BUS 303 Compliance and Auditing
122. An audit of _________ will determine the following:
I. Are the controls effective at reducing the targeted risk?
II. Do the controls incorporate a mix of preventive, detective, and corrective controls?
III. How are the controls monitored and audited in case of failure or breach?
baseline controls
52. Which law requires consent to disclose educational records other than directory information?
Family Educational Rights and Privacy Act (FERPA)
85. Which of the following best describes a prescriptive IT control?
Helps standardize IT operations and tasks
103. When analyzing threats, which of the following would be classified as a low threat?
Hurricane damage to an electrical generating facility in Iowa
99. The _____________ includes all the auditable resources or auditable components within an organization.
IT universe
118. Which of the following is an approach for identifying security weaknesses within an organization and attempting to exploit vulnerabilities?
Penetration test
102. Which of the following is NOT an important step for conducting effective IT audit interviews?
Setting organizational goals during the interview
114. A large data intelligence company has storage technology at multiple sites that store redundant data from its servers at the main office. Which of the following risk management strategies has primarily been implemented?
Sharing/Transference
126. In an IT security assessment, the _______________ provide(s) details on vulnerability and threats, specifically, the pairing of threats with vulnerabilities that can be exploited.
assessment results
108. An IT infrastructure audit __________ is the system in a known good state, with the applied minimum controls relative to the accepted risk.
baseline
110. The plan for establishing the basic standard of system configurations and the management of configuration items is called __________.
baseline configuration management
30. Are compliance laws and regulations always clear?
- no
116. Company A wants to upgrade its client computers to a new operating system that was recently released. However, industry experts indicate that the new system has security holes. Company A decides not to upgrade at this time. Which of the following risk management strategies has primarily been implemented?
Avoidance
33. What is compliance closely related to?
- risk management - governance
117. Which of the following controls can be one of the least expensive but the most difficult to implement effectively?
A security policy
115. IT personnel decide that their company is at low risk of flooding and decide not to purchase insurance or implement other controls that would prevent flood damage. Which of the following risk management strategies has primarily been implemented?
Acceptance
43. Which auditing company was dropped from the Big Five list in 2002, as a result of the Enron scandal?
Arthur Andersen
86. Which framework applies across the functions of a company, does not describe any IT controls, and is not prescriptive?
COSO
131. Of the four elements that constitute an audit finding, which one provides a starting point from which the auditor can recommend a correction for the situation?
Cause
48. What is the name of the process, based on Department of Defense (DoD) methodologies, for auditing federal systems before putting them in a production environment?
Certification and Accreditation (C&A)
125. Which section is typically NOT part of an audit report?
Chain of Custody
132. An IT auditor's finding is "The auditee had not established security protocols for controlling access through user names and passwords." Which category applies to this finding?
Circumstance
119. ______ are alternative measures put in place to mitigate a risk in lieu of implementing a control requirement or best practice.
Compensating controls
123. ___________ are used for many different functions, including the following:
I. Testing transactions within applications
II. Reviewing procedures
III. Testing system and application controls for compliance
IV. Conducting automated vulnerability assessments
Computer assisted audit tools and techniques (CAATTs)
70. What term describes the identification, control, logging, and auditing of all changes made across the infrastructure?
Configuration and change management
113. Viruses and worms are risks from the Internet. If you purchase and install antivirus software before accessing the Internet, which of the following risk management strategies are you implementing?
Control
109. What is generally NOT tracked in a configuration management database (CMDB)?
Cost of software
128. Of the four elements of an audit finding, which one identifies the expected or desired state?
Criteria
130. Of the four elements that constitute an audit finding, which one provides context for evaluating the evidence collected by the auditor?
Criteria
88. The COSO framework identifies eight interrelated parts in connection with the management processes of an organization. These include Internal Environment, which is:
Establishing a culture in a company that tolerates or even favors risk
121. What enables organizations to better manage vast amounts of data, such as finding patterns of malicious activity or irregular activity in voluminous log files?
