ISC Flash Cards Part I (S1&2)


Describe the term change management.

Change management describes the policies, procedures, and resources an organization uses to govern change, whether the change originates from internal or external sources. A change is adding, modifying, or removing anything that could have a direct or indirect effect on services. Such changes include:
• installing new IT;
• updating existing IT; and
• fixing or repairing existing IT.
(Each of the following projects would fall under the scrutiny of an entity's change management policy, except: A. Updating a version of the entity's existing software system. B. Installing a new module to an existing enterprise resource planning system already in place. C. Fixing a software bug after the platform release. D. Purging data from a financial application's data cache. Answer = D) Question 1 2? 3

Identify five forms of computing environments. (DTS PD)

Changes should be implemented in segregated environments so that normal business operations are not disrupted.
1. Development environment: programmers write code to create application prototypes.
2. Testing environment: developers test and debug code to identify errors that need to be corrected.
3. Staging environment: programs in their final phase are tested for functionality, compatibility, security, and performance.
4. Production environment: the application is deployed and made available to end users.
5. Disaster recovery environment: ensures that applications can be restored quickly, saves critical data and systems, notifies management, and supports recovery in the event of an outage or attack.

COSO Enterprise Risk Management for Cloud Computing (10 of them) Extra

Cloud risks:
1. The rate of competitor adoption
2. Being in the same risk ecosystem as the CSP and other tenants
3. Transparency
4. Reliability and performance
5. Lack of application portability (vendor lock-in)
6. Security and compliance
7. Cyber attacks
8. Data leakage
9. IT organizational change
10. CSP long-term viability
• COSO also recognizes that risk increases when moving from a private deployment model to a public one.
• Risk also increases, because the customer retains less control, when moving from an IaaS model to a SaaS model.
(The COSO Enterprise Risk Management Framework emphasizes that risk increases when an organization changes its cloud deployment model from: Answer = Private to public.) Question 19 22^

Describe the three principles used to develop the COBIT 2019 core model (CFA)

Based on Conceptual Model: Governance frameworks should identify key components as well as the relationships between those components in order to provide for greater automation and to maximize consistency. Open and Flexible: (Sim Exam) Frameworks should have the ability to change, adding relevant content and removing irrelevant content, while keeping consistency and integrity. Aligned to Major Standards: Frameworks should align with regulations, frameworks, and standards. (Each of the following are considered principles for a governance framework under COBIT 2019 except which of the following? Answer = Confidential and private) Question 1

Describe the location, connections in place, equipment in place, days to be operational, and cost for the three alternative processing facilities. (this is part of disaster recovery)

Cold site: located off-site; connections are in place; equipment is not in place; typically takes 1-3 days to become operational; the cheapest option (essentially an empty building).
Warm site: located off-site; connections may or may not be in place; equipment may or may not be in place; typically takes 0-3 days to become operational; moderately expensive.
Hot site: located off-site; connections are in place; equipment is in place; operational almost immediately; the most expensive (a duplicate of the normal site).
Connections = wires and cables.
(Which of the following characteristics describes a hot site? Answer = Connections are always in place) Question 4 5 7 9 10 15

Explain the concept of computer hardware in the context of IT infrastructure.

Computer hardware (or just "hardware") refers to computers, the physical components that comprise them, computer-related equipment, and external peripheral devices. Examples include laptops or desktops, and back-end devices such as servers, server-side equipment, switches, and routers.

7. Data Archival

Following a decline in the need for specific data sets, those data sets are moved from active systems to passive systems for archiving in order to:
• free up storage resources for the active systems;
• enhance active system performance; and
• reduce security risks.
Note: archived data is tested for accuracy and completeness before it is removed from the active systems.
(Which of the following best describes the stage of the data cycle that results from the decline in the need for specific data sets, resulting in a move from active systems to passive systems to free up storage resources for the active systems? Answer = Archival) Question 6

Describe the purpose of the GROUP BY SQL command. Describe the purpose of the HAVING SQL command.

GROUP BY: view data by subtotals.
1. Determine which field to aggregate.
2. Determine which field to group the aggregate by.
3. Put the descriptive attribute and the aggregate function in SELECT.
4. Indicate which table contains the attributes and place that table in FROM.
5. Add a third clause, GROUP BY, which also names the descriptive attribute to group the aggregate by.
Example: How many sales orders for each customer?
SELECT CustomerID, COUNT(Sales_Order_ID)
FROM Sales_Orders
GROUP BY CustomerID
HAVING: the filter clause for aggregate measures. It works like WHERE, but SQL cannot filter on aggregate measures in the WHERE clause, because WHERE is evaluated on individual rows before they are grouped.
• aggregate functions: SUM(), AVG(), or COUNT()
• applied to an attribute: COUNT(Sales_Order_ID) or SUM(Quantity)
• the comparison can use any operator: =, <, >, <=, >=, <>
SELECT COUNT(CustomerID), Country
FROM Customers
GROUP BY Country
HAVING COUNT(CustomerID) > 5;
(Brad is developing SQL queries for his marketing firm to pull data for market analysis. As part of Brad's analysis, he wants to only include inventory quantity sold for fewer than 100 items in total in a grouped result. This information will be necessary to determine the lower-selling products to help decide if additional advertising is needed or if the product lines should be discontinued altogether. When developing the SQL query, which of the following lines from the query would best assist with achieving Brad's goal? Answer = HAVING SUM(quantity_sold) < 100) Question 5 6 7 9

What is a primary key, composite primary key, and foreign key?

Primary key: an attribute required in every table to ensure that each row in the table is unique.
• rarely truly descriptive; instead, a collection of letters or simply sequential numbers is often used
• e.g., student ID, order numbers, invoice numbers, account numbers, social security numbers, and driver's license numbers
Composite primary key: the combination of more than one attribute to uniquely identify each record in the table.
Foreign key: an attribute in one table that is the primary key of another table (this is what drives and creates relationships between tables).
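The two cards above (GROUP BY/HAVING and the three kinds of keys) can be exercised together in one runnable script. This is an added example, not from the flashcard source; it uses Python's bundled sqlite3 module with constructed sample rows and the table and column names from the cards (Customers, Sales_Orders, CustomerID, Sales_Order_ID, Quantity). The Order_Lines table and its composite key are assumed for illustration. It shows the GROUP BY subtotal, the HAVING filter on SUM(), the error SQL raises when the same filter is put in WHERE, and the database refusing an orphan foreign key and a duplicate composite key.

```python
import sqlite3

# Constructed sample data for this example (not from the original page).
CUSTOMERS = [
    (1, "Acme Ltd", "UK"),
    (2, "Bolt Inc", "US"),
    (3, "Cinder Co", "US"),
    (4, "Delta GmbH", "DE"),
]
SALES_ORDERS = [  # (Sales_Order_ID, CustomerID, Quantity)
    (101, 1, 40), (102, 1, 70),
    (103, 2, 5), (104, 2, 10), (105, 2, 30),
    (106, 3, 120),
    (107, 4, 60), (108, 4, 35),
]

SCHEMA = """
CREATE TABLE Customers (
    CustomerID INTEGER PRIMARY KEY,      -- primary key: non-descriptive sequential number
    Name       TEXT NOT NULL,
    Country    TEXT NOT NULL
);
CREATE TABLE Sales_Orders (
    Sales_Order_ID INTEGER PRIMARY KEY,
    CustomerID     INTEGER NOT NULL REFERENCES Customers(CustomerID),  -- foreign key
    Quantity       INTEGER NOT NULL
);
CREATE TABLE Order_Lines (               -- assumed table: composite primary key (order, line)
    Sales_Order_ID INTEGER NOT NULL REFERENCES Sales_Orders(Sales_Order_ID),
    Line_No        INTEGER NOT NULL,
    Product        TEXT NOT NULL,
    PRIMARY KEY (Sales_Order_ID, Line_No)
);
"""


def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")   # SQLite enforces FKs only when asked to
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO Customers VALUES (?, ?, ?)", CUSTOMERS)
    conn.executemany("INSERT INTO Sales_Orders VALUES (?, ?, ?)", SALES_ORDERS)
    return conn


def orders_per_customer(conn):
    """GROUP BY: one subtotal row per CustomerID (the card's first query)."""
    return conn.execute(
        "SELECT CustomerID, COUNT(Sales_Order_ID) FROM Sales_Orders "
        "GROUP BY CustomerID ORDER BY CustomerID"
    ).fetchall()


def low_volume_customers(conn, threshold=100):
    """HAVING filters on the aggregate after grouping (the pattern in Brad's question)."""
    return conn.execute(
        "SELECT CustomerID, SUM(Quantity) FROM Sales_Orders "
        "GROUP BY CustomerID HAVING SUM(Quantity) < ? ORDER BY CustomerID",
        (threshold,),
    ).fetchall()


def where_cannot_filter_aggregate(conn) -> bool:
    """The same filter in WHERE is rejected: WHERE runs on rows before they are grouped."""
    try:
        conn.execute(
            "SELECT CustomerID FROM Sales_Orders WHERE SUM(Quantity) < 100 GROUP BY CustomerID"
        )
        return False
    except sqlite3.OperationalError:   # SQLite reports 'misuse of aggregate'
        return True


def foreign_key_rejects_orphan(conn) -> bool:
    """An order whose CustomerID does not exist in Customers is refused."""
    try:
        conn.execute("INSERT INTO Sales_Orders VALUES (999, 42, 1)")
        return False
    except sqlite3.IntegrityError:
        return True


def composite_key_rejects_duplicate(conn) -> bool:
    """Line 1 of order 101 may exist once; a second (101, 1) row is refused."""
    conn.execute("INSERT INTO Order_Lines VALUES (101, 1, 'widget')")
    try:
        conn.execute("INSERT INTO Order_Lines VALUES (101, 1, 'gadget')")
        return False
    except sqlite3.IntegrityError:
        return True


if __name__ == "__main__":
    db = build_db()
    print(orders_per_customer(db))        # [(1, 2), (2, 3), (3, 1), (4, 2)]
    print(low_volume_customers(db))       # [(2, 45), (4, 95)]
    print(where_cannot_filter_aggregate(db), foreign_key_rejects_orphan(db),
          composite_key_rejects_duplicate(db))
```

The PRAGMA line matters in practice: SQLite ships with foreign key enforcement off, so a schema can declare REFERENCES and still accept orphan rows until the connection turns enforcement on.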

Describe the concept of processing integrity. Describe the concept of deficiencies in the design

Processing integrity: a system's ability to initiate and complete transactions so that they are valid, accurate, completed timely, and authorized, in order to meet the organization's objectives. (A trust services category alongside confidentiality and privacy.)
Deficiencies in design:
• necessary controls that are missing; or
• existing controls that are not designed properly.

What are the seven different layers responsible for specific data exchange functions in the Open Systems Interconnection (OSI) model? (P DoNT SPA) Are all the acronyms necessary?

The OSI model helps explain how these protocols work and how networking devices communicate with each other (encapsulation on the way down the stack, decapsulation on the way up).
1. Physical (Layer 1): converts the message into bits so it can be transmitted to other physical devices. Example: High-Speed Serial Interface (HSSI).
2. Data Link (Layer 2): frames data packets for transmission, adds Media Access Control (MAC) addresses, and checks frames for transmission errors.
3. Network (Layer 3): adds logical addressing and routing information in its header. Example: Internet Protocol (IP).
4. Transport (Layer 4): supports and controls the communication connections between devices. Example: Transmission Control Protocol (TCP).
5. Session (Layer 5): allows sessions between communicating devices to be established and maintained. Example: Structured Query Language (SQL) sessions.
6. Presentation (Layer 6): transforms data received from the Application layer into a format that other devices using the OSI model can interpret; encryption and compression occur at this layer. Example: Joint Photographic Experts Group (JPEG).
7. Application (Layer 7): the interface between the applications a person uses and the network protocol needed to transmit a message. Example: Hypertext Transfer Protocol (HTTP).
(A business analyst is attempting to diagnose why encrypted data is getting corrupted during transmission, causing decryption to fail. At what layer in the Open Systems Interconnection (OSI) model is the issue most likely occurring? Answer = Presentation layer) Question 9

Crisis Management Plans

A crisis is an unexpected, large-scale incident that can cause major negative effects on stakeholders. The goals of a crisis management plan should be to:
• lessen the impact of the crisis;
• protect people;
• protect the organization's reputation; and
• return to normal operations as soon as possible.
Crisis management policies should address the following:
• risk assessment;
• procedures for implementation;
• establishing a crisis response command center;
• establishing crisis management roles and responsibilities;
• maintaining internal and external communication lines; and
• training employees on the crisis management policies.

What are the four broad areas of process improvements that can enhance accounting information system performance? Additionally, there are three specific forms of technology that are gaining mass adoption in process improvement

1. Automation: performs simple and repetitive tasks without human intervention; the process must be understood thoroughly enough to replace it.
2. Shared services: seeking out redundant services, combining them, and sharing them within the organization (e.g., combining HR, payroll, and legal department services); software designed to process large batches of data.
3. Outsourcing: contracting of services to an external provider (e.g., a payroll service or a call center). Associated risks: reduced quality, reduced productivity, language barriers, turnover risks, and security.
4. Offshore operations: outsourcing of services outside the country (e.g., to India):
- information technology, by a managed service provider (MSP)
- business processes (call centers, accounting, tax compliance)
- software research and development
- knowledge processes (processes requiring advanced knowledge and specialized skill sets, e.g., reading X-rays)
Adopted technology:
1. Robotic process automation (RPA): programs capable of extracting information from a specific user interface (e.g., TurboTax); yields a more highly curated collection of data for a more reliable analysis (better than web scraping).
2. Natural language processing (NLP) software: encodes, decodes, and interprets human languages (e.g., Siri, Alexa).
3. Neural networks: networks modeled after neurons that facilitate the function of human memory (putting weights of importance on information).
(When an organization employs business process automation, it is looking to identify and automate business processes. Which of the following would not be an attribute that would make a process a good candidate for business process automation? Answer = The process changes regularly.) Question 16 17 19 20 21 22? 25 26

What are the three primary components to manage cybersecurity risk under the NIST Cybersecurity Framework?

1. CSF Core: the set of cybersecurity outcomes whose focus is to reduce cybersecurity risk.
2. CSF Tiers: a measure of the sophistication of the organization's cybersecurity risk governance and management practices.
3. CSF Organizational Profiles: describe the organization's current and target cybersecurity posture, i.e., how it measures cybersecurity risk and how it plans to minimize that risk.

Other types of Firewalls Extra Sim Exam

1. Circuit-level gateways: verify that the session between a source and destination (e.g., the TCP handshake) is legitimate and meets the rules and policies set by the security team; they do not inspect the packet contents.
2. Application-level gateways (proxies): inspect the contents of the packet itself at the application layer. These gateways are very resource intensive and may slow performance.
3. Network address translation (NAT) firewalls: translate between the internal private addresses and a public address so that internal hosts are hidden from the outside, and only replies to connections opened from inside, or traffic from specifically approved external sources, reach hosts inside the firewall.
4. Stateful multilayer inspection firewalls: track the state of each connection and combine packet filtering with network address translation, so an inbound packet is admitted only when it belongs to a connection the inside has already initiated.
5. Next-generation firewalls: assign different firewall rules to different applications as well as users. In this way, a low-threat application has more permissive rules assigned to it while a high-security application may have a highly restrictive rule set assigned.
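The difference between a plain packet filter and a stateful inspection firewall is easiest to see on a concrete packet trace. The script below is an added example (not from the flashcard source); the 10.0.0.0/8 internal range, the HTTPS-only policy and the three sample packets are constructed for illustration. A stateless filter that wants to let HTTPS replies back in has to allow any inbound packet with source port 443, which also admits an attacker's packet aimed at RDP (3389). The stateful filter records outbound connections and admits an inbound packet only if it is the reply to one of them.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumption for this example: the protected LAN is 10.0.0.0/8.
INTERNAL_NET = ip_network("10.0.0.0/8")


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # TCP SYN flag
    ack: bool = False   # TCP ACK flag


def is_internal(ip: str) -> bool:
    return ip_address(ip) in INTERNAL_NET


def stateless_filter(pkt: Packet) -> str:
    """Plain packet filter: every packet is judged on its own header fields.

    Policy: internal hosts may open HTTPS (443) connections outbound. To let the
    server's replies back in, a stateless filter must also allow inbound packets
    whose *source* port is 443, and nothing stops an attacker from choosing
    source port 443 for a packet aimed at any internal port.
    """
    if is_internal(pkt.src) and not is_internal(pkt.dst) and pkt.dport == 443:
        return "ALLOW"
    if not is_internal(pkt.src) and is_internal(pkt.dst) and pkt.sport == 443:
        return "ALLOW"  # the hole: no evidence an internal host asked for this
    return "DROP"


class StatefulFilter:
    """Stateful inspection: remember connections opened from inside and admit
    an inbound packet only when it belongs to one of them."""

    def __init__(self) -> None:
        # entries: (internal ip, internal port, external ip, external port)
        self.connections = set()

    def inspect(self, pkt: Packet) -> str:
        if is_internal(pkt.src) and not is_internal(pkt.dst) and pkt.dport == 443:
            if pkt.syn and not pkt.ack:          # new outbound connection: record it
                self.connections.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "ALLOW"
        if not is_internal(pkt.src) and is_internal(pkt.dst):
            reply_key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
            if reply_key in self.connections:    # reply to a tracked connection
                return "ALLOW"
        return "DROP"


# Constructed sample traffic (not from the page).
TRAFFIC = [
    Packet("10.0.0.5", 50000, "203.0.113.10", 443, syn=True),             # LAN host opens HTTPS
    Packet("203.0.113.10", 443, "10.0.0.5", 50000, syn=True, ack=True),   # legitimate SYN-ACK reply
    Packet("198.51.100.7", 443, "10.0.0.9", 3389, syn=True),             # attacker: sport 443 -> RDP
]


def stateless_verdicts() -> list:
    return [stateless_filter(p) for p in TRAFFIC]


def stateful_verdicts() -> list:
    fw = StatefulFilter()
    return [fw.inspect(p) for p in TRAFFIC]


if __name__ == "__main__":
    print("stateless:", stateless_verdicts())   # third packet slips through
    print("stateful: ", stateful_verdicts())    # third packet dropped
```

A real stateful firewall also ages entries out and follows the FIN/RST teardown; the point here is only that the inbound decision depends on remembered connection state rather than on the packet alone.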

What are the three control implementation approaches that are to be implemented on a per-control basis with respect to implementation models?

1. Common (inheritable): controls implemented at the organizational level and inherited by information systems. (Sim Exam)
2. System-specific: controls implemented at the information system level.
3. Hybrid: controls implemented at the organization level where appropriate, with the remainder implemented at the information system level.

What are the 11 design factors that should be considered under COBIT?

1. Enterprise Strategy (growth, cost, innovation) 2. Enterprise Goals (balanced scorecard) 3. Risk Profile (Org's risk appetite.) 4. Information and Technology Issues (IT quality, control, costs) 5. Threat Landscape (industry, economic) 6. Compliance Requirements (low, normal, high) 7. Role of IT (Support, Factory, Turnaround, Strategic) 8. Sourcing Model for IT (outsource, cloud, in-house) 9. IT Implementation Methods (agile, waterfall, DevOps) 10. Technology Adoption Strategy (First mover, Follower, Slow) 11. Enterprise Size (large > 250 full-time employees) (Which of the following COBIT design factors is best described as the environment in which the company operates and may be classified as normal or high due to factors such as the industry sector or economic issues? Answer = Threat landscape) Question 6

List the procedures to test change management controls for IT resources. (EA EMT)

1. Establish acceptance criteria: measurable and specific criteria for evaluating change control policies. Metrics may be quantitative or qualitative. Examples include:
- Performance (uptime, downtime, or speed)
- Compliance (yes or no verdict)
- Functionality (efficiency or practicality)
- Scalability (maximum number of transactions, users, or customers)
2. Analyze logs: logging is the process of recording events so that the organization can track activities that occur on a system and investigate suspected violations of policy. Log types include:
• Application logs (record employee access to applications)
• Change logs (track changes)
• Event logs (record various events, including who accessed what)
• Firewall logs (record all traffic that flows through a firewall)
• Network logs (from the devices guarding a network's perimeter)
• Proxy logs (record and control internet access)
3. Evaluate the results:
• Review written change management policies
• Review documentation
• Confirm that all necessary authorizations were obtained
• Review change requests made
• Review evidence showing separation of duties
• Test the change controls
• Perform monitoring activities
4. Monitor: provides accountability, the ability to troubleshoot, and tools for identifying and solving problems (reviewing audit trails and performing log analysis).
5. Test using continuous adoption: streamlines the testing process; helps identify bugs faster, enhances application quality, and shortens the time needed to release software updates. Software is automatically created, tested, and then deployed to a production environment.
Note: closed-loop verification is a critical change management step that involves:
o continuously monitoring the output from the changes;
o comparing it with the desired outcome; and
o calibrating the changes to minimize discrepancies from the acceptance criteria.
Question 6
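The "analyze logs" and "evaluate the results" steps above (confirm authorizations, review evidence of separation of duties) can be applied mechanically to a change log. The script below is an added example, not from the flashcard source; the five change records, the field names and the 24-hour window for retroactive approval of emergency changes are all constructed assumptions. It flags changes with no authorization on record, changes where the approver also requested or implemented the change, changes implemented before they were approved, and emergency changes whose retroactive approval came too late.

```python
from datetime import datetime, timedelta

# Constructed change-log records (not from the original page); one dict per change ticket.
CHANGE_LOG = [
    {"id": "CHG-1001", "requester": "alice", "approver": "cab", "implementer": "bob",
     "approved_at": "2024-03-01T09:00", "implemented_at": "2024-03-02T22:00", "emergency": False},
    {"id": "CHG-1002", "requester": "bob", "approver": "bob", "implementer": "bob",
     "approved_at": "2024-03-03T10:00", "implemented_at": "2024-03-03T11:00", "emergency": False},
    {"id": "CHG-1003", "requester": "carol", "approver": None, "implementer": "dave",
     "approved_at": None, "implemented_at": "2024-03-04T15:00", "emergency": False},
    {"id": "CHG-1004", "requester": "erin", "approver": "cab", "implementer": "erin",
     "approved_at": "2024-03-06T09:00", "implemented_at": "2024-03-05T20:00", "emergency": False},
    {"id": "CHG-1005", "requester": "frank", "approver": "cab", "implementer": "grace",
     "approved_at": "2024-03-07T12:00", "implemented_at": "2024-03-07T03:00", "emergency": True},
]

# Assumed policy: an emergency change must receive retroactive approval within 24 hours.
EMERGENCY_APPROVAL_WINDOW = timedelta(hours=24)


def parse_ts(value):
    return datetime.fromisoformat(value) if value else None


def audit_change(rec, window=EMERGENCY_APPROVAL_WINDOW):
    """Return the list of control findings for one change record (empty if clean)."""
    findings = []
    approved = parse_ts(rec["approved_at"])
    implemented = parse_ts(rec["implemented_at"])

    if rec["approver"] is None or approved is None:
        findings.append("no authorization on record")
    else:
        # separation of duties: the approver must be neither requester nor implementer
        if rec["approver"] in (rec["requester"], rec["implementer"]):
            findings.append("separation of duties: approver also requested or implemented")
        # sequence: approval must precede implementation, except for emergency changes,
        # which may be approved retroactively but only within the policy window
        if implemented < approved:
            if rec["emergency"]:
                if approved - implemented > window:
                    findings.append("emergency change not approved within 24h")
            else:
                findings.append("implemented before approval")

    if rec["requester"] == rec["implementer"]:
        findings.append("separation of duties: requester implemented own change")
    return findings


def audit_log(records=CHANGE_LOG):
    """Map change id -> findings, for the records that have at least one finding."""
    report = {}
    for rec in records:
        findings = audit_change(rec)
        if findings:
            report[rec["id"]] = findings
    return report


if __name__ == "__main__":
    for change_id, findings in audit_log().items():
        print(change_id, "->", "; ".join(findings))
```

In a real review the log would be pulled from the ticketing system and cross-checked against deployment logs, since a change that never appears in the change log at all is the more serious finding and this script cannot see it.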

What are the common system availability risks and their accompanying threats?

1. Failure of IT infrastructure: the availability of systems may be directly affected by failures in hardware, software, and network applications. These failures can result from:
• outdated infrastructure or lack of system maintenance;
• physical damage to systems (e.g., natural disasters); and
• cyberattacks.
2. Insufficient capacity and resources: system availability may be slowed down or disrupted if the infrastructure is unable to meet the processing or storage needs.
3. Lack of business resiliency: organizations may lose critical, confidential, or private data if a business resiliency program is insufficient or nonexistent.
Specific IT processes exist to mitigate these risks and provide access to data and IT systems in the event of a threat:
1. Mirroring: copying a database onto a different machine; data backups such as this help avoid complete data loss.
2. Replication: copying and transferring data between geographically separate databases or to the cloud.
(Which of the following controls would most likely ensure that an entity can reconstruct its financial records? Answer = Cloud-based backup copies of financial records.) Question 24

When implementing the COSO's controls in a blockchain setting, what should an organization consider? (P DAPS)

1. Focus on preventive controls, because of the volume and speed of transactions being processed.
2. Increase the frequency of detective controls, also because of the transaction volume.
3. Develop controls that use other analytic technology, such as AI tools.
4. Develop a code of conduct and establish policies that comply with KYC and AML requirements.
5. Create cross-disciplinary teams with segregation of duties and clear reporting lines in mind.
(Due to the volume of transactions being processed on a blockchain, organizations should focus on what type of controls when applying the COSO internal control framework? Answer = Preventative and detective) Question 30

Identify the three primary cloud computing models and the respective levels of control associated with each model. (also BPaaS)

1. IaaS (Infrastructure-as-a-Service): most customer control. The CSP supplies servers, storage, networking and firewalls; the customer manages the operating system and everything above it.
2. PaaS (Platform-as-a-Service): medium control. The CSP supplies the virtual management environment and runtime; the customer manages its applications and data.
3. SaaS (Software-as-a-Service): least control. The CSP supplies the application design, tools, and data handling.
4. BPaaS (Business-Processes-as-a-Service): an outsourced business process delivered over the cloud, e.g., payroll, billing, or logistics services.
(Gibbs Energy Inc. is a power producer and distribution network operator that runs a power grid which generates, transmits, and distributes power to customers. These core business functions require a large amount of computing power to run highly customized software applications. These applications often require modifications to the operating system. Since the usage of energy and computing power varies, Gibbs rents servers, storage, and firewalls from a cloud service provider (CSP). What type of CSP does Gibbs most likely use? Answer = Infrastructure-as-a-Service) Question 10^ 13 14?

Describe the intent of CIS Controls 01 - 09 (IID SAAC AE)

1. Inventory and Control of Enterprise Assets: actively manage all enterprise assets connected to the infrastructure (physically, virtually, remotely, and in cloud environments) to know accurately the totality of assets that need to be monitored and protected.
2. Inventory and Control of Software Assets: actively manage all software on the network so that only authorized software is installed and can execute, and unauthorized and unmanaged software is found and prevented from installation or execution.
3. Data Protection: develop processes and technical controls to identify, classify, securely handle, retain, and dispose of data.
4. Secure Configuration of Enterprise Assets and Software: establish and maintain the secure configuration of enterprise assets and software.
5. Account Management: use processes and tools to assign and manage authorization to credentials for user accounts, including administrator and service accounts, to enterprise assets and software.
6. Access Control Management: use processes and tools to create, assign, manage, and revoke access credentials and privileges for user, administrator, and service accounts for enterprise assets and software.
7. Continuous Vulnerability Management: develop a plan to continuously assess and track vulnerabilities on all enterprise assets, in order to remediate and minimize the window of opportunity for attackers. Monitor public and private industry sources for new threat and vulnerability information.
8. Audit Log Management: collect, alert on, review, and retain audit logs of events that could help detect, understand, or recover from an attack.
9. Email and Web Browser Protections: improve protections and detections of threats from email and web vectors (e.g., phishing).
Question 1 2 3 4 5 6 7

What are three examples of risks that exist pertaining to the selection and acquisition of software?

1. Lack of expertise: the risk that the purchasing agent does not have the expertise or organizational perspective to purchase software that meets the needs of the organization.
2. Lack of a formal selection and acquisition process: the risk that the organization either does not have, or does not follow, a formal selection and acquisition process for software.
3. Software/hardware vulnerability and compatibility: the risk that proper safeguards to protect the organization from unauthorized use do not exist, or that the software or hardware is incompatible with each other or with existing resources.

What are three examples of outsourcing risks during the change management process?

1. Lack of organizational knowledge: leaves the organization vulnerable, because it must rely on the third party to fully comprehend the organization's business model.
2. Uncertainty of the third party's knowledge and management: the risk that the external party has ineffective or weak management, inexperienced or underqualified staff, or a lack of technology expertise.
3. Lack of security: the risk that the external organization does not have sufficient or effective safeguards to keep client, customer, employee, or operational information secure.

Identify and describe a few common types of network architecture designs. (5 of them)

1. Local-area networks (LANs): provide network access to a limited geographic area (a home or a single-location office).
2. Wide-area networks (WANs): connect multiple LANs to provide access across larger geographic areas (cities, regions, or countries); the internet is the largest example.
3. Software-defined wide-area networks (SD-WANs): monitor the performance of WAN connections and manage traffic to optimize connectivity.
4. Virtual private networks (VPNs): virtual connections through a secure channel or tunnel that provide remote and secure access to an existing network.
5. Demilitarized zone (DMZ): provides an additional layer of security to an organization's LAN by creating a physical or logical subnetwork outside the LAN's firewall to house the organization's resources that face an untrusted network such as the internet. A DMZ typically involves at least two firewalls: one to separate the DMZ from the internet and another to separate the DMZ from the LAN.

What are some examples of traditional hardware found in most networks? (7 of them) (MR. SEGS F)

1. Modems: connect a network to an internet service provider's network.
2. Routers: manage network traffic by connecting devices to form a network; a router acts as the link between the modem and the switches.
3. Switches: connect and divide devices within a computer network (switches do not assign IP addresses; the router does).
4. Gateways: a computer or device that acts as an intermediary between different networks, transforming data from one protocol into another (a translator).
5. Edge-enabled devices: bring computing, storage, and networking functions closer to the source of the data or system requests (faster network response times).
6. Servers: physical or virtual machines that coordinate the computers, programs, and data that are part of the network.
7. Firewalls: software applications or hardware devices that protect a person's or a company's network traffic by filtering it through security protocols with predefined rules. Firewalls:
• assign internal IP addresses;
• prevent unauthorized access to the organization; and
• prevent employees from downloading malicious programs.
(Which of the following statements regarding a computer network is incorrect? A. Servers act as an intermediary among different networks. B. Routers manage traffic on a network. C. Switches can divide one connection into multiple connections. D. Gateways convert protocols to communicate with other network devices. Answer = A) Question 1! 2 3 4 5!

To date, three of the most prolific sets of standardized frameworks promulgated by NIST include the

1. NIST Cybersecurity Framework (CSF); 2. NIST Privacy Framework; and 3. NIST SP 800-53 Security and Privacy Controls for Information Systems and Organizations.

Change Management and New System Controls Evaluating the Impact of System Changes on Internal Controls Documenting System Controls

Change management and new system controls:
1. Policies and procedures
2. Emergency change policies
3. Standardized change requests
4. Impact assessment
5. Authorization
6. Separation of duties
7. Conversion controls (converting data)
8. Reversion access (the ability to back out a change)
9. Pre-implementation testing
10. Post-implementation testing
11. Ongoing monitoring
Evaluating the impact of system changes on internal controls: the trust services criteria for SOC 2 call for an annual risk assessment process.
Documenting system controls:
Baseline configuration
• establishes a starting point for reconfigurations so that changes are deployed in a consistent and secure environment (checklists, baseline images)
• used as a benchmark against which the current progress or performance of a system is compared
• baseline configuration metrics may include system uptime, resource utilization, and failover time
System component inventory: a list of the items that comprise a system, including hardware, software, peripherals, and other IT assets. The inventory can be used to track:
o components that are nearing end of life (Sim Exam)
o repairs and maintenance that have been made
o component owners
o upgrades and replacements that need to be made
o guidance related to troubleshooting
o specs such as model types and serial numbers
(Setting system parameters to meet a company's needs during an enterprise resource planning system implementation is known as: Answer = Configuration.) Question 4? 5

What are the six governance system principles under COBIT 2019? mnemonic: Very Healthy Dieters Do Try Everything Sim exam edited

1. Provide stakeholder value: the governance system should create value by balancing benefits, risks, and resources.
2. Holistic approach: the governance system comprises diverse components that collectively provide a holistic model (encompasses all IT components).
3. Dynamic governance system: the system is flexible and able to change.
4. Governance distinct from management: management and governance roles are distinguished.
5. Tailored to enterprise needs: the system is customized to the individual company's needs.
6. End-to-end governance system: all processes in the organization involving information and technology are factored in.
Mnemonic: Very Healthy Dieters Do Try Everything.
(Which of the following descriptions best summarizes the holistic approach governance system principle under COBIT 2019? Answer = Governance systems for IT can comprise diverse components.)

Describe the five objectives of the three AIS subsystems. (VCV PP) (existence, classification, accuracy, cutoff, presentation)

1. Record valid transactions. 2. Properly classify those transactions. 3. Record transactions at their correct value. 4. Record transactions in the correct accounting period. 5. Properly present transactions and related information in the financial statements.

Identify common transaction cycles within an accounting department. (7 of them)

1. Revenue and cash collections cycle: access to inventory; the customer's credit record; sales invoices and packing slips; cash receipts.
2. Purchasing and disbursement cycle: approved vendors; bidding process; purchase order (quantity); voucher (invoices, PO records, and receiving report records).
3. Human resources and payroll cycle: time and attendance files; the labor usage file.
4. Production cycle: work order; labor and materials (bill of materials).
5. Fixed asset cycle: useful life, salvage value, depreciation method; asset disposal.
6. Treasury cycle: pay expenses, pay employees, purchase fixed assets; deposit slips, checks, stock market data, and interest data; bank reconciliations.
7. General ledger and reporting cycle: trial balance; adjusting entries; closing temporary accounts.
(The finance division of an EV (electric vehicle) manufacturer works directly with customers in the last phase of the buying process to set up their car loans. This process includes checking the customer's credit and approving or denying a loan based on their credit history. In which of the following transaction cycles would this occur? Answer = Sales and cash collection cycles) Question 9 10 12 13 14 15

What are the two common types of schemas for dimensional modeling?

1. Star schema: a central fact table with its dimension tables surrounding it.
2. Snowflake schema: similar to a star schema, but with the dimension tables further normalized, i.e., broken down into multiple related tables rather than a single table (more complex).
• requires more tables and more foreign keys to link the tables together
• can also be more flexible, as it allows more detailed information to be stored about the dimensions
Tables:
Fact table: contains measures or metrics, referred to as facts, that measure the business, such as sales, cost of goods, or profit. Fact tables do not contain descriptive elements about the business, but they do contain foreign keys to the dimension tables.
Dimension table: contains descriptive or contextual data for the measures, such as dates, product names, and customer names.
(Which of the following database schemas is best described as a more complex schema requiring the greatest number of foreign keys to link tables together but allows for added flexibility by allowing for more detailed information to be stored about the dimensions? Answer = Snowflake schema) Question 1

What are the data elements associated with relational databases? (TARF DD)

1. Tables: organizational structures that establish columns and rows to store specific types of data records (e.g., customers, employees, sales orders, and inventory). A relational database is made up of at least two tables.
2. Attributes: the columns in relational database tables (e.g., an attribute in the customers table may be "Last Name").
3. Records: the rows in relational database tables (e.g., a record in the customers table provides information about a single customer).
4. Fields: the space created at the intersection of a column and a row in a table.
5. Data types: specify how the data is stored and analyzed, e.g., numerical, text, or date/time.
6. Database keys: uniquely identify each record in a table (and thus each field at the intersection of attribute and record) and facilitate the relationships between related tables.

What are the three subsystems (or modules) that typically make up an accounting information system (AIS)?

1. Transaction Processing System (TPS) - converts economic events into financial transactions (i.e., journal entries) and distributes the information (sales, expenditure, and conversion cycles)
2. Financial Reporting System (FRS) - aggregates daily financial information from the TPS and other sources (e.g., mergers, lawsuit settlements)
3. Management Reporting System (MRS) - provides internal financial information to solve day-to-day business problems (e.g., budgeting, variance analysis)
(A transaction processing system would appropriately include each of the following activities for an online bookseller, except: Answer = Monitoring competitor price changes.) Question 6

What are six examples of integration risks during the change management process?

1. User resistance - employees resist adopting the change (do not adapt to it, ignore training)
2. Lack of management support - management does not provide the resources and adequate support (which can magnify existing employee resistance)
3. Lack of stakeholder support - stakeholders from employees to suppliers to customers may have an adverse reaction or disposition toward the change
4. Resource concerns - appropriate resources (financial and labor) may not be made available for the change
5. Business disruption - disruptions to core functions
6. Lack of system integration - existing systems that do not effectively adapt to or integrate with more modern systems

Metrics for System Availability (9 of them) (ADS MM RRRR)

1. Agreed Service Time (AST) - the amount of time that services are agreed to be operational, expressed in hours or days
2. Downtime (DT) - the amount of time a system or application is not functional
3. Service Level Agreement (SLA) - the contract whose terms are used to calculate a system's overall availability and to determine whether a service organization is meeting performance standards (Availability % = (AST - DT) / AST x 100)
4. Maximum Tolerable Downtime (MTD) - the amount of time a business can tolerate an outage without causing long-term significant damage
5. Recovery Point Objective (RPO) - the maximum acceptable amount of data lost after an unplanned negative event, expressed as a point in time (e.g., no more than 30 minutes of data)
6. Recovery Time Objective (RTO) - the maximum time it should take to restore business operations to a target state following a system failure (must be no greater than the MTD)
7. Mean Time to Repair (MTTR) - the average length of time it takes to repair a damaged or inoperable device
8. Recovery Time Actual (RTA) - the actual time it took to restore business operations to the target state after a system failure (compare with the RTO)
9. Recovery Point Actual (RPA) - the actual point in time to which data was recovered (e.g., all trading data up to two minutes prior to the incident; compare with the RPO)
(A consumer-packaged goods (CPG) organization outsources its IT services to a managed services provider. For its distribution system to be continuous and lean, the CPG company specifies in its service level agreement that it must take no longer than eight hours to restore its IT systems. This is an example of which of the following metrics? Answer = Recovery time objective (RTO)) Question 19 20 21
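The nine metrics above, computed from an outage log and compared against SLA targets. This is an added example, not part of the original flash cards: the outage records, the SLA figures and the 30-day agreed service time are constructed. For each incident it measures the RTA and the data-loss window (failure time minus the recovery point actual), then checks RTA against the RTO and MTD, the data-loss window against the RPO, and the month's availability, (AST - DT) / AST, against the availability target.

```python
"""System availability metrics computed from a constructed outage log.

Added example; not from the original flash cards. The outage records, the SLA
targets and the agreed service time below are made up.
"""
from datetime import datetime, timedelta

AST = timedelta(days=30)  # agreed service time: 24x7 for a 30-day month (constructed)

# Constructed outage log: (failure time, service restored, point data was recovered to)
OUTAGES = [
    ("2024-03-03 02:00", "2024-03-03 05:30", "2024-03-03 01:45"),
    ("2024-03-17 14:10", "2024-03-18 00:10", "2024-03-17 13:00"),
]

# Constructed SLA targets
SLA = {
    "availability_pct": 99.5,
    "rto": timedelta(hours=8),      # recovery time objective
    "mtd": timedelta(hours=24),     # maximum tolerable downtime; the RTO must not exceed it
    "rpo": timedelta(minutes=30),   # recovery point objective
}


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


def compute_metrics(outages, ast: timedelta) -> dict:
    """Per-incident RTA and data-loss window, plus total DT, MTTR and availability."""
    incidents, downtime = [], timedelta()
    for failed, restored, recovery_point in outages:
        f, r, p = _ts(failed), _ts(restored), _ts(recovery_point)
        rta = r - f            # recovery time actual
        data_loss = f - p      # gap between the recovery point actual and the failure
        incidents.append({"failed": f, "rta": rta, "data_loss": data_loss})
        downtime += rta
    mttr = downtime / len(incidents) if incidents else timedelta()
    availability = (ast - downtime) / ast * 100
    return {"downtime": downtime, "mttr": mttr, "availability_pct": availability,
            "incidents": incidents}


def sla_breaches(metrics: dict, sla: dict) -> list:
    """Which SLA terms were missed. MTD is reported in preference to RTO for one incident."""
    breaches = []
    if metrics["availability_pct"] < sla["availability_pct"]:
        breaches.append(f"AVAILABILITY {metrics['availability_pct']:.3f}% < {sla['availability_pct']}%")
    for inc in metrics["incidents"]:
        day = inc["failed"].strftime("%Y-%m-%d")
        if inc["rta"] > sla["mtd"]:
            breaches.append(f"MTD {day}: RTA {inc['rta']} exceeded the maximum tolerable downtime")
        elif inc["rta"] > sla["rto"]:
            breaches.append(f"RTO {day}: RTA {inc['rta']} > RTO {sla['rto']}")
        if inc["data_loss"] > sla["rpo"]:
            breaches.append(f"RPO {day}: lost {inc['data_loss']} of data > RPO {sla['rpo']}")
    return breaches


if __name__ == "__main__":
    m = compute_metrics(OUTAGES, AST)
    print(f"DT={m['downtime']} MTTR={m['mttr']} availability={m['availability_pct']:.3f}%")
    for b in sla_breaches(m, SLA):
        print("BREACH:", b)
```

With the constructed log, the second outage is restored inside the MTD but outside the eight-hour RTO, its last recoverable backup is 70 minutes before the failure (outside the 30-minute RPO), and 13.5 hours of downtime in a 720-hour month brings availability to 98.125%, below the 99.5% target.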

Describe the intent of Control 10 - 18 (MD NN SS AIP)

10. Malware Defenses - prevent or control the installation, spread, and execution of malicious applications, code, or scripts on enterprise assets.
11. Data Recovery - establish and maintain data recovery practices sufficient to restore in-scope enterprise assets to a pre-incident and trusted state.
12. Network Infrastructure Management - establish, implement, and actively manage network devices in order to prevent attackers from exploiting vulnerable network services and access points.
13. Network Monitoring and Defense - operate processes and tooling to establish and maintain comprehensive network monitoring and defense against security threats across the enterprise's network infrastructure and user base.
14. Security Awareness and Skills Training - establish and maintain a security awareness program to influence behavior among the workforce to be security conscious and properly skilled to reduce cybersecurity risks to the enterprise.
15. Service Provider Management - develop a process to evaluate service providers who hold sensitive data or are responsible for an enterprise's critical IT platforms or processes, to ensure these providers are protecting those platforms and data appropriately.
16. Application Software Security - manage the security life cycle of in-house developed, hosted, or acquired software to prevent, detect, and remediate security weaknesses before they can impact the enterprise.
17. Incident Response Management - establish a program to develop and maintain an incident response capability to prepare for, detect, and quickly respond to an attack.
18. Penetration Testing - test the effectiveness and resiliency of enterprise assets by identifying and exploiting weaknesses in controls (people, processes, and technology) and simulating the objectives and actions of an attacker.
Question 1 2 3 4 5

What are the two general categories of data breaches? The four costs of data breaches expenditures?

A data breach is the exposure of confidential information to unauthorized persons.
Unintentional Data Breach: a breach resulting from negligence or error.
Intentional Data Breach: a breach resulting from bad actors illegally gaining access to data.
The four costs of data breach expenditures:
1. Detection and Escalation: the cost to detect a breach, such as forensics and investigative efforts.
2. Notification: the cost to notify necessary parties, such as consumers and regulators.
3. Post-breach Response: the cost to rectify the effects of the breach, such as paying regulatory fines, implementing credit-monitoring services for consumers, and providing ongoing communications to consumers.
4. Loss of Business and Revenue: revenue is temporarily lost during downtime caused by the breach, which can ultimately lead to loss of customers and a more permanent loss of revenue.
Other consequences of a breach: business disruption, reputational harm, financial loss, data loss, and legal and regulatory implications.

What is a data model and a database schema?

A data model is a high-level design of the data structures in an information system, while a database schema is the actual implementation of that design in a specific relational database.
Database models start with the conceptual model (least complex), move through the logical model, and end with the physical model (most complex).
Conceptual - high-level, big-picture representation of the data structures
• used to understand the overall structure and meaning of the data
• used to communicate the design of a data model to stakeholders
• no details of the attributes or of the physical implementation
Logical - more detailed representation of the data structures
• defines the attributes of each entity
• useful for designing a data warehouse
• differences from the conceptual model: the logical model identifies the primary and foreign keys of each entity, and it resolves entity-relationship issues related to 1NF or 2NF
Physical - specifies how the data will be stored in the database (most detailed)
• the model is complete enough that the database can be built from it
• a character limit (if applicable) can be included, as well as whether a field is required and any default values for fields

How does the AICPA define a deficiency in the operation of a control in a SOC 2° engagement?

A properly designed control that either: 1. does not operate as designed; or 2. is performed by a person who lacks authority or competence to perform the control effectively. Test of controls (NET)

Describe an operational data store (ODS).

An ODS is a repository of transactional data from multiple sources and is often an interim area between a data source and data warehouses. (temporary) Examples: • customer orders; sales; or vendor payments • system-related; measuring available storage; system latency; (Which of the following statements about operational data stores (ODS) and data warehouses is true? Answer = ODS serves as an interim area between data warehouses and data sources for transactional data.)

BPMN Activity Models

BPMN Activity Models:
1. Events (circle): events describe how a process begins or ends. Events are not actions; they simply indicate when a process kicks off, pauses, or finishes
• Start Events
• End Events
• Intermediate Events
2. Tasks (rectangle): every action in a process is documented as a task
3. Sequence flows (solid arrow): show the order in which tasks and events occur within a participant's process
4. Message flows (dashed arrow): show messages passed between participants (pools)
5. Gateways (diamond): provide analysis opportunities for when a task can result in more than one outcome, be it two, three, or more

What is CIS? Explain the principles by which the CIS Controls were designed. (CCC)

The Center for Internet Security (CIS) recommends 18 Controls to strengthen a business's cybersecurity defenses
• the Controls are task-focused and organized by activities
• each Control has recommendations referred to as Safeguards (153 in total)
Design principles:
1. Context: an enhancement to the scope and practical applicability of Safeguards through the incorporation of examples and explanations.
2. Coexistence: alignment with evolving industry standards and frameworks, including NIST's CSF 2.0.
3. Consistency: disruption to users of the Controls is minimized, and the Implementation Groups are not affected.
(Which Center for Internet Security (CIS) Control principle was designed to enhance the scope and practical applicability of safeguards through incorporation of examples and explanations? Answer = Context)

COSO's five control components and 17 principles (CRIME)

Control Environment
1. Demonstrates commitment to integrity and ethical values
2. Exercises oversight responsibility
3. Establishes structure, authority, and responsibility
4. Demonstrates commitment to competence
5. Enforces accountability
Risk Assessment
1. Specifies suitable objectives
2. Identifies and analyzes risk
3. Assesses fraud risk
4. Identifies and analyzes significant change
Information and Communication
1. Uses relevant, quality information (FACT)
2. Communicates internally
3. Communicates externally
Monitoring Activities
1. Conducts ongoing and/or separate evaluations
2. Evaluates and communicates deficiencies
Control Activities (Existing)
1. Selects and develops control activities
2. Selects and develops general controls over technology
3. Deploys control activities through policies and procedures
(In an effort to eliminate paper and create transparency in the logistics industry, Elige Supply Chain Inc. implemented a blockchain following the COSO internal control framework. In line with the framework, Elige educated its internal stakeholders on all relevant blockchain processes and developed software that continuously analyzed supply chain functions. Which two components of the COSO framework does Elige adhere to by executing these actions? Answer = Information and communication; monitoring activities) Question 29 31 32

Describe the purpose of ISACA's COBIT framework.

Control Objectives for Information and Related Technologies (COBIT) The COBIT framework provides a roadmap that organizations can use to implement best practices for IT governance and management. COBIT distinguishes between: • governance and management • internal or external Stakeholders

Define enterprise resource planning (ERP) systems. Define AIS.

ERP systems are cross-functional systems that support different business functions and facilitate the integration of information across departments such as accounting, customer management, finance, human resources, inventory management, manufacturing, marketing, and vendor management.
Drawbacks:
• not cost effective
• not quickly implemented
An ERP may include accounting information system (AIS) capabilities while being more robust than a standalone AIS and integrated with other departments.
AIS:
• collects, records, and stores accounting information
• compiles that information using accounting rules to report both financial and nonfinancial information to decision makers in an enterprise
(An enterprise resource planning (ERP) system has which of the following advantages over multiple independent functional systems? A. The time to implement an ERP system is significantly less. B. Data input is less intensive because a central repository is used. C. ERP systems are more cost effective. D. Integration is less costly. Answer = B) Question 1 2 3 4 8 11

Describe the data collection method extract, transform, and load (ETL). Describe the active data collection method. Describe the passive data collection method.

Data can be collected through three methods:
1. Extract, Transform, and Load (ETL):
• when data already exists, whether internal or external, it must be extracted from its original source, transformed into useful information, and loaded into the tool chosen for analysis
• a more specific method for collecting existing data in order to answer a specific data analysis question
2. Active Data Collection:
• collect new data from employees, customers, users, etc.
• directly asking users for data through means such as a survey or an interview
3. Passive Data Collection:
• companies gather information without direct permission from their users, through tracking web usage via cookies or gathering time stamps of when users interact with a website or online store
(Sunriss Production Company creates short films online and earns revenue through advertising on its website. Sunriss wants to get a better idea of viewers' demographics, such as age and geographic location, as part of its planning for future production development. Sunriss hopes to bring more consistent traffic to its website by tailoring content to the appropriate demographics. What method of data collection would Sunriss most likely consider if the organization does not have relevant existing data yet and does not wish to seek direct permission from its viewers to collect the data? Answer = Passive data collection) Question 4? 7 8 9

Data Dictionary

Data dictionaries provide and summarize information about the data in a database to • make it easier to work with the data; and • understand how it can be used to inform decisions and build meaningful reports

Describe: a data warehouse a data mart. a data lake.

Data warehouse: a very large, centralized data repository used for reporting and analysis rather than for transactional purposes (big)
• pulls data either directly from enterprise systems with transactional data or from an ODS
• the data is then combined into a single repository that can be used for reporting and to create data marts
• must be continuously updated to remain relevant
Data mart: similar to a data warehouse but focused on a specific purpose, and often a subset of a data warehouse (smaller)
Data lake: a repository similar to a data warehouse but containing both structured and unstructured data, mostly in its natural or raw format
• differs from a data warehouse in that it has no predefined data structure or schema
• the data is not indexed or prepped and can be accessed by a user in its original form
Note: On-Premises Storage vs. Cloud-based Storage
• cloud-based storage is highly scalable, allowing companies to store as much or as little data as they need
(Jen manages multiple data repositories for Savestone Tax Services. One of the repositories Jen manages does not have a predefined data structure or schema, nor is the stored data indexed or prepped, so users can access the data in its original form. Which type of data storage does Jen's managed data repository best describe? Answer = Data lake) Question 2 3 4

What are end-user devices (EUDs)? examples of non-EUDs (non-end-user devices).

Electronic machines, typically computers or microcomputers (small, low-power computing devices for specific tasks), that directly interact with employees or consumers at the "edge" of a network. Examples of EUDs include:
o company-issued laptops;
o desktops;
o tablets; and
o wearables
that are used by an employee who is strictly the final consumer of that device rather than an intermediary.
EUDs are different from devices used by programmers, administrators, and developers, who are the people responsible for:
• building;
• maintaining; and
• repairing
the underlying infrastructure on which EUDs operate.
Examples of non-EUDs (non-end-user devices):
• Switches
• Servers
• Routers
• Other network support devices

BIA Estimate Losses (terminology)

Estimate Losses: a list of potential risks and events that could disrupt operations, with the likelihood of each threat
• Annualized Rate of Occurrence (ARO): the expected number of occurrences in a year
• Exposure Factor (EF): the portion of an asset's value lost in a single event, expressed as a percentage of the asset's value (the quiz question below describes it as the likelihood of damage)
• Single Loss Expectancy (SLE): the cost of an individual loss. SLE = Asset Value (AV) × EF
• Annualized Loss Expectancy (ALE): the expected cost of a specific loss in a given year. ALE = SLE × ARO
(Savestone Insurance is considering large premium increases for its clients for its upcoming fiscal year due to significant losses from tornadoes in the current year. To do that, it performs a business impact analysis to estimate losses. This process involves using the average value of the assets it insures and multiplying them by the likelihood of damage from a natural disaster based on historical weather patterns. This allows Savestone to estimate the cost of an individual loss, which is referred to as the: Answer = Single loss expectancy (SLE).) Question 1 17
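The SLE and ALE formulas above carried through for two assets, plus the step a BIA is usually done for: deciding whether a safeguard is worth buying. This is an added example and not part of the original flash cards; the asset values, exposure factors, occurrence rates and the safeguard's annual cost are constructed, and the cost/benefit rule used (ALE before the control minus ALE after it minus the control's annual cost) is the standard quantitative one rather than something the cards state.

```python
"""Quantitative loss estimation for a BIA: SLE = AV x EF and ALE = SLE x ARO.

Added example; not from the original flash cards. All figures below are
constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Exposure:
    asset: str
    asset_value: float      # AV: value of the asset, in dollars
    exposure_factor: float  # EF: fraction of AV lost in one event (0.0 to 1.0)
    aro: float              # ARO: expected number of events per year

    def __post_init__(self):
        # Reject inputs that would silently produce nonsense (EF over 100%, negative rates).
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("EF must be a fraction between 0 and 1")
        if self.asset_value < 0 or self.aro < 0:
            raise ValueError("AV and ARO must be non-negative")

    def sle(self) -> float:
        """Single loss expectancy: the cost of one occurrence."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized loss expectancy: the expected cost per year."""
        return self.sle() * self.aro


def rank_by_ale(exposures) -> list:
    """Asset names ordered from largest to smallest expected annual loss (prioritization)."""
    return [e.asset for e in sorted(exposures, key=lambda e: e.ale(), reverse=True)]


def safeguard_value(before: Exposure, after: Exposure, annual_cost: float) -> float:
    """Net annual value of a control: ALE reduction minus its yearly cost; positive means it pays."""
    return before.ale() - after.ale() - annual_cost


# Constructed BIA inputs.
WAREHOUSE = Exposure("Distribution warehouse (tornado)", asset_value=5_000_000,
                     exposure_factor=0.60, aro=0.10)
CUSTOMER_DB = Exposure("Customer database (breach)", asset_value=2_000_000,
                       exposure_factor=0.35, aro=0.20)
# The same database after encryption at rest and DLP shrink the damage of one breach;
# the ARO is unchanged because the control reduces impact, not the attack rate.
CUSTOMER_DB_PROTECTED = Exposure("Customer database (breach, protected)", 2_000_000, 0.05, 0.20)
SAFEGUARD_ANNUAL_COST = 60_000


if __name__ == "__main__":
    for e in (WAREHOUSE, CUSTOMER_DB):
        print(f"{e.asset}: SLE=${e.sle():,.0f} ALE=${e.ale():,.0f}")
    print("priority:", rank_by_ale([WAREHOUSE, CUSTOMER_DB]))
    print("safeguard net annual value:",
          safeguard_value(CUSTOMER_DB, CUSTOMER_DB_PROTECTED, SAFEGUARD_ANNUAL_COST))
```

With these inputs the warehouse has the larger SLE ($3,000,000) and ALE ($300,000) and so ranks first; the database control cuts ALE from $140,000 to $20,000, which at $60,000 a year leaves a net benefit of $60,000.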

What is infrastructure housing?

Facilities and the safeguards on such facilities that contain hardware. Examples include data centers or offices, which may include advanced security systems to monitor and control access

What are the six principles that must be followed when processing data in compliance with GDPR? (LPD ASC) (Sim Exam Edited)

General Data Protection Regulation (GDPR): the European Union data privacy law; it provides the circumstances in which it is lawful to process personal data, such as with proper consent or when complying with a legal obligation.
Scope: extends to the personal data of individuals in the EU, whether the data is processed inside or outside the EU.
1. Lawfulness, Fairness, Transparency - data must be processed lawfully, fairly, and in a transparent manner.
2. Purpose Limitation (processed for legitimate purposes) - data must be processed for specified, explicit, and legitimate purposes. Further processing beyond that purpose is permitted for public-interest archiving, scientific or historical research, or statistical purposes.
3. Data Minimization (process only what is necessary) - data processing must be adequate, relevant, and limited to what is necessary for the purpose.
4. Accuracy (kept updated) - data must be accurate and kept up to date.
5. Storage Limitation (stored for a limited time) - data must be stored only for as long as is necessary. Storing it for longer periods is permitted for public-interest archiving, scientific or historical research, or statistical purposes.
6. Integrity and Confidentiality (protect data) - data must be processed securely and protected against unauthorized or unlawful processing and against accidental loss, destruction, or damage.
(TampCorp is an organization based out of Italy specializing in the data processing of third-party human resources data. TampCorp collects the human resource data on all clients and houses the information on company servers located in northern Italy, but the processing is conducted remotely from the United States. Which of the following best describes TampCorp's application of general data protection regulation (GDPR)? Answer = TampCorp must comply with GDPR.) Question 4

COSO Enterprise Risk Management—Integrating With Strategy and Performance (5 of them) (SPRIG) Extra

Governance & Culture
1. Exercises Board Risk Oversight
2. Establishes Operating Structures
3. Defines Desired Culture
4. Demonstrates Commitment to Core Values
5. Attracts, Develops, and Retains Capable Individuals
Strategy & Objective-Setting (Sim Exam)
1. Analyzes Business Context
2. Defines Risk Appetite
3. Evaluates Alternative Strategies
4. Formulates Business Objectives
Performance
1. Identifies Risk
2. Assesses Severity of Risk
3. Prioritizes Risks
4. Implements Risk Responses
5. Develops Portfolio View
Review & Revision
1. Assesses Substantial Change
2. Reviews Risk and Performance
3. Pursues Improvement in Enterprise Risk Management
Information, Communication, & Reporting
1. Leverages Information and Technology
2. Communicates Risk Information
3. Reports on Risk, Culture, and Performance
(Which of the following activities would fall within the Performance component of the COSO Integrating with Strategy and Performance Framework? Answer = Prioritizing risk) 15^

List the governance objectives and management objectives according to the COBIT 2019 core model. (EAB DM)

Governance Objectives:
1. Evaluate, Direct, and Monitor (EDM) - evaluate objectives, direct management, monitor results
o ensured governance framework setting and maintenance;
o ensured benefits delivery;
o ensured risk optimization;
o ensured resource optimization;
o ensured stakeholder engagement.
Management Objectives:
1. Align, Plan, and Organize (APO) (Sim Exam) - align strategy, plan technology, organize for efficiency
o managing data, IT infrastructure and architecture, budgeting, and risk
2. Build, Acquire, and Implement (BAI) - which technology will you build, acquire, or implement
o identifying solutions,
o managing availability and capacity,
o dealing with organizational and IT change,
o managing knowledge,
o administering assets, and
o managing configuration.
3. Deliver, Service, and Support (DSS) (Sim Exam)
o managed operations,
o managed service requests and incidents,
o managed problems,
o managed continuity,
o managed security services,
o managed business process controls.
4. Monitor, Evaluate, and Assess (MEA) - monitors the performance, conformance, and internal control of the APO, BAI, and DSS domains and of the organization's technology
o managed performance and conformance monitoring;
o managed system of internal control;
o managed compliance with external requirements; and
o managed assurance.
(Under the COBIT core model, which of the following groups of objectives would best be classified as Build, Acquire, and Implement (BAI)? Answer = Managed knowledge, managed organizational change, and managed availability and capacity) Question 2 3 4

What is IT Infrastructure? SOC 2® engagements Extra

IT infrastructure has multiple, interconnected technological components. The core infrastructure involves a combination of:
• on-premises and outsourced hardware;
• software; and
• specialized personnel.
SOC 2® engagements are examinations in which a third party evaluates and reports on a service organization's system controls as they relate to the AICPA's five Trust Services Criteria:
1. Security
2. Availability
3. Processing integrity
4. Confidentiality
5. Privacy

What are the key differences between management and governance under the COBIT framework?

Management is responsible for the daily planning and administration of company operations, such as executive officers. Governance is responsible for evaluating strategic objectives, directing management to achieve those objectives, and monitoring whether objectives are being met. (Which of the following is responsible for carrying out IT governance policies? A. Executives B. Board of directors C. End users D. Middle management Answer = D)

What is the NIST Privacy Framework? Identify the eight framework functions under the NIST Privacy Framework Core. (GIP CC DRR)

NIST Privacy Framework - helps an organization manage the privacy risks to individuals that arise from its data processing
1. Govern-P: what is the best governance structure for privacy risks related to the company's data processing activities?
2. Identify-P: what are the company's privacy risks related to data processing activities?
3. Protect-P: what safeguards should be in place around privacy risks related to data processing activities?
4. Control-P: what is the best management structure for privacy risks related to data processing activities?
5. Communicate-P: how best to drive dialogue around privacy risks related to data processing activities?
6. Detect: how should the organization detect data privacy risks and events?
7. Respond: how should the organization respond to data privacy events?
8. Recover: how should the company continue business after data privacy events?
Note: the -P suffix marks the five functions that belong to the NIST Privacy Framework itself; Detect, Respond, and Recover are drawn from the NIST Cybersecurity Framework to cover privacy events that are also cybersecurity incidents.
Note: the Privacy Framework also has Implementation Tiers and Profiles, which operate the same way as in the NIST CSF.
(Which of the following framework functions in the Privacy Framework Core best describes the function that would include categories such as identity management, authentication, and access control, as well as data security? Answer = Protect) Question 1^ 4^

What are the forms in the normalization of data to eliminate redundant data and ensure data is stored logically? (steps to normalizing data)

Normalization is a database design technique that reduces data redundancy and eliminates undesirable characteristics such as insertion, update, and deletion anomalies.
1. First Normal Form (1NF) - makes sorting and filtering data easier. 1NF has two criteria:
• each cell (field) in a table must contain only one piece of information
• each record in every table must be uniquely identified (by a primary key)
2. Second Normal Form (2NF) - all non-key attributes in a table must depend on the entire primary key, including every part of a composite primary key (the whole PK)
• e.g., the composite primary key is Sales_Order_ID and Inventory_ID
• Quantity_Ordered passes the 2NF test: it depends on both the order and the item
• Inventory_Name fails the 2NF test: it depends on Inventory_ID alone, so it belongs in a separate Inventory table
3. Third Normal Form (3NF) - each non-key column in a table describes only the primary key (nothing but the PK)
• no non-key attribute may depend on another non-key attribute (a transitive dependency)
• e.g., a table with a primary key of Sales_Order_ID and a foreign key of Employee_ID
• adding Employee_Name would violate 3NF, because Employee_Name depends on the non-key attribute Employee_ID rather than on the primary key Sales_Order_ID
Pass key phrase: "the key, the whole key, and nothing but the key"
• "the key" refers to having a primary key in the first place, which is established by 1NF
• "the whole key" refers to every attribute relying on the entire composite primary key (2NF)
• "nothing but the key" refers to every attribute relying only on the primary key, not on any other non-key (transitive) attribute (3NF)
Question 7
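The 2NF and 3NF examples above made concrete. This is an added example and not part of the original flash cards: the table names (sales_order_line_flat, employee, inventory, sales_order, sales_order_line) and the rows are constructed, using the attributes the card names. One flat table holds everything keyed by (sales_order_id, inventory_id); the same data is then stored in third normal form. A query-based functional-dependency check shows why Inventory_Name fails 2NF while Quantity_Ordered passes, and two small operations show the update anomaly (an employee ends up with two names) and the deletion anomaly (an employee disappears with their last order) that the flat table allows and the normalized one does not.

```python
"""Normalization anomalies demonstrated with the card's attributes in SQLite.

Added example; not from the original flash cards. Table/column names and the
rows below are constructed for illustration.
"""
import sqlite3

# One wide table keyed by (sales_order_id, inventory_id).
FLAT_DDL = """
CREATE TABLE sales_order_line_flat (
    sales_order_id   INTEGER NOT NULL,
    inventory_id     INTEGER NOT NULL,
    quantity_ordered INTEGER NOT NULL,   -- depends on the whole key: passes 2NF
    inventory_name   TEXT    NOT NULL,   -- depends on inventory_id only: fails 2NF
    employee_id      INTEGER NOT NULL,   -- depends on sales_order_id only: fails 2NF
    employee_name    TEXT    NOT NULL,   -- depends on employee_id, a non-key column: fails 3NF
    PRIMARY KEY (sales_order_id, inventory_id));
"""

# The same facts in 3NF: the key, the whole key, and nothing but the key.
NORMALIZED_DDL = """
CREATE TABLE employee  (employee_id  INTEGER PRIMARY KEY, employee_name  TEXT NOT NULL);
CREATE TABLE inventory (inventory_id INTEGER PRIMARY KEY, inventory_name TEXT NOT NULL);
CREATE TABLE sales_order (
    sales_order_id INTEGER PRIMARY KEY,
    employee_id    INTEGER NOT NULL REFERENCES employee(employee_id));
CREATE TABLE sales_order_line (
    sales_order_id   INTEGER NOT NULL REFERENCES sales_order(sales_order_id),
    inventory_id     INTEGER NOT NULL REFERENCES inventory(inventory_id),
    quantity_ordered INTEGER NOT NULL,
    PRIMARY KEY (sales_order_id, inventory_id));
"""

# Constructed rows: (sales_order_id, inventory_id, quantity_ordered, inventory_name, employee_id, employee_name)
ROWS = [
    (1001, 7, 2, "Widget", 55, "Dana Lee"),
    (1001, 8, 5, "Gadget", 55, "Dana Lee"),
    (1002, 7, 1, "Widget", 55, "Dana Lee"),
    (1003, 8, 3, "Gadget", 61, "Sam Ortiz"),
]


def build_flat() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(FLAT_DDL)
    conn.executemany("INSERT INTO sales_order_line_flat VALUES (?,?,?,?,?,?)", ROWS)
    return conn


def build_normalized() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(NORMALIZED_DDL)
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executemany("INSERT OR IGNORE INTO employee VALUES (?,?)", [(r[4], r[5]) for r in ROWS])
    conn.executemany("INSERT OR IGNORE INTO inventory VALUES (?,?)", [(r[1], r[3]) for r in ROWS])
    conn.executemany("INSERT OR IGNORE INTO sales_order VALUES (?,?)", [(r[0], r[4]) for r in ROWS])
    conn.executemany("INSERT INTO sales_order_line VALUES (?,?,?)", [(r[0], r[1], r[2]) for r in ROWS])
    return conn


def depends_only_on(conn, key_col: str, col: str) -> bool:
    """2NF test on the flat table: True if every value of key_col maps to exactly one value of col,
    i.e. col is determined by that part of the key alone. Identifiers are module constants here;
    never build them from user input, since they cannot be bound as parameters."""
    sql = (f"SELECT MAX(n) FROM (SELECT COUNT(DISTINCT {col}) AS n "
           f"FROM sales_order_line_flat GROUP BY {key_col})")
    return conn.execute(sql).fetchone()[0] == 1


def flat_employee_names(conn, employee_id: int) -> set:
    return {r[0] for r in conn.execute(
        "SELECT DISTINCT employee_name FROM sales_order_line_flat WHERE employee_id = ?", (employee_id,))}


def normalized_employee_names(conn, employee_id: int) -> set:
    return {r[0] for r in conn.execute(
        "SELECT DISTINCT e.employee_name FROM sales_order_line l "
        "JOIN sales_order o ON o.sales_order_id = l.sales_order_id "
        "JOIN employee e ON e.employee_id = o.employee_id WHERE e.employee_id = ?", (employee_id,))}


def rename_employee_on_order(conn, normalized: bool, order_id: int, employee_id: int, new_name: str):
    """An application that only knows the order it is editing. In the flat table this rewrites
    some of the employee's rows and leaves the rest stale (update anomaly)."""
    if normalized:
        conn.execute("UPDATE employee SET employee_name = ? WHERE employee_id = ?", (new_name, employee_id))
    else:
        conn.execute("UPDATE sales_order_line_flat SET employee_name = ? WHERE sales_order_id = ?",
                     (new_name, order_id))


def delete_order(conn, normalized: bool, order_id: int):
    if normalized:
        conn.execute("DELETE FROM sales_order_line WHERE sales_order_id = ?", (order_id,))
        conn.execute("DELETE FROM sales_order WHERE sales_order_id = ?", (order_id,))
    else:
        conn.execute("DELETE FROM sales_order_line_flat WHERE sales_order_id = ?", (order_id,))


def known_employees(conn, normalized: bool) -> set:
    """Deletion anomaly: in the flat table an employee vanishes with their last order line."""
    table = "employee" if normalized else "sales_order_line_flat"
    return {r[0] for r in conn.execute(f"SELECT DISTINCT employee_id FROM {table}")}
```

Running the checks: inventory_name is fully determined by inventory_id (so it fails 2NF and moves to its own table), quantity_ordered is not (it needs the whole key and stays), and employee_id is determined by sales_order_id alone. Renaming employee 55 through order 1001 leaves the flat table with both "Dana Lee" and "Dana Lee-Park"; deleting order 1003 removes employee 61 from the flat table entirely, while the employee table in 3NF keeps both facts intact.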

Explain the difference between a Current Profile and a Target Profile.

An Organizational Profile includes one or both of the following:
Current Profile: specifies the outcomes that an organization is achieving (or attempting to achieve) based on its current cybersecurity posture.
Target Profile: specifies the desired outcomes that an organization has prioritized achieving, considering anticipated changes to its cybersecurity posture.
The differences between the current state and the target state are identified in a gap analysis.
Five-step approach to help inform continuous improvement:
1. Scope the Organizational Profile
2. Gather the information needed to prepare the Organizational Profile
3. Create the Organizational Profile
4. Analyze gaps between the Current and Target Profiles and create an action plan
5. Implement the action plan and update the Organizational Profile
(Gamma Corporation is looking to create a gap analysis to assist the organization to drive change toward regulatory requirements, best practices within the organization's industry, and other specific organizational goals. Which organizational profiles should be used to measure the respective cybersecurity risks and establish necessary roadmaps? Answer = The current profile and the target profile) Question 3

Patch Management

Patch management is the systematic process of identifying specific vulnerabilities or software bugs in operating systems or applications and addressing them with patches, or fixes, between releases.
Reactive: as vendors discover new vulnerabilities, they release patches so that organizations can implement fixes.
Proactive: organizations track security controls and identify weaknesses on their own, so that management can identify the patches needed rather than waiting until a vendor or external party discovers a vulnerability.
An effective patch management process includes (Sim Exam):
1. Evaluating new patch releases
2. Using a vulnerability scanning tool
3. Testing patches in a test environment
4. Approving and deploying patches
5. Verifying that deployed patches work appropriately
(A company's network administrator discovered that critical software updates have not been installed on the network in a timely manner. Which of the following is a control that would directly address this situation? Answer = Creating and implementing a patch management policy.) Question 8

What are the six goals of the PCI DSS? (BP MIRM) What are the twelve PCI DSS Requirements?

Payment Card Industry Data Security Standard (PCI DSS): enhances payment security for cashless transactions
1. Build and maintain a secure network and systems
• Install and maintain network security controls.
• Apply secure configurations to all system components.
2. Protect account data
• Protect stored account data.
• Protect cardholder data with strong cryptography during transmission over open, public networks.
3. Maintain a vulnerability management program
• Protect all systems and networks from malicious software.
• Develop and maintain secure systems and software.
4. Implement strong access control measures
• Restrict access to system components and cardholder data through use of need-to-know restrictions.
• Identify users and authenticate access to system components.
• Restrict physical access to cardholder data.
5. Regularly monitor and test networks
• Log and monitor all access to system components and cardholder data.
• Test security of systems and networks regularly.
6. Maintain an information security policy
• Support information security with organizational policies and programs.
(Mishinor Corp. operates a payment processing network that facilitates merchant purchases using credit cards, debit cards, and digital currency. Mishinor's payment platform catalogs employee access to system components and cardholder data, and it allows management to perform stress assessments to identify weaknesses. This meets which of the following PCI DSS (Payment Card Industry Data Security Standard) goals? Answer = Regularly Monitor and Test Networks)

What are "pools" and "swim lanes" in the context of BPMN activity models?

Pools are used to quickly showcase how many organizations (parties and departments) are involved in a given process. • For instance, in a sales process, the internal organization will be the selling organization, and a separate external organization will be the customer Swim lanes are more granular than pools, indicating the segregation of duties within an organization. • For example, in the selling (internal) organization, there might be a sales representative role that is separate from a cashier role

There are four common types of cloud computing deployment models, and how the cloud environment is shared differs with each model. Extra sim exam

Public: the cloud is owned and managed by a CSP that makes the cloud services available to people or organizations who want to use or purchase them.
Private: the cloud is created for a single organization and is managed by the organization or a managed service vendor. The cloud infrastructure can exist on or off the organization's premises. The organization typically owns the underlying infrastructure in this model. Private clouds are popular in highly regulated industries such as financial services and health care.
Hybrid: the cloud is composed of two or more clouds, with at least one being a private cloud, that remain unique cloud entities but with technology in place that facilitates the portability of data and applications between each entity.
Community: the cloud infrastructure is shared by multiple organizations to support a common interest, such as companies banding together for regulatory compliance, a common mission, or collaboration with industry peers.
Note: Public cloud = shared with everyone. Community cloud = shared with a specific group that has something in common (like hospitals).
(Which of the following types of cloud computing deployment models can have at least some of its infrastructure on the organization's premises? A. Community and private B. Public and community C. Hybrid and public D. Private and hybrid Answer = D)

Network Infrastructure Physical Layout (Topology) (4 of them) Extra

Refers to the physical layout of equipment, or nodes, in a network.
• Each topology has different requirements for components.
Bus Topology
• A linear or tree form, with each node connected to a single line or cable.
• Disadvantage: if the central line fails, the entire network goes offline.
Mesh Topology
• There are numerous connections between nodes.
• Allows high levels of traffic and promotes network stability if a node is damaged, but it can be costly to implement.
Ring Topology
• Nodes are connected in a circular path. Data must first pass through every other device between the sender and the receiver.
• Data transmission collisions are minimized or eliminated, but this can result in very slow network performance.
Star Topology
• Data passes through a central hub, which acts as a switch or server, and is then transmitted to peripheral devices that act as clients.
• This topology structure makes it easier to identify damaged cables.

Describe the concept of relational databases and the benefit of storing data in a relational database. (6 words)

Relational databases store data across a series of related tables. Storing data in a normalized, relational database helps to reasonably assure that data are complete, not redundant, and that business rules and internal controls are enforced. It also aids communication and integration.
This differs from less complex methods of storage such as "flat files," which are files that contain plain text with no structural interrelationships within that file (such as an Excel or CSV file).
(Kidell Corporation is considering establishing a normalized, relational database to store key data needed for decision making. Kidell Corporation contracted with Peggy to help determine whether a relational database is needed. Which of the following would Peggy most likely identify as a benefit associated with relational databases to assist Kidell Corporation? Answer = Relational databases assist with the goal that all data required for a business process is included within the data set.) Question 5 6

Describe the purpose of the SELECT SQL command. Describe the purpose of the FROM SQL command.

SELECT: This command is required as the first clause in most SQL queries. SELECT indicates which attributes are requested to view.
Example: SELECT FirstName, LastName, State
FROM: This command is required as the second clause in most SQL queries. FROM indicates which table the attribute(s) requested by SELECT are located in.
Example: FROM Customers
Using SELECT and FROM together:
SELECT FirstName, LastName, State FROM Customers
SELECT * FROM Customers
Note: SELECT * = return all columns of all the queried tables. 1 3
(Frederick is looking to obtain any and all data related to his manufacturing firm's vendors to perform extensive analysis, although Frederick does not exactly know what kinds of analysis he will perform as of yet. Each of the firm's data sets has at least 12 attributes. Which query would Frederick most likely run to collect the data needed? Answer = SELECT * FROM vendors) Question 1 2? 3 5 6 7 10

Describe the concepts of SQL commands and database elements.

SQL commands are language-specific words used in SQL queries intended for data extraction (e.g., SELECT, FROM, JOIN, GROUP BY, HAVING, WHERE, and ORDER BY). Database elements are references to table names, attribute names, or criteria.
Note: Database elements must be spelled exactly the same as the table or record names; however, case does not matter.

Accounting Information Systems (AIS) extras: Sequence of Events of an AIS AIS Audit Trail

Sequence of Events of an AIS:
1. Transaction data from source documents is entered into the AIS by an end user.
2. Original source documents, if they exist, are filed.
3. Transactions are recorded in the appropriate journal.
4. Transactions are posted to general and subsidiary ledgers.
5. Trial balances are prepared.
6. Adjustments, accruals, and corrections are entered.
7. Financial reports are generated.
AIS Audit Trail:
o trace a transaction from source documents to the ledger;
o vouch from the ledger back to source documents.
(Creataw Textile Manufacturing recently purchased fabric to be used as raw materials for weaving a new line of garments. Creataw's senior accountant posted the purchase of the fabric to the general ledger in the company's accounting information system (AIS). Which of the following steps would she have performed prior to this step? Answer = Record the journal entry) Question 7

Change Management Testing Strategies

Testing software accomplishes the following:
• Determines whether the software is operating as expected.
• Discovers errors, defects, missing components, and gaps in the software.
• Verifies that the end product meets the business and user requirements.
Software testing process steps:
Step 1: Establish a testing plan, including roles and a timeline.
Step 2: Identify and prioritize key areas of the software to test.
Step 3: Determine the type of test to run and specify the test objective.
Step 4: Execute the tests.
Step 5: Log the results and identify defects.
Step 6: Report findings and fix the defects in a timely manner.
Change Advisory Board (CAB):
• approve changes;
• document changes;
• notify users of upcoming or past changes; and
• deploy resources for testing and responding to change.
CABs should consider whether proper controls are in place so that there are separate environments for:
o testing;
o staging; and
o production.
Rollback: Upon discovery of unwanted changes, an organization's CAB or IT team should notify users prior to reversing or rolling back those changes to prevent loss of productivity.

What are three categories of safeguards for covered entities or business associates under HIPAA? what is HIPAA and when does it permit PHI disclosure? (7 of them)

The HIPAA Privacy Rule governs the privacy of protected health information (PHI) and medical records. HIPAA applies to covered entities such as: 1
• Health care providers that transmit health info electronically;
• Health plans;
• Health care clearinghouses;
• Service providers who need access to PHI.
Three categories of safeguards:
1. Administrative safeguards (training, procedures, response)
2. Physical safeguards (security, device and facility controls)
3. Technical safeguards (authentication, transmission security)
The Privacy Rule permits a covered entity to use and disclose PHI, with no further authorization required: 2
• To the individual.
• For treatment, payment, and health care operations. (Sim Exam)
• Incident to an otherwise permitted use and disclosure.
• With valid authorization.
• After giving the individual the opportunity to agree or object.
• As a limited (redacted) dataset for research or public health.
• For public interest and benefit activities provided by the law.
(Which of the following organizations would most likely be considered a covered entity under the Health Insurance and Portability Act (HIPAA)? Answer = A business that specializes in physical therapy for patients with knee and back issues, coordinating with each patient's primary physician) Question 1 2 3?

Implementation Groups

The implementation of the CIS Controls can be tailored to an organization's size by using one of three Implementation Groups (IGs). (Small to Big)
IG1: small or medium-sized organizations (Tier 1 & 2)
• their cybersecurity expertise is limited;
• data being used is not sensitive (not collecting PII or PHI); and
• the company cannot sustain long periods of downtime.
IG2 (includes IG1): bigger companies (Tier 3)
• have IT staff who support multiple departments;
• have sensitive client data, and they can tolerate short interruptions in service;
• big concern is loss of trust in the event of a data breach.
IG3 (includes IG1 and IG2): biggest companies (Tier 4)
• have security experts in all of the domains;
• data assets are sensitive and likely subject to compliance;
• attacks can cause significant damage to the company and the public.

What is the purpose of COSO's Enterprise Risk Management for Cloud Computing publication? (COSO Enterprise Risk Management for Cloud Computing) Extra

The publication provides specific guidance to organizations for applying the COSO framework to cloud computing. In general, an organization must integrate the governance of cloud computing into its overall risk management strategy.
1. Internal Environment: Foundation for a company's risk appetite, helping a company understand the level at which it wants to outsource technology functions.
2. Objective Setting: Management should understand how outsourcing technology functions will help it reach, or potentially hinder, its objectives.
3. Event Identification: Management must understand how adopting a CSP could make event identification more complex, or easier.
4. Risk Assessment: Management should understand the risks of its cloud strategy, understanding the impact to its risk profile, inherent and residual risks, and likelihood of the impact of all risks.
5. Risk Response: Management should determine whether its risk response will be to avoid a risk, reduce its likelihood, share the risk by transferring a portion of it to another entity, or accept the risk.
6. Control Activities: Understand how controls such as detective, preventative, automated, and manual as well as entity-level controls are modified in a cloud environment.
7. Information and Communication: Management should understand how operating in the cloud will affect the timeliness, availability, and dissemination of information and communication.
8. Monitoring: Management should modify its monitoring mechanisms to accommodate new complexities introduced by adopting a cloud solution.
(The COSO Enterprise Risk Management for Cloud Computing publication provides guidance for organizations trying to decide whether to avoid, reduce, accept, or share risk in which of the following components? Answer = Risk Response)

When considering the identification of deviations in the operating effectiveness of controls, what should the service auditor consider?

The service auditor should accumulate documentation of deviations in the operating effectiveness of controls discovered. If the service auditor cannot obtain reasonable assurance that system requirements or service commitments are being met, then the deficiency should be considered material.
• If deviations are the result of fraud, the service auditor should assess the risk that:
- the system description does not accurately reflect the system that was designed;
- the operating controls are not operating effectively.

5. Data Analytics and usage (internal)

The stage of analytics and usage lasts for as long as the data is useful to analysts in the company and focuses on the data being useful to the internal company—not being shared with external users or stakeholders.

Data Integration Visualizing the Flow of Processes and Data BPMN Activity Models

Visualizing the Flow of Processes and Data
• explains how a business works; and
• helps users understand when data is created and how it is used.
BPMN Activity Models
• Business Process Modeling Notation (BPMN) is used to create flowcharts referred to as activity models; and
• is a standardized tool for creating diagrams with symbols and rules to depict business processes.
• The more rule-bound a process is, the easier it is to automate.
• Once BPMN activity models are created, they can be analyzed for how rule-bound the steps and decisions associated with the process are.
Flow activities: A primary purpose of a BPMN activity model is:
• to describe which organizations are involved in a process; and
• how the process is separated across roles/duties.

Describe the purpose of the WHERE SQL command and the JOIN, ON SQL command.

WHERE: The WHERE command is used to filter results. For example, WHERE [attribute name] = [criteria].
Each attribute is stored as a specific data type:
• text (descriptive or categorical elements)
• number [SUM() COUNT() AVG() MIN() MAX()]
• date
When filtering for criteria from a text attribute, the criteria must be surrounded in quotes.
SELECT * FROM Customers WHERE Country='Mexico';
Number example: SELECT COUNT(Sales_Order_ID) FROM Sales_Orders
JOIN and ON: JOIN and ON clauses are required to indicate the second table and how the second table is related to the primary table (via the related primary key and foreign key).
INNER JOIN: will retrieve only the data for which there is a match in both tables (the order of the tables does not matter). 8 11
Example: SELECT * FROM Customers INNER JOIN Sales_Orders ON Customers.CustomerID = Sales_Orders.CustomerID
LEFT JOIN: If it is important to see all of the data from the Customers table, even if there is not a match in the Sales_Orders table, LEFT JOIN will also provide the Customers rows for which there is no match. 12
Example: SELECT * FROM Customers LEFT JOIN Sales_Orders ON Customers.CustomerID = Sales_Orders.CustomerID
(Bill is looking to obtain a list of all orders along with corresponding customer names for a customer behavior analysis. There are two relevant tables in the SQL database with the following schema: 'Orders' table: order_id (integer), customer_id (integer), product_sku (variable character string) 'Customers' table: customer_id (integer), customer_name (variable character string) Which of the following SQL queries will correctly provide Bill with what he needs? Answer = SELECT Orders.order_id, Customers.customer_name, Orders.product_sku FROM Orders JOIN Customers ON Orders.customer_id = Customers.customer_id;) Question 4 8 10 11 12

Describe the waterfall model and the Agile method of managing change in systems. (flexibility)

Waterfall model: characterized by different teams of employees performing separate tasks in sequence, with:
• each team beginning work from the pre-written authoritative agreement of the preceding team; and
• ending work when the requirements for the team have been met (the project then passes to the next team).
Challenges associated with the waterfall model include:
• Requires a great deal of time to complete.
• Benefits of the new system are not realized until completion.
• There is no customer input and change is difficult to manage.
• Some employees may be idle before beginning or after completing their step in the process.
Agile model: characterized by different teams working on different phases or tasks simultaneously, with shorter deadlines to encourage efficiency. Relative to the waterfall model, Agile offers a more flexible approach to change management.
• shorter deadlines to encourage efficiency;
• allows changes of direction throughout the project;
• the project can evolve throughout the project's life cycle.
The Agile principles are as follows:
• Satisfy the customer with early and continuous delivery of the highest-priority features.
• Welcome change; a change request is an opportunity to be closer to customer needs.
• Deliver working software frequently; working software is the primary measure of progress.
• Complete only the work requested by the customer.
• Conduct short, frequent, and regular meetings to maintain focus and make adjustments.
Question 7

4. Data Synthesis

bridge between preparation and usage (you can create calculated fields to prepare that data for quicker usage and analysis) (this step may not be necessary) (Which of the following would describe an example of data synthesis? A. Extracting data from a database to perform keyword analysis. B. Copying data from one spreadsheet to another. C. Creating a chart to visualize monthly website traffic. D. Calculating key anniversary dates based on each employee's hiring date. Answer = D)

Describe the considerations needed for business continuity plans.

Business continuity plans are more comprehensive: how to continue operations or restore operations in the most efficient and effective manner possible, with consideration given to all aspects of the organization (e.g., relocating facilities, HR, customer and supplier relationships). 13
Business continuity plans must consider:
• Identify the organization's key business processes.
• Identify the risks that exist in key business processes.
• Determine the acceptable downtime for key business processes.
• Implement mitigation and contingency plans to address risks and downtimes.
For SOC 2® engagements: service auditors may verify that an organization's business continuity plan testing is performed on a periodic basis and determine if the plan:
• was based on relevant and likely scenarios;
• focused on components whose failure would significantly impair the company;
• considered scenarios in which key personnel are lacking; and
• was periodically revised based on test results.
(Bacchus, Inc. is a large multinational corporation with various business units around the world. After a fire destroyed the corporate headquarters and largest manufacturing site, plans for which of the following would help Bacchus ensure a timely recovery? Answer = Business continuity.) Question 11 13

Business Impact Analysis (BIA) Business Impact Analysis categories: BIA steps: Extra

A business impact analysis (BIA) assesses risks by identifying how quickly essential business units and/or processes can return to full operation following a disaster, and the resources required to resume business operations.
Business Impact Analysis categories:
• High-impact (H) category: cannot operate without; expensive recovery cost.
• Medium-impact (M) category: can partially function temporarily (days or perhaps a week without); some recovery cost.
• Low-impact (L) category: can operate for an extended period without.
BIA steps:
1. Establish the BIA Approach (impact type, criteria, time frame)
2. Identify Critical Resources (critical organizational functions)
3. Define Disruption Impacts (evaluate impact of disruption)
4. Estimate Losses (process in slide below)
5. Establish Recovery Priorities (prioritize recovery strategy) 16
6. Create the BIA Report 18
7. Implement BIA Report Recommendations
(Suzie, the Senior Accounting Director for her organization, is working with the IT department on a business impact analysis (BIA). They are determining the optimal maximum tolerable downtime (MTD) and the mean time to repair (MTTR) for the company's general ledger software should an outage occur. In which of the following BIA steps would this occur? Answer = Establish recovery priorities.) Question 14 16! 18

8. Data Purging

Data is completely removed (purged) from the company's storage systems (archived and otherwise). It is critical to ensure that:
• the data has truly reached the end of its use;
• there is no (legal) requirement to maintain the archived data; and
• the data is completely purged.

1. Data Definition

Defining what data a business needs and where to capture such data (helps the organization achieve its goals).

3. Data Preparation validate captured data: Data Integration: Cleaning Data: 1

Determine whether the data is complete, clean, current, encrypted, and user-friendly.
Validate captured data:
1. Compare the intended number of records to the actual number.
2. Compare the descriptive statistics for numeric fields if you are privy to checksums from the original data source. (Comparing those statistics helps to check for potential missing data or incorrectly formatted fields.)
3. Validate that field formats (e.g., string/text, date, time, double/numbers) are consistent with the source to ensure that the formatting transferred appropriately.
4. Compare character limits for the attributes in the source file to the new file to ensure data was not lost due to mismatched character limits.
Data Integration:
• When data is sourced externally (e.g., foreign exchange rates):
• ensure that the data pipeline is integrated with the target location/database; and
• ensure any ongoing updates of the external source are timely and accurately loaded in the target location/database.
Cleaning Data: 1
1. Remove unnecessary headings or subtotals.
2. Clean leading zeroes and nonprintable characters.
3. Format negative numbers.
4. Identify and correct inconsistencies in data ("CA," "Cal," "Ca.").
5. Address inconsistent data types (e.g., datetime, doubles).
Data Encryption:
(Brian works for a CPA firm and is in the process of preparing data for the analysis of client financial statement information for an audit. Brian would likely take each of the following steps to clean the data except: Answer = Create a calculated field to further prepare the financial statement data for additional analysis.) Question 1

What are Components of a governance system? What are the seven components to satisfy management and governance objectives under the COBIT 2019 core model? (POP I CPS)

Factors that either collectively or individually contribute to the successful execution of a company's governance system over information technology and systems.
1. Processes: Various activities that help achieve overall information technology goals.
2. Organizational Structures: Decision-making entities within an organization.
3. Principles, Policies, Frameworks: Provide guidance for turning desired behavior into practice.
4. Information: Info needed for the governance system to function properly.
5. Culture, Ethics, and Behavior: Factors that influence the success of all management and governance activities.
6. People, Skills, and Competencies: Sound decisions are made, corrective actions are taken, and critical objectives are completed.
7. Services, Infrastructure, and Applications: Governance system tools needed for IT processing.
(Each of the following are components of the governance system except which of the following? Answer = External stakeholders, culture, and competencies) Question 5

2. Data Capture Types of Checks (Field, Reasonableness, Completeness, Validity, Limit, Size)

Obtain the data, either by creating data internally or capturing data externally.
• Internal data created by the company:
o manually (e.g., keying in a sales order);
o automatically (e.g., system logs, electronic data interchange);
o semi-automatically (e.g., employee-reviewed sales order).
• For external data, there is added complexity such as integrity, safety, and copyrights. 2
• Field Check: Checks input type to ensure consistency with the field requirement (e.g., date, time, number, etc.).
• Reasonableness Check: Compares inputs against expected norms based on the context of the data. 5
• Completeness Check: Checks for missing mandatory fields.
• Validity Check: Verifies data against predefined rules or reference data (e.g., a phone number is always 10 digits).
• Limit Check: Checks data values against predefined upper and lower limits (e.g., <100).
• Size Check: Checks if the number of characters exceeds the maximum allowed for the field.
(Which data input control will alert a purchasing agent that the item quantity entered on a purchase order is 10 times the quantity purchased during the past 12 months? Answer = A reasonableness test) Question 2 5

Describe the five common steps in a disaster recovery plan.

Plans for restoring IT after destruction of not only program and data files, but also computer processing capability (does not include short-term problems or outages).
1. Assess the risks (BIA). 12
2. Identify mission-critical applications and data.
3. Develop a plan for handling the mission-critical applications.
4. Determine the responsibilities of the personnel involved in disaster recovery.
5. Test the disaster recovery plan. 3
(Pearlin Corp., a global IT services organization, has operations in three different countries and is creating its disaster recovery plan. Prior to identifying applications that are critical to its mission, Pearlin should perform which of the following activities? Answer = Assess risks at all facilities in each country.) Question 2 3 6 12

Data Flow Diagrams (DFD)

A standardized tool for creating diagrams that describe the way data moves through an organization. DFDs offer a more granular level of detail about how data moves through a process; however, there are fewer objects than in BPMN activity models.
• Process (rectangle or circle): indicates any action that results in data changing and producing a new output.
• Data flow (arrow): indicates the direction that data flows through processes.
• Data store object (open-ended rectangle): indicates where data is stored for later use.
• Entity object (square): indicates the external entity (organization, group of people, or different department) that receives the data at the end of a set of processes represented in a data flow diagram.

system availability (5 of them) (BB SCD)

System availability: when business data is accessible, IT systems are operating normally, and human capital is available.
Availability Scope:
1. Business Resiliency - Consideration of continuous operation or quick return to operation 8
2. Business Continuity - Ability to continue delivering products and services; operations focused
3. System Availability - Ability to prevent system disruptions 22
• Physical and IT Infrastructure Controls
• Uninterrupted Power Supply
• Redundancy and Backup Controls
4. Crisis Management - Overall response to a dire situation; broader than DR
5. Disaster Recovery - Strategic recovery after a disaster
• Incident Response Plan - Specific recovery after an event; part of a DR or CM plan
Pass Key: Business resiliency is the overall integration of procedures implemented to keep operations running smoothly, while disaster recovery, business continuity, and crisis management plans are different potential components of a business resiliency program. Disaster recovery focuses on IT functions, business continuity focuses on non-IT, operational and personnel functions, and crisis management focuses on large-scale incidents that are considered a crisis.
(A CPA is working closely with a client's IT administrator to understand all the accounting applications that need to be supported so that the company will have either uninterrupted operations or a quick return to operations after a system incident. The IT administrator's focus on the ability to quickly rebound best describes which of the following concepts? Answer = Business resiliency) Question 8 22

The NIST CSF framework core consists of six components. What are the six components? (GIP DRR)

• The CSF Core consists of six functions, which represent different points in the security risk management lifecycle that help enhance cybersecurity protection.
1. Govern - governance over all of the five areas below
2. Identify - identify cybersecurity risk
3. Protect - secure assets to prevent cybersecurity threats
4. Detect - timely discovery of cybersecurity attacks
5. Respond - contain the effects of cybersecurity incidents
6. Recover - restoration of a company's normal operations
Note: Components are not ordered steps, but rather functions that should be performed concurrently.

6. Data Publication (external)

The data is shared with external users, including:
• sending monthly statements to clients;
• publishing financial statements; and
• sending quotes to customers.
Once data is shared externally, the company no longer has sole control of how that data will be used.
(A large insurance firm's claims department collects personally identifying information (PII) about its members to process the claims and grant or deny coverage. This department runs the PII through a cleansing program that strips the data of identifying factors except for Social Security numbers and demographic information (such as race and gender). The department then gives the cleansed information to its analytics team, which circulates its analysis along with underlying data to the marketing department and certain vendors. Once the analytics team is finished, the data is stored and then permanently destroyed after seven years. At which state during the data life cycle does this process break down and expose the company to legal confidentiality risk? Answer = Publication) Question 3

introduce blockchain

• Blockchain is a control system originally designed to govern the creation and distribution of the cryptocurrency Bitcoin.
• Bitcoin must be "mined" in order to confirm transactions.
• The reward for solving (validating) the equation is both:
o the receipt of Bitcoin; and
o the validation of a new block of transactions (audit trail).
• Blockchain technology was developed:
o to prevent Bitcoin from being replicated; and
o to limit its initial creation so that there is only a finite number of Bitcoins.
o resists alteration;
o multiparty transaction validation; and
o decentralized nature. 27
• The decentralized nature of blockchains affects both the oversight responsibility and accountability control components. 28
(Which of the following identifies a potential threat posed by the use of blockchain? Answer = The resulting decentralization could lead to a decreased level of accountability.) Question 27 28

What five components were used for the development of COBIT 2019's foundation? (COBIT core model)

• COBIT 5 (previous standards) • Six principles for a governance system • Three principles for a governance framework • Other standards and regulations • Community contribution

Cloud computing CSP Extra

• Cloud customers rent storage space, processing power, proprietary software, or a combination of the three on remote servers from another company.
Cloud Service Providers (CSP)
• A third party that provides cloud computing services to customers, such as:
o application delivery;
o hosting; or
o monitoring.
• Performs all maintenance and tech support on the hardware.
• A CSP could be a company that uses purpose-built infrastructure to support customers, or one with a large computing infrastructure that leases or rents excess capacity during off-peak times.
• Multi-tenant CSP: serves multiple cloud customers at once and uses common resources and technology for all customers. 11
(Which of the following are benefits of using a cloud service provider (CSP)? Answer = Processing and storage can be rented in units of time, scaling up during peak usage times.) Question 7 8 11 12 16

When an organization is converting its computer systems from one system to another, what are the different conversion methods? (5 of them)

• Direct method
• Ceasing the use of the old system and starting the new one immediately.
• Risky: if the new system does not work, business operations could be severely hindered.
• Parallel method
• The new system is implemented while the old system is still in use for an extended period of time.
• Downside: it requires a significant amount of effort from personnel because they must operate two systems simultaneously. 10
• Pilot method
• Performs a conversion on a small scale within a test environment while continuing to use the older system. 9
• Phased method
• Gradual or modular conversion; adds volume to the new system while still operating the old system (one site at a time). 11
• Hybrid method
• Custom combinations of approaches, tailored to unique needs.
(An IT department is considering the replacement of discontinued software with new software. In order to ensure the completeness and accuracy of data processing within the new software, the department would appropriately designate which of the following installation processes as the safest option? Answer = Parallel) Question 9 10! 11

What are some examples of system availability controls? (5 of them) (PRIUS)

• Physical controls deter damage to the physical IT infrastructure, including: physical access controls, fire alarms/sprinklers, facility design.
• Redundancy
• switch from a failed unit, router, or switch to another unit;
• applies to data storage and backup.
• IT infrastructure controls
• Continuously using anti-malware software
• Periodic reviews of IT infrastructure components
• Network security controls
• Access and authorization logical controls
• Uninterrupted power supply (UPS): continuous supply of electrical power to equipment (battery backup).
• System backup (full, incremental, or differential)
1. Full - Exact copy of the entire database (longest time to back up; shortest time to restore). 27
2. Incremental - Copies only the data items changed since the last backup (shortest time to back up; longest time to restore). 25 26
3. Differential - Copies all changes made since the last full backup (medium time to back up; medium time to restore). 23
Detecting Deficiencies in Control Design: SOC 2® audit specific criteria for availability include:
• infrastructure capacity and monitoring;
• backups and recovery infrastructure; and
• testing recovery plans.
(Which method of backup involves copying all data items that have changed since the last full backup? Answer = Differential.) Question 23 25 26 27

Software Extra

• Software consists of the applications, procedures, or programs that provide instructions for a computer to execute (allows humans to give instructions to a computer).
• Operating systems (OS): software that orchestrates the global functioning of a group of applications, hardware, and their performance.
• Firmware: locally embedded in hardware; instructs the hardware how to operate (not updated frequently).
• Mobile technology: wireless, with the ability to connect to a private network or the Internet.
• Internet of Things (IoT) devices: typically require either Bluetooth or an internet connection to access a larger network (smartwatches, Bluetooth® earphones and speakers).

NIST SP 800-53 Security and Privacy Controls for Information Systems and Organizations. Who is the Target audience (Sim exam)

• Stricter standard compared to the NIST CSF or Privacy Frameworks.
• Designed for protecting information systems against sophisticated threats.
• NIST SP 800-53 is subdivided into 20 different control families that cover organizational risk. (not in scope of exam)
Target audience (extra sim exam):
• Individuals with security, privacy, or risk management and oversight responsibilities
• Individuals with system development responsibilities
• Individuals with logistical or disposition-related responsibilities
• Individuals with security and privacy implementation and operations responsibilities
• Individuals with security and privacy assessment and monitoring responsibilities
• Commercial entities

State the NIST CSF Tiers that apply to cybersecurity risk governance and cybersecurity risk management. (least to most sophisticated) (PIRA)

• Tier 1: Partial - small business - risk management is ad hoc and not based on the organization's objectives or threat environment.
• Tier 2: Risk-Informed - medium-sized business - aware of cybersecurity but not managing it securely; management approves of cybersecurity efforts but may be isolated from processes.
• Tier 3: Repeatable - big business - cybersecurity is integrated into planning and regularly communicated among senior leadership; formally documented policies and processes.
• Tier 4: Adaptive - huge business - organization-wide, where cybersecurity is prioritized.
Note: Tiers do not serve as a means to implement the six core functions.
(Brown Corporation is evaluating the integration of its risk management program and determined that its management of incidents is not integrated into organizational processes. Which CSF tier under the NIST CSF would this management integration be considered to be? Answer = Tier 1 (partial)) Question 2?

Describe the system tests during the development process (4 of them)

• Unit testing: examining the smallest increment, or unit, of an application (small view).
• Integration testing: examining whether different components or modules within an application will work cohesively (medium view).
• System testing: verifying that all combined modules of a completed application work as designed in totality (big-picture view).
• Acceptance testing: assessing an application to determine whether it meets end-user requirements (beta testing). 12
(An organization is conducting a Beta test with its top customer. The developer will not be present during the test, and the customer gets to test the software at its own site. What type of test is this? Answer = Acceptance test) Question 12
