Authorizing the operation of the information system based on an acceptable level of risk
6. Monitoring the security controls continuously
4 NIST 800-53A provides _____________
A guide for assessing security controls
NIST SP 800-53A
A set of procedures for conducting assessments: Assessing the Security Controls in Federal Information Systems and Organizations
1 Which of the following acknowledges the importance of sound information security practices and controls in the interest of national security? A. FISMA B. GLBA C. HIPAA D. FACTA E. FERPA
A. FISMA
10 Which regulatory department is responsible for the enforcement of HIPAA laws? A. HHS B. FDA C. US Department of Agriculture D. US EPA E. FTC
A. HHS
4 Which of the following organizations was tasked to develop and prescribe standards and guidelines that apply to federal information systems? A. NIST B. FISMA C. Congress D. PCI SSC E. U.S. Department of the Navy
A. NIST
Children's Internet Protection Act (CIPA)
Attempts to prevent children from being exposed to explicit content at schools and libraries
Audit vs Assessment?
Audit: Independent, concerned about past results, Pass/fail, places blame, negative consequences; Assessment: identifies gaps to improve, nonattributive
13 While the Family Educational Rights and Privacy Act prohibits the use of Social Security numbers as directory information, the act does permit the use of the last four digits of the SSN. A. True B. False
B. False
14 PCI DSS is a legislative act enacted by Congress to ensure that merchants meet baseline security requirements for how they store, process, and transmit payment card data. A. True B. False
B. False
6 SOX explicitly addresses the IT security controls required to ensure accurate financial reporting. A. True B. False
B. False
11 Which one of the following is not one of the safeguards provided within the HIPAA Security Rule? A. Administration B. Operational C. Technical D. Physical
B. Operational
6 Which of the following is an assessment method that attempts to bypass controls and gain access to a specific system by simulating the actions of a would-be attacker? A. Policy review B. Penetration Test C. Standards Review D. Controls audit E. Vulnerability Scan
B. Penetration Test
5 What section of Sarbanes-Oxley requires management and the external auditor to report on the accuracy of internal controls over financial reporting? A. Section 301 B. Section 404 C. Section 802 D. Section 1107
B. Section 404
12 In accordance with the Children's Internet Privacy Act, who determines what is considered inappropriate material? A. FCC B. US Department of Education C. The local communities D. US Department of Interior Library E. State governments
C. The local communities
2 What organization was tasked to develop standards that apply to federal information systems using a risk-based approach? A. Public Entity Risk Institute B. International Organisation for Standardization C. National Institute of Standards and Technology D. International Standards Organization E. American National Standards Institute
C. National Institute of Standards and Technology
NSM vs. CM (Continuous Monitoring)
CM is vulnerability-centric, focusing on configuration and software weaknesses; NSM is threat-centric, meaning adversaries are the focus of the NSM operation.
13 Noncompliance with regulatory standards may result in which of the following? A. Brand damage B. Fines C. Imprisonment D. All of the above E. B and C only
D. All of the above
8 Which of the following best describes an audit used to determine if a Fortune 500 health care company is adhering to SOX and HIPAA regulations? A. IT audit B. Operational audit C. Compliance audit D. Financial audit E. Investigative audit
D. Financial audit
9 Which one of the following is not considered a principal part of the Gramm-Leach-Bliley Act? A. Financial Privacy Rule B. Pretexting provisions C. Safeguards Rule D. Information Security Rule
D. Information Security rule
5 Which one of the following is not a method used for conducting an assessment of security controls? A. Examine B. Interview C. Test D. Remediate
D. Remediate
7 Which of the following was established to have oversight of public accounting firms and is responsible for defining the process of SOX compliance audits? A. COSO B. Enron C. PCAOB D. SOX E. None of the above
D. SOX
10 Compliance initiatives typically are efforts around all except which one of the following? A. To adhere to internal policies and standards B. To adhere to regulatory requirements C. To adhere to industry standards and best practices D. To adhere to an auditor's recommendation
D. To adhere to an auditor's recommendation
14 Which of the following companies engaged in fraudulent activity and subsequently filed for bankruptcy? A. Worldcom B. Enron C. TJX D. All of the above E. A and B only
E. A and B only
