Computer Audit Exam 2
What is the purpose of the business impact analysis - a) Measure potential financial and operational impacts of the unavailability of a business process over time - b) Determine the frequency of threats and consequences of them to determine mitigating procedures and protocols needed - c) Look at activities for IT application recovery and data recovery
- a) Measure potential financial and operational impacts of the unavailability of a business process over time
What are the different cloud models - a) SaaS, Paas, Public Cloud - b) SaaS, hosted enterprise, free cloud - c) Saas, Paas, IaaS - d) Iaas, hybrid, development platform
- c) Saas, Paas, IaaS
Which of these are driving forces of business continuity management: - a) Globalization - b) Security threats: loss of data - c) Growth of Data - d) Regulatory Requirements - e) All of the above
- e) All of the above
What support does crisis wargaming provide to leadership?
-Increase awareness and knowledge of the Crisis Management Team's roles and responsibilities, decision making authority, and escalation paths -Stress test existing crisis response plans -Evaluate intra-organization and 3rd party coordination and communication in crisis
Identify and briefly describe the 4V's of big data:
-Volume: The size of the data -Variety: The different forms of data: source, type, and structure -Velocity: The speed at which data is created, analyzed, and used -Veracity: The trustworthiness of the data
What are the 6 steps of Fraud Risk Assessment?
1. Brainstorm Risks 2. Assess Significance 3. Link to contols 4. Gather Data 5. Analyze Results 6. Recommend Enhancements
Free Response: Please list the four basic requirements of the Red Flag Rules.
1. Develop procedures for identifying typical "red flags" that arise when identity theft may occur 2. Develop procedures for investigating identity theft red flags 3. Develop procedures for mitigating the damages associated with identity theft 4. Regularly review and update policies and procedures
What are the top three greatest cyber challenges for CEOs at Fortune 500 companies?
1. The pace of technological change 2. Advanced Threats and Broader Impact 3. Shortage of Skills and Competencies
Please identify and explain 3 key drivers for cloud computing.
1. increase scalability, availability and strength 2. Reduce deployment times 3. Improve back up and recovery
Please list the 5 Privacy Framework Functions:
1.Identify 2.Govern 3.Control 4.Communicate 5.Protect
In looking at BCM in a holistic view, what is not an important element that the strategic scope of BCM include? 1.business continuity 2.disaster recovery 3.enterprise security 4.cost optimization 5.marketing
5.marketing
Amended in 2019 by HB 4390 (effective January 1, 2010), Texas Business and Commerce Code (Section 521) now mandates that individual notice be provided within how many days of determining that the breach occurred?
60 days
Texas Business and Commerce Code HB 4390 mandates individual notice be provided within ____ of determining a breach has occurred A) 60 days B) 90 days C) 6 months D) 1 year
A) 60 days
Which regulation in this set was not enacted for privacy and security concerns? A) Foreign Corrupt Practices Act (FCPA) B) Health Insurance Portability and Accountability Act (HIPAA) C) Fair Credit Reporting Act (FCRA) D) Video Privacy Protection Act (VPPA) E) Telephone Consumer Protection Act (TCPA)
A) Foreign Corrupt Practices Act (FCPA)
Which of the following is an operational risk? A) Inability to serve customers B) Decrease in earnings outlook C) Inability to meet regulatory requirements D) Loss of future revenues
A) Inability to serve customers
Which of the following presents the highest security threat? A) Privilege misuse B) Denial of service C) Web application attacks D) Social engineering
A) Privilege misuse
Requires certain technical information to be included in unsolicited emails and permits consumers to opt-out of the receipt of such emails. Is which of the following: A- CAN-SPAM Act B- Video Privacy Protection Act C- Children's Online Privacy Protection Act (COPPA) D- Telephone Consumer Protection Act (TCPA)
A- CAN-SPAM Act
A capability to track and analyze multiple sources of data. is which of the following: A- Continuous Monitoring B- Communication C- Response Readiness D- First Action Page
A- Continuous Monitoring
Unprocessed facts and figures without any added interpretation or analysis. is which of the following: A- Data B- Information C- Facts D- Knowledge
A- Data
Which of the following a type of Operational Risk: A- Inability to process transactions B- Lost revenues C- Penalties and fines D- Loss of future revenues
A- Inability to process transactions
Access rights to confidential data are defined and documented (policies and procedures). is a control for which risk category: A- Information Security B- Training and Awareness C- Incident Response D- 3rd Party Management
A- Information Security
All of the following are Areas with cyber implications relating to Protecting the customer except: A- Safety B- Privacy C- Digital and Social Interaction D- Mobility
A- Safety
Which of the following is a characteristic of Anomalies: A- not intentional B- intentional C- found in very few data sets D- Is large in quantity
A- not intentional
Which of the following is a Reactive AND Proactive tactic to fight cyber fraud A. Forensic Interviews B. Malware Analysis C. Perimeter Hardening D. Computer forensics E. Investigation of vulnerabilities
A. Forensic Interviews
Which of the following areas with cyber implications is not related to "Protect the customer" A. Plant safety B. Privacy C. Digital and Social Interaction D. Customer experience
A. Plant safety
In which cloud model does the vendor manage the greatest number of responsibilities? A. Software as a Service (SaaS) B. Platform as a Service (PaaS) C. Infrastructure as a Service (IaaS)
A. Software as a Service (SaaS)
Relate each question with one of the four types of analytics: What is the probability that the company will go out of business next year?
