15 IT Security and Controls Flashcards

1
Q

Why is the audit trail in a computer-based environment volatile?

A

In any computer-based environment, a complete trail useful for audit purposes might exist for only a short time or in only computer-readable form. In online and real-time systems, data are entered directly into the computer, eliminating portions of the audit trail traditionally provided by source documents.

2
Q

What does a firewall do?

A

A firewall limits access to a private network connected to the internet rather than completely blocking information to and from the private network. Information with granted authorization (satisfying predefined security rules) is still accessible.

3
Q

What is malware (malicious software)?

A

Malware is a term describing any program code that enters a computer system that has the potential to degrade that system.

4
Q

What are some common forms of malware?

A
  • Trojan horse
  • virus
  • worm
  • denial-of-service
  • phishing
  • back door
5
Q

What is a Trojan horse malware?

A

A Trojan horse is an apparently innocent program (ex- spreadsheet) that includes a hidden function that may do damage when activated.

6
Q

What is a virus malware?

A

A virus is a program that copies itself from file to file. The virus may destroy data or programs. A common way of spreading a virus is by email attachments and downloads.

7
Q

What is a logic bomb virus?

A

Logic bombs are a type of virus triggered by a predetermined event (such as Friday the 13th, April Fool’s day, etc.)

8
Q

What is a worm malware?

A

A worm copies itself not from file to file but from computer to computer, often very rapidly. Repeated replication overloads a system by depleting memory or overwhelming network traffic capacity.

9
Q

What is a denial-of-service (DoS) malware attack?

A

A denial-of-service (DoS) attack is an attempt to overload a system (ex- network or web server) with messages so that it cannot function (a system crash).

10
Q

What is a distributed denial-of-service (DDoS) malware attack?

A

A distributed denial-of-service (DDoS) attack comes from multiple sources, for example, the machines of innocent parties infected by Trojan horses. When activated, these programs send messages to the target and leave the connection open.

11
Q

What is phishing malware?

A

Phishing is a method of electronically obtaining confidential information, such as a password or credit card number, through deceit. The perpetrator may set up a website that appears to be legitimate but actually serves no other purpose than to obtain the victim’s information.

12
Q

How are phishing scams often initiated?

A

Through email spoofing, in which the perpetrator sends out emails that appear to be from a real financial institution. When the victim clicks on the link to what (s)he thinks is the institution’s website, the victim is unknowingly redirected to the perpetrator’s website.

13
Q

What is a back door malware?

A

A back door is a program that allows unauthorized access to a system and bypasses the normal login procedures (front door). Trojan horses and viruses can create a back door that allows unauthorized access to the system or data.

14
Q

What is COBIT?

A

Control Objectives for Information and Related Technology - the best-known control and governance framework that addresses IT-related governance and management.

15
Q

What are the COBIT information criteria?

A
  • Effectiveness (doing the right things)
  • Efficiency (doing things right)
  • Confidentiality
  • Integrity
  • Availability
  • Compliance
  • Reliability
16
Q

What does the COBIT information criteria effectiveness mean?

A

Effectiveness (doing right things) deals with information’s relevance to the business process and receipt in a timely, correct, consistent, and usable manner.

17
Q

What does the COBIT information criteria efficiency mean?

A

Efficiency (doing things right) concerns the provision of information through the optimal (most productive and economical) use of resources.

18
Q

What does the COBIT information criteria confidentiality mean?

A

Confidentiality concerns the protection of sensitive information from unauthorized disclosure.

19
Q

What does the COBIT information criteria integrity mean?

A

Integrity relates to the accuracy and completeness of information, as well as to its validity in accordance with the business values and expectations.

20
Q

What does the COBIT information criteria availability mean?

A

Availability relates to information being available when required by the business process now and in the future. It also concerns the safeguarding of necessary resources and associated capabilities.

21
Q

What does the COBIT information criteria compliance mean?

