ISMN 5750 Exam 1


Descriptive Framework

High level; aligns IT with business goals

2 Types of Compliance

Internal and External

Regarding privacy, what is a common characteristic of "personal information"?

It can be used to identify a person

Control Activities

More specific; describes how to achieve goals

Prescriptive Framework

More specific; standardizes IT operations and tasks

Scope of a Security Audit

Organizational, Compliance, Technical, Application

Which of the following requires organizations to have an annual assessment by a Qualified Security Assessor (QSA)?

PCI DSS

Risk Management

Seeks to mitigate risk through controls

Designing Security Controls

Discover, Select, Implement, Assess, Authorize, Monitor

Which of the following best describes Control Objectives for Information and related Technology (COBIT)?

A framework providing best practices for IT governance and controls

Configuration and Change Management

All changes must be approved. Unauthorized changes lead to breaches and failures. It is the process of controlling systems throughout their life cycle.

Security Controls

Apply across the IT infrastructure

What term describes the identification, control, logging, and auditing of all changes made across the infrastructure?

Configuration and Change Management

Configuration Management

Ensures changes are requested, evaluated and authorized

Noncompliance can result in:

Fines, jail time, operational consequences

Foundation of Cybersecurity

Integrity, confidentiality, availability

Cybersecurity Framework

Profile, Implementation Tiers, Core

Enron Corporation

The Enron Corporation, an energy trading company, filed for bankruptcy in 2001, dissolving millions of dollars in profit-sharing pension plans held by employees. Enron and other top corporations were investigated for illegal accounting practices. Shareholders saw a loss of 11 billion.
- Reduced its tax payments
- Increased its stock price and credit ratings
- Hid losses off the balance sheet
- Employees funneled money to themselves

COSO Framework

Used for improving organizational performance and governance, and reducing fraud in organizations

In an IT infrastructure, the end users' operating environment is called the

Workstation Domain

International Organization for Standardization (ISO) 27000 series

- Focuses on management and processes
- Relies on other standards: ISO/IEC

HIPAA (Health Insurance Portability and Accountability Act)

- Helps citizens maintain health insurance coverage
- Improves efficiency and effectiveness of the American health care system
- Protects the privacy and security of certain health information
- Financial penalties for noncompliance
- Privacy rule: dictates how covered entities must protect PHI
- Security rule: dictates that covered entities must protect the confidentiality, integrity, and availability (CIA) of electronic PHI

Configuration and Change Management Process

- Identify and request change
- Evaluate change request
- Decision response
- Implement approved change
- Monitor change

External Business challenges for compliance

- Standards and regulations change
- Organizational policies change

6 Steps of Risk Management Framework

1. Categorize information system
2. Select security controls
3. Implement security controls
4. Assess security controls
5. Authorize information system
6. Monitor security controls

IT Security Policy Framework

Policies, Standards, Guidelines.

COPPA (Children's Online Privacy Protection Act)

Requires web sites and other online services aimed at children less than 13 years of age to comply by: posting a privacy policy, notifying parents directly before collecting personal information from kids, and getting parents' verifiable consent before collecting information from kids

FERPA (Family Educational Rights and Privacy Act)

Right to inspect and review, right to correct records, parental written permission required

Which of the following uses "engagements" to report on the evaluation of controls of third-party service businesses that host or process data on behalf of customers?

SOC

Compliance

To comply, conform, submit or adapt as required or requested.
- Helps risk management by verifying that the desired controls are in place

TJX Case Study

An unauthorized intruder accessed TJX systems in July 2005 and continued until 2007. At the time it was the biggest credit card breach in history. The stores used WEP.

An acceptable use policy (AUP) is part of the _____________ Domain.

User Domain

Framework

- A conceptual set of rules and ideas that provide structure to a complex and tough situation
- May be rigid in structure but provides flexibility
- Can guide content and provide consistency
- Includes distinct components: intro, learning objectives, headings and summary

IT Security Assessment

- Identify weaknesses within the controls implemented on information systems
- Confirm that previously identified weaknesses have been remediated or mitigated
- Prioritize further decisions to mitigate risks
- Provide assurance so that associated risks are accepted and authorized
- Provide support and planning for future budgetary requirements

Common Types of Audits

- Financial: financial statements
- Compliance: laws, regulations
- Operational: policies, procedures and operational controls
- Investigative: records and processes on suspicious activity
- Information Technology: addresses IT system risk exposures

Internal Business challenges for compliance

- Standards can interfere with operations
- Gaining acceptance is challenging

What must your organization do to be in compliance?

