ISMN 6750 Exam 1 Questions
Three IT security controls covered by the National Institute of Standards and Technology (NIST) include management, operational, and __________. A. Systems B. Technical C. Computing D. Organizational
B. Technical
An unauthorized user has gained access to data and viewed it. What has been lost? A. Accountability B. Confidentiality C. Integrity D. Availability
B. Confidentiality
Whereas only qualified auditors issue opinions for security audits, anyone can perform a security assessment. True / False
True
An acceptable use policy (AUP) is part of the _____________ Domain. A. Sys/App Domain B. LAN Domain C. Workstation Domain D. User Domain
D. User Domain
This is a widely used control framework of IT. A. COBIT B. PCI-DSS C. SOX D. SOC Type II
A. COBIT
NIST has three IT security control categories. The following are controls in one of the categories: 1. Identification and authorization 2. Logical access control 3. Audit trail 4. Cryptography The above controls are examples of which control category? A. Technical B. Infrastructure C. Management D. Operational
A. Technical
An IT infrastructure audit __________ is the system in a known acceptable state, with the minimum controls applied relative to the accepted risk. A. Working case B. Configuration map C. Baseline D. Assessment model
C. Baseline
Regarding privacy, what is a common characteristic of "personal information"? A. It is most commonly healthcare-related information B. It is most commonly financial-related information C. It can be used to identify a person D. It is classified
C. It can be used to identify a person
Which of the following requires organizations to have an annual assessment by a Qualified Security Assessor (QSA)? A. Gramm-Leach-Bliley Act (GLBA) B. Sarbanes-Oxley (SOX) Act C. Payment Card Industry Data Security Standard (PCI DSS) D. HITECH
C. Payment Card Industry Data Security Standard (PCI DSS)
What term describes the identification, control, logging, and auditing of all changes made across the infrastructure? A. Access Control B. Audit Scope C. Assessment Parameters D. Configuration and Change Management
D. Configuration and Change Management
A security assessment is a method for proving the strength of a security system. True / False
False
Which of the following is NOT an important step for conducting effective IT audit interviews? A. Scheduling the interview B. Recording the interview C. Setting organizational goals during the interview D. Preparing for the interview
C. Setting organizational goals during the interview
National Institute of Standards and Technology (NIST) security controls are classified as being preventive, detective, or __________. A. Concurrent B. Collaborative C. Compensating D. Corrective
D. Corrective
Which of the following uses "engagements" to report on the evaluation of controls of third-party service businesses that host or process data on behalf of customers? A. NIST B. COBIT C. PCI-DSS D. SOC
D. SOC
Which act, consisting of 11 "titles," mandated many reforms to enhance corporate responsibility, enhance financial disclosures, and prevent fraud? A. Federal Information Security Management Act of 2002 (FISMA) B. Gramm-Leach-Bliley Act (GLBA) C. Family Educational Rights and Privacy Act (FERPA) D. Sarbanes-Oxley (SOX) Act
D. Sarbanes-Oxley (SOX) Act