IT Security Audits Ch. 1-4 Questions


framework

A ___________ is a conceptual set of rules and ideas that provide structure to a complex and challenging situation.

False

A security assessment is a method for proving the strength of security systems.

access control

Account management and separation of duties are examples of what type of controls?

identity

Adequate controls over privacy data help prevent ___________ theft.

GAP

After mapping of existing controls to new regulations, an organization needs to conduct a _________ analysis.

independent

An IT security audit is an _______________ assessment of an organization's internal policies, controls, and activities.

Governance and risk management

At all levels of an organization, compliance is closely related to which of the following?

false

Avoiding the need for audits is one reason organizations develop clearly documented policies, standards, and procedures.

Committee of Sponsoring Organizations

COSO is the acronym for which of the following?

risk-based approach

Categorizing information and information systems and then selecting and implementing appropriate security controls is part of a ____________________

To adhere to an auditor's recommendation

Compliance initiatives typically are efforts around all except which of the following?

false

PCI-DSS is a legislative act enacted by Congress to ensure that merchants meet baseline security requirements for how they store, process, and transmit payment card data.

framework

Policies, standards, and guidelines are part of the policy __________.

risk

RMF provides for the authorization of the operation of an information system based on an acceptable level of ___________.

desktop computers, laptop computers, handheld devices

Regarding the seven domains of IT infrastructure, the workstation domain includes which of the following? (select 3)

goal

Responding to business requirements and aligning with business strategy is an example of an IT _____________.

false

An SSAE 16 Type 1 report includes everything in an SSAE 16 Type 2 report but adds detailed testing of the controls over a specific timeframe.

false

Sarbanes-Oxley explicitly addresses the IT security controls required to ensure accurate financial reporting.

strict liability

Some regulations are subject to ____________, which means even if there wasn't intent of non-compliance, an organization can still incur large fines.

executive management

The COSO framework is targeted to which of the following groups within a company?

true

The internal audit function may be outsourced to an external consulting firm.

true

The process of selecting security controls is considered within the context of risk management.

Detect red flags and respond to detected red flags

To comply with the Red Flags Rule, financial institutions and creditors must do which of the following?

Auditing Standard No. 5

What PCAOB standard states that the auditor should assess the amount of IT involvement in the financial reporting process?

accept, transfer, avoid

What can be done to manage risk? (select 3)

NIST

What organization was tasked to develop standards to apply to Federal information systems using a risk-based approach?

section 404

What section of the Sarbanes-Oxley Act requires management and the external auditor to report on the accuracy of internal controls over financial reporting?

True

Whereas only qualified auditors perform security audits, anyone may do security assessments.

FISMA

Which of the following acknowledges the importance of sound information security practices and controls in the interest of national security?

compliance audit

Which of the following best describes an audit used to determine if a Fortune 500 health care company is adhering to Sarbanes-Oxley and HIPAA regulations?

privacy management

Which of the following best describes the rights and obligations of individuals and organizations with respect to the collection, use, disclosure, and retention of personal information?

Worldcom and Enron

Which of the following companies engaged in fraudulent activity and subsequently filed for bankruptcy?

penetration test

Which of the following is an assessment method that attempts to bypass controls and gain access to a specific system by simulating the actions of a would-be attacker?

organizations are dynamic, growing environments, threats evolve and laws and regulations evolve

Which of the following is an example of why an ongoing IT compliance program is important?

test

Which of the following is not a method used for conducting an assessment of security controls?

information security rule

Which of the following is not considered a principal part of the Gramm-Leach-Bliley Act?

operational

Which of the following is not one of the safeguards provided within the HIPAA security rule?

LAN-to-LAN domain

Which of the following is not one of the seven domains of a typical IT infrastructure?

auditor conflict of interest

Which of the following is not one of the titles within Sarbanes-Oxley?

implement unapproved change

Which of the following is not part of the change management process?

It is security-centered

Which of the following is not true about COBIT?

implement and support

Which of the following is not true of the four domains of COBIT?

Audits can result in blame being put on the individual

Which of the following is true with regard to audits and assessments?

NIST

Which of the following organizations was tasked to develop and prescribe standards and guidelines that apply to Federal information systems?

acceptable use policy and internet access policy

Which of the following policies would apply to the user domain concerning the seven domains of a typical IT infrastructure?

NIST 800-53A

Which of the following provides a framework for assessing the adequacy of implemented controls?

select a standard that can be followed, employ the selected standard, select a flexible standard

Which of the following should organizations do when selecting a standard? (select 3)

PCAOB

Which of the following was established to have oversight of public accounting firms and is responsible for defining the process of SOX compliance audits?

HHS

Which regulatory department is responsible for the enforcement of HIPAA laws?

false

While the Family Educational Rights and Privacy Act prohibits the use of Social Security numbers as directory information, the act does not permit the use of the last four digits of an SSN.

false

Organizations may be audited for both ISO/IEC 27001 and ISO/IEC 27002 and receive a formal certification for each.

false

Mitigating a risk from an IT security perspective is about eliminating the risk to zero.

a guide for assessing security controls

NIST 800-53A provides _______________

Brand damage, fines and imprisonment

Non-compliance with regulatory standards may result in which of the following?

true

Frameworks differ from each other in that they might offer varying levels of depth and breadth.

practice

ISO/IEC 27002 is a code of ___________ for information security management.

compensating control

If a baseline security control cannot be implemented, which of the following should be considered?

local communities

In accordance with the Children's Internet Protection Act, who determines what is considered inappropriate material?
