ISMN Exam 1
system configuration documentation:
- IP addresses - operating system - patch level - hardware specifications - installed software - protocols - service config - user accounts - password settings - audit log settings
vulnerability identification resources
- vulnerability lists and databases - security advisories - software and security analysis
What name is given to an act of Congress to recognize the importance of information security to United States interests?
Federal Information Security Management Act of 2002 (FISMA)
After mapping existing controls to new regulations, an organization need to conduct a _____ analysis
GAP
HITECH 2009
Introduces the concept of "business associates". Any one that touches healthcare data, has to be hippa compliant.
tasked with to develop standards to apply to federal information systems using risk based approach
National institute of standards and technology
A person wants to withdraw funds from a personal banking account. She presents a driver's license to the bank teller, but the teller doesn't believe the driver's license belongs to the customer. Which of the following provides guidance for addressing this situation?
Red Flags Rule
Which of the following uses "engagements" to report on the evaluation of controls of third-party service businesses that host or process data on behalf of customers?
SOC
NIST 800-53A provides a guide for
assessing security
goals
must be aligned with audit objectives
NIST standards and methodologies
- NIST 800-53 and NIST 800-53A are two important and widely used standards - NIST provides a catalog of security controls and a framework to assess the controls - many orgs base their policies on NIST - CSD of NIST provides several popular publications: special publications, NISTIR, ITL bulletins, FIPS
Which of the following is NOT an important step for conducting effective IT audit interviews?
setting organizational goals during the interview
objectives
should satisfy internal and external requirements
NIST has three IT security control categories. The following are controls in one of the categories: 1. Identification and authorization 2. Logical access control 3. Audit trail 4. Cryptography The above controls are examples of which control category?
technical
Three IT security controls covered by the National Institute of Standards and Technology (NIST) include management, operational, and __________.
technical
Only auditors can do audits, anyone can do assessments T or F
true
The process of selecting security controls is considered within the context of risk management T or F
true
threat analysis
when undertaking a risk management plan, a complete threat analysis must be completed
Best describes the rights and obligations of individuals and organizations with respect to collection, use, disclosure and retention of personal data?
· Privacy management
If baseline security cannot be implemented, this should be considered
· compensating control
An internal audit may be outsourced to.....
· external consulting firm
security control points in an IT infrastructure
- management - operational - technical - detective - corrective
scope restrictions (negative impacts of scope restrictions)
- not providing enough resources - limiting the time frame - preventing the discovery of audit evidence - restricting audit procedures - withholding relevant historical records or information about past incidents
Which of the following best describes a descriptive IT control?
Aligns IT with business goals
3 broadly applicable security regulations
Broadly applicable Industry specific Key state regulation
_____________ · is an independent assessment of an organizations internal policies, controls and activities
IT security audit
Assurance against unauthorized modification or destruction of data is the definition of:
Integrity
Regarding privacy, what is a common characteristic of "personal information"?
It can be used to identify a person
Which of the following requires organizations to have an annual assessment by a Qualified Security Assessor (QSA)?
Payment Card Industry Data Security Standard (PCI DSS)
A large financial organization wants to outsource its payroll function. Which of the following should the financial organization ensure the payroll company has?
SOC Report
What must your organization do to be complaint
Start with a organizational governece framework, implement controls, have sound policies in place, perform gap analysis
System/application domain
Systems and software applications that user access Mainframes, applications, web servers, software, applications Harden servers to authorized baselines, configured to policies and standards with controls
An acceptable use policy (AUP) is part of the _____________ Domain.
User Domain
In an IT infrastructure, the end users' operating environment is called the _____________.
Workstation Domain
Method for assessing security controls
examine, interview, test
Mitigating risk from an IT security perspective is about eliminating the risk to zero. T or F
false
Compliance closely relates to
governance and risk management
frequency
is every one,two, or three years
User domain example
· acceptable use policy and internet policy
audit interview framework:
- preparing - scheduling - opening - conducting - closing - recording
To comply with the red flags rule, financial institutions must
....identify red flags for covered accounts, deflect red flags, respond to them, update the program occasionally
What is a rule established by the Fair and Accurate Credit Transactions Act and implemented to identify possible instances of identity theft?
Red Flag Rule
RMF
acceptable level of risk
Account management and separation of duties are examples of
access control
Hippa security rule
administrative, technical, physical (operational is not one)
Title 21
allows us to use digital signatures
802 Criminal Penalties for Altering Documents
anyone who knowingly alters, destroys, mutilates, conceals, covers up, falsies, or makes false entry in any record with the intent to impede, obstruct or influence the investigation. Can be fined, imprisoned for no more than 20 years or both. HAVE TO PROVE INTENT.
obtaining information, documentation, and resources
auditor: must understand organization, must understand security in place, must know industry best practices
National Institute of Standards and Technology (NIST) security controls are classified as being preventive, detective, or __________.
corrective
906 Corporate Responsibility For Financial Reports
criminal penalty for certifying a misleading or fraudulent financial report can be upwards of 5 million in fines and 20 years in prison
NIST
develop and prescribe standards and guidelines that apply to federal information systems
FISMA
importance of sound information security practices abd controls in the interest of national security
scope
includes areas to be reviewed and the time period
An IT infrastructure audit __________ is the system in a known acceptable state, with the applied minimum controls relative to the accepted risk.
baseline
layered audit
- a layer audit approach is necessary when systems span across the domains of an IT infrastructure - predominant in audits: of a particular process,
identifying critical security control points:
- adequate controls should be in place to meet high level defined control objectives - organizational risk assessment plays an important role in identifying high risk areas - consensus audit guidelines (CAG)
existing IT security policy framework defintion
- frameworks exist to help with risk management programs, security programs, and policy creation - ensure compliances across the IT infrastructure - important for the auditor to know upon what framework organization has based its policy - allows better alignment between the organizations policy and the audit
IT testing and monitoring (questions):
- is IT performance measured to detect problems before it is too late? - does management ensure that internal controls are effective and efficient? - can IT performance be linked back to business goals?
privacy audits address the following three concerns:
1. what type of personal information is processed and stored? 2. where is it stored? 3. how is it managed?