A: Predictive analytics
Relate each question with one of the four types of analytics: -How can I use the predictive results to best hedge risks for my firm?
A: Prescriptive analytics
What's the difference between anomalies and fraud?
Anomalies are not intentional and will be found throughout a data set, for example, input errors and mistyped names. Fraud is intentional, found in very few data sets, and like "finding a needle in a haystack."
What are the differences between anomalies and fraud? (free response)
Anomalies are not intentional, will be found throughout a data set, and two examples are input errors and mistyped names. Fraud is intentional, found in very few data sets, and is like "finding a needle in a haystack." (slide 21)
T or F: If state law provides greater privacy protection of health information than federal law (HIPPA), state law governs.
Answer: True
What data is "sensitive"?
Any information alone or in conjunction with other information that can identify an individual.
Which of the following is not considered a covered entity? a. Health Plans b. Clearinghouses c. Applications and consumer devices d. Providers
Applications and consumer devices
Which of the following is NOT true about GDPR? A) GDPR replaces local EU Data Protection Directive implementations B) GDPR applies only to organizations with an office the EU C) The penalty is Up to 20M € or 4% of organization's annual global turnover, whichever is higher D) It becomes effective as of May 25, 2018
B) GDPR applies only to organizations with an office the EU
Which of the following is not a key financial fraud risk? A) Revenue recognition B) Manual entry accounts C) Journal entries and other adjustments D) Accounts subject to estimation E) Significant unusual transactions
B) Manual entry accounts
Which of the following is not a part of the NIST framework? A) Govern B) Regulate C) Communicate D) Identify
B) Regulate
All of the following are obligations that must be abided by in the General Data Protection Regulation (GDPR), except: A) The GDPR requires data controllers to ensure that organizational safeguards are implemented B) The GDPR requires data controllers to be opaque, even when data subjects do specifically request information C) The data controller must adopt a data protection policy D)The GDPR expands on the Directive with developing 'Data Protection Impact Assessments' (DPIA) for kinds of processing considered high risk
B) The GDPR requires data controllers to be opaque, even when data subjects do specifically request information
The privacy principles defined by the OECD consist of the following except: A- Collection Limitation B- Access C- Purpose Specification D- Use Limitation
B- Access
Assess the likelihood and significance of identified risks. is which of the following: A- Link to Controls B- Assess Significance C- Catalog Fraud Symptoms D- Analyze Results
B- Assess Significance
Avoiding public embarrassment and loss of credibility. Is which of the following: A- Health and Safety B- Brand Protection C- Continuing New Business D- Viability
B- Brand Protection
Business operational cyber resiliency requires all the following except: A- Govern and challenge cyber resiliency B- IT General Controls C- Risk-assess cyber resiliency D- Test systems and recovery plans
B- IT General Controls
Which of the following is not an obligation the data controller has to abide by in GDPR: A- Data controllers must keep detailed, accounting-like records of their processing activities. B- Must notify consumer reporting agencies if more than 10,000 persons are affected by the breach. C- Requires data controllers to ensure that organizational safeguards are implemented. D- Personal data breach notification obligation.
B- Must notify consumer reporting agencies if more than 10,000 persons are affected by the breach.
