ISMN 5750 exam 2


types of documentation (information gathering)

- administrative
- system
- procedural
- network architecture diagrams
- vendor support access documents and agreements

threat analysis (threat identification)

- adversarial
- accidental
- structural
- environmental

enterprise risk management (ERM):

- align risk appetite and strategy
- identify cross-enterprise risks
- reduce surprises and losses
- improve capital allocations
- seize opportunities
- enhance risk response decisions

NIST has three IT security control categories. The following are controls in one of the categories:

1. Identification and authorization
2. Logical access control
3. Audit trail
4. Cryptography

The above controls are examples of which control category?

technical

Three IT security controls covered by the National Institute of Standards and Technology (NIST) include management, operational, and __________.

technical

threat analysis

when undertaking a risk management plan, a complete threat analysis must be completed

assessing IT security controls:

- is it effective?
- is it required?
- how much effort or money should be spent?

minimum acceptable level of risk and security baseline definitions

- need to complete a risk assessment
- controls based on level of risk to the org
- org wide
- 7 domains of a typical IT infrastructure

IT testing and monitoring (questions):

- is IT performance measured to detect problems before it is too late?
- does management ensure that internal controls are effective and efficient?
- can IT performance be linked back to business goals?

security control points in an IT infrastructure

- management
- operational
- technical
- detective
- corrective

scope restrictions (negative impacts of scope restrictions)

- not providing enough resources
- limiting the time frame
- preventing the discovery of audit evidence
- restricting audit procedures
- withholding relevant historical records or information about past incidents

necessary documentation

- organization's written policies
- administrative documentation
- system documentation
- procedural documentation
- network architecture diagrams
- vendor support access documents and agreements

audit interview framework:

- preparing
- scheduling
- opening
- conducting
- closing
- recording

documented security policy framework

- security policy framework: foundation, direction, support internally, direction for assessments and audits
- policies: quality, inexpensive control, difficult to implement, provides reference to auditor, includes standards, procedures, and guidelines

examples of documents auditor should gather include:

- system config documentation
- applications config documentation
- network documentation for applications and systems being audited
- standard config documents for role specific systems

risk assessment analysis

- the likelihood of a threat to exploit a given vulnerability
- the impact on the organization if that threat against the vulnerability is achieved
- the sufficiency of controls to either eliminate or reduce the risk

IT testing and monitoring

- the most important and beneficial element of an IT security program
- testing and monitoring must be conducted to know the controls are working
- all frameworks include a control objective for regularly assessing and monitoring IT systems and controls

vulnerability identification resources

- vulnerability lists and databases
- security advisories
- software and security analysis

privacy audits address the following three concerns:

1. what type of personal information is processed and stored?
2. where is it stored?
3. how is it managed?

scope

includes areas to be reviewed and the time period

frequency

is every one, two, or three years

goals

must be aligned with audit objectives

Which of the following is NOT an important step for conducting effective IT audit interviews?

setting organizational goals during the interview

objectives

should satisfy internal and external requirements

resources in an IT infrastructure

- data
- apps
- technology
- facilities
- personnel

system configuration documentation:

- IP addresses
- operating system
- patch level
- hardware specifications
- installed software
- protocols
- service config
- user accounts
- password settings
- audit log settings

NIST standards and methodologies

- NIST 800-53 and NIST 800-53A are two important and widely used standards
- NIST provides a catalog of security controls and a framework to assess the controls
- many orgs base their policies on NIST
- CSD of NIST provides several popular publications: special publications, NISTIR, ITL bulletins, FIPS

layered audit

- a layered audit approach is necessary when systems span across the domains of an IT infrastructure
- predominant in audits: of a particular process,

applying risk management strategies

- accept the risk
- avoid the risk
- share the risk
- control the risk

identifying critical security control points:

- adequate controls should be in place to meet high level defined control objectives
- organizational risk assessment plays an important role in identifying high risk areas
- consensus audit guidelines (CAG)

tradeoffs to risk assessment analysis

- cost: are the costs of a control justified by the reduction of risk?
- operational impact: does the control have an adverse effect on system performance?
- feasibility: is the control technically feasible? will the control be feasible for the end users?

tools used in the IT audit process

- electronic work papers
- project management software
- flowcharting software
- open issue tracking software
- audit department website

standard config documents for role specific systems:

- firewalls
- web servers
- mail servers
- DNS servers
- FTP servers

existing IT security policy framework definition

- frameworks exist to help with risk management programs, security programs, and policy creation
- ensure compliance across the IT infrastructure
- important for the auditor to know upon what framework the organization has based its policy
- allows better alignment between the organization's policy and the audit

obtaining information, documentation, and resources

auditor:

- must understand the organization
- must understand the security in place
- must know industry best practices

An IT infrastructure audit __________ is the system in a known acceptable state, with the applied minimum controls relative to the accepted risk.

baseline

National Institute of Standards and Technology (NIST) security controls are classified as being preventive, detective, or __________.

corrective
