Security Policy Chapter 7
Ricky is reviewing security logs to independently assess security controls. Which security review process is Ricky engaging in?
Audit
Which audit data collection method helps ensure that the information-gathering process covers all relevant areas?
Checklist
Which regulatory standard would NOT require audits of companies in the United States?
Personal Information Protection and Electronic Documents Act (PIPEDA) (Sarbanes-Oxley Act (SOX), Health Insurance Portability and Accountability Act (HIPAA), Payment Card Industry Data Security Standard (PCI DSS))
What information should an auditor share with the client during an exit interview?
Details on major issues
Curtis is conducting an audit of an identity management system. Which question is NOT likely to be in the scope of his audit?
Does the firewall properly block unsolicited network connection attempts? (Does the organization have an effective password policy?, Who grants approval for access requests?, Is the password policy uniformly enforced?)
A report indicating that a system's disk is 80 percent full is a good indication that something is wrong with that system.
False
Committee of Sponsoring Organizations (COSO) is a set of best practices for IT management.
False
Regarding log monitoring, false negatives are alerts that seem malicious but are not real security events.
False
The four main types of logs that you need to keep to support security auditing include event, access, user, and security.
False
What is a set of concepts and policies for managing IT infrastructure, development, and operations?
IT Infrastructure Library (ITIL)
Jacob is conducting an audit of the security controls at an organization as an independent reviewer. Which question would NOT be part of his audit?
Is the security control likely to become obsolete in the near future? (Is the level of security control suitable for the risk it addresses?, Is the security control in the right place and working well?, Is the security control effective in addressing the risk it was designed to address?)
Christopher is designing a security policy for his organization. He would like to use an approach that allows a reasonable list of activities but does not allow other activities. Which permission level is he planning to use?
Prudent
Which item is an auditor least likely to review during a system controls audit?
Resumes of system administrators
Emily is the information security director for a large company that handles sensitive personal information. She is hiring an auditor to conduct an assessment demonstrating that her firm is satisfying requirements regarding customer private data. What type of assessment should she request?
SOC 3
Anomaly-based intrusion detection systems compare current activity with stored profiles of normal (expected) activity.
True
Data loss prevention (DLP) uses business rules to classify sensitive information to prevent unauthorized end users from sharing it.
True
In security testing data collection, observation is the input used to differentiate between paper procedures and the way the job is really done.
True
In security testing, reconnaissance involves reviewing a system to learn as much as possible about the organization, its systems, and its networks.
True
Regarding an intrusion detection system (IDS), stateful matching looks for specific sequences appearing across several packets in a traffic stream rather than just individual packets.
True
SOC 2 reports are created for internal and other authorized stakeholders and are commonly implemented for service providers, hosted data centers, and managed cloud computing providers.
True