A

Compliance deals with complying with the laws, regulations, and contractual arrangements to which the business process is subject, i.e., externally imposed business criteria as well as internal policies.

22
Q

What does the COBIT information criteria reliability mean?

A

Reliability relates to the provision of appropriate information for management to operate the entity and exercise its fiduciary and governance responsibilities.

23
Q

What are the IT governance focus areas?

A
  • strategic alignment
  • value delivery
  • resource management
  • IT risk
  • Risk management
  • Performance measurement
24
Q

What is the IT governance focus area strategic alignment?

A

Strategic alignment focuses on ensuring the linkage of business and IT plans; defining, maintaining, and validating the IT value proposition; and aligning IT operations with enterprise operations.

25
Q

What is the IT governance focus area value delivery?

A

Value delivery is about executing the value proposition throughout the delivery cycle, ensuring that IT delivers the promised benefits against the strategy, concentrating on optimizing costs, and proving the intrinsic value of IT.

26
Q

What is the IT governance focus area resource management?

A

Resource management is about the optimal investment in, and the proper management of, critical IT resources.

27
Q

What is the IT governance focus area IT risk?

A

IT risk is the business risk associated with the use, ownership, operation, involvement, influence, and adoption of IT within an enterprise or organization.

28
Q

What is the IT governance focus area risk management?

A

Risk management involves risk awareness by senior corporate officers, understanding of compliance requirements, transparency about the significant risks to the enterprise, and embedding of risk management responsibilities into the organization.

29
Q

What is the IT governance focus area performance measurement?

A

Performance measurement tracks and monitors strategy implementation, project completion, resource usage, process performance, and service delivery.

30
Q

What are the 5 key principles of COBIT?

A
  1. meeting stakeholder needs
  2. covering the enterprise end-to-end
  3. applying a single, integrated framework
  4. enabling a holistic approach
  5. separating governance from management
31
Q

How is value creation achieved in the COBIT model?

A

By balancing 3 components:

  1. realization of benefits
  2. optimization (not minimization) of risk
  3. optimal use of resources
32
Q

What are the factors referred to as stakeholder drivers?

A

internal factors (such as changes in organizational culture) and external factors (such as disruptive technologies). COBIT 5 recognizes that stakeholder needs are not fixed and evolve under the influence of these factors.

33
Q

What is the process in COBIT 5 described as the goals cascade?

A
  1. COBIT 5 supplies 17 generic enterprise goals that are tied directly to the balanced scorecard model.
  2. next, IT-related goals (referred to as alignment goals) are drawn up to address the enterprise goals
  3. Finally, enablers (referred to as components by COBIT 2019) that support the pursuit of the IT-related goals are identified
34
Q

What are the 7 categories of enablers described in COBIT 5 that support comprehensive IT governance and management?

A
  1. principles, policies, and frameworks - to translate desired behavior into guidance
  2. Processes - which are sets of practices to achieve the objectives
  3. organizational structures - which are decision-making entities
  4. culture, ethics, and behavior - of individuals and the enterprise
  5. information - produced and used by the enterprise
  6. services, infrastructure, and applications - that provide the enterprise with IT processing and services
  7. people, skills, and competencies - required for operations, error detections, and corrections
35
Q

Why are enablers interconnected?

A
  • they need the input of other enablers to be fully effective
  • they deliver output for the benefit of other enablers
36
Q

In COBIT 5, principle 5, Separating Governance from Management, what is governance?

A

Governance is the setting of overall objectives and monitoring progress toward those objectives. COBIT 5 associates governance with the board of directors.

37
Q

What are the 3 practices that must be addressed within any governance process?

A
  1. evaluate
  2. direct
  3. monitor
38
Q

In COBIT 5, principle 5, Separating Governance from Management, what is management?

A

Management is the carrying out of activities in pursuit of enterprise goals. COBIT 5 associates these activities with executive management under the leadership of the CEO.

39
Q

What are the 4 responsibility areas that must be addressed within any management process?

