Chapter 1 Auditing IT Infrastructures for Compliance
NIST 800-53A provides
A guide for assessing security controls
A level of confidence that appropriate and effective IT controls are in place.
Assurance
An independent assessment that takes a well-defined approach to examining an organization's internal policies, controls, and activities.
Audit
Which one of the following is true with regard to audits and assessments?
Audits can result in blame being placed upon an individual
This test makes no assumptions about the environment to be tested.
Black Box
Noncompliance with regulatory standards may result in which of the following?
Brand damage, Fines, and Imprisonment
The act of adhering to internal policies, applicable laws, regulations, and industry requirements.
Compliance
What best describes an audit used to determine if a Fortune 500 health care company is adhering to Sarbanes-Oxley and HIPAA regulations?
Compliance audit
Actions or changes put in place to reduce a weakness or potential loss. Also referred to as a countermeasure.
Controls
A large U.S.-based energy company that went bankrupt in 2001 and has become a symbol of corporate fraud and corruption.
Enron
What companies engaged in fraudulent activity and subsequently filed for bankruptcy?
Enron, WorldCom
Methods for conducting a security control assessment
Examination, Interview, Test
Refers to the need or desire for an organization to follow rules and guidelines set forth by external organizations and initiatives.
External Compliance
A security assessment is a method for proving the strength of security systems.
False
Industry-created standards to prevent payment card theft and fraud.
Payment Card Industry Data Security Standard
A method for assessing information systems in an attempt to bypass controls and gain access.
Penetration Test
Which of the following is an assessment method that attempts to bypass controls and gain access to a specific system by simulating the actions of a would-be attacker?
Penetration test
Which of the following is not a method used for conducting an assessment of security controls?
Remediate
An uncertainty that might lead to loss. Losses occur when a threat exploits a vulnerability.
Risk
The practice of identifying, assessing, controlling, and mitigating risks. Techniques to manage risk include avoiding, transferring, mitigating, and accepting the risk.
Risk Management
At all levels of an organization, compliance is closely related to which of the following?
Risk management, Governance
Categorizing information and information systems and then selecting and implementing appropriate security controls is part of a
Risk-based Approach
An act that was created in the wake of accounting scandals from the likes of Enron and WorldCom. This act set new accountability and corporate responsibility standards for public companies and accounting firms.
Sarbanes-Oxley Act
Some regulations are subject to _________ which means even if there wasn't intent of noncompliance, an organization can still incur large fines.
Strict Liability
A large off-price retailer of apparel and home fashions that suffered one of the most severe breaches of private data in history.
The TJX Companies, Incorporated
Compliance initiatives typically are efforts around all except which one of the following?
To adhere to an auditor's recommendation
The internal audit function may be outsourced to an external consulting firm.
True
Whereas only qualified auditors perform security audits, anyone may do security assessments.
True
This test provides complete knowledge and information, such as network diagrams, about the environment to be tested.
White box
What was the wireless network security protocol that led to a weak system for TJX?
Wired Equivalent Privacy (WEP)
A large U.S.-based telecommunications company involved in a massive accounting scandal that ultimately forced it to file for bankruptcy in 2002.
WorldCom
An organization that promotes innovation and competitiveness through the advancement of science, standards, and technology to improve economic security and quality of life.
National Institute of Standards and Technology
A set of goals. Used as part of an assessment to determine what needs to be accomplished to validate a control.
Objectives
The process through which an organization's processes and assets are directed and controlled.
Governance
This test provides little knowledge about the environment to be tested.
Gray Box
An IT security audit is an __________ assessment of an organization's internal policies, controls, and activities.
Independent
Refers to an organization's ability to follow its own rules, which are typically based on defined policies.
Internal Compliance
These investigate company records and processes based on suspicious activity or alleged violations.
Investigative Audits