Which is of the following is a control for Management risk category: A- Organization has identified requirements for compliance with all applicable data privacy laws and regulations. B- Roles and responsibilities for data protection have been clearly defined and assigned to specific individuals. C- Scheduled reviews are performed to ensure compliance with applicable laws and regulations. D- Secure methods are used to transmit sensitive data (email encryption, sftp, etc.).
B- Roles and responsibilities for data protection have been clearly defined and assigned to specific individuals.
Health Insurance Portability and Accountability Act (HIPAA) is: A- Sets the standards for the treatment of NPI about consumers by financial institutions by providing opt-out rights and establishing appropriate safeguards. B- Sets the standards for the electronic exchange, privacy and security of health information. C- Enacted to protect wrongful disclosure of video-tape rental or sale records or similar audio-visual materials, including online streaming. D- Requires certain technical information to be included in unsolicited emails and permits consumers to opt-out of the receipt of such emails.
B- Sets the standards for the electronic exchange, privacy and security of health information.
Which of the following is not a reputational risk? A. Erosion of brand name B. Penalties and fines C. Loss of future revenues D. Loss of competitive position and market share E. Diminished customer base
B. Penalties and fines
Who is mainly responsible for cybersecurity governance/oversight? A. The CEO B. The Board of Directors C. The CISO D. The IT Department Head
B. The Board of Directors
What is the main cloud challenge for each level of cloud maturity?
Beginner: Lack of resources/expertise Intermediate: Security Advanced: Managing cloud spend
Which of these are not a component of privacy? A) Data governance B) IT security C) Availability D) Compliance
C) Availability
What type(s) of issues are important for privacy objectives? A) Business issues B) Compliance issues C) Both D) Neither
C) Both
Which of the following is the basic requirement for Red Flag Rules? A) Occasionally reviewing and updating the policies and procedures B) Development of procedures for expanding the damages associated with identity theft C) Development of procedures for identifying typical "red flags" that arise when identity theft may occur D) Development of procedures for ignoring identity theft red flags
C) Development of procedures for identifying typical "red flags" that arise when identity theft may occur
Which of the following is NOT a US-based privacy regulation? A) Fair Credit Reporting Act (FCRA) - 1970 B) Payment Card Industry Data Security Standard (PCI DSS) C) General Data Protection Regulation (GDPR) D) Children's Online Privacy Protection Act (COPPA)
C) General Data Protection Regulation (GDPR)
Covered entities must obtain __________ of HIPAA compliance by contract from their business associates. A) Reasonable assurances B) Absolute assurances C) Satisfactory assurances D) None of the above
C) Satisfactory assurances
Which of these is not a reason businesses are moving to the cloud? A) Reduce costs B) Improve backup & recovery C) Easy to understand the options available D) Focus resources on core competencies
C) because one of the key barriers to adoption is that it is complex to understand the options and how to best deploy the cloud.
Which of the following is not a Financial Fraud Risk indicator: A- Sudden fluctuations in volume and/or value of transactions B- Control overrides C- Accounts subject to estimation D- Unusually large product losses
C- Accounts subject to estimation
Which of the following is not a Business Continuity Objective: A- Earnings/Profit Protection B- Viability C- Business Continuity Plan D- Health and Safety
C- Business Continuity Plan
Sets the standards for the collection, communication, and use of information bearing on a consumer's credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living. Is which of: A- Gramm-Leach-Bliley Act (GLBA or Privacy Act) B- Federal Trade Commission (FTC) Act C- Fair Credit Reporting Act (FCRA) D- Payment Card Industry Data Security Standard (PCI DSS)
C- Fair Credit Reporting Act (FCRA)
Which of the following is not a type of Cloud Risk: A- Server-host only B- Host-to-guest C- Host-to-Host D- Guest-to-host
C- Host-to-Host
All of the following are risk categories except: A- Data Privacy Laws B- Physical Security C- Monitoring & Enforcement D- Training and Awareness
C- Monitoring & Enforcement
the ability to prepare for and adapt to changing conditions and withstand and recover rapidly from disruptions. is which of the following: A- Risk-assess cyber resiliency B- Identify, architect, and protect systems C- Resiliency D- Data Protection
C- Resiliency
Which of the following is not included in the five principles found in the National Association of Corporate Directors' (NACD) Cyber-Risk Oversight: Director's Handbook Series: A. Directors need to understand and approach cybersecurity as an enterprise-wide risk management issue, not just an IT issue. B. Directors should understand the legal implications of cyber risks as they relate to their company's specific circumstances. C. Boards should establish an enterprise-wide cyber-risk management framework with adequate staffing and budget. D. Boards should have adequate access to cybersecurity expertise, and discussions about cyber-risk management should be given regular and adequate time on board meeting agendas.