A
  1. plan
  2. build
  3. run
  4. monitor
40
Q

COBIT 5 divides governance and management into 5 domains. What are the 5 domains (key areas)?

A

Governance:
1. evaluate, direct, and monitor (EDM) - Evaluate stakeholder needs, conditions, and options. Set direction through prioritization and decision making. Monitor performance and compliance.

Management:

  1. align, plan, and organize (APO) - Plan how IT can be used to achieve the company’s goals and objectives
  2. build, acquire and implement (BAI) - Identify IT requirements, build or acquire the technology, and incorporate into business processes.
  3. deliver, service, and support (DSS) - Execute and support the application of the technology in business processes.
  4. monitor, evaluate, and assess (MEA) - Monitor and evaluate whether the current IT system and internal control system meet the company’s goals and objectives.
41
Q

What is the difference between COBIT 2019 and COBIT 5?

A

COBIT 2019 expands on COBIT 5’s key principles for a governance system applicable to IT governance to include 6 governance system principles and 3 governance framework principles.

42
Q

What is a governance system?

A

A governance system is the rules, practices, and processes that direct and regulate an entity.

43
Q

What is a governance framework?

A

A governance framework is the structure upon which the governance system is built.

44
Q

What are the 6 principles for a governance system in COBIT 2019?

A
  1. provide stakeholder value
  2. holistic approach
  3. dynamic governance system
  4. governance distinct from management
  5. tailored to enterprise needs
  6. end-to-end governance system
45
Q

What are the two types of governance system components (enablers)?

A

Generic - components applied in principle to any circumstances
Variant - components designed for a given purpose or context in a focus area

46
Q

What are the 3 principles for a governance framework in COBIT 2019?

A
  1. it is based on a conceptual model - the governance framework achieves consistency and automation by identifying components and their relationships
  2. it is open and flexible - the governance framework is flexible and permits inclusion of new content and issues without loss of consistency and integrity
  3. it is aligned with major standards - the governance framework aligns with relevant regulations, standards, frameworks, and best practices (ex - the latest IT standards and compliance regulations)
47
Q

What are the 7 phases of COBIT implementation?

A
  1. program initiation - what are the drivers? - involves recognizing change drivers and establishing management’s desire to change
  2. problems and opportunities definition - where are we now? - involves assessing the current state or capability and forming an implementation team
  3. road map definition - where do we want to be? - involves defining the target state and identifying the gap as well as potential solutions
  4. program planning - what needs to be done? - involves planning implementation to close the gap
  5. plan execution - how do we get there? - involves implementing the plan and establishing monitoring systems
  6. benefits realization - did we get there? - involves monitoring progress and achievement
  7. effectiveness review - how do we keep the momentum going? - involves reviewing the overall program and reinforcing improvements.
48
Q

What is the COBIT Performance Management (CPM) model?

A

The COBIT Performance Management (CPM) model measures performance using capability and maturity levels.

49
Q

What are capability levels?

A

The CPM measures performance by using the capability level to quantify how well a process is operating, ranging from 0 (no capability or not meeting the intent of any process practices) to 5 (well-defined process with continuous improvement enabled).

50
Q

What are maturity levels?

A

The CPM measures performance by using focus area maturity levels.

0 - incomplete
1 - initial
2 - managed
3 - defined
4 - quantitative
5 - optimizing
51
Q

What are the challenges when starting a data governance program or improving an existing program?

A
  • enterprises cannot easily quantify the benefits of data governance, which leads to a lack of management commitment
  • unclearly defined data ownership
  • disaggregated data sets from siloed departments
52
Q

What are the 5 stages of the data management approach to overcome challenges published in 2020 by ISACA?

A
  1. establish a data governance foundation
  2. establish and evolve the data architecture
  3. define, execute, assure data quality and clean polluted data
  4. realize data democratization
  5. focus on data analytics
53
Q

What is a data governance foundation?

