4-1. Protection of Information Flashcards

1
Q

What is the source of IT security principles? How is it used?

A

AICPA Assurance Services Executive Committee (ASEC) principles.
Used to evaluate system controls and confidentiality and privacy of information processed by system.

2
Q

IT security principles: what are 5 trust service principles?

A

Security, availability, processing integrity, confidentiality, privacy.

3
Q

IT security principles: what is the foundation of systems reliability? Whose issue is this?

A

Security.

A top management issue.

4
Q

IT security principles: What do security procedures do?

A
  • Restrict access to only authorized users
  • Protect the confidentiality and privacy of sensitive information
  • Provide integrity of information
  • Protect against attacks
5
Q

IT security principles: what is availability concerned about?

A

Is system operational and usable as specified in commitments and agreements?
Does internal control support (or impede) system availability?

6
Q

IT security principles: what are 5 elements Processing integrity is concerned with?

A

Completeness, validity, accuracy, timeliness, authorization of system processing.

7
Q

IT security principles: Processing integrity: what question is it concerned with?

A

Does system of internal control help ensure that system processes execute as intended without error or manipulation?

8
Q

IT security principles: confidentiality: what question is it concerned with?

A

Is confidential information protected consistent with the organization’s commitments and agreements?

9
Q

IT security principles: privacy: what question is it concerned with?

A

Does the system’s collection, use, retention, disclosure, and disposal of personal information conform to its own commitments and with generally accepted privacy principles (GAPP)?

10
Q

IT security principles: what is GAPP?

A

Generally accepted privacy principles.

11
Q

IT security principles: what are the 10 sub-principles of GAPP?

A
  1. Management: the entity defines, documents, communicates, and assigns accountability for its privacy policies and procedures.
  2. Notice: the entity tells people about its privacy policies and procedures and explains why personal information is collected, used, retained, and disclosed.
  3. Choice and consent: Users (in US) can opt out of collection of personal information.
  4. Collection: collects personal info only for identified purposes.
  5. Use and retention: uses personal info consistent with statements about use. Retains only as long as needed or allowed by law or regulation.
  6. Access: people can access, review and update their info.
  7. Disclosure to third parties: third parties receive info according to policy and individual consent.
  8. Security for privacy: protect personal info against unauthorized access.
  9. Quality: personal info is accurate, complete, and relevant.
  10. Monitoring and enforcement: someone monitors the entity’s compliance with privacy policies and procedures and has procedures to address privacy-related complaints and disputes.
12
Q

IT security principles: what are criteria for assessing achievement of IT security principles?

A
  1. Organization and management: organizational structures and processes for managing and supporting people, including criteria addressing accountability, integrity, ethical values and qualifications of personnel and the operational conditions in which they function.
  2. Communications: communication of policies, processes, procedures, commitments, and requirements.
  3. Risk management and design and implementation of controls: how the entity (i) identifies potential risks, (ii) analyzes risks, (iii) develops risk responses, and (iv) conducts ongoing monitoring of risks and risk management.
  4. Monitoring of controls: including the suitability, and design and operating effectiveness of the controls and actions to address identified deficiencies.
  5. Logical and physical access controls: how the entity restricts access, provides and removes access, and prevents unauthorized access.
  6. System operations: management of execution of system procedures including detecting and mitigating processing deviations.
  7. Change management: identification of needed changes, management of changes, and prevention of unauthorized changes.
13
Q

IT security principles: why is time-based model of controls important?

A

Because preventative controls can be compromised given enough time and resources. Therefore, detection and correction must be timely.

14
Q

IT security principles: what does time-based model of controls do?

A

Evaluate the effectiveness of an organization’s security by measuring and comparing the 3 categories of controls.

15
Q

IT security principles: how does time-based model of controls work?

A
  1. P = time it takes an intruder to break through the organization’s preventative controls
  2. D = time it takes to detect that an attack is in progress
  3. C = time to respond to the attack
    If P > (D+C), then security procedures are effective.
16
Q

IT security principles: what are examples of multiple layers of controls/holistic approach?