_________________ is catergorizing information and information systems and then selecting and implementing appropriate security controls
RISK BASED APPROACH
applying risk management strategies
- accept the risk - avoid the risk - share the risk - control the risk
tradeoffs to risk assessment analysis
- cost: are the costs of a control justified by the reduction of risk? - operational impact: does the control have an adverse effect on system performance - feasibility: is the control technically feasible? will the control be feasible for the end users?
resources in an IT infrastructure
- data - apps - technology - facilities - personnel
standard config documents for role specific systems:
- firewalls - web servers - mail servers - DNS servers - FTP servers
examples of documents auditor should gather include:
- system config documentation - applications config documentation - network documentation for applications and systems being audited - standard config documents for role specific systems
risk assessment analysis
- the likelihood of a threat to exploit a given vulnerability - the impact on the organization if that threat against the vulnerability is achieved - the sufficiency of controls to either eliminate or reduce the risk
IT testing and monitoring
- the most important and beneficial element of an IT security program - testing and monitoring must be conducted to know the controls are working - all frameworks include a control objective for regularly assessing and monitoring IT systems and controls
Complaint audits ensure....
....adhere to internal policies and controls, industry standards and best practices, regulatory requirements
Which of the following best describes Control Objectives for Information and related Technology (COBIT)?
A framework providing best practices for IT governance and control
FISMA (Federal Information Security Management Act)
Applies to federal agencies Have to have an effective security program. They have to conduct risk assessment. Policies and procedures. Testing and evaluation
An act of Congress to protect the financial information of consumer information held by financial agencies is the definition of:
Gramm-Leach-Bliley Act (GLBA)
Which of the following best describes a prescriptive IT control?
Helps standardize IT operations and tasks
404 Management assessment of internal Controls
Internal controls report. It will assess the internal controls structure and the effectiveness. Make sure they are adequate to safeguard the asset. Management Assertion that internal accounting controls are in place, operational, and effective.
bypass controls and gain access to something
Penetration test
Which act, which consists of 11 "titles," mandated many reforms to enhance corporate responsibility, enhance financial disclosures, and prevent fraud?
Sarbanes-Oxley (SOX) Act
LAN to WAN Domain
WAN connects multiple LANS Routers, firewalls, intrusion detection devices Public IP addresses, high level security required
What term describes the identification, control, logging, and auditing of all changes made across the infrastructure?
Configuration and Change Management
types of documentation (information gathering)
- administrative - system - procedural - network architecture diagrams - vendor support access documents and agreements
threat analysis (threat identification)
- adversarial - accidental - structural - environmental
enterprise risk management (ERM):
- align risk appetite and strategy - identify cross-enterprise risks - reduce surprises and losses - improve capital allocations - seize opportunities - enhance risk response decisions
tools used in the IT audit process
- electronic work papers - project management software - flowcharting software - open issue tracking software - audit department website
assessing IT security controls:
- is it effective? - is it required? - how much effort or money should be spent?
minimum acceptable level of risk and security baseline definitions
- need to complete risk assessment - controls based on level of risk to the org - org wide - 7 domains of a typical IT infrastructure
necessary documentation
- organizations written policies - administrative documentation - system documentation - procedural documentation - network architecture diagrams - vendor support access documents and agreements
documented security policy framework
- security policy framework: foundation, direction, support internally, direction for assessments and audits - policies: quality, inexpensive control, difficult to implement, provides reference to auditor, includes standards, procedures, and guidelines
A security assessment is a method for proving the strength of security systems T OR F
FALSE
Which of the following best describes the Gramm-Leach-Bliley Act (GLBA)?
An act of Congress that prohibits banks from offering investment, commercial banking, and insurance services all under one umbrella
What is the definition of Qualified Security Assessor (QSA)?
An organization qualified and authorized to perform Payment Card Industry (PCI) compliance assessments
User domain
Anybody accessing info Policies for everything like email, internet, etc Authentication methods
Which law requires technology in place that blocks or filters Internet access that is either obscene, harmful to minors, or represents child pornography?
Children's Internet Protection Act (CIPA)
Adhering to the SOX and HIPPA requirements
Compliance audit
LAN domain
Computing and network equipment Access centralized resources such as files, printer. Physical connections Logon access control, hardening, configuration, network power supply
An unauthorized user has gained access to data and viewed it. What has been lost?
Confidentiality
302 Corporate Responsibilities
File periodic financial reports and must be approved and signed by an officer that they are true and not misleading. Also, the internal control structure and audited within 90 days.
An organization creates policies and a framework for the application of controls. The organization then maps existing controls to each regulation to which it must comply. Thereafter, the organization performs a __________ to identify anything that is missing.
Gap Analysis
Workstation Domain
End users computing environment Desktops, laptops, scanners, mobile devices, wireless devices Maintenance of systems hardware and software