Ch. 1 Chapter Questions


Which of the following is an assessment method that attempts to bypass controls and gain access to a specific system by simulating the actions of a would-be attacker? a. Policy review b. Penetration test c. Standards review d. Vulnerability scan

B. Penetration test

Which of the following best describes an audit used to determine if a Fortune 500 health care company is adhering to the Sarbanes-Oxley and HIPAA regulations? a. IT audit b. Operational audit c. Compliance audit d. Financial audit e. Investigative audit

C. Compliance audit

Which one of the following is not a method used for conducting an assessment of security controls? a. Examine b. Interview c. Test d. Remediate

D. Remediate

Compliance initiatives typically are efforts around all EXCEPT which one of the following? a. To adhere to internal policies and standards b. To adhere to regulatory requirements c. To adhere to industry standards and best practices d. To adhere to an auditor's recommendation

D. To adhere to an auditor's recommendation

Noncompliance with regulatory standards may result in which of the following? a. Brand damage b. Fines c. Imprisonment d. All of the above e. B and C only

D. All of the above

Which of the following companies engaged in fraudulent activity and subsequently filed bankruptcy? a. WorldCom b. Enron c. TJX d. All of the above e. A and B only

E. A and B only

An IT security audit is an ___________________ assessment of an organization's internal policies, controls, and activities.

independent

Which one of the following is true in regard to audits and assessments? a. Assessments typically result in a pass or fail grade, whereas audits result in a list of recommendations to improve controls. b. Assessments are attributive and audits are not. c. An audit is typically a precursor to an assessment. d. An audit may be conducted independently of an organization, whereas internal IT staff always conducts an IT security assessment. e. Audits can result in blame being placed upon an individual.

E. Audits can result in blame being placed upon an individual

At all levels of an organization, compliance is closely related to which of the following? a. Governance b. Risk management c. Government d. Risk assessment e. Both A & B f. Both C & D

E. Both A & B (Governance and Risk management)

Categorizing information and information systems and then selecting and implementing appropriate security controls is a part of a ____________________.

Risk Based Approach

Some regulations are subject to __________________, which means even if there wasn't intent of noncompliance, an organization can still incur large fines.

Strict Liability

The internal audit function may be outsourced to an external consulting firm. True or false?

True

Whereas only qualified auditors perform security audits, anyone may do security assessments. True or false?

True

NIST 800-53A provides ________________________.

a guide for assessing security controls

A security assessment is a method for proving the strength of security systems. True or false?

False. You should not use a security assessment simply as a method for proving the strength of system security or as a reason to immediately provide greater security. Rather, a security assessment should produce the information required to do the following:

- Identify weaknesses within the controls implemented on information systems
- Confirm that previously identified weaknesses have been remediated or mitigated
- Prioritize further decisions to mitigate risks
- Provide assurance so that associated risks are accepted and authorized
- Provide support and planning for future budgetary requirements
