Chapter 1 Auditing IT Infrastructures for Compliance
NIST 800-53A provides
A guide for assessing security controls
Which one of the following is true with regard to audits and assessments?
Audits can result in blame being placed upon an individual
Noncompliance with regulatory standards may result in?
Brand damage, Fines, and Imprisonment
What best describes an audit used to determine if a Fortune 500 health care company is adhering to Sarbanes-Oxley and HIPAA regulations?
Compliance audit
What companies engaged in fraudulent activity and subsequently filed for bankruptcy?
Enron, WorldCom
A security assessment is a method for proving the strength of security systems.
False
Which of the following is an assessment method that attempts to bypass controls and gain access to a specific system by simulating the actions of a would-be attacker?
Penetration test
Which of the following is not a method used for conducting an assessment of security controls?
Remediate
At all levels of an organization, compliance is closely related to which of the following?
Risk management, Governance
Categorizing information and information systems and then selecting and implementing appropriate security controls is part of a
Risk-based Approach
Some regulations are subject to _________, which means that even if there was no intent of noncompliance, an organization can still incur large fines.
Strict Liability
Compliance initiatives typically are efforts around all except which one of the following?
To adhere to an auditor's recommendation
The internal audit function may be outsourced to an external consulting firm.
True
Whereas only qualified auditors perform security audits, anyone may do security assessments.
True
An IT security audit is an __________ assessment of an organization's internal policies, controls, and activities.
Independent