A

Combination of firewalls, passwords, and other preventative procedures to restrict access.

17
Q

IT security principles: what are examples of IT preventative controls used for defense-in-depth?

A
  • Authentication controls to identify the person or device attempting access (log analysis - manual; intrusion detection systems - automated monitoring)
  • Authorization controls to restrict access to authorized users. These controls are implemented with an access control matrix and compatibility tests
  • Training to teach employees why security measures are important and teach them to use safe computing practices.
  • Managerial reports
  • Security testing
18
Q

IT security principles: define defense-in-depth.

A

The strategy of implementing multiple layers of controls to avoid having a single point of failure at a greater cost.

19
Q

IT security principles: what are examples of corrective controls?

A
  • A computer emergency response team
  • A chief security officer
  • Patch management: involves fixing known vulnerabilities and installing the latest updates to antivirus software, firewalls, operating systems, and application programs
20
Q

Cyber-risk assessment: which COSO is applicable? Application?

A

Principle 6: “Organization specifies objectives with sufficient clarity to enable identification and assessment of risks relating to objectives”
*Assessing cyber risks begins with understanding the value of information systems to an organization - requires collaboration and coordination between business unit and IT stakeholders.

21
Q

Cyber-risk: risk identification and fraud: which COSO? Application?

A

Principle 7: “Organization identifies, analyzes and manages risks.”
Principle 8: “Organization considers fraud risks.”
*Assess likelihood and severity of cyber risk impact - require collaboration.
*Consider industry-specific attacks.

22
Q

Cyber-risk assessment: what is COSO #9? Application?

A

“Organization identifies and assesses changes that could impact internal control.”

*Risks: rapidly changing technologies and cyber criminals’ quick adaptation to changes yield new methods of exploiting vulnerabilities.

23
Q

Cyber-risk: Control activities: Which COSO? Application?

A
#10: "Organization selects and develops control activities that contribute to mitigate risks"
#11: "Organization selects and develops general control activities over technology to support the achievement of objectives"
#12: "Organization deploys control activities through policies that establish expectations and procedures that implement policies"
*Control activities should relate to the organization’s objectives and cyber risk profile (e.g. defense-in-depth approach. Manage cyber risks through careful design and implementation of controls)
*Cyber breaches are inevitable - layered control structures should prevent intruders from roaming freely through systems after a breach.
24
Q

Cyber-risk: Control activities: what are 3 important elements?

A
  1. Preventative, detective, corrective controls
  2. Timely detection of breaches and corrective actions
  3. After corrections, determine root causes of failure
25
Q

Cyber-risk: communication: use of info: COSO? Applications?

A

13: “Organization obtains, generates and uses relevant, quality information to support internal control”

  • Information needs follow from cyber risk assessment and control design processes
  • Formally document information requirements to support processes and controls
  • Availability of “big data” (e.g. terabytes of log data related to information systems) can create information overload problems
  • Transform control system data into actionable, high-quality information to support cyber-related controls
26
Q

Cyber-risk: internal communication: COSO? Applications?

A
#14: "Organization internally communicates information, including objectives and responsibilities for internal control, necessary to support internal control functioning"
*Communication should include all personnel and the Board of Directors
27
Q

Cyber-risk: communication: what are 3 categories of personnel involved? What must be done for each?

A
  • All personnel: people are often weakest link in I/C (criminals “socially engineer” attacks to exploit human trust and curiosity)- organization-wide communication should raise awareness and vigilance regarding cyber risks
  • Personnel responsible for managing and monitoring: share info to enable them to execute their cyber control responsibilities - Responsible personnel must formally document cyber controls
  • Board of Directors: Must understand critical, relevant cyber trends - complex IT topics must be communicated respectfully and meaningfully.
28
Q

Cyber-risk: external communication: COSO? Applications?

A

15: “Organization communicates with external parties regarding internal control”

  • External parties are useful sources of info about cyber risk assessment and controls (e.g. regