ISMN 5750 Exam 1
Descriptive Framework
High level; aligns IT with business goals
2 Types of Compliance
Internal and External
Regarding privacy, what is a common characteristic of "personal information"?
It can be used to identify a person
Control Activities
More specific; describe how to achieve goals
Prescriptive Framework
More specific; standardize IT operations and tasks
Scope of a Security Audit
Organizational, Compliance, Technical, Application
Which of the following requires organizations to have an annual assessment by a Qualified Security Assessor (QSA)?
PCI DSS
Risk Management
Seeks to mitigate risk through controls
Designing Security Controls
Discover, Select, Implement, Assess, Authorize, Monitor
Which of the following best describes Control Objectives for Information and related Technology (COBIT)?
A framework providing best practices for IT governance and controls
Configuration and Change Management
All changes must be approved. Unauthorized changes lead to breaches and failures. Process of systems control throughout their life cycle.
Security Controls
Apply across the IT infrastructure
What term describes the identification, control, logging, and auditing of all changes made across the infrastructure?
Configuration and Change Management
Configuration Management
Ensures changes are requested, evaluated, and authorized
Noncompliance can result in:
Fines, jail time, operational consequences
Foundation of Cybersecurity
Integrity, confidentiality, availability
Cybersecurity Framework
Profile, Implementation Tiers, Core
Enron Corporation
The Enron Corporation, an energy trading company, filed for bankruptcy in 2001, dissolving millions of dollars in profit-sharing pension plans held by employees. Enron and other top corporations were investigated for illegal accounting practices. Shareholders saw a loss of $11 billion. -Reduced its tax payments -Increased its stock price and credit ratings -Hid losses off the balance sheet -Employees funneled money to themselves
COSO Framework
Used for improving organizational performance and governance, and reducing fraud in organizations
In an IT infrastructure, the end users' operating environment is called the
Workstation Domain
International Organization for Standardization (ISO) 27000 series
-Focuses on management and processes -Relies on other standards: ISO/IEC
HIPAA (Health Insurance Portability and Accountability Act)
-Helps citizens maintain health insurance coverage -Improves efficiency and effectiveness of the American health care system -Protects the privacy and security of certain health information -Financial penalties for noncompliance. Privacy Rule: dictates how covered entities must protect PHI. Security Rule: dictates that covered entities must protect the CIA of electronic PHI.
Configuration and Change Management Process
-Identify and request change -Evaluate change request -Decision response -Implement approved change -Monitor change
External Business challenges for compliance
-Standards and regulations change -Organizational policies change
6 Steps of Risk Management Framework
1. Categorize information system 2. Select security control 3. Implement security controls 4. Assess security controls 5. Authorize information system 6. Monitor security controls
IT Security Policy Framework
Policies, Standards, Guidelines.
COPPA (Children's Online Privacy Protection Act)
Requires websites and other online services aimed at children under 13 years of age to comply: post a privacy policy, notify parents directly before collecting personal information from kids, get parents' verifiable consent before collecting information from kids
FERPA (Family Educational Rights and Privacy Act)
Right to inspect and review, right to correct records, parental written permission required
Which of the following uses "engagements" to report on the evaluation of controls of third-party service businesses that host or process data on behalf of customers?
SOC
Compliance
To comply, conform, submit, or adapt as required or requested. -Helps risk management by verifying that the desired controls are in place
TJX Case Study
An unauthorized intruder accessed TJX systems in July 2005 and continued until 2007. At the time, it was the biggest credit card breach in history. The stores used WEP.
An acceptable use policy (AUP) is part of the _____________ Domain.
User Domain
Framework
-A conceptual set of rules and ideas that provide structure to a complex and tough situation -May be rigid in structure but provides flexibility -Can guide content and provide consistency -Includes distinct components: intro, learning objectives, headings, and summary
IT Security Assessment
-Identify weaknesses within the controls implemented on information systems (IS) -Confirm that previously identified weaknesses have been remediated or mitigated -Prioritize further decisions to mitigate risks -Provide assurance so that associated risks are accepted and authorized -Provide support and planning for future budgetary requirements
Common Types of Audits
-Financial: financial statements -Compliance: laws, regulations -Operational: policies, procedures, and operational controls -Investigative: records and processes on suspicious activity -Information Technology: addresses IT system risk exposures
Internal Business challenges for compliance
-Standards can interfere with operations -Gaining acceptance is challenging
What must your organization do to be in compliance?