Event correlation
129. Who is the primary audience of an executive summary in an IT audit report?
Senior management and other decision makers
89. What term describes an audit that combines the assessment of financial reporting along with the assessment of related IT controls?
Integrated audit
55. Assurance against unauthorized modification or destruction of data is the definition of:
Integrity
104. The National Institute of Standards and Technology (NIST) has three IT security control categories. The following are controls in one of the categories:
Management controls
105. The National Institute of Standards and Technology (NIST) has three IT security control categories. The following are controls in one of the categories:
Operational controls
120. When performing a security assessment, which is the best choice for identifying communication paths and determining an Ethernet network's architecture?
Network discovery tool
112. What is risk arrogance?
Not adequately planning for or assessing risk
127. Which of the following compliance assessment results indicates that not enough evidence was collected or sufficient evidence wasn't collected to make an appropriate compliance determination?
Not determined
44. Regulatory compliance benefits organizations, ___________, and ___________.
Regulatory compliance benefits organizations, ___________, and ___________.
90. The Framework Core of the Cybersecurity Framework consists of five primary functions. Which of the following is NOT one of the functions?
Repeat
111. _____ defines the ranges of an organization's acceptance for specific risks.
Risk tolerance
106. The National Institute of Standards and Technology (NIST) has three IT security control categories. The following are controls in one of the categories:
Technical controls
133. During an IT audit, the auditor finds that unused personal information is being held in archives past its scheduled destruction date. Which privacy principle is most affected?
Use and retention
101. When assessing risk in an IT environment, which methodology identifies flaws or weaknesses that can be triggered or exploited, which might result in a breach?
Vulnerability identification
98. Interviews with key IT support and management personnel are part of an IT audit. Reasons to expand the scope from the initial interviews can vary, but common examples include lack of controls, override of controls, and __________.
fraudulent activity
57. An organization creates policies and a framework for the application of controls. The organization then maps existing controls to each regulation to which it must comply. Thereafter, the organization performs a __________ to identify anything that is missing.
gap analysis
124. In an IT security assessment report, _______________ provides details about infrastructure systems. This includes the hardware, software, data, interfaces, and associated users.
system characterization
94. Three IT security controls covered by the National Institute of Standards and Technology (NIST) include management, operational, and __________.
technical
107. Applying controls to a system helps eliminate or reduce the risks. In many cases, the goal is not to eliminate the risk. Rather, what's important is to reduce the risk to an acceptable level. Applying controls is a direct result of the risk assessment process combined with an analysis of ___________.
the tradeoffs
19. What is an integrated audit?
- a combination of audit types
22. Do external auditors provide advice?
- not typically - instead, they provide information about the gaps discovered and lead the client to accepted principles
41. What is meant by risk?
An uncertainty that might lead to a loss
92. ISO/IEC 27000 is a series of standards and related terms that provides guidance on matters of information security. This includes implementing, designing, and auditing an Information Security Management System (ISMS). These standards were established by the International Organization for Standardization (ISO) in conjunction with:
International Electrotechnical Commission (IEC)
65. An attacker continually scans for new, unprotected systems and exploits such systems to gain control of them. Which of the SANS Critical Security Controls is primarily affected?
Inventory of authorized and unauthorized devices
63. Regarding privacy, what is a common characteristic of "personal information"?
It may be used to identify a person.
60. Backup procedures for a server are part of the _______ Domain.
LAN
53. Which of the following requires organizations to have an annual assessment by a Qualified Security Assessor (QSA)?
Payment Card Industry Data Security Standard (PCI DSS)
56. What name is given to industry-created standards to prevent payment card theft and fraud?
Payment Card Industry Data Security Standard (PCI DSS)
87. Which of the following is NOT recommended for organizations selecting a standard?
Select a rigid standard.
