ISMN Exam 1

system configuration documentation:

- IP addresses - operating system - patch level - hardware specifications - installed software - protocols - service config - user accounts - password settings - audit log settings

vulnerability identification resources

- vulnerability lists and databases - security advisories - software and security analysis

What name is given to an act of Congress to recognize the importance of information security to United States interests?

Federal Information Security Management Act of 2002 (FISMA)

After mapping existing controls to new regulations, an organization need to conduct a _____ analysis

GAP

HITECH 2009

Introduces the concept of "business associates". Any one that touches healthcare data, has to be hippa compliant.

tasked with to develop standards to apply to federal information systems using risk based approach

National institute of standards and technology

A person wants to withdraw funds from a personal banking account. She presents a driver's license to the bank teller, but the teller doesn't believe the driver's license belongs to the customer. Which of the following provides guidance for addressing this situation?

Red Flags Rule

Which of the following uses "engagements" to report on the evaluation of controls of third-party service businesses that host or process data on behalf of customers?

SOC

NIST 800-53A provides a guide for

assessing security

goals

must be aligned with audit objectives

NIST standards and methodologies

- NIST 800-53 and NIST 800-53A are two important and widely used standards - NIST provides a catalog of security controls and a framework to assess the controls - many orgs base their policies on NIST - CSD of NIST provides several popular publications: special publications, NISTIR, ITL bulletins, FIPS

Which of the following is NOT an important step for conducting effective IT audit interviews?

setting organizational goals during the interview

objectives

should satisfy internal and external requirements

NIST has three IT security control categories. The following are controls in one of the categories: 1. Identification and authorization 2. Logical access control 3. Audit trail 4. Cryptography The above controls are examples of which control category?

technical

Three IT security controls covered by the National Institute of Standards and Technology (NIST) include management, operational, and __________.

technical

Only auditors can do audits, anyone can do assessments T or F

true

The process of selecting security controls is considered within the context of risk management T or F

true

threat analysis

when undertaking a risk management plan, a complete threat analysis must be completed

Best describes the rights and obligations of individuals and organizations with respect to collection, use, disclosure and retention of personal data?

· Privacy management

If baseline security cannot be implemented, this should be considered

· compensating control

An internal audit may be outsourced to.....

· external consulting firm

security control points in an IT infrastructure

- management - operational - technical - detective - corrective

scope restrictions (negative impacts of scope restrictions)

- not providing enough resources - limiting the time frame - preventing the discovery of audit evidence - restricting audit procedures - withholding relevant historical records or information about past incidents

Which of the following best describes a descriptive IT control?

Aligns IT with business goals

3 broadly applicable security regulations

Broadly applicable Industry specific Key state regulation

_____________ · is an independent assessment of an organizations internal policies, controls and activities

IT security audit

Assurance against unauthorized modification or destruction of data is the definition of:

Integrity

Regarding privacy, what is a common characteristic of "personal information"?

It can be used to identify a person

Which of the following requires organizations to have an annual assessment by a Qualified Security Assessor (QSA)?

Payment Card Industry Data Security Standard (PCI DSS)

A large financial organization wants to outsource its payroll function. Which of the following should the financial organization ensure the payroll company has?

SOC Report

What must your organization do to be complaint

Start with a organizational governece framework, implement controls, have sound policies in place, perform gap analysis

System/application domain

Systems and software applications that user access Mainframes, applications, web servers, software, applications Harden servers to authorized baselines, configured to policies and standards with controls

An acceptable use policy (AUP) is part of the _____________ Domain.

User Domain

In an IT infrastructure, the end users' operating environment is called the _____________.

Workstation Domain

Method for assessing security controls

examine, interview, test

Mitigating risk from an IT security perspective is about eliminating the risk to zero. T or F

false

Compliance closely relates to

governance and risk management

frequency

is every one,two, or three years

User domain example

· acceptable use policy and internet policy

audit interview framework:

- preparing - scheduling - opening - conducting - closing - recording

To comply with the red flags rule, financial institutions must

....identify red flags for covered accounts, deflect red flags, respond to them, update the program occasionally

What is a rule established by the Fair and Accurate Credit Transactions Act and implemented to identify possible instances of identity theft?

Red Flag Rule

RMF

acceptable level of risk

Account management and separation of duties are examples of

access control

Hippa security rule

administrative, technical, physical (operational is not one)

Title 21

allows us to use digital signatures

802 Criminal Penalties for Altering Documents

anyone who knowingly alters, destroys, mutilates, conceals, covers up, falsies, or makes false entry in any record with the intent to impede, obstruct or influence the investigation. Can be fined, imprisoned for no more than 20 years or both. HAVE TO PROVE INTENT.

obtaining information, documentation, and resources

auditor: must understand organization, must understand security in place, must know industry best practices

National Institute of Standards and Technology (NIST) security controls are classified as being preventive, detective, or __________.

corrective

906 Corporate Responsibility For Financial Reports

criminal penalty for certifying a misleading or fraudulent financial report can be upwards of 5 million in fines and 20 years in prison

NIST

develop and prescribe standards and guidelines that apply to federal information systems

FISMA

importance of sound information security practices abd controls in the interest of national security

scope

includes areas to be reviewed and the time period

An IT infrastructure audit __________ is the system in a known acceptable state, with the applied minimum controls relative to the accepted risk.

baseline

layered audit

- a layer audit approach is necessary when systems span across the domains of an IT infrastructure - predominant in audits: of a particular process,

identifying critical security control points:

- adequate controls should be in place to meet high level defined control objectives - organizational risk assessment plays an important role in identifying high risk areas - consensus audit guidelines (CAG)

existing IT security policy framework defintion

- frameworks exist to help with risk management programs, security programs, and policy creation - ensure compliances across the IT infrastructure - important for the auditor to know upon what framework organization has based its policy - allows better alignment between the organizations policy and the audit

IT testing and monitoring (questions):

- is IT performance measured to detect problems before it is too late? - does management ensure that internal controls are effective and efficient? - can IT performance be linked back to business goals?

privacy audits address the following three concerns:

1. what type of personal information is processed and stored? 2. where is it stored? 3. how is it managed?