-Start with an organizational governance framework -Implement controls -Have sound policies in place -Perform a gap analysis
Gramm-Leach-Bliley Act (GLBA)
-The Financial Modernization Act of 1999 -Protects personal financial information held by financial institutions -To protect personally identifiable information (PII), GLBA divides privacy requirements into three parts: Financial Privacy Rule, Safeguards Rule, and Pretexting Provisions
Audit Characteristics
-Independent evaluations -Rigorous approach; auditors must be qualified -Certification received upon passing -Concerned with past results -Auditors never audit applications, processes, or systems they designed or created
Types of Assessments
-Network security architecture -Review of security policies, procedures, and practices -Vulnerability scanning and testing -Physical security -Social engineering -Applications -Security risks
7 domains of IT infrastructure
-User, Workstation, LAN, LAN-to-WAN, WAN, System/Application, Remote Access
Red Flags Rule
Based upon the Fair and Accurate Credit Transactions Act of 2003 -Establishes procedures for the identification of possible instances of identity theft -To comply: identify red flags for covered accounts, detect red flags, respond to red flags, update the program often
Penetration Test
Assessment that attempts to bypass controls and gain access to a specific system by simulating the actions of a would-be attacker. It reveals weaknesses.
NIST 800-53
Provides a comprehensive catalog of security controls -Targeted at the federal government but widely used in corporations
CIPA (Children's Internet Protection Act)
-Attempts to prevent children from being exposed to explicit content at schools and libraries -Schools must: use technology protection measures, protect children from exposure to offensive Internet content, adopt and enforce a policy to monitor the online activities of minors
Protecting Privacy Data
-Develop appropriate privacy policies -Establish a privacy officer -Conduct training and awareness around data handling, identity theft, and social engineering -Conduct regular risk assessments of access controls -Establish data retention and data destruction controls -Limit data to only that which is required -Encryption -HIPAA, GLBA, COPPA
PCI DSS (Payment Card Industry Data Security Standard)
-Not a law or regulation -A set of requirements that prescribe operational and technical controls to protect cardholder data -Requirements follow security best practices and consist of 12 high-level requirements aligned across 6 goals -Assess, remediate, report
SOX Act (Sarbanes-Oxley)
-Protects investors by requiring accuracy and reliability in corporate disclosures. Cracks down on corporate fraud -Created new standards for corporate accountability -Created new penalties for acts of wrongdoing, both civil and criminal -Changes how corporate boards and executives must exchange information and work with corporate auditors
An effective IT Security Audit program should:
-Provide an objective and independent review of an organization's policies, information systems, and controls -Provide reasonable assurance that appropriate and effective IT controls are in place -Provide audit recommendations for both corrective actions and improvement to controls
Public and Private Sector Requirements
-Troubles come from 2 directions: IT personnel have no legal background, and regulations have little technical depth -Vague regulatory requirements -Regulatory requirements: state, federal, and international -Internal policies should execute the regulatory policies
An organization creates policies and a framework for the application of controls. The organization then maps existing controls to each regulation to which it must comply. Thereafter, the organization performs a __________ to identify anything that is missing.
Gap Analysis
Which of the following best describes a prescriptive IT control?
Helps standardize IT operations and tasks
Control Objectives
High level, remain almost constant; describe organizational goals
Assurance against unauthorized modification or destruction of data is the definition of:
Integrity
Change Management
Provides method for tracking unauthorized changes
SOC - Service Organization Controls
Reports -Help customers understand that adequate controls and processes are in place -The Auditing Standards Board of the American Institute of Certified Public Accountants issues and maintains auditing standards
A large financial organization wants to outsource its payroll function. Which of the following should the financial organization ensure the payroll company has?
SOC report
Which act, which consists of 11 "titles," mandated many reforms to enhance corporate responsibility, enhance financial disclosures, and prevent fraud?
Sarbanes-Oxley
Governance
Seeks to better run an organization using complete and accurate information and management processes or controls
Privacy Management
The rights and obligations of individuals and organizations with respect to the collection, use, disclosure, and retention of personal information. -Name, Social Security number, address, email, physical characteristics
Policy Framework
Standards, Procedures, guidelines, Policies
Selecting a standard
Evaluate, select, employ
COBIT 5 Principles
1. Meeting stakeholder needs 2. Covering the enterprise end to end 3. Applying a single integrated framework 4. Enabling a holistic approach 5. Separating governance from management
Which of the following best describes a descriptive IT control?
Aligns IT with business goals
IT Security Audit
An independent assessment of an organization's internal policies, controls, and activities. -Assess the presence and effectiveness of IT controls -Ensure that those controls are compliant with stated policies -Provide reasonable assurance that the organization is compliant with regulations and requirements
An unauthorized user has gained access to data and viewed it. What has been lost?
Confidentiality
Arthur Andersen
Enron's auditing firm. -Was convicted of obstruction of justice; shredded paper and electronic documents -This led to other audit discrepancies at WorldCom