78. Which framework provides a voluntary structure for reducing risks to critical infrastructure?
Cybersecurity Framework
96. In the risk assessment process, analyzing potential threats requires the identification of all possible threats first. This is called __________.
threat identification
45. Unlike the collapse of Enron and WorldCom, TJX did not break any laws. It was simply not compliant with stated payment card processing guidelines.
true
46. Security controls include the physical, procedural, and technical mechanisms to safeguard systems.
true
67. Who or what is usually the weakest link in a security "chain"?
users
7. What does an assessment objective include?
- includes one or more statements that are directly related to a corresponding control to determine the validity and effectiveness of the control
25. What two broad areas does compliance pertain to?
- internal - external
15. What are some sample assessments that might be encountered?
- network security architecture review - review of security policies, procedures, and practices - vulnerability scanning and testing - physical security assessment - security risk assessment - social engineering assessment - application assessment
16. Are pen tests the best means to judge the security of an information system?
- no, they operate under specific constraints and rules of engagement that hackers won't be restrained by - but it can be a great way to sell management on the need to invest resources in security
27. What is external compliance?
- the need or desire for an organization to follow rules and guidelines set forth by external organizations and initiatives
71. What is meant by local area network (LAN)?
A computer network for communications between systems covering a small physical area
75. Which of the following best describes Control Objectives for Information and related Technology (COBIT)?
A framework providing best practices for IT governance and control
84. Which of the following best describes a descriptive IT control?
Aligns IT with business goals
54. An act of Congress to protect consumers' financial information held by financial agencies is the definition of:
Gramm-Leach-Bliley Act (GLBA)
64. Which of the following is generally NOT in the scope of a privacy audit?
The range of health plans offered to employees
59. An acceptable use policy (AUP) is part of the _____________ Domain.
User Domain
73. An acceptable use policy (AUP) is part of the _____________ Domain.
User Domain
20. What can the scope of an audit involve?
a combination of the following:
- organizational: this examines the management control over IT and related programs, policies, and processes
- compliance: this pertains to ensuring that specific guidelines, laws, or requirements have been met
- application: this involves the applications that are strategic, for example, those typically used by finance and operations
- technical: this examines the IT infrastructure and data communications
42. Which scandal is primarily responsible for the resulting enactment of the Sarbanes-Oxley Act?
Enron
32. What does meeting compliance often include?
implementing mechanisms to prove an organization has properly executed its plan
2. What do security controls include?
the physical, procedural, and technical mechanisms to safeguard systems
26. What is internal compliance?
- an organization's ability to follow its own rules, which are typically based on defined policies
13. What is helpful to do after you do a security control assessment?
create an executive summary document that quickly highlights the key findings and recommendations on a security assessment report
38. Which type of audit is performed to determine if a health care organization is adhering to Health Insurance Portability and Accountability Act (HIPAA) regulations?
compliance audit
69. Security assessments are grouped into different types. A _________ provides a targeted, concise, and technical review of information systems, and it involves control reviews and identification of vulnerabilities.
comprehensive security assessment
68. Who or what is usually the weakest link in a security "chain"?
high-level security assessment
3. What should a security assessment produce?
information required to do the following:
- identify the weaknesses within the controls implemented on information systems
- confirm that previously identified weaknesses have been remediated or mitigated
- prioritize further decisions to mitigate risks
- provide assurance - a level of confidence that effective controls are in place and that associated risks are accepted and authorized
- provide support and planning for future budgetary requirements
81. Whereas ISO 27001 formally defines mandatory requirements for an information security management system (ISMS), ISO/IEC 27002 provides the ____________ within the ISMS.
information security controls
62. Which of the following is NOT a primary reason why organizations must maintain IT compliance as an ongoing program?
Changes to senior management staff
51. Which law requires technology in place that blocks or filters Internet access that is either obscene, harmful to minors, or represents child pornography?
Children's Internet Protection Act (CIPA)
74. COSO stands for ________________.
Committee of Sponsoring Organizations
79. Per the security assessment procedures in NIST SP 800-53A, how would you classify the following statement? Test the automated mechanism implementing the access control policy for failed logon attempts.
Control
91. The following are examples from a list of 17 goals:
I. Optimization of business process functionality
II. Optimization of business process costs
III. Managed business change programs
IV. Operational and staff productivity
V. Compliance with internal policies
The above list of 17 goals was developed through:
Control Objectives for Information and related Technology (COBIT)
50. If an organization discloses protected health information in a nonencrypted (readable) format, which act addresses how people should be notified of the breach?
