Ch. 1 Chapter Questions
Which of the following is an assessment method that attempts to bypass controls and gain access to a specific system by simulating the actions of a would-be attacker? a. Policy review b. Penetration test c. Standards review d. Vulnerability scan
B. Penetration test
Which of the following best describes an audit used to determine if a Fortune 500 health care company is adhering to the Sarbanes-Oxley and HIPAA regulations? a. IT audit b. Operational audit c. Compliance audit d. Financial audit e. Investigative audit
C. Compliance audit
Which one of the following is not a method used for conducting an assessment of security controls? a. Examine b. Interview c. Test d. Remediate
D. Remediate
Compliance initiatives typically are efforts around all EXCEPT which one of the following? a. To adhere to internal policies and standards b. To adhere to regulatory requirements c. To adhere to industry standards and best practices d. To adhere to an auditor's recommendation
D. To adhere to an auditor's recommendation
Noncompliance with regulatory standards may result in which of the following? a. Brand damage b. Fines c. Imprisonment d. All of the above e. B and C only
D. All of the above
Which of the following companies engaged in fraudulent activity and subsequently filed bankruptcy? a. WorldCom b. Enron c. TJX d. All of the above e. A and B only
E. A and B only
An IT security audit is an ___________________ assessment of an organization's internal policies, controls, and activities.
independent
Which one of the following is true in regard to audits and assessments? a. Assessments typically result in a pass or fail grade, whereas audits result in a list of recommendations to improve controls. b. Assessments are attributive and audits are not. c. An audit is typically a precursor to an assessment. d. An audit may be conducted independently of an organization, whereas internal IT staff always conducts an IT security assessment. e. Audits can result in blame being placed upon an individual.
E. Audits can result in blame being placed upon an individual
At all levels of an organization, compliance is closely related to which of the following? a. Governance b. Risk management c. Government d. Risk assessment e. Both A & B f. Both C & D
E. Both A & B (Governance and Risk management)
Categorizing information and information systems and then selecting and implementing appropriate security controls is a part of a __________________.
Risk Based Approach
Some regulations are subject to __________________, which means even if there wasn't intent of noncompliance, an organization can still incur large fines.
Strict Liability
The internal audit function may be outsourced to an external consulting firm. True or False
True
Whereas only qualified auditors perform security audits, anyone may do security assessments. True or False
True
NIST 800-53A provides ________________________.
a guide for assessing security controls
A security assessment is a method for proving the strength of security systems. True or False
False. You should not use a security assessment simply as a method for proving the strength of system security or as a reason to immediately provide greater security. Rather, a security assessment should produce the information required to do the following:
Identify weaknesses within the controls implemented on information systems
Confirm that previously identified weaknesses have been remediated or mitigated
Prioritize further decisions to mitigate risks
Provide assurance so that associated risks are accepted and authorized
Provide support and planning for future budgetary requirements