PSCS 3111 - Midterm Exam (Chapters 1-6)
What can be done to manage risk? (Select three.)
Accept, Transfer, Avoid
Which component is not part of the CIA triad?
Access
Account management and separation of duties are examples of what type of controls?
Access Control
What is the key difference between a framework and a standard?
All of the Above
Which of the following is an example of why an ongoing IT compliance program is important?
All of the Above
Noncompliance with regulatory standards may result in which of the following?
All of the above (brand damage, fines, imprisonment)
Which one of the following can an audit help identify?
All of the above (fraud, ineffective IT practices, improper use of resources, inadequate security)
To comply with the Red Flags Rule, financial institutions and creditors must do which of the following?
All of the above (identify red flags for covered accounts; detect red flags; respond to detected red flags; update the program periodically)
Which of the following policies would apply to the User Domain concerning the seven domains of a typical IT infrastructure?
Acceptable Use Policy and Internet Access Policy
Which of these domains of security is responsible for the systems on the network that provide the applications and software for the users?
System/Application Domain
Which of the following defines the goals for an audit?
Audit Objective
Which of the following is not one of the titles within SOX?
Auditor Conflicts of Interest
Which one of the following is true with regard to audits and assessments?
Audits can result in blame being placed upon an individual.
If a baseline security control cannot be implemented, which of the following should be considered?
Compensating Control
Which of the following best describes an audit used to determine if a Fortune 500 health care company is adhering to HIPAA regulations?
Compliance Audit
Which of the following is not an example of a technical control performed by IT systems?
Computer support and operations
Which of these is not an effective method used by organizations to protect privacy data?
Conduct irregular risk assessments of access controls
Which of the following does not deal with the addressable HIPAA administrative safeguard of workforce security?
Contingency Operations
Regarding the seven domains of IT infrastructure, the Workstation Domain includes which of the following? (Select three.)
Desktop computers, laptop computers, mobile devices (email servers belong to the System/Application Domain, not the Workstation Domain)
When applying controls, which of the following is not an example of what needs to be considered when examining the trade-offs?
Due Diligence
Which of the following documents should be included in the gathering process of an IT audit?
Policies and procedures, previous audit reports, network diagrams
Which of the following acknowledges the importance of sound information security practices and controls in the interest of national security?
FISMA
Which of the following does not deal with the HIPAA administrative safeguard of the security management process?
Facility Security Plan
A WAN typically covers communication to a smaller defined geographical area.
False
A security assessment is a method for proving the strength of security systems.
False
A standard and a policy are exactly the same.
False
Avoiding the need for audits is one reason organizations develop clearly documented policies, standards, and procedures.
False
ISO/IEC 27002, formally titled "ISO/IEC 27002:2013 Information technology—Security techniques—Code of practice for information security controls", is made up of 16 sections of code. (The 2013 edition has 14 control clauses.)
False
Internal written policies by themselves reduce risk.
False
Mitigating a risk from an IT security perspective is about reducing the risk to zero.
False
Only the internal audit function can perform an audit.
False
Only security operations personnel need to follow IT security policies.
False
Organizations may be audited for both ISO/IEC 27001 and ISO/IEC 27002 and receive a formal certification for each.
False
PCI DSS is a legislative act enacted by Congress to ensure that merchants meet baseline security requirements for how they store, process, and transmit payment card data.
False
Personal information, such as a person's name by itself, can be considered sensitive information.
False
Pretexting is a technical method of intercepting passwords embedded in text messages.
False
SOX explicitly addresses the IT security controls required to ensure accurate financial reporting.
False
An SSAE 16 Type 1 report includes everything in an SSAE 16 Type 2 report but adds detailed testing of the controls over a specific time frame. (It is the reverse: Type 2 adds the testing over a period; Type 1 covers design at a point in time.)
False
The Family Educational Rights and Privacy Act (FERPA) of 1974 is a U.S. federal law that protects the privacy of student education records and allows parents certain access rights to the student's educational records, even when a student turns 18 and attends college.
False
Threat is synonymous with risk and can be used interchangeably.
False
Which of the following was established to have oversight of public accounting firms and is responsible for defining the process of SOX compliance audits?
PCAOB
Which of the following is an assessment method that attempts to bypass controls and gain access to a specific system by simulating the actions of a would-be attacker?
Penetration Test
Which of the following is not a category of IT security controls defined by NIST?
Physical Controls
ISO/IEC 27002 is a code of ________ for information security management.
Practice
Which one of the following is not an example of an audit facilitating tool defined by the IIA?
Presentation software
Which of these is a listing of codes used for prioritizing decisions during security control implementation and control enhancements for systems of varying degrees of impact?
Priority and baseline allocation
Which of the following best describes the rights and obligations of individuals and organizations with respect to the collection, use, disclosure, and retention of personal information?