HITECH
40. Which of the following is NOT a goal of an effective IT security audit program?
Provide opportunities for competitive advantage and reduction of costs throughout the organization.
93. The need for integrated audits is largely driven by Sarbanes-Oxley, which established the ____________. This oversees the rules that apply to publicly traded companies.
Public Company Accounting Oversight Board (PCAOB)
76. The COSO enterprise risk management (ERM) framework consists of four objectives: strategic, operations, reporting, and compliance. Which objectives are typically within the control of an organization and are NOT influenced by external events?
Reporting and compliance
49. Which act, which consists of 11 "titles," mandated many reforms to enhance corporate responsibility, enhance financial disclosures, and prevent fraud?
Sarbanes-Oxley (SOX) Act
66. An attacker distributes hostile content on Internet-accessible Web sites that exploit unpatched and improperly secured client software running on victim machines. Which of the SANS Critical Security Controls is primarily affected?
Secure configuration for hardware and software on mobile devices, laptops, workstations, and servers
80. Which of the following uses "engagements" to report on the evaluation of controls of third-party service businesses that host or process data on behalf of customers?
Service Organization Control (SOC)
82. A large financial organization wants to outsource its payroll function. Which of the following should the financial organization ensure the payroll company has?
Service Organization Control (SOC) Report 1
58. In an IT infrastructure, the end users' operating environment is called the _____________.
Workstation Domain
72. A computer network for communications between systems covering a small physical area
Workstation Domain
47. An unauthorized user has gained access to data and viewed it. What has been lost?
confidentiality
100. Assessing IT security is largely about ensuring adequate ________ are in place.
controls
31. What are the general steps to meeting compliance?
1. interpret the regulation and how it applies to the organization
2. identify the gap, or determine where the organization stands with the compliance mandate
3. devise a plan to close the gap
4. execute the plan
39. How does an IT audit differ from a security assessment?
An audit follows a more rigid approach
83. Which of the following is NOT a characteristic of an IT security framework?
Is rigid in structure and content
97. Applying controls is a direct result of the risk assessment process combined with an analysis of the tradeoffs. Which of the following is a tradeoff?
Operational impact
34. How does an audit differ from an assessment?
- people tend to have a mindset about an audit: distrust and punishment
- failure: audits are typically pass/fail; assessments are typically thought of as status-finding and improvement-planning opportunities
- blame: audits might place blame on specific individuals or groups in an organization; assessments are nonattributive, so there is no single person or group for blame to fall on
- consequences: audits can have consequences, most of which are negative, either due to failure, blame, or penalties for noncompliance; assessments don't have these consequences, just a discussion of what to improve
10. describe the 'examination' method for conducting a security control assessment
- verify, inspect, or review associated assessment objects to understand or obtain evidence to support the existence and effectiveness of the security control
- examples:
--- reviewing security policies and procedures
--- observing physical security mechanisms
23. Do internal auditors provide advice? what shouldn't they provide?
- yes - they shouldn't be involved in the design or implementation of any system or control
77. Of the following frameworks available from ISACA, which one governs IT investments?
Val IT
8. Give an example of the relationship between the control and the assessment objectives, methods, and objects
- a common control that most users of computer systems have experienced: being locked out after too many login attempts
- control: the system enforces a limit of four consecutive invalid access attempts on the same username within a period of 15 minutes. the system automatically locks the account for 30 minutes. subsequently, four more consecutive invalid access attempts within a period of 15 minutes lock the account indefinitely, which requires manual intervention by the sys admin
- assessment objectives:
--- determine if the system enforces the defined threshold of consecutive invalid access attempts
--- determine if the system enforces the delayed logon after the initial account lock
--- determine if the system enforces the defined threshold for locking the account indefinitely
- assessment methods and objects:
--- examine the access control policy statement and procedures addressing failed logon attempts
--- examine associated information system documentation and configuration settings
--- examine associated information system log records
--- test the automated mechanism implementing the access control policy for failed logon attempts