_________________ is catergorizing information and information systems and then selecting and implementing appropriate security controls

RISK BASED APPROACH

applying risk management strategies

- accept the risk - avoid the risk - share the risk - control the risk

tradeoffs to risk assessment analysis

- cost: are the costs of a control justified by the reduction of risk? - operational impact: does the control have an adverse effect on system performance - feasibility: is the control technically feasible? will the control be feasible for the end users?

resources in an IT infrastructure

- data - apps - technology - facilities - personnel

standard config documents for role specific systems:

- firewalls - web servers - mail servers - DNS servers - FTP servers

examples of documents auditor should gather include:

- system config documentation - applications config documentation - network documentation for applications and systems being audited - standard config documents for role specific systems

risk assessment analysis

- the likelihood of a threat to exploit a given vulnerability - the impact on the organization if that threat against the vulnerability is achieved - the sufficiency of controls to either eliminate or reduce the risk

IT testing and monitoring

- the most important and beneficial element of an IT security program - testing and monitoring must be conducted to know the controls are working - all frameworks include a control objective for regularly assessing and monitoring IT systems and controls

Complaint audits ensure....

....adhere to internal policies and controls, industry standards and best practices, regulatory requirements

Which of the following best describes Control Objectives for Information and related Technology (COBIT)?

A framework providing best practices for IT governance and control

FISMA (Federal Information Security Management Act)

Applies to federal agencies Have to have an effective security program. They have to conduct risk assessment. Policies and procedures. Testing and evaluation

An act of Congress to protect the financial information of consumer information held by financial agencies is the definition of:

Gramm-Leach-Bliley Act (GLBA)

Which of the following best describes a prescriptive IT control?

Helps standardize IT operations and tasks

404 Management assessment of internal Controls

Internal controls report. It will assess the internal controls structure and the effectiveness. Make sure they are adequate to safeguard the asset. Management Assertion that internal accounting controls are in place, operational, and effective.

bypass controls and gain access to something

Penetration test

Which act, which consists of 11 "titles," mandated many reforms to enhance corporate responsibility, enhance financial disclosures, and prevent fraud?

Sarbanes-Oxley (SOX) Act

LAN to WAN Domain

WAN connects multiple LANS Routers, firewalls, intrusion detection devices Public IP addresses, high level security required

What term describes the identification, control, logging, and auditing of all changes made across the infrastructure?

Configuration and Change Management

types of documentation (information gathering)

- administrative - system - procedural - network architecture diagrams - vendor support access documents and agreements

threat analysis (threat identification)

- adversarial - accidental - structural - environmental

enterprise risk management (ERM):

- align risk appetite and strategy - identify cross-enterprise risks - reduce surprises and losses - improve capital allocations - seize opportunities - enhance risk response decisions

tools used in the IT audit process

- electronic work papers - project management software - flowcharting software - open issue tracking software - audit department website

assessing IT security controls:

- is it effective? - is it required? - how much effort or money should be spent?

minimum acceptable level of risk and security baseline definitions

- need to complete risk assessment - controls based on level of risk to the org - org wide - 7 domains of a typical IT infrastructure

necessary documentation

- organizations written policies - administrative documentation - system documentation - procedural documentation - network architecture diagrams - vendor support access documents and agreements

documented security policy framework

- security policy framework: foundation, direction, support internally, direction for assessments and audits - policies: quality, inexpensive control, difficult to implement, provides reference to auditor, includes standards, procedures, and guidelines

A security assessment is a method for proving the strength of security systems T OR F

FALSE

Which of the following best describes the Gramm-Leach-Bliley Act (GLBA)?

An act of Congress that prohibits banks from offering investment, commercial banking, and insurance services all under one umbrella

What is the definition of Qualified Security Assessor (QSA)?

An organization qualified and authorized to perform Payment Card Industry (PCI) compliance assessments

User domain

Anybody accessing info Policies for everything like email, internet, etc Authentication methods

Which law requires technology in place that blocks or filters Internet access that is either obscene, harmful to minors, or represents child pornography?

Children's Internet Protection Act (CIPA)

Adhering to the SOX and HIPPA requirements

Compliance audit

LAN domain

Computing and network equipment Access centralized resources such as files, printer. Physical connections Logon access control, hardening, configuration, network power supply

An unauthorized user has gained access to data and viewed it. What has been lost?

Confidentiality

302 Corporate Responsibilities

File periodic financial reports and must be approved and signed by an officer that they are true and not misleading. Also, the internal control structure and audited within 90 days.

An organization creates policies and a framework for the application of controls. The organization then maps existing controls to each regulation to which it must comply. Thereafter, the organization performs a __________ to identify anything that is missing.

Gap Analysis

Workstation Domain

End users computing environment Desktops, laptops, scanners, mobile devices, wireless devices Maintenance of systems hardware and software