C. Boards should establish an enterprise-wide cyber-risk management framework with adequate staffing and budget.
Which is not a benefit of Mobile Computing? A. Cost Savings B. Increased Productivity C. Increased Information Security D. Employee Retention E. Greater Responsiveness
C. Increased Information Security
What is the main control that should be focused on to respond to new cyber risks nowadays? A. detective controls B. monitoring controls C. preventative controls D. corrective controls
C. preventative controls
Identify the meaning of Cloud Bursting and state one advantage of it.
Cloud Bursting is a deployment model where an application runs in a private cloud or data center and bursts into a public cloud when the computing capacity demand spikes. An advantage could be that an organization pays for extra computing resources only when needed.
What is the difference between causation & correlation?
Correlation involves a relationship between two variables while causation involves an act that occurs in such a way that something happens as a result. Correlation does not imply causation.
Identify the difference between the terms "correlation" and "causation".
Correlation usually involves a relationship between two or more variables while Causation is an act that occurs in such a way that something happens as a result, meaning that an outcome is inevitable. It is important to note that correlations does not always imply causation.
Name the components of a crisis management plan key
Crisis management contact sheet, First action page, Crisis control center description, Crisis risk assessment, Business continuity plan
Which of the following would be considered a business associate in relation to a HIPAA covered entity? A) A receptionist at a dentist's office B) A staff accountant at a regional hospital C) A contractor who is building a new wing of a hospital D) A third party who handles billing services for a chiropractor
D) A third party who handles billing services for a chiropractor
Which of the following is not an example of a proactive cybercrime prevention effort? A) Investigation of vulnerabilities B) Advanced analytics of system data C) Perimeter hardening D) Breach indicator assessment
D) Breach indicator assessment
All of the following are examples of risks due to user behavior except: A) Circumvention of controls B) User error C) Lack of responsibility D) Damage of devices
D) Damage of devices
with unique identifiers and the ability to transfer data over a network without human to human interaction? A) Data B) Applications C) Devices D) Internet of things
D) Internet of things
All of the following are examples of the challenges faced when utilizing the cloud except: A) Increased Complexity B) Regulation and Trust C) Increase Attack Risk D) None of the above
D) None of the above
Which of the following cloud models is most likely to be used by a small start-up company that want to outsource most of the functions A) Traditional On-Premises B) Infrastructure as a Service C) Platform as a Service D) Software as a Service
D) Software as a Service
Which of these statements is false about the General Data Protection Regulation? A) It is borderless. B) It replaces local EU Data Protection Directive implementations. C) It applies to all organizations that collect and process the personal data of EU data subjects regardless of size. D) It does not apply to data processors.
D) because GDPR applies to both data processors and data controllers.
Which of the following is a requirement for the Red Flag Rules: A- Regularly reviewing and updating the policies and procedures. B- Development of procedures for investigating identity theft red flags C- Development of procedures for mitigating the damages associated with identity theft D- All of the above
D- All of the above
All of the following are components of the Crisis Management Plan except: A- Crisis Management Team Contact Sheet B- Crisis Control Center Description C- Crisis Risk Assessment D- Communication
D- Communication
Which of the following is not a Factor to Consider when Analyze Results of fraud risks: A- False positives B- Thresholds C- Supplemental analyses D- False negatives
D- False negatives
Which of the following is not considered a other control area: A- Patch management B- Vendor risk management C- Enhanced monitoring solutions D- IT General Controls
D- IT General Controls
All of the following is part of Generally Accepted Privacy Principles except: A- Management B- Disclosure to Third Parties C- Monitoring & Enforcement D- Quality
D- Quality
Why are businesses moving to the cloud: A- Right-size capacity and demand B- Increase scalability, availability, and strength C- Reduce costs D- Reduce backup & recovery time
D- Reduce backup & recovery time
which of the following is not a Key Financial Fraud Risk: A- Revenue recognition B- Significant unusual transactions C- Journal entries and other adjustments D- Unauthorized transactions
D- Unauthorized transactions
Boards should focus on adopting the following as it relates to cyber risk : 1: Overhaul cyber training for directors 2: Develop more robust and transparent reporting 3: Measure and evaluate cyber risk 4: Define and approve your cyber risk appetite A. 1,3, B. 2,4 C. 4 D. 1,2,3,4
D. 1,2,3,4
Which of the following is NOT one of the ten AICPA general privacy principles? A.) Management B.) Notice C.) Security D.) Conformity E.) Quality
D.) Conformity
What are some ways Privacy Risk can be controlled:
Data Privacy Laws, Physical Security, 3rd Party Management, Training and Awareness etc.