A

A data governance foundation guides how to collect and use data by addressing legal, business intellectual property, and customer sensitivity considerations.

54
Q

What is data taxonomy?

A

Data taxonomy defines the amount of data collected and the functional classification of the information (ex- manufacturing data, product data, financial data, etc.).

55
Q

What is data classification?

A

Data classification identifies data categories (ex - public data, internal data, confidential data, or sensitive data) for data protection purposes.

56
Q

What are the data life cycle phases?

A
  1. plan/design
  2. build/acquire
  3. store
  4. use
  5. share
  6. archive/destroy
57
Q

Who is responsible for data governance?

A

First a data governance structure is created to strategically evaluate, direct, and monitor (EDM) data governance activities. Next, a data stewardship structure is set to operationally define roles and responsibilities for data management activities.

  • data owners
  • data stewards
  • data custodians
58
Q

What is a data owner?

A

Data owners make decisions about data as well as their business definitions, ex - forecasting sales using current sales data

59
Q

What is a data steward?

A

Data stewards ensure that data assets are used and adopted properly, ex - ensuring that the sales data used for forecasting are accurate and authorizing who can access the sales data.

60
Q

What is a data custodian?

A

Data custodians ensure the IT controls and safeguards for the data, ex - controlling the storage of the sales data and ensuring that only authorized personnel can access the data

61
Q

What is data democratization?

A

Data democratization is the creation of a self-serviced enterprise-wide platform, which allows permitted users to access the data, facilitates the sharing of data and insights, and provides a single source of reference for searching data.

62
Q

What is the Cybersecurity Framework (CSF)?

A

Created by the U.S. National Institute of Standards and Technology (NIST) the CSF is the Framework for Improving Critical Infrastructure Cybersecurity.

63
Q

What are the 5 functions defined by the CSF to control cyber risk activities and outcomes?

A
  1. identify - understanding of cybersecurity risk management
  2. protect - protection of critical services
  3. detect - detective measures to identify occurrence of cybersecurity breaches
  4. respond - corrective measures to tackle identified breaches
  5. recover - plans to restore services impacted by breaches
64
Q

What are the 4 tiers of management processes in CSF?

A

tier 1 - partial
tier 2 - risk-informed
tier 3 - repeatable
tier 4 - adaptive

65
Q

What is tier 1 - partial - management process?

A
  • cybersecurity management practices are informal and not based on risks
  • awareness of cyber risk is limited
  • processes to enable internal sharing of cybersecurity information may not exist
  • the organization does not collaborate (receive and share) cybersecurity risk-related information with other entities
66
Q

What is tier 2 - risk-informed - management process?

A
  • cybersecurity management practices are informal and not based on risks
  • awareness of cyber risk exists, but the consideration of risk is not at all levels
  • processes to enable internal information sharing are informal
  • the organization receives cybersecurity risk-related information from other entities but may not share such information
67
Q

What is tier 3 - repeatable - management process?

A
  • cybersecurity management practices are established as formal policies
  • awareness of cyber risks exists at all levels of the organization
  • processes to enable internal information sharing are formal
  • the organization receives and shares cybersecurity risk-related information, but not proactively
68
Q

What is tier 4 - adaptive - management process?

A
  • cybersecurity management policies are constantly improving to respond to risks promptly
  • awareness of current and evolving cyber risks is incorporated in the organization’s culture
  • information is continuously shared internally
  • the organization collaborates with other entities proactively in real time
69
Q

In the context of COBIT 2019, the CSF is implemented incrementally in 7 steps. What are the 7 steps?

A
  1. prioritize and scope - identify objectives, roles, and responsibilities - the goals cascade of COBIT 2019 is conducted
  2. orient - understand IT-related factors
  3. create a current profile - assess current state using four tiers and CPM
  4. conduct a risk assessment - assess internal and external factors
  5. create a target profile - determine target capacity
  6. determine, analyze, and prioritize gaps - identify gap and plan to close gap
  7. implement action plan - implement the plan