Chapter 1 Auditing IT Infrastructures for Compliance

NIST 800-53A provides

A guide for assessing security controls

Which one of the following is true with regard to audits and assessments?

Audits can result in blame being placed upon an individual

Noncompliance with regulatory standards may result in?

Brand damage, Fines, and Imprisonment

What best describes an audit used to determine if a Fortune 500 health care company is adhering to Sarbanes-Oxley and HIPPA regulations?

Compliance audit

What companies engaged in fraudulent activity and subsequently filed for bankruptcy?

Enron WorldCom

A security assessment is a method for proving the strength of security systems.

False

Which of the following is an assessment method that attempts to bypass controls and gain access to a specific system by simulating the actions of a would-be attacker.

Penetration test

Not a method used for conducting an assessment of security controls?

Remediate

At all levels of an organization, compliance is closely related to which of the following?

Risk management Governance

Categorizing information and information systems and then selecting and implementing appropriate security controls is part of a

Risk-based Approach

Some regulations are subject to _________ which means even if there wasn't intent of noncompliance, an organization can still incur large fines.

Strict Liability

Compliance initiatives typically are efforts around all except which one of the following?

To adhere to an auditor's recommendation

The internal audit function may be outsourced to an external consulting firm.

True

Whereas only qualified auditors perform security audits, anyone may do security assessments.

True

An IT security audit is an __________ assessment of an organization's internal policies, controls, and activities.

Independent