ISMN 6750 - CH 1, 2, 3, 4, 5, 6
T/F: Frameworks differ from each other in that they might offer varying levels of depth and breadth.
True
T/F: Fraudulent activity uncovered during interviews would be a reason to expand the scope of an audit.
True
Which of the following organizations was tasked to develop and prescribe standards and guidelines that apply to federal information systems? a) NIST b) FISMA c) Congress d) PCI SSC e) U.S. Department of the Navy
a) NIST
Which act, which consists of 11 "titles," mandated many reforms to enhance corporate responsibility, enhance financial disclosures, and prevent fraud? a) SOX b) FISMA c) FERPA d) GLBA
a) SOX
Which one of the following best describes an assessment objective for a control? a) a high-level statement to determine the effectiveness of a control b) a detailed statement on what activities need to occur to implement a control c) a definition of responsibilities to be assigned to security operations for the management of a control d) a statement about the required depth or coverage required to test a control
a) a high-level statement to determine the effectiveness of a control
Regarding the seven domains of IT infrastructure, the Workstation domain includes which of the following? select 3 a) desktop computers b) laptop computers c) remote access systems d) e-mail servers e) handheld devices
a) desktop computers b) laptop computers e) handheld devices
Which of the following benefits does an automated security information and event management log solution provide? a) diagnosing and preventing operational problems b) assigning appropriate responsibilities to security operations c) management of a configuration change control board d) all of the above
a) diagnosing and preventing operational problems
Noncompliance with regulatory standards may result in which of the following? a) brand damage b) fines c) imprisonment d) all of the above e) b + c only
d) all of the above brand damage, fines, imprisonment
Which of the following companies engaged in fraudulent activity and subsequently filed for bankruptcy? a) WorldCom b) Enron c) TJX d) all of the above e) a + b only
e) a + b only WorldCom, Enron
T/F: PCI DSS is a legislative act enacted by Congress to ensure that merchants meet baseline security requirements for how they store, process and transmit payment card data.
False
T/F: SOX explicitly addresses the IT security controls required to ensure accurate financial reporting.
False
A ______ is an assessment method that uses methods similar to what a real-world attacker might use.
penetration test
T/F: Threat is synonymous with risk and can be used interchangeably.
False
Which one of the following is true with regard to audits and assessments? a) assessments typically result in a pass or fail grade, whereas audits result in a list of recommendations to improve controls b) assessments are attributive and audits are not c) an auditor is typically a precursor to an assessment d) an audit may be conducted independently of an organization, whereas internal IT staff always conduct an IT security assessment e) audits can result in blame being placed upon an individual
e) audits can result in blame being placed upon an individual
At all levels of an organization, compliance is closely related to which of the following? a) governance b) risk management c) government d) risk assessment e) both a + b f) both c + d
e) both a + b governance, risk management
ISO/IEC 27002 is a code of ________ for information security management.
practice
What section of SOX requires management and the external auditor to report on the accuracy of internal controls over financial reporting? a) Section 301 b) Section 404 c) Section 802 d) Section 1107
b) Section 404
Account management and separation of duties are examples of what type of controls? a) audit and accountability b) access control c) security assessment and authorization d) personal security
b) access control
T/F: The process of selecting security controls is considered within the context of risk management.
True
What organization was tasked to develop standards to apply federal information systems using a risk-based approach? a) Public Entity Risk Institute b) International Organization for Standardization c) National Institute of Standards and Technology d) International Standards Organization e) American National Standards Institute
c) National Institute of Standards and Technology (NIST)
Which of the following is the discipline of managing and understanding uncertainty? a) audit management b) metrology c) risk management d) cryptology
c) risk management
Responding to business requirements in alignment with the business strategy is an example of an IT ________.
goal
Some regulations are subject to ________, which means even if there wasn't intent of noncompliance, an organization can still incur large fines.
strict liability
Adequate controls over privacy data helps prevent ________ theft.
identity
An IT security audit is an _________ assessment of an organization's internal policies, controls, and activities.
independent
Which of the following is NOT considered titles within SOX? a) Corporate Responsibility b) enhanced federal disclosures c) Analyst Conflicts of Interest d) Studies and Reports e) Auditor Conflicts of Interest
e) Auditor Conflicts of Interest
The audit ________ includes the area or areas to be reviewed.
scope
T/F: Avoiding the need for audits is one reason organizations develop clearly documented policies, standards, and procedures.