What's the difference between data and information?
Data is raw, unorganized facts that need to be processed. Data can be something simple and seemingly random and useless until it is organized. When data is processed, organized, structured or presented in a given context so as to make it useful, it is called information.
Describe the difference between data and information.
Data is raw, unprocessed facts and figures. Data alone in uninterpreted and has no meaning or value. Information is data that has been interpreted, processed, or organized to extract some meaning for the user.
Relate each question with one of the four types of analytics: What was the average sales of company's products last month?
Descriptive analytics
Relate each question with one of the four types of analytics: -Why the company's revenues increased so dramatically last year?
Diagnostic analytics
What are some of the analysis techniques that are most commonly used by fraud investigators? A) Data preparation B) Benford's law C) Digital analysis D) Outlier Investigation E) All of the Above
E) All of the Above
Which of the following are attributes of Big Data? A) Volume B) Variety C) Velocity D) Veracity E) All of the above
E) All of the above
Which of these is a key financial fraud risk? A) Revenue recognition B) Significant unusual transactions C) Journal entries and other adjustments D) Accounts subject to estimation E) All of the above
E) All of the above
Who is responsible for privacy? A) Chief Privacy Officer B) Chief Legal Officer C) Director of Human Resources D) Internal AUdit Director/Director of Internal Controls E) All of the above
E) All of the above
Which one of the following is NOT the privacy sponsor's responsibility? A) Attend relevant meetings B) Provide an overview of relevant processes C)Maintain project ownership and oversight D) Assist and support the implementation of Data Privacy policy and procedures E) Avoid phishing Emails
E) Avoid phishing Emails
Which of the following are sources for 3rd party data A. Enforcement Lists B. Public Court Records C. Client Requests D. Government Sanction Lists E. All of the above
E. All of the above
Which mobile computing risk can be mitigated through the use of a Virtual Private Network (VPN) when connected to public Wi-Fi? A. Phishing B. Malware C. Compromised Supply Chain of Devices D. Loss, Theft, or Damage of Devices E. Man-in-the-Middle attacks
E. Man-in-the-Middle
Which of the following is not part of the Privacy Framework A. Identification B. Governance C. Communication D. Protection E. Quality
E. Quality
Which of the following is a cybersecurity market force? A. accelerating technology B. accelerating cyber threats C. accelerating cost D. talent shortfall E. all of the above
E. all of the above
The FTC Act prohibits companies from what?
Engaging in deceptive trade practices
True or False: Medical Offices are allowed to accept personal medical records electronically when they are not encrypted.
FALSE
Correlation is an act that occurs in such a way that something happens as a result: A- True B- False
False
T or F: Each engagement must include all 15 key components in their current state assessment.
False
T or F: HIPPA still applies to entities that do not engage in covered electronic transactions
False
True or False: Recent cyber events have exposed little business unpreparedness resulting in considerable business operational impacts and financial losses - these situations are limited to a single sector, geography, size or scale.
False
True or False: Metadata is generally NOT an important data source when conducting fraud detection.
False
True or False: The individually identifiable health information that is transmitted or maintained in any form or medium includes education, student medical, and employment records?
False
True or False: When referring to crisis management, only big disasters like pandemic or earthquake are relevant. Small disasters such as building's power failure are not in the scope of business continuity management.
False
True/False Any third party where cardholder data is shared is not in the scope of PCI-DSS.
False
True/False: Covered Entities are only required to follow HIPPA, even if there is a state law that offers more protection to individuals.
False
True/False: Open and public Wi-Fi generally is the safest in the terms of session risk and integrity when utilizing a mobile device.
False
True/False: The efficiency and use of Big Data negates the need for data governance.
False
HIPPA applies to entities even if they do not engage in covered electronic payments (true/false).
False (slide 7)
True or False A Data Breach is an incident that results in the exposure of data to an unauthorized party which may be intentional or non-intentional in nature.
False - has to be confirmed disclosure of data as well.
True or false: The goal of big data is analyzing data with enormous volume and proven value.
False- unproven value.
