Chapter 1: The Need for Information Systems Security Compliance


TJX

A large off-price retailer of apparel and home fashion. The company operates under several brands, including T.J. Maxx and Marshalls.

assurance

A level of confidence that effective controls are in place and that associated risks are accepted and authorized

b

A security assessment is a method for proving the strength of security systems. A. True B. False

independent

An IT security audit is an ________ assessment of an organization's internal policies, controls, and activities.

audit

An independent assessment of an organization's internal policies, controls, and activities.

risk

An uncertainty that might lead to a loss

e

At all levels of an organization, compliance is closely related to which of the following? A. Governance B. Risk management C. Government D. Risk assessment E. Both A and B F. Both C and D

risk-based approach

Categorizing information and information systems and then selecting and implementing appropriate security controls is part of a ________.

COBIT

Compliance frameworks, such as Control Objectives for Information and Related Technology _______ , and standards, such as NIST, help interpret how to comply with the regulations.

d

Compliance initiatives typically are efforts around all except which one of the following? A. To adhere to internal policies and standards B. To adhere to regulatory requirements C. To adhere to industry standards and best practices D. To adhere to an auditor's recommendation

objectives

Each _____ has a set of assessment methods, including examination, interview, and test; and each _____ has a set of assessment objects, including specification, mechanism, activity, and individual.

a guide for assessing security controls

NIST 800-53A provides ______.

d

Noncompliance with regulatory standards may result in which of the following? A. Brand damage B. Fines C. Imprisonment D. All of the above E. B and C only

WorldCom

Prior to filing bankruptcy in 2002, _____ was the second largest telecommunications company in the world. It handled Internet data traffic globally and accounted for more international voice traffic than any other company.

strict liability

Some regulations are subject to ________, which means even if there wasn't intent of noncompliance, an organization can still incur large fines.

c

Which of the following best describes an audit used to determine if a Fortune 500 health care company is adhering to Sarbanes-Oxley and HIPAA regulations? A. IT audit B. Operational audit C. Compliance audit D. Financial audit E. Investigative audit

e

Which of the following companies engaged in fraudulent activity and subsequently filed for bankruptcy? A. WorldCom B. Enron C. TJX D. All of the above E. A and B only

b

Which of the following is an assessment method that attempts to bypass controls and gain access to a specific system by simulating the actions of a would-be attacker? A. Policy review B. Penetration test C. Standards review D. Controls audit E. Vulnerability scan

d

Which one of the following is not a method used for conducting an assessment of security controls? A. Examine B. Interview C. Test D. Remediate

e

Which one of the following is true with regard to audits and assessments? A. Assessments typically result in a pass or fail grade, whereas audits result in a list of recommendations to improve controls. B. Assessments are attributive and audits are not. C. An audit is typically a precursor to an assessment. D. An audit may be conducted independently of an organization, whereas internal IT staff always conducts an IT security assessment.

governance

_____ seeks to better run an organization using complete and accurate information and management processes or controls.

Enron

_____ was a U.S.-based energy company that at one point was the seventh-largest company in the United States and the largest trader of natural gas and electricity in the country.

controls

Actions or changes to be applied to systems to reduce weaknesses or potential losses.

penetration test

An assessment method that attempts to bypass controls and gain access to a specific system by simulating the actions of a would-be attacker.

PCI DSS

An industry-created standard that applies to organizations that process credit cards. Companies that meet a specific threshold for large volumes of credit card transactions are required to achieve compliance.

risk management

Seeks to mitigate risk through controls.

NIST

The technology agency of the U.S. Department of Commerce; it provides a framework for effective security assessment plans.

a

The internal audit function may be outsourced to an external consulting firm. A. True B. False

Sarbanes-Oxley Act

This act addresses many of the shortcomings and lessons learned from the Enron scandal.

compliance

This pertains to ensuring that specific guidelines, laws, or requirements have been met

a

Whereas only qualified auditors perform security audits, anyone may do security assessments. A. True B. False
