PSCS 3111 - Midterm Exam (Chapters 1-6)

What can be done to manage risk? (Select three.)

Accept, Transfer, Avoid

Which component is not part of the CIA triad?

Access

Account management and separation of duties are examples of what type of controls?

Access Control

What is the key difference between a framework and a standard?

All of the Above

Which of the following is an example of why an ongoing IT compliance program is important?

All of the Above

Noncompliance with regulatory standards may result in which of the following?

All of the above (brand damage, fines, imprisonment)

Which one of the following can an audit help identify?

All of the above (fraud, ineffective IT practices, improper use of resources, inadequate security)

To comply with the Red Flags Rule, financial institutions and creditors must do which of the following?

All of the above (identify red flags for covered accounts, detect red flags, respond to detected red flags, update the program periodically)

Which of the following policies would apply to the User Domain concerning the seven domains of a typical IT infrastructure?

Acceptable Use Policy and Internet Access Policy (answers A and B)

Which of these domains of security is responsible for the systems on the network that provide the applications and software for the users?

Application Domain

Which of the following defines the goals for an audit?

Audit Objective

Which of the following is not one of the titles within SOX?

Auditor Conflicts of Interest

Which one of the following is true with regard to audits and assessments?

Audits can result in blame being placed upon an individual.

If a baseline security control cannot be implemented, which of the following should be considered?

Compensating Control

Which of the following best describes an audit used to determine if a Fortune 500 health care company is adhering to HIPAA regulations?

Compliance Audit

Which of the following is not an example of a technical control performed by IT systems?

Computer support and operations

Which of these is not an effective method used by organizations to protect privacy data?

Conduct irregular risk assessments of access controls

Which of the following does not deal with the addressable HIPAA administrative safeguard of workforce security?

Contingency Operations

Regarding the seven domains of IT infrastructure, the Workstation Domain includes which of the following? (Select three.)

Desktop Computers, Laptop Computers, Email Servers

When applying controls, which of the following is not an example of what needs to be considered when examining the trade-offs?

Due Diligence

Which of the following documents should be included in the gathering process of an IT audit?

All of these: policies and procedures, previous audit reports, network diagrams (answers A, B, and C)

Which of the following acknowledges the importance of sound information security practices and controls in the interest of national security?

FISMA

Which of the following does not deal with the HIPAA administrative safeguard of the security management process?

Facility Security Plan

A WAN typically covers communication to a smaller defined geographical area.

False

A security assessment is a method for proving the strength of security systems.

False

A standard and a policy are exactly the same.

False

Avoiding the need for audits is one reason organizations develop clearly documented policies, standards, and procedures.

False

ISO/IEC 27002, formally known as "ISO/IEC 27002:2013 Information Technology—Security Techniques—Code of Practice for Information Security Management" is made up of 16 sections of code.

False

Internal written policies by themselves reduce risk.

False

Mitigating a risk from an IT security perspective is about reducing the risk to zero.

False

Only the internal audit function can perform an audit.

False

Only security operations personnel need to follow IT security policies.

False

Organizations may be audited for both ISO/IEC 27001 and ISO/IEC 27002 and receive a formal certification for each.

False

PCI DSS is a legislative act enacted by Congress to ensure that merchants meet baseline security requirements for how they store, process, and transmit payment card data.

False

Personal information, such as a person's name by itself, can be considered sensitive information.

False

Pretexting is a technical method of intercepting passwords embedded in text messages.

False

SOX explicitly addresses the IT security controls required to ensure accurate financial reporting.

False

An SSAE 16 Type 1 report includes everything in an SSAE 16 Type 2 report, but it adds detailed testing of the controls over a specific time frame.

False

The Family Educational Rights and Privacy Act (FERPA) of 1974 is a U.S. federal law that protects the privacy of student education records and allows parents certain access rights to the student's educational records, even when a student turns 18 and attends college.

False

Threat is synonymous with risk and can be used interchangeably.

False

Which of the following was established to have oversight of public accounting firms and is responsible for defining the process of SOX compliance audits?

PCAOB

Which of the following is an assessment method that attempts to bypass controls and gain access to a specific system by simulating the actions of a would-be attacker?

Penetration Test

Which of the following is not a category of IT security controls defined by NIST?

Physical Controls

ISO/IEC 27002 is a code of ________ for information security management.

Practice

Which one of the following is not an example of an audit facilitating tool defined by the IIA?

Presentation software

Which of these is a listing of codes used for prioritizing decisions during security control implementation and control enhancements for systems of varying degrees of impact?

