26 Flashcards
Statement on Standards for Attestation Engagements 18 (SSAE 18) is a standard from the American Institute of Certified Public Accountants (AICPA). The standard defines three types of System and Organization Controls (SOC) audit reports (SOC 1, SOC 2 and SOC 3) that review different aspects of a company’s operations. A SOC 2 audit report provides detailed information and assurance about a service organization’s security, availability, processing integrity, confidentiality and/or privacy controls, based on its compliance with the AICPA’s Trust Services Criteria (TSC). Furthermore, a SOC 2 Type I audit provides a snapshot of the organization’s control design at a specific point in time, while a SOC 2 Type II audit evaluates the operating effectiveness of those controls over a period of time, typically at least six consecutive calendar months (in simple terms, “SOC” defines the scope of the audit, “Type” defines the time covered by the audit).
True
Which of the following answers refers to a nonprofit organization promoting best security practices related to cloud computing environments?
** CSA **
Cloud Security Alliance
Which of the following answers refers to a cybersecurity control framework for cloud computing?
** CCM **
The CSA Cloud Controls Matrix (CCM) is a cybersecurity control framework for cloud computing
A type of document stipulating rules of behavior to be followed by users of computers, networks, and associated resources is referred to as:
** AUP **
An acceptable use policy (AUP) is a document stipulating constraints and practices that a user must agree to for access to a corporate network, the internet or other resources
From the security standpoint, the job rotation policy enables detection of fraudulent activity within the company/organization.
True
One of the goals behind the mandatory vacations policy is to mitigate the occurrence of fraudulent activity within the company/organization.
True
Which of the answers listed below refers to a concept of having more than one person required to complete a given task?
Separation of duties
A sticky note with a password kept in plain sight in a user’s cubicle would be a violation of which of the following policies?
Clean desk policy
A legal contract between the holder of confidential information and another person to whom that information is disclosed prohibiting that other person from disclosing the confidential information to any other party is known as:
** NDA **
A non-disclosure agreement is a legal document which sets rules and principles for the confidentiality of the information to be exchanged.
An agreement between a service provider and users defining the nature, availability, quality, and scope of the service to be provided is known as:
** SLA **
A service-level agreement (SLA) is a contract between a service provider and its customers that documents what services the provider will furnish and defines the service standards the provider is obligated to meet.
Which of the following terms refers to an agreement that specifies performance requirements for a vendor?
** SLA **
A service-level agreement (SLA) is a contract between a service provider and its customers that documents what services the provider will furnish and defines the service standards the provider is obligated to meet.
Which of the following answers refer to a general document established between two or more parties to define their respective responsibilities and expectations in accomplishing a particular goal or mission? (Select 2 answers)
- MOU (Memorandum of Understanding)
- MOA (Memorandum of Agreement)
A type of agreement that specifies generic terms to simplify the negotiation of future contracts between the signing parties is called:
** MSA **
In business and legal contexts, MSA often stands for Master Services Agreement. It is a contract that establishes the overarching terms and conditions between a service provider and a client.
Which of the following answers refers to a key document governing the relationship between two business organizations?
** BPA **
Business partnership agreements (BPA) are legal agreements between partners.
Which of the terms listed below refer to a product/service that no longer receives continuing support? (Select 2 answers)
EOL (End of Life)
EOSL (End of Service Life)
The “Run as administrator” option in MS Windows allows users with lower-level permissions to perform tasks reserved for system administrators. Through User Account Control (UAC), this feature prompts for Administrator account credentials (or for consent, if the current user is already an administrator) and elevates privileges only for the given task. The Linux command that temporarily modifies security privileges to allow execution of a single command that requires root access permissions is sudo; which users may run which commands, and as whom, is governed by the sudoers policy (sudo runs commands as root by default, but can run them as any permitted user).
True
Which of the following terms relates closely to the concept of residual risk?
** Risk acceptance **
Risk acceptance is a risk management strategy in which an organization acknowledges the existence of a risk but chooses not to take any specific action to mitigate or transfer it. Instead, the organization is willing to accept the consequences if the risk materializes. This approach is typically chosen when the cost or effort of risk mitigation outweighs the potential impact of the risk, or when the organization has a high tolerance for the risk. Risk acceptance should be a conscious and well-documented decision in a risk management plan.
Disabling certain system functions or shutting down the system when risks are identified is an example of:
** Risk avoidance **
Risk avoidance is a risk management strategy in which an organization takes actions to eliminate or entirely avoid certain risks. This approach involves making decisions and implementing measures to prevent specific activities or situations that could lead to adverse consequences or harm.
Contracting out a specialized technical component when the company’s employees lack the necessary skills is an example of:
** Risk transference **
Risk transference is a risk management strategy in which an organization shifts the responsibility for managing a specific risk to another party. This is typically done through contractual agreements, insurance policies, or other arrangements. When an organization transfers risk, it essentially transfers some or all of the financial or operational consequences of a risk to another entity, such as an insurer or an outsourcing provider.
Cybersecurity insurance is an example of which risk management strategy?
** Risk transference **
Risk transference is a risk management strategy in which an organization shifts the responsibility for managing a specific risk to another party. This is typically done through contractual agreements, insurance policies, or other arrangements. When an organization transfers risk, it essentially transfers some or all of the financial or operational consequences of a risk to another entity, such as an insurer or an outsourcing provider.
Which of the following is an example of a risk mitigation strategy?
Implementation of security controls
Which of the following answers refers to a document containing detailed information on potential cybersecurity risks?
** Risk register **
A risk register is a document or tool used in risk management to systematically identify, assess, track, and manage risks within an organization or a specific project. It serves as a central repository for all relevant information about risks and their potential impact on an organization’s objectives.
Which of the following answers refer to an assessment tool used for prioritizing the severity of different risks? (Select 2 answers)
- Risk heat map
- Risk matrix
A risk heat map and a risk matrix are commonly used tools in risk management to visually represent and prioritize risks based on their severity or impact and likelihood or probability. These tools help organizations make informed decisions about which risks to address first and how to allocate resources for risk mitigation.
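As an added worked example (not part of the original flashcards), the following Python code builds a small risk register and scores each entry on a 5x5 risk matrix, then prioritizes the entries and lays them out as a heat map. The register entries, the five-step likelihood and impact scales, and the rating thresholds are all constructed for illustration; real organizations pick their own scales and bands.

```python
"""Added example: a risk register scored with a 5x5 risk matrix and heat map.

Everything here (entries, scales, rating bands) is constructed for illustration
and is not taken from any standard or from the original page.
"""
from dataclasses import dataclass, field
from typing import List

# Qualitative scales, 1 (lowest) to 5 (highest). Assumed 5-step scales.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost_certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


def rating(score: int) -> str:
    """Map a likelihood*impact product (1..25) to a rating band. Thresholds are assumed."""
    if score >= 15:
        return "critical"
    if score >= 9:
        return "high"
    if score >= 4:
        return "medium"
    return "low"


@dataclass
class Risk:
    """One risk register entry. Inherent values are before controls; residual after."""
    risk_id: str
    description: str
    likelihood: str            # inherent likelihood (key of LIKELIHOOD)
    impact: str                # inherent impact (key of IMPACT)
    owner: str
    treatment: str             # accept / avoid / transfer / mitigate
    controls: List[str] = field(default_factory=list)
    residual_likelihood: str = ""   # defaults to inherent if no control reduces it
    residual_impact: str = ""

    @property
    def score(self) -> int:
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    @property
    def residual_score(self) -> int:
        lik = LIKELIHOOD[self.residual_likelihood or self.likelihood]
        imp = IMPACT[self.residual_impact or self.impact]
        return lik * imp


def prioritize(register: List[Risk]) -> List[Risk]:
    """Highest inherent score first; ties broken by ID so the order is stable."""
    return sorted(register, key=lambda r: (-r.score, r.risk_id))


def heat_map(register: List[Risk]) -> List[List[List[str]]]:
    """grid[impact-1][likelihood-1] -> list of risk IDs in that cell."""
    grid = [[[] for _ in range(5)] for _ in range(5)]
    for r in register:
        grid[IMPACT[r.impact] - 1][LIKELIHOOD[r.likelihood] - 1].append(r.risk_id)
    return grid


def render_heat_map(register: List[Risk]) -> str:
    """Text rendering: highest impact on top, highest likelihood on the right."""
    grid = heat_map(register)
    rows = []
    for i in range(5, 0, -1):
        cells = [",".join(grid[i - 1][l - 1]) or "." for l in range(1, 6)]
        rows.append(f"I{i} | " + " | ".join(f"{c:<10}" for c in cells))
    rows.append("     " + "   ".join(f"L{l:<9}" for l in range(1, 6)))
    return "\n".join(rows)


# Constructed sample register (hypothetical entries, not real findings).
SAMPLE_REGISTER = [
    Risk("R-01", "Unpatched internet-facing VPN appliance", "likely", "major",
         "Network lead", "mitigate", ["patch SLA 7 days", "WAF"], "unlikely", "major"),
    Risk("R-02", "Laptop theft with unencrypted disk", "possible", "moderate",
         "IT ops", "mitigate", ["full-disk encryption"], "possible", "minor"),
    Risk("R-03", "Data-center power outage", "unlikely", "severe",
         "Facilities", "transfer", ["cyber/business insurance"]),
    Risk("R-04", "Phishing leading to credential compromise", "almost_certain", "moderate",
         "Security", "mitigate", ["phishing-resistant MFA"], "likely", "minor"),
    Risk("R-05", "Legacy printer firmware past EOL", "possible", "minor",
         "IT ops", "accept"),
]

if __name__ == "__main__":
    for r in prioritize(SAMPLE_REGISTER):
        print(f"{r.risk_id} {r.rating if hasattr(r, 'rating') else rating(r.score):>8} "
              f"inherent={r.score:>2} residual={r.residual_score:>2} {r.treatment:<9} {r.description}")
    print(render_heat_map(SAMPLE_REGISTER))
```

The point of the matrix is the ordering, not the exact numbers: R-01 and R-04 land in the top band and get attention first, while R-05 is a conscious acceptance with its residual score recorded so the decision is documented in the register rather than implied.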
Which of the following statements are not true with regards to Risk? (Select 2 answers)
- Inherent risk is the remaining risk after implementing controls
- Residual risk is the original level of risk that exists before implementing any controls
Both statements have the definitions swapped: inherent risk is the level of risk that exists before any controls are applied, and residual risk is what remains after controls have been implemented (the portion an organization ultimately accepts).