True or False? Once established by the company, the safeguards a financial institution maintains to safeguard a consumer's financial information to comply with the GLBA are unlikely to change year to year.
False. Safeguards to protect consumer financial information should be reevaluated whenever the business undergoes a material change (Slide 14).
True or false: The Board of Directors does not need to concern itself with cyber security.
False. The board should play an active role in defining, measuring, evaluating, and mitigating cyber risk.
T/F: A data breach is an incident that results in the confirmed disclosure of data to an unauthorized party only if intentional in nature.
False: It can be intentional or unintentional.
The most likely disaster, for a company or an agency, is something big like an earthquake, hurricane, flood, or terrorist attack. (true/false)
False: the most likely disaster is something small like a power outage knocking out a database server or a small fire preventing building access (slide 10).
True/False Continuing new business is a business continuity objective that is concerned with keeping the company in business.
False; Viability is the business continuity objective that is concerned with keeping the company in business.
The Safeguard Rule that regulates financial institutions to "develop, implement, and maintain a comprehensive security program that contains administrative, technical and physical safeguards" is the content of which law: a.GRAMM-LEACH-BLILEY ACT (GLBA) b.HIPPA c.Sarbanes Oxley d.FTC Data Security Requirements
GRAMM-LEACH-BLILEY ACT (GLBA)
Entities covered by the Reg Flag Rules are required to create a Written Identity Theft Prevention Program that ___, ___, and ___ to risks of identity theft.
Identify Detect Respond
What is Gramm-Leach-Bliley Act (GLBA)
It is a law signed in 1999 that sets the standards for the treatment of NPI about consumers by financial institutions by providing opt-out rights and establishing appropriate safeguards.
What is multi-tenancy and what unique cloud risk does it bring?
Multi-tenancy is a single instance of an application, such as Salesforce or Netflix, that serves multiple customers or tenants. Multiple customers share the same computing resources such as CPU, memory, storage, etc. The risk of multi-tenancy is that a flaw could allow other tenants or attackers to see all other data that they are not supposed to see.
What are some of the personal information identifiers under GDPR?
Name, Location data, Identification Number, and factors specific to physical, physiological, economical, cultural or social identity of that natural person.
In compliance with the FTC's Red Flag Rules, management at Asheville People's Credit Union first developed procedures for identifying red flags and investigating identity theft in 2008. Similarly, they have robust procedures for mitigating damages associated with identity theft, and satisfied with their work and the industry-low instances of identity theft at their branches, have not reviewed their policies for several years. Are they compliant with the Red Flag Rules?
No, they are not regularly reviewing their policies- even though they're good policies, they still require inspection.
What are the four risk categories?
Operational risk, financial risk, regulatory risk, and reputation risk
What is PCI-DSS?
PCI-DSS is the Payment Card Industry Data Security Standards which was developed in 2004 by credit card companies such as MasterCard, Visa, etc. It is a technical and operational requirement that protects customers' credit card data. This is a global standard, and the requirement must be met by all parties that store, process, or transmit cardholder data.
List examples of common types of data breaches:
Possible answer choices: Malware, Ransomware, Phishing, Misuse, Web App attacks, Hacking, Password Attacks, Insider Threats, Cloud Hacking
Please list out 3 of the Five Key Financial Fraud Risks
Possible answers include: 1. Revenue Recognition 2. Accounts subject to estimation 3. Significant unusual transactions 4. Journal entries and other adjustments 5. Inter-company/suspense & related parties
What are the 4 types of Clouds?
Private, Community, Hybrid, Public
What is the difference between proactive and reactive efforts?
Proactive efforts are forward-looking and assist businesses to identify high impact "good" and "bad" vulnerabilities. Reactive efforts are backward-looking and are used to develop key fraud risk indicators. These are used to initiate forensic investigations if sufficient red flags are identified.
What is a key difference between Sarbanes-Oxley 302 and 404, and the Federal Trade Commission's Red Flag Rules?
SOX 302 and 404 are prescriptive laws that provide a set of guidelines companies must follow to be in compliance. The FTC's Red Flag Rules require a company to establish their own "reasonable processes and procedures" commensurate with their risk (Slide 20).
What is the difference between data security vs data privacy?
Security - concerned with protection of personal data from unwanted intruders Privacy - concerned with the collection and use of personal data
What is the difference between 'security' and 'privacy'?