Priority and baseline allocation

Which of the following best describes the rights and obligations of individuals and organizations with respect to the collection, use, disclosure, and retention of personal information?

Privacy Management

Which type of tool includes mechanisms for managing any project, including auditing projects, by helping track progress to established milestones?

Project management software

Which one of the following is not a method used for conducting an assessment of security controls?

Remediate

Which of the following components of IT governance deals with ensuring the proper management of IT resources and that they are used responsibly?

Resource Management

Which of the following is the discipline of managing and understanding uncertainty?

Risk Management

Categorizing information and information systems and then selecting and implementing appropriate security controls is part of a(n) __________.

Risk-based approach

What section of SOX requires management and the external auditor to report on the accuracy of internal controls over financial reporting?

Section 404

Which of the following should organizations do when selecting a standard? (Select three.)

Select a standard that can be followed, employ the selected standard, select a flexible standard.

Of the following four different document types, which is most likely to be used for audits and assessments because of their depth and prescriptive stance?

Special Publications

Which of the following components of an IT policy framework would require users to use two-factor authentication when accessing the remote network—usually combining a physical one-time token code with a PIN?

Standard

Which one of the following is the best example of avoiding risk?

The IT department disables the ability for end users to use portable storage devices

In accordance with CIPA, who determines what is considered inappropriate material?

The local communities

Having a photograph or physical description on an identification that is not consistent with the applicant or consumer presenting the identification is an example of what type of red flag category?

The presentation of suspicious documents

What is an important characteristic of a project such as an audit?

The project will occur in separate steps, getting progressively more elaborate.

Compliance initiatives typically are efforts around all except which one of the following?

To adhere to an auditor's recommendation

A compliance assessment or audit should not only consider controls but also measure the effectiveness of the governance and management oversight that ensures the controls are being followed.

True

Frameworks differ from each other in that they might offer varying levels of depth and breadth.

True

Fraudulent activity uncovered during interviews would be a reason to expand the scope of an audit.

True

ISO/IEC 27002 certification is not a one-time process but needs to be continuously updated.

True

NIST is a framework that applies only to government funded systems.

True

The Family Educational Rights and Privacy Act prohibits the use of Social Security numbers as directory information, even the use of just the last four digits of an SSN.

True

The decision to apply or not apply controls is based on risk.

True

The internal audit function may be outsourced to an external consulting firm.

True

The process of selecting security controls is considered within the context of risk management.

True

The results of a risk assessment help define the audit objectives.

True

Whereas only qualified auditors perform security audits, anyone may do security assessments.

True

Which of the following is the best example of a potential vulnerability to an IT system?

Unpatched Operating System

Which of these domains of security is responsible for the end users' operating environment?

Workstation Domain

Which one of the following is not one of the seven domains of a typical IT infrastructure?

LAN-to-LAN Domain

At which of the following levels do regulatory compliance laws not exist?

Local

Which of the following is not an example of operational controls?

Logical Access

Which one of the following is not part of the change management process?

Monitor Change

Which of the following organizations was tasked to develop and prescribe standards and guidelines that apply to federal information systems?

NIST

What organization was tasked to develop standards to apply to federal information systems using a risk-based approach?

National Institute of Standards and Technology

Which one of the following is not one of the safeguards provided within the HIPAA Security Rule?

Operational

A(n) _______ is a conceptual set of rules and ideas that provide structure to a complex and challenging situation.

Framework

Policies, standards, and guidelines are part of the policy ________.

Framework

After mapping existing controls to new regulations, an organization needs to conduct a(n) ________ analysis.

GAP

Which of the following is an examination of the current state of controls against the desired state of controls?

Gap analysis

Responding to business requirements in alignment with the business strategy is an example of an IT ________.

Goal

Which regulatory department is responsible for the enforcement of HIPAA laws?

HHS

Which of the following describes all the auditable components within an organization?

IT Universe

The ______________ is typically defined as everything needed to operate and manage the IT environment. It is simply all installed technologies, including all hardware, software, network devices, storage, cables, printers, monitors, and such.

IT infrastructure

The Framework Core is a matrix of activities and associated references that uses various categories across five different functions including which of the following? (Pick three.)

Identify, Protect, Respond

Adequate controls over privacy data help prevent ________ theft.

Identity

Which one of the following is not one of the four domains of COBIT?

Implement and Support

Which one of the following is not considered a principal part of the GLBA?

Information Security Rule

Which one of the following is not true of COBIT?

It is security centered
