IT Security Audits Ch. 1-4 Questions
framework
A ___________ is a conceptual set of rules and ideas that provide structure to a complex and challenging situation.
False
A security assessment is a method for proving the strength of security systems.
access control
Account management and separation of duties are examples of what type of controls?
identity
Adequate controls over privacy data help prevent ___________ theft.
GAP
After mapping existing controls to new regulations, an organization needs to conduct a _________ analysis.
independent
An IT security audit is an _______________ assessment of an organization's internal policies, controls, and activities.
Governance and risk management
At all levels of an organization, compliance is closely related to which of the following?
false
Avoiding the need for audits is one reason organizations develop clearly documented policies, standards, and procedures.
committee of sponsoring organizations
COSO is the acronym for which of the following?
risk-based approach
Categorizing information and information systems and then selecting and implementing appropriate security controls is part of a ____________________
To adhere to an auditor's recommendation
Compliance initiatives typically are efforts around all except which of the following?
false
PCI-DSS is a legislative act enacted by Congress to ensure that merchants meet baseline security requirements for how they store, process, and transmit payment card data.
framework
Policies, standards, and guidelines are part of the policy __________.
risk
RMF provides for the authorization of the operation of an information system based on an acceptable level of ___________.
desktop computers, laptop computers, handheld devices
Regarding the seven domains of IT infrastructure, the workstation domain includes which of the following? (select 3)
goal
Responding to business requirements and alignment with a business strategy is an example of an IT _____________.
false
SSAE 16 Type 1 includes everything in an SSAE 16 Type 2 report but adds detailed testing of the controls over a specific timeframe.
false
Sarbanes-Oxley explicitly addresses the IT security controls required to ensure accurate financial reporting.
strict liability
Some regulations are subject to ____________, which means that even if there was no intent of non-compliance, an organization can still incur large fines.
executive management
The COSO framework is targeted to which of the following groups within a company?
true
The internal audit function may be outsourced to an external consulting firm.
true
The process of selecting security controls is considered within the context of risk management.
Detect red flags and respond to detected red flags
To comply with the Red Flags Rule, financial institutions and creditors must do which of the following?
auditing standard no. 5
What PCAOB standard states that the auditor should assess the amount of IT involvement in the financial reporting process?
accept, transfer, avoid
What can be done to manage risk? (select 3)
NIST
What organization was tasked to develop standards to apply to Federal information systems using a risk-based approach?
section 404
What section of Sarbanes-Oxley requires management and the external auditor to report on the accuracy of internal controls over financial reporting?
True
Whereas only qualified auditors perform security audits, anyone may do security assessments.
FISMA
Which of the following acknowledges the importance of sound information security practices and controls in the interest of national security?
compliance audit
Which of the following best describes an audit used to determine if a Fortune 500 health care company is adhering to Sarbanes-Oxley and HIPAA regulations?
privacy management
Which of the following best describes the rights and obligations of individuals and organizations with respect to the collection, use, disclosure, and retention of personal information?
Worldcom and Enron
Which of the following companies engaged in fraudulent activity and subsequently filed for bankruptcy?
penetration test
Which of the following is an assessment method that attempts to bypass controls and gain access to a specific system by simulating the actions of a would-be attacker?
organizations are dynamic, growing environments; threats evolve; and laws and regulations evolve
Which of the following is an example of why an ongoing IT compliance program is important?
test
Which of the following is not a method used for conducting an assessment of security controls?
information security rule
Which of the following is not considered a principal part of the Gramm-Leach-Bliley Act?
operational
Which of the following is not one of the safeguards provided within the HIPAA security rule?
LAN-to-LAN domain
Which of the following is not one of the seven domains of a typical IT infrastructure?
auditor conflict of interest
Which of the following is not one of the titles within Sarbanes-Oxley?
implement unapproved change
Which of the following is not part of the change management process?
It is security-centered
Which of the following is not true about COBIT?
implement and support
Which of the following is not true of the four domains of COBIT?
Audits can result in blame being put on the individual
Which of the following is true with regard to audits and assessments?
NIST
Which of the following organizations was tasked to develop and prescribe standards and guidelines that apply to Federal information systems?
acceptable use policy and internet access policy
Which of the following policies would apply to the user domain concerning the seven domains of a typical IT infrastructure?
NIST 800-53A
Which of the following provides a framework for assessing the adequacy of implemented controls?
select a standard that can be followed, employ the selected standard, select flexible standard
Which of the following should organizations do when selecting a standard? (select 3)
PCAOB
Which of the following was established to have oversight of public accounting firms and is responsible for defining the process of SOX compliance audits?
HHS
Which regulatory department is responsible for the enforcement of HIPAA laws?
false
While the Family Educational Rights and Privacy Act prohibits the use of Social Security numbers as directory information, the act does not permit the use of the last four digits of an SSN.
false
Organizations may be audited for both ISO/IEC 27001 and ISO/IEC 27002 and receive a formal certification for each.
false
Mitigating a risk from an IT security perspective is about reducing the risk to zero.
a guide for assessing security controls
NIST 800-53A provides _______________
Brand damage, fines and imprisonment
Non-compliance with regulatory standards may result in which of the following?
true
Frameworks differ from each other in that they might offer varying levels of depth and breadth.
practice
ISO/IEC 27002 is a code of ___________ for information security management.
compensating control
If a baseline security control cannot be implemented, which of the following should be considered?
local communities
In accordance with the Children's Internet Protection Act, who determines what is considered inappropriate material?