15 To comply with the Red Flags Rule, financial institutions and creditors must do which of the following? A. Identify red flags for covered accounts B. Detect red flags C. Respond to detected red flags D. Update the program periodically E. All of the above F. Answers B and C only
E. All of the above
8 Which of the following is not one of the titles within SOX? A. Corporate Responsibility B. Enhanced Financial Disclosures C. Analyst Conflicts of Interest D. Studies and Reports E. Auditor Conflicts of Interest
E. Auditor conflicts of interest
12 Which one of the following is true with regard to audits and assessments? A. Assessments typically result in a pass/fail grade, whereas audits result in a list of recommendations to improve controls B. Assessments are attributive and audits are not C. An audit is typically a precursor to an assessment D. An audit may be conducted independently of an organization, whereas internal IT staff always conducts an IT security assessment E. Audits can result in blame being placed upon an individual
E. Audits can result in blame being placed upon an individual
11 At all levels of an organization, compliance is closely related to which of the following? A. Governance B. Risk Management C. Government D. Risk Assessment E. Both A and B F. Both C and D
E. Both A and B
Certification and accreditation help do what?
Ensure that a process for auditing before production is in place (FISMA), that security controls are properly implemented, and that risk is mitigated
Red Flags Rule
Establishes procedures for the identification of possible instances of identity theft (Fair and Accurate Credit Transactions Act)
1 A security assessment is a method for proving the strength of security systems. A. True B. False
B. False
What key laws apply to DoD?
Paperwork Reduction Act of 1995, Clinger-Cohen Act of 1996 (improves acquisition/use of fed IT resources), E-Government Act of 2002 (improves management of electronic services)
What rules does HIPAA have?
Privacy rule (PHI protection) and security rule (CIA protection)
Sarbanes-Oxley (SOX) Act
Protects investors by requiring accuracy and reliability in corporate disclosures, new standards for corporate accountability
Gramm-Leach-Bliley Act (GLBA)
Protects personal financial information held by financial institutions based on three privacy principles: Financial Privacy Rule, Safeguards Rule, pretexting provisions
Health Insurance Portability and Accountability Act of 1996 (HIPAA)
Protects the privacy and security of certain health information
Children's Online Privacy Protection Act (COPPA)
Requires websites and other online services aimed at children under 13 years of age to comply by getting consent from parents before collecting information
Family Educational Rights and Privacy Act (FERPA)
Right to inspect/review/correct records --> parental consent required
3 RMF provides for the authorization of the operation of an information system based on an acceptable level of _____________
Risk
2 Categorizing information and information systems and then selecting and implementing appropriate security controls is a part of a ______________
Risk based approach
15 Some regulations are subject to _____________ which means even if there wasn't intent of noncompliance, an organization can still incur large fines.
Strict liability
3 Whereas only qualified auditors perform security audits, anyone may do security assessments. True False
True
9 The internal audit function may be outsourced to an external consulting firm. True False
True
What information should a security assessment produce?
Identifies control weaknesses, confirms that previous control weaknesses have been mitigated, and provides information that prioritizes/gives assurance on accepted risks and supports future budget requirements
What are the different types of assessments?
Network security architecture; Review of security policies, procedures, practices; Vulnerability scanning and testing; Physical security; Social engineering; Applications; Security risks
What is Network Security Monitoring (NSM)?
Network security monitoring (NSM) is the collection, analysis, and escalation of indications and warnings to detect and respond to intrusions.
Payment Card Industry Data Security Standard (PCI DSS)
Not a law or regulation --> set of requirements on protecting cardholder data
The scope of a security audit can be ..?
Organizational, compliance, technical, and application
FISMA?
Federal Information Security Management Act - applies to federal agencies
What's the purpose of FISMA?
Increases oversight of federal agency information security programs, provides a framework, and coordinates efforts between the civilian, national security, and law enforcement communities
7 An IT security audit is an ____________ assessment of an organization's internal policies, controls, and activities.
Independent