Final Exam - Chapter 1


The internal audit function may be outsourced to an external consulting firm. A. True B. False

A

Whereas only qualified auditors perform security audits, anyone may do security assessments. A. True B. False

A

NIST 800-53A provides ________.

A guide for assessing security controls

Which of the following is an assessment method that attempts to bypass controls and gain access to a specific system by simulating the actions of a would-be attacker? A. Policy review B. Penetration test C. Standards review D. Controls audit E. Vulnerability scan

B

Which of the following best describes an audit used to determine if a Fortune 500 health care company is adhering to Sarbanes-Oxley and HIPAA regulations? A. IT audit B. Operational audit C. Compliance audit D. Financial audit E. Investigative audit

C

Compliance initiatives typically are efforts around all except which one of the following? A. To adhere to internal policies and standards B. To adhere to regulatory requirements C. To adhere to industry standards and best practices D. To adhere to an auditor's recommendation

D

Noncompliance with regulatory standards may result in which of the following? A. Brand damage B. Fines C. Imprisonment D. All of the above E. B and C only

D

Which of the following companies engaged in fraudulent activity and subsequently filed for bankruptcy? A. WorldCom B. Enron C. TJX D. All of the above E. A and B only

D

Which one of the following is not a method used for conducting an assessment of security controls? A. Examine B. Interview C. Test D. Remediate

D

At all levels of an organization, compliance is closely related to which of the following? A. Governance B. Risk management C. Government D. Risk assessment E. Both A and B F. Both C and D

E

Which one of the following is true with regard to audits and assessments? A. Assessments typically result in a pass or fail grade, whereas audits result in a list of recommendations to improve controls. B. Assessments are attributive and audits are not. C. An audit is typically a precursor to an assessment. D. An audit may be conducted independently of an organization, whereas internal IT staff always conducts an IT security assessment. E. Audits can result in blame being placed upon an individual.

E

A security assessment is a method for proving the strength of security systems.

False

Categorizing information and information systems and then selecting and implementing appropriate security controls is part of a ________.

Risk-based approach

Some regulations are subject to ________, which means even if there wasn't intent of noncompliance, an organization can still incur large fines.

Strict Liability

An IT security audit is an ________ assessment of an organization's internal policies, controls, and activities.

Independent