- Start with an organizational governance framework
- Implement controls
- Have sound policies in place
- Perform a gap analysis

Gramm-Leach-Bliley Act (GLBA)

- The Financial Modernization Act of 1999
- Protects personal financial information held by financial institutions
- To protect personally identifiable information (PII), GLBA divides privacy requirements into three parts: Financial Privacy Rule, Safeguards Rule and pretexting provisions

Audit Characteristics

- Independent evaluations
- Rigorous approach; auditors must be qualified
- Certification received upon passing
- Concerned about past results
- Auditors never audit applications, processes, or systems they designed or created

Types of Assessments

- Network security architecture
- Review of security policies, procedures, and practices
- Vulnerability scanning and testing
- Physical security
- Social engineering
- Applications
- Security risks

7 domains of IT infrastructure

User, Workstation, LAN, LAN-to-WAN, WAN, System/Application, Remote Access

Red Flags Rule

Based upon the Fair and Accurate Credit Transactions Act of 2003.
- Establishes procedures for the identification of possible instances of identity theft
- To comply: identify red flags for covered accounts, detect red flags, respond to red flags, update the program often

Penetration Test

An assessment that attempts to bypass controls and gain access to a specific system by simulating the actions of a would-be attacker. It reveals weaknesses.

NIST 800-53

- Provides a comprehensive catalog of security controls
- Targeted to the federal government but widely used in corporations

CIPA (Children's Internet Protection Act)

- Attempts to prevent children from being exposed to explicit content at schools and libraries
- Schools must: use technology protection measures, protect our children from exposure to offensive internet content, and adopt and enforce a policy to monitor the online activities of minors

Protecting Privacy Data

- Develop appropriate privacy policies
- Establish a privacy officer
- Conduct training and awareness around data handling, identity theft, and social engineering
- Conduct regular risk assessments of access controls
- Establish data retention and data destruction controls
- Limit data to only that which is required
- Encryption
- HIPAA, GLBA, COPPA

PCI DSS (Payment Card Industry Data Security Standard)

- Not a law or regulation
- A set of requirements that prescribe operational and technical controls to protect cardholder data
- Requirements follow security best practices and use 12 high-level requirements aligned across 6 goals
- Assess, remediate, report

SOX Act (Sarbanes-Oxley)

- Protects investors by requiring accuracy and reliability in corporate disclosures; cracks down on corporate fraud
- Created new standards for corporate accountability
- Created new penalties for acts of wrongdoing, both civil and criminal
- Changes how corporate boards and executives must exchange information and work with corporate auditors

An effective IT Security Audit program should:

- Provide an objective and independent review of an organization's policies, information systems, and controls
- Provide reasonable assurance that appropriate and effective IT controls are in place
- Provide audit recommendations for both corrective actions and improvement to controls

Public and Private Sector Requirements

- Troubles come from 2 directions: IT personnel have no legal background and regulations have little technical depth
- Vague regulation requirements
- Regulatory requirements: state, federal and international
- Internal policies should execute the regulatory policies

An organization creates policies and a framework for the application of controls. The organization then maps existing controls to each regulation to which it must comply. Thereafter, the organization performs a __________ to identify anything that is missing.

Gap Analysis

Which of the following best describes a prescriptive IT control?

Helps standardize IT operations and tasks

Control Objectives

High level; remain almost constant; describe organizational goals

Assurance against unauthorized modification or destruction of data is the definition of:

Integrity

Change Management

Provides method for tracking unauthorized changes

SOC - Service Organization Controls

Reports
- Help customers understand that adequate controls and processes are in place
- The Auditing Standards Board of the American Institute of Certified Public Accountants issues and maintains the auditing standards

A large financial organization wants to outsource its payroll function. Which of the following should the financial organization ensure the payroll company has?

SOC report

Which act, which consists of 11 "titles," mandated many reforms to enhance corporate responsibility, enhance financial disclosures, and prevent fraud?

Sarbanes-Oxley

Governance

Seeks to better run an organization using complete and accurate information and management processes or controls

Privacy Management

The rights and obligations of individuals and organizations with respect to the collection, use, disclosure, and retention of personal information.
- Name, Social Security number, address, email, physical characteristics

Policy Framework

Standards, Procedures, guidelines, Policies

Selecting a standard

Evaluate, select, employ

COBIT 5 Principles

1. Meeting stakeholder needs
2. Covering the enterprise end to end
3. Applying a single integrated framework
4. Enabling a holistic approach
5. Separating governance from management

Which of the following best describes a descriptive IT control?

Aligns IT with business goals

IT Security Audit

An independent assessment of an organization's internal policies, controls, and activities.
- Assess the presence and effectiveness of IT controls
- Ensure that those controls are compliant with stated policies
- Provide reasonable assurance that organizations are compliant with regulations and requirements

An unauthorized user has gained access to data and viewed it. What has been lost?

Confidentiality

Arthur Andersen

Enron's auditing firm.
- Was convicted of obstruction of justice for shredding paper and electronic documents
- This led to other audit discrepancies at WorldCom
