ISMN 6750 Exam 1 Questions

Three IT security controls covered by the National Institute of Standards and Technology (NIST) include management, operational, and __________. A. Systems B. Technical C. Computing D. Organizational

B. Technical

An unauthorized user has gained access to data and viewed it. What has been lost? A. Accountability B. Confidentiality C. Integrity D. Availability

B. Confidentiality

Whereas only qualified auditors issue opinions for security audits, anyone can perform a security assessment. True / False

True

An acceptable use policy (AUP) is part of the _____________ Domain. A. Sys/App Domain B. LAN Domain C. Workstation Domain D. User Domain

D. User Domain

This is a widely used control framework of IT. A. COBIT B. PCI-DSS C. SOX D. SOC Type II

A. COBIT

NIST has three IT security control categories. The following are controls in one of the categories: 1. Identification and authorization 2. Logical access control 3. Audit trail 4. Cryptography The above controls are examples of which control category? A. Technical B. Infrastructure C. Management D. Operational

A. Technical

An IT infrastructure audit __________ is the system in a known acceptable state, with the applied minimum controls relative to the accepted risk. A. Working case B. Configuration map C. Baseline D. Assessment model

C. Baseline

Regarding privacy, what is a common characteristic of "personal information"? A. It is most commonly healthcare-related information B. It is most commonly financial-related information C. It can be used to identify a person D. It is classified

C. It can be used to identify a person

Which of the following requires organizations to have an annual assessment by a Qualified Security Assessor (QSA)? A. Gramm-Leach-Bliley Act (GLBA) B. Sarbanes-Oxley (SOX) Act C. Payment Card Industry Data Security Standard (PCI DSS) D. HITECH

C. Payment Card Industry Data Security Standard (PCI DSS)

What term describes the identification, control, logging, and auditing of all changes made across the infrastructure? A. Access Control B. Audit Scope C. Assessment Parameters D. Configuration and Change Management

D. Configuration and Change Management

A security assessment is a method for proving the strength of a security system. True / False

False

Which of the following is NOT an important step for conducting effective IT audit interviews? A. Scheduling the interview B. Recording the interview C. Setting organizational goals during the interview D. Preparing for the interview

C. Setting organizational goals during the interview

National Institute of Standards and Technology (NIST) security controls are classified as being preventive, detective, or __________. A. Concurrent B. Collaborative C. Compensating D. Corrective

D. Corrective

Which of the following uses "engagements" to report on the evaluation of controls of third-party service businesses that host or process data on behalf of customers? A. NIST B. COBIT C. PCI-DSS D. SOC

D. SOC

Which act, which consists of 11 "titles," mandated many reforms to enhance corporate responsibility, enhance financial disclosures, and prevent fraud? A. Federal Information Security Management Act of 2002 (FISMA) B. Gramm-Leach-Bliley Act (GLBA) C. Family Educational Rights and Privacy Act (FERPA) D. Sarbanes-Oxley (SOX) Act

D. Sarbanes-Oxley (SOX) Act