Chapter 1 Auditing IT Infrastructures for Compliance


NIST SP 800-53A provides

A guide for assessing security controls

A level of confidence that appropriate and effective IT controls are in place.

Assurance

An Independent assessment that takes a well-defined approach to examining an organization's internal policies, controls, and activities.

Audit

Which one of the following is true with regard to audits and assessments?

Audits can result in blame being placed upon an individual

In this test the tester is given no prior knowledge of the environment to be tested.

Black Box

Noncompliance with regulatory standards may result in what?

Brand damage, Fines, and Imprisonment

The act of adhering to internal policies, applicable laws, regulations, and industry requirements.

Compliance

What best describes an audit used to determine whether a Fortune 500 health care company is adhering to Sarbanes-Oxley and HIPAA regulations?

Compliance audit

Actions or changes put in place to reduce a weakness or potential loss. Also referred to as a countermeasure.

Controls

A large U.S.-based energy company that went bankrupt in 2001 and has become a symbol of corporate fraud and corruption.

Enron

What companies engaged in fraudulent activity and subsequently filed for bankruptcy?

Enron and WorldCom

Methods for conducting a security control assessment

Examination, interview, and test

Refers to the need or desire for an organization to follow rules and guidelines set forth by external organizations and initiatives.

External Compliance

A security assessment is a method for proving the strength of security systems.

False

Industry-created standards to prevent payment card theft and fraud.

Payment Card Industry Data Security Standard

A method for assessing information systems in an attempt to bypass controls and gain access.

Penetration Test

Which of the following is an assessment method that attempts to bypass controls and gain access to a specific system by simulating the actions of a would-be attacker?

Penetration test

Which of the following is not a method used for conducting an assessment of security controls?

Remediate

An uncertainty that might lead to loss. Losses occur when a threat exploits a vulnerability.

Risk

The practice of identifying, assessing, controlling, and mitigating risks. Techniques to manage risk include avoiding, transferring, mitigating, and accepting the risk.

Risk Management

At all levels of an organization, compliance is closely related to which of the following?

Risk management and governance

Categorizing information and information systems and then selecting and implementing appropriate security controls is part of a

Risk-based Approach

An act that was created in the wake of accounting scandals from the likes of Enron and WorldCom. This act set new accountability and corporate responsibility standards for public companies and accounting firms.

Sarbanes-Oxley Act

Some regulations are subject to _________ which means even if there wasn't intent of noncompliance, an organization can still incur large fines.

Strict Liability

A large off-price retailer of apparel and home fashions that suffered one of the most severe breaches of private data in history.

The TJX Companies, Incorporated

Compliance initiatives typically are efforts around all except which one of the following?

To adhere to an auditor's recommendation

The internal audit function may be outsourced to an external consulting firm.

True

Whereas only qualified auditors perform security audits, anyone may do security assessments.

True

This test provides complete knowledge and information, such as network diagrams, about the environment to be tested.

White box

What was the wireless network security protocol that led to a weak system at TJX?

Wired Equivalent Privacy (WEP)

A large U.S.-based telecommunications company involved in a massive accounting scandal that ultimately forced it to file for bankruptcy in 2002.

WorldCom

An organization that promotes innovation and competitiveness through the advancement of science, standards, and technology to improve economic security and quality of life.

National Institute of Standards and Technology

A set of goals. Used as part of an assessment to determine what needs to be accomplished to validate a control.

Objectives

The process through which an organization's processes and assets are directed and controlled.

Governance

In this test the tester has only partial knowledge of the environment to be tested.

Gray Box

An IT security audit is an __________ assessment of an organization's internal policies, controls, and activities.

Independent

Refers to an organization's ability to follow its own rules, which are typically based on defined policies.

Internal Compliance

These investigate company records and processes based on suspicious activity or alleged violations.

Investigative Audits