False
NIST 800-53A provides
a guide for assessing security controls
What does CAAT stand for? a) Computer Assisted Audit Tools and Techniques b) Computer Aided Assessment Tools c) Compliance Auditing Assisted Tactical Techniques d) Compliance Assisted Audit Tactical Tools
a) Computer Assisted Audit Tools and Techniques
Which one of the following is not an example of a review technique? a) password cracking b) file integrity checking c) log review d) network sniffing
a) password cracking
Which of the following is not a category of IT security controls defined by NIST? a) physical controls b) management controls c) operational controls d) technical controls
a) physical controls
Which of the following should organizations do when selecting a standard? (Select three.) a) select a standard that can be followed b) employ the selected standard c) select a flexible standard d) select a standard that other organizations in the same geographic location are using
a) select a standard that can be followed b) employ the selected standard c) select a flexible standard
Which of the following best describes documents such as policies, procedures, plans and architectural designs? a) specification objects b) mechanism objects c) activity objects d) configuration objects
a) specification objects
Three IT security controls covered by NIST include management, operational, and _____. a) technical b) computing c) organizational d) systems
a) technical
Which of the following is an examination of the current state of controls against the desired state of controls? a) control objective b) gap analysis c) baseline analysis d) log review
b) gap analysis
Which one of the following is NOT one of the safeguards provided within HIPAA Security Rule? a) administrative b) operational c) technical d) physical
b) operational
Which of the following provides a framework for assessing the adequacy of implemented controls? a) NIST 800-53 b) NIST 800 c) NIST 800-53A d) NIST 800A
c) NIST 800-53A
Compliance initiatives typically are efforts around all except which one of the following? a) to adhere to internal policies and standards b) to adhere to regulatory requirements c) to adhere to industry standards and best practices d) to adhere to an auditor's recommendation
d) to adhere to an auditor's recommendation
Which one of the following is NOT true of COBIT? a) it is business-focused b) it is security-centered c) it is process-oriented d) it is controls-based e) it is measurement-driven
b) it is security-centered
An acceptable use policy (AUP) is part of the _________ _______. a) workstation domain b) user domain c) LAN domain d) sys/app domain
b) user domain
Preventing a user who approves a configuration change from being the person who implements the change is an example of which of the following? a) rotation of duties b) least privilege c) segregation of duties d) dual control
c) segregation of duties
This is a widely used control framework of IT. a) SOC Type II b) PCI DSS c) SOX d) COBIT
d) COBIT
Which of the following is not part of the change management process? a) identify and request b) evaluate request c) decision response d) implement unapproved change e) monitor change
d) implement unapproved change
Which one of the following is not an example of an audit facilitating tool defined by the IIA? a) project management software b) flowcharting software c) electronic work papers d) presentation software
d) presentation software
Which one of the following is NOT a method used for conducting an assessment of security controls? a) examine b) interview c) test d) remediate
d) remediate
To comply with the Red Flags Rule, financial institutions and creditors must do which of the following? a) identify red flags for covered accounts b) detect red flags c) respond to detected red flags d) update the program periodically e) all of the above
e) all of the above
Policies, standards, and guidelines are part of the policy ___________.
framework
After mapping existing controls to new regulations, an organization needs to conduct a ________ analysis.
gap
A configuration __________ database provides a central repository of configuration items.
management
RMF provides for the authorization of the operation of an information system based on an acceptable level of ________.
risk
Categorizing information and information systems and then selecting and implementing appropriate security controls is part of a
risk-based approach
Identifying potential dangers to an organization is part of the process called ________ identification.
threat
T/F: Whereas only qualified auditors perform security audits, anyone may do security assessments.
True
The COSO framework is targeted to which of the following groups within a company? a) executive management b) first-line management c) security analysts d) application developers
a) executive management
An unauthorized user has gained access to data and viewed it. What has been lost? a) confidentiality b) accountability c) integrity d) availability
a) confidentiality
NIST controls are classified as being preventive, detective, or ______. a) corrective b) compensating c) concurrent d) collaborative
a) corrective
COSO is the acronym for which of the following? a) Compliance Objectives Standards Organization b) Committee of Sponsoring Organizations c) Compliance Organization Standard Operation d) Committee on Standard Objectives
b) Committee of Sponsoring Organizations
Which one of the following is not one of the four domains of COBIT? a) Plan and Organize b) Implement and Support c) Acquire and Implement d) Deliver and Support e) Monitor and Evaluate
b) Implement and Support
Which of the following is an assessment method that attempts to bypass controls and gain access to a specific system by simulating the actions of a would-be attacker? a) policy review b) penetration test c) standards review d) controls audit e) vulnerability scan
b) penetration test
Which one of the following is not one of the 7 domains of an IT infrastructure? a) user domain b) workstation domain c) LAN-to-LAN domain d) WAN domain e) remote access domain
c) LAN-to-LAN domain
Which of the following was established to have oversight of public accounting firms and is responsible for defining the process of SOX compliance audits? a) COSO b) Enron c) PCAOB d) SOX e) None of the Above
c) PCAOB
Which of the following requires organizations to have an annual assessment by a qualified security assessor (QSA)? a) SOX b) HITECH c) PCI DSS d) GLBA
c) PCI DSS
Which of the following uses "engagements" to report on the evaluation of controls of third-party service businesses that host or process data on behalf of customers? a) PCI DSS b) NIST c) COBIT d) SOC
d) SOC
Which of the following are examples of information provided by audit logs? a) failed authentication attempts b) account changes c) privileged use d) all of the above
d) all of the above failed authentication attempts, account changes, privileged use
Which of the following is an example of why an ongoing IT compliance program is important? a) organizations are dynamic, growing environments b) threats evolve c) laws and regulations evolve d) all of the above
d) all of the above organizations are dynamic, growing environments & threats evolve & laws and regulations evolve
When applying controls, which of the following is NOT an example of what needs to be considered when examining the tradeoffs? a) feasibility b) cost c) operational impact d) due diligence
d) due diligence
Which of the following defines the goals for an audit? a) audit objective b) audit scope c) audit frequency d) audit report
a) audit objective
Which of the following describes all the auditable components within an organization? a) cosmos domains of IT b) domains of applications c) IT universe d) universal audit
c) IT universe
A _____ is a conceptual set of rules and ideas that provide structure to a complex and challenging situation.
