Chapter 1: The Need for Information Systems Security Compliance
TJX
A large off-price retailer of apparel and home fashion. The company operates under several brands, including T.J. Maxx and Marshalls.
assurance
A level of confidence that effective controls are in place and that associated risks are accepted and authorized.
b
A security assessment is a method for proving the strength of security systems. A. True B. False
independent
An IT security audit is an ________ assessment of an organization's internal policies, controls, and activities.
audit
An independent assessment of an organization's internal policies, controls, and activities.
risk
An uncertainty that might lead to a loss.
e
At all levels of an organization, compliance is closely related to which of the following? A. Governance B. Risk management C. Government D. Risk assessment E. Both A and B F. Both C and D
risk-based approach
Categorizing information and information systems and then selecting and implementing appropriate security controls is part of a ________.
COBIT
Compliance frameworks, such as Control Objectives for Information and Related Technology (_______), and standards, such as NIST, help interpret how to comply with the regulations.
d
Compliance initiatives typically are efforts around all except which one of the following? A. To adhere to internal policies and standards B. To adhere to regulatory requirements C. To adhere to industry standards and best practices D. To adhere to an auditor's recommendation
objectives
Each _____ has a set of assessment methods, including examination, interview, and test; and each _____ has a set of assessment objects, including specification, mechanism, activity, and individual.
a guide for assessing security controls
NIST 800-53A provides ______.
d
Noncompliance with regulatory standards may result in which of the following? A. Brand damage B. Fines C. Imprisonment D. All of the above E. B and C only
WorldCom
Prior to filing for bankruptcy in 2002, _____ was the second largest telecommunications company in the world. It handled Internet data traffic globally and accounted for more international voice traffic than any other company.
strict liability
Some regulations are subject to ________, which means even if there wasn't intent of noncompliance, an organization can still incur large fines.
c
Which of the following best describes an audit used to determine if a Fortune 500 health care company is adhering to Sarbanes-Oxley and HIPAA regulations? A. IT audit B. Operational audit C. Compliance audit D. Financial audit E. Investigative audit
e
Which of the following companies engaged in fraudulent activity and subsequently filed for bankruptcy? A. WorldCom B. Enron C. TJX D. All of the above E. A and B only
b
Which of the following is an assessment method that attempts to bypass controls and gain access to a specific system by simulating the actions of a would-be attacker? A. Policy review B. Penetration test C. Standards review D. Controls audit E. Vulnerability scan
d
Which one of the following is not a method used for conducting an assessment of security controls? A. Examine B. Interview C. Test D. Remediate
e
Which one of the following is true with regard to audits and assessments? A. Assessments typically result in a pass or fail grade, whereas audits result in a list of recommendations to improve controls. B. Assessments are attributive and audits are not. C. An audit is typically a precursor to an assessment. D. An audit may be conducted independently of an organization, whereas internal IT staff always conducts an IT security assessment.
governance
_____ seeks to better run an organization using complete and accurate information and management processes or controls.
Enron
_____ was a U.S.-based energy company that at one point was the seventh-largest company in the United States and the largest trader of natural gas and electricity in the country.
controls
Actions or changes to be applied to systems to reduce weaknesses or potential losses.
penetration test
An assessment method that attempts to bypass controls and gain access to a specific system by simulating the actions of a would-be attacker.
PCI DSS
An industry-created standard that applies to organizations that process credit cards. Companies that meet a specific threshold for large volumes of credit card transactions are required to achieve compliance.
risk management
Seeks to mitigate risk through controls.
NIST
The technology agency of the U.S. Department of Commerce; it provides a framework for effective security assessment plans.
a
The internal audit function may be outsourced to an external consulting firm. A. True B. False
Sarbanes-Oxley Act
This act addresses many of the shortcomings and lessons learned from the Enron scandal.
compliance
This pertains to ensuring that specific guidelines, laws, or requirements have been met.
a
Whereas only qualified auditors perform security audits, anyone may do security assessments. A. True B. False