Security is a broader umbrella term that emphasizes the protection of information assets and encompasses three main concerns: confidentiality, integrity, and availability of data. Privacy has a more narrow focus on the confidentiality of data and places more emphasis on the protection of individual privacy.
Describe the difference between security and privacy.
Security is protecting data assets. Privacy is safeguarding confidential or private data, a process of which security is only one aspect.
What's the difference between use of stand-alone tools and add-on tools in fraud analytics?
Stand-alone tools need data extracted from original system and provide point in time analysis. It is a thorough analysis for reactive analysis. Add-on tools connect to already existing systems and can provide real-time or near real-time analytics. Add-on tools allow proactive fraud detection
T/F: Managing Cloud spend is not too relevant towards the beginning stages of a cloud computing project.
TRUE
Name three cyber challenges companies face:
The pace of technological change, advanced threats and broader impact, shortage of skills and competencies
What relationship was fiduciary duty equated to?
The relationship between a parent and child.
List and define the two types of forward looking analytics (free response).
The two forward looking analytics are predicting and prescriptive analytics. Predictive analytics describe the probability of different outcomes. Prescriptive analytics integrate tried-and-true predictive models into our repeatable processes to yield desired outcomes (slide 19).
You're creating a new account for an online banking portal. To help protect your account, the bank requires you to answer a couple of security questions; you choose to answer your mother's maiden name and the name of your favorite sport team. Why might this be a potential security issue? What can you do to mitigate risk in this situation?
This could be a potential risk as social engineers/hackers are adept at finding personal information online via sites like Ancestry.com or Facebook. By interacting on social media sites or other websites, users can unwittingly give away information that give clues about their security answers or passwords. To avoid weak security question answers, you could start by vetting your social media sites and internet visibility to determine that you haven't revealed any sensitive information related to the security questions you chose. Additionally, you can answer the security questions with unique, indirect answers.
Though you work for a company in Latveria, a country not in the European Union, why would it be important to apprise yourself of the EU's General Data Protection Regulation?
Though you might not be in a European Union nation, you may currently or some day do business with customers in the EU, and this will make you beholden to its borderless privacy policy.
Data Protection is a Differentially protects information assets that drive business goals & objectives. A- True B- False
True
T or F: Employees working below the C-suite who are closer to an organization's technology efforts and systems are over 1.5x as likely to see their companies as highly vulnerable to privacy problems
True
T/F: Anomalies are not intentional whereas frauds are intentional.
True
True or False: Hacking is the mostly utilized tactics/actions in data breaching cases statistically.
True
True or False: If UT's course registration system uses a private cloud during normal times and switches to using a public cloud like AWS during students' initial course registration period in order to handle peaks in IT demand, such concept is called cloud bursting.
True
True or False: If there is a more stringent state law in place, HIPAA allows the more stringent law to govern also
True
True or False: The amount of healthcare data breaches have increased since the beginning of the Covid-19 pandemic?
True
True or false: Historical control strategies may not be responsive to new threats.
True
True or false: most large breaches are the product of smaller, unmitigated incidents.
True
True or false: the GDPR presents a much broader obligation than the US approach.
True
When data is processed, organized, structured, or presented in a given context so as to make it useful, it is called information. A- True B- False
True
Sarbanes Oxley Section 404 describes the obligation to maintain adequate internal control structure and procedures (true/false).
True (slide 14)
Which of the following is not considered as a Payment Card Industry Data Security Standard? a.Use vendor-supplied defaults for system network password b.Regularly update anti-virus software c.Assign a unique ID to each person with computer access D.Maintain a policy that addresses information security
Use vendor-supplied defaults for system network password
What are the four attributes of Big Data?
Volume, Variety, Velocity, Veracity
Which of the following is not one of the GDPR 9 obligations the controller has to abide by (multiple choice)? a) Data controllers are NOT required to keep detailed accounting-like records of their processing activities (slide 25) b) The data controller must adopt a data protection policy c) The GDPR requires data controllers to be transparent d) The GDPR commends data users to incorporate protections into the technical design or services with data protection 'by design' and 'by default'.