framework
Which of the following best describes an audit used to determine if a Fortune 500 health care company is adhering to Sarbanes-Oxley and HIPAA regulations? a) IT audit b) operational audit c) compliance audit d) financial audit e) investigative audit
c) compliance audit
What term describes the identification, control, logging, and auditing of all changes made across the infrastructure? a) access controls b) audit scope c) configuration and change management d) assessment parameters
c) configuration and change management
Regarding privacy, what is a common characteristic of "personal information"? a) it is most commonly healthcare-related information b) it is classified c) it can be used to identify a person d) it is most commonly financial-related information
c) it can be used to identify a person
Which one of the following is NOT considered a principal part of the Gramm-Leach-Bliley Act? a) financial Privacy Rule b) pre-existing provisions c) safeguards Rule d) information Security rule
c) safeguards Rule
T/F: Whereas only qualified auditors issue opinions for security audits, anyone can perform a security assessment.
True
T/F: A security assessment is a method for proving the strength of a security system.
False
T/F: A security assessment is a method for proving the strength of security systems.
False
T/F: Mitigating a risk from an IT security perspective is about eliminating the risk to zero.
False
T/F: Only security operations personnel need to follow IT security policies.
False
T/F: Organizations may be audited for both ISO/IEC 27001 and ISO/IEC 27002 and receive a formal certification for each.
False
T/F: SSAE 16 Type 1 includes everything in an SSAE 16 Type 2 report, but it adds a detailed testing of the controls over a specific time frame.
False
T/F: The purpose of a network scan is to identify as many vulnerabilities as possible.
False
T/F: While the Family Educational Rights and Privacy Act prohibits the use of SSN as directory information, the act does permit the use of the last four digits of the SSN.
False
T/F: If required, an auditor is justified in the use of security assessment techniques such as penetration testing and vulnerability analysis and may consider using the work of other experts.
True
T/F: The decision to apply or not apply controls is based on risk.
True
T/F: The internal audit function may be outsourced to an external consulting firm.
True
T/F: The results of a risk assessment help define the audit objectives.
True
Which of the following acknowledges the importance of sound information security practices and controls in the interest of national security? a) FISMA b) GLBA c) HIPAA d) FACTA e) FERPA
a) FISMA
Which regulatory department is responsible for the enforcement of HIPAA laws? a) HHS b) FDA c) US Department of Labor d) US EPA e) FTC
a) HHS
What can be done to manage risk? (select 3) a) accept b) transfer c) avoid d) migrate
a) accept b) transfer c) avoid
If a baseline security control cannot be implemented, which of the following should be considered? a) compensating control b) baseline security control standard revision c) policy revision d) none of the above
a) compensating control
Which one of the following is not an example of a level of depth required to assess a control? a) comprehensive b) generalized c) focused d) detailed
a) comprehensive
Which one of the following is the best example of avoiding risk? a) The IT department decides to install an antivirus device at its network border b) The IT department outsources its vulnerability management program to a 3rd party c) The IT department disables the ability for end users to use portable storage devices d) The IT department installs data loss prevention software on all end users' workstations
c) The IT department disables the ability for end users to use portable storage devices
In accordance with the Children's Internet Protection Act, who determines what is considered inappropriate material? a) FCC b) US Department of Education c) The local communities d) US Dept. of Interior Library e) State Governments
c) The local communities
Which of the following best describes the rights and obligations of individuals and organizations with respect to the collection, use, disclosure, and retention of personal information? a) security management b) compliance management c) privacy management d) collection management
c) privacy management
Which of the following is the best example of a potential vulnerability to an IT system? a) hacker b) terrorist c) unpatched operating system d) none of the above
c) unpatched operating system
What PCAOB standard states that the auditor should assess the amount of IT involvement in the financial reporting process? a) Auditing Standard No. 1 b) Auditing Standard No. 11 c) Auditing Standard No. 55 d) Auditing Standard No. 5
d) Auditing Standard No. 5
Which of the following can an audit help identify? a) fraud b) ineffective IT practices c) improper use of resources d) inadequate security e) all of the above
e) all of the above fraud, ineffective IT practices, improper use of resources, inadequate security
Which of the following policies would apply to the user domain concerning the 7 domains of an IT infrastructure? a) acceptable use policy b) internet access policy c) security incident policy d) firewall policy e) answers A and B f) answers B and D
e) answers A and B acceptable use policy, internet access policy
Which of the following documents should be included in the gathering process of an IT audit? a) policies and procedures b) previous audit reports c) network diagrams d) answers A and C only e) answers A, B, and C
e) answers A, B, and C policies and procedures, previous audit reports, network diagrams