Privacy Management
Which type of tool includes mechanisms for managing any project, including auditing projects, by helping track progress to established milestones?
Project management software
Which one of the following is not a method used for conducting an assessment of security controls?
Remediate
Which of the following components of IT governance deals with ensuring the proper management of IT resources and that they are used responsibly?
Resource Management
Which of the following is the discipline of managing and understanding uncertainty?
Risk Management
Categorizing information and information systems and then selecting and implementing appropriate security controls is part of a(n) __________.
Risk-based approach
What section of SOX requires management and the external auditor to report on the accuracy of internal controls over financial reporting?
Section 404
Which of the following should organizations do when selecting a standard? (Select three.)
Select a standard that can be followed, employ the selected standard, select a flexible standard
Of the following four different document types, which is most likely to be used for audits and assessments because of their depth and prescriptive stance?
Special Publications
Which of the following components of an IT policy framework would require users to use two-factor authentication when accessing the remote network—usually combining a physical one-time token code with a PIN?
Standard
Which one of the following is the best example of avoiding risk?
The IT department disables the ability for end users to use portable storage devices
In accordance with CIPA, who determines what is considered inappropriate material?
The local communities
Having a photograph or physical description on an identification that is not consistent with the applicant or consumer presenting the identification is an example of what type of red flag category?
The presentation of suspicious documents
What is an important characteristic of a project such as an audit?
The project occurs in separate steps that become progressively more elaborate.
Compliance initiatives typically are efforts around all except which one of the following?
To adhere to an auditor's recommendation
A compliance assessment or audit should not only consider controls but also measure the effectiveness of the governance and management oversight that ensures the controls are being followed.
True
Frameworks differ from each other in that they might offer varying levels of depth and breadth.
True
Fraudulent activity uncovered during interviews would be a reason to expand the scope of an audit.
True
ISO/IEC 27002 certification is not a one-time process but needs to be continuously updated.
True, with a caveat: organizations certify against ISO/IEC 27001 (27002 is the code of practice that 27001 references), and that certification requires ongoing surveillance audits and periodic recertification.
NIST is a framework that applies only to government funded systems.
False. NIST is a U.S. federal agency, not a framework; its publications (FIPS and the SP 800 series) are mandatory for federal information systems under FISMA but are voluntarily adopted by many private-sector organizations.
The Family Educational Rights and Privacy Act prohibits the use of Social Security numbers as directory information, even the use of the just the last four digits of a SSN.
True
The decision to apply or not apply controls is based on risk.
True
The internal audit function may be outsourced to an external consulting firm.
True
The process of selecting security controls is considered within the context of risk management.
True
The results of a risk assessment help define the audit objectives.
True
Whereas only qualified auditors perform security audits, anyone may do security assessments.
True
Which of the following is the best example of a potential vulnerability to an IT system?
Unpatched Operating System
Which of these domains of security is responsible for the end users' operating environment?
Workstation Domain
Which one of the following is not one of the seven domains of a typical IT infrastructure?
LAN-to-LAN Domain
Regulatory compliance laws do not exist at what different level?
Local
Which of the following is not an example of operational controls?
Logical Access
Which one of the following is not part of the change management process?
Monitor Change
Which of the following organizations was tasked to develop and prescribe standards and guidelines that apply to federal information systems?
NIST
What organization was tasked to develop standards to apply to federal information systems using a risk-based approach?
National Institute of Standards and Technology
Which one of the following is not one of the safeguards provided within the HIPAA Security Rule?
Operational
A(n) _______ is a conceptual set of rules and ideas that provide structure to a complex and challenging situation.
Framework
Policies, standards, and guidelines are part of the policy ________.
Framework
After mapping existing controls to new regulations, an organization needs to conduct a(n) ________ analysis.
GAP
Which of the following is an examination of the current state of controls against the desired state of controls?
Gap analysis
Responding to business requirements in alignment with the business strategy is an example of an IT ________.
Goal
Which regulatory department is responsible for the enforcement of HIPAA laws?
HHS (enforced through its Office for Civil Rights)
Which of the following describes all the auditable components within an organization?
IT Universe
The ______________ is typically defined as everything needed to operate and manage the IT environment. It is simply all installed technologies, including all hardware, software, network devices, storage, cables, printers, monitors, and so on.
IT infrastructure
The Framework Core is a matrix of activities and associated references that uses various categories across five different functions including which of the following? (Pick three.)
Identify, Protect, Respond
Adequate controls over privacy data helps prevent ________ theft.
Identity
Which one of the following is not one of the four domains of COBIT?
Implement and Support
Which one of the following is not considered a principal part of the GLBA?
Information Security Rule
Which one of the following is not true of COBIT?
It is security centered