29. What is COBIT (Control Objectives for Information and Related Technology)
- a compliance framework
17. What is an IT security audit?
- an independent assessment of an organization's internal policies, controls, and activities
- assesses the presence and effectiveness of IT controls and ensures that those controls are compliant with stated policies
- provides reasonable assurance that organizations are compliant with applicable regulations and other industry requirements
6. What does NIST Special Publication 800-53A do?
- defines a recommended assessment procedure, which includes a set of assessment objectives or goals
- each objective has a set of assessment methods, including examination, interview, and test
- each objective has a set of assessment objects, including specification, mechanism, and individual
11. describe the 'interview' method for conducting security control assessment
- discuss associated assessment objects with groups or individuals to understand or obtain evidence to support the existence and effectiveness of the security control - interviews can include senior officials, information system owners, security officers, information system operators, and network administrators
36. What unique characteristics do audits have?
- auditors should never be involved in auditing processes, systems, or applications that they themselves designed or implemented
- audits are an independent evaluation. a security assessment may also be conducted independently, but it is not necessary. many organizations use a combination of both
- audits follow a rigorous approach and are conducted according to accepted principles. this also requires that auditors be qualified. the approach taken for an assessment can fall across a wide spectrum, but in many cases assessments have taken a cue from audits with well-defined approaches and frameworks
- in the event an organization passes an audit, the organization typically receives some type of certification or confirmation. this is not the case for assessments
- an audit is concerned with past results and performance, whereas an assessment considers previous and current results as well as expected performance
9. What are the methods for conducting a security control assessment
- examination - interview - test
35. What are some of the negative outcomes that can result from an audit?
- failure - blame - consequences
18. What are the types of audits?
- financial audits: these determine whether an organization's financial statements accurately and fairly represent the financial position of the organization
- compliance audits: these determine if an organization is adhering to applicable laws, regulations, and industry requirements
- operational audits: these provide a review of policies, procedures, and operational controls across different departments to ensure processes are adequate
- investigative audits: these investigate company records and processes based on suspicious activity or alleged violations
- information technology audits: these address the risk exposures within IT systems and assess the controls and integrity of information systems
1. What does a risk-based approach to managing information security involve?
- identifying and categorizing the information and the information systems
- selecting and implementing appropriate security controls (actions or changes to be applied to systems to reduce weakness or potential losses)
- assessing the controls for effectiveness
- authorizing the systems by accepting the risk based upon the selected security controls
- monitoring the security controls on a continual basis
28. Discuss external compliance mandates?
- many are regulatory in nature - other compliance initiatives include standards and guidelines that must be followed as set forth by industry regulations
5. What is NIST?
- National Institute of Standards and Technology
- the technology agency of the US Department of Commerce
- provides a framework for effective security assessment plans in NIST Special Publication 800-53A
14. Do all IT security assessments need to be comprehensive to cover all security controls or even all information systems?
- no - in fact, security assessments are often performed partially across controls and information systems
21. What three goals should an effective security audit program accomplish?
- provide an objective and independent review of an organization's policies, information systems, and controls - provide reasonable assurance that appropriate and effective IT controls are in place - provide audit recommendations for both corrective actions and improvement to controls
12. describe the 'test' method for conducting security control assessment
- put associated assessment objects under specific conditions to compare actual behavior with what is expected to obtain evidence to support the existence and effectiveness of the security control - objects can include hardware or software mechanisms or system operations or administration activities - examples include testing actual security configuration settings and conducting penetration tests
24. What is the Merriam-Webster definition of compliance? What is the dictionary definition of comply?
- the act or process of complying to a desire, command, proposal, or regimen or to coercion - to conform, submit, or adapt as required or requested
4. Are personnel who conduct security assessments internal or external to the organization?
can be either
37. Organizations are expected to abide by any laws that apply to them. What is this commonly called?
compliance
95. National Institute of Standards and Technology (NIST) security controls are classified as being preventive, detective, or __________.
corrective