a) Data controllers are NOT required to keep detailed accounting-like records of their processing activities (slide 25)
The inability to serve customers would fall under which risk category? a: Operational Risk b: Financial Risk c: Regulatory Risk d: Reputation Risk
a: Operational Risk
Which of these is true in regards to threat intelligence? a) Focus is being shifted from organized crime to nation states b) Motivations include financial theft and disruption c) Cyber attacks are decreasing in frequency in comparison to physical theft d) Ransomware is becoming easier to detect
b) Motivations include financial theft and disruption
Which data tool has low volume and low proven value ? a: Big Data b: Excel SAS dataset access c: Data warehouse appliance d: Relational Database OLAP
b: Excel SAS dataset access
Which of the following is not a Privacy Framework function? a) Identify b) Govern c) Collaborate d) b and c e) All of the above f) None of the above
c) Collaborate
Which of these is not an "other control area" related to cyber security risk mitigation? a) Security awareness programs b) Vendor risk management c) Desegregation of duties d) Patch management
c) Desegregation of duties
Which of the following is NOT a barrier of mobile computing? a) security governance and administration complexities b) puts information at risk c) decreased productivity d) uniformity and compatibility
c) decreased productivity
Which is NOT a key CCPA requirement? a: Right to access b: Right to Opt-in & Opt-out c: Right to Modification d: Right for Equal Service
c: Right to Modification
___ refers to the policy of requiring employees to put away all documents/items whenever they leave their desks to protect confidential information.
clean desk policy
Which of the following is a motivation for cyber attacks? a) Financial theft b) Disruption c) Intellectual Property d) All of the above
d) All of the above
Set of privacy principles and related criteria will be useful to those who (multiple choice): a) Assess compliance and audit privacy and security programs b) Regulate privacy c) Implement and manage security in an organization d) All of the above (slide 53)
d) All of the above (slide 53)
Which regulation requires certain technical information be included in unsolicited emails and permits consumers to opt-out of the receipt of such emails? a) Video Privacy Protection Act b) GLBA c) TCPA d) CAN-SPAM Act e) GDPR
d) CAN-SPAM Act
Which cloud type is being adopted by more and more companies in the near future? a) Private b) Community c) Public d) Hybrid
d) Hybrid
Which of the following are NOT considered Covered Entities under HIPPA? a) Clearing Houses b) Health Plans c) Providers who conduct one or more of the HIPAA-defined transactions electronically d) Providers who do not engage in covered electronic transactions
d) Providers who do not engage in covered electronic transactions
Which of the following are new access points onto the network as the cyber environment has evolved (multiple choice)? a) Via new technologies b) Via malware of phishing attacks c) Vie physical assets d) a & b (slide 4)
d) a & b (slide 4)
As a company who is deciding on different options, which of the following is in the correct order for most responsibility to least responsibility: a. Infrastructure as a Service -> Platform as a Service -> Packaged Software -> Software as a Service b. Packaged Software -> Platform as a Service -> Infrastructure as a Service -> Software as a Service c. Software as Service -> Infrastructure as a Service -> Platform as a Service -> Packaged Software d. Packaged Software -> Infrastructure as a Service -> Platform as a Service -> Software as a Service
d. Packaged Software -> Infrastructure as a Service -> Platform as a Service -> Software as a Service
Which word describes the level of quality and trustworthiness that can be ascribed to the data set? a: Volume b: Variety c: Velocity d: Veracity
d: Veracity
The number of breaches______ while the related number of PHIs _________ this July.
decreases, increases
PCI-DSS regulations directly apply to which of the following: a) Merchants b) Consumers c) Third-parties that store credit card information d) a and b e) a and c f) all of the above
e) a and c
What are some key considerations when conducting current state assessment? a leadership/governance b regulatory/industry compliance c crisis management d business process/work recovery plans e marketing and communications
e) marketing and communications
In creating team members who are high experienced with BCM, what is not the area that the specialists should be expertise about? 1.operations 2.technology 3.finance 4.regulatory 5.communications
e). Explanation: that there are experienced crisis leaders coupled with specialists in operations, technology, finance and regulatory. Need support to leadership that is comprised of people with crisis intelligence capabilities as it is unfolding and how it may correlate with internal company data.
True or False: Hackers always have a specific target in mind and will tailor hacking techniques based on the target.
false
True/False: Very few companies would be considered "Business Associates" under HIPPA.
false
What are the two main classifications of data stored in the cloud?
personal data and organization data
What are the leading causes of healthcare breaches that happened this July?
phishing attacks and network server breaches.
List a few indicators of fraud
possible answer: unauthorized transactions, sudden fluctuations in volume and/or value of transactions, control overrides, unexplained pricing exceptions, and unusually large product losses
True/False: Computers will automatically process unintended input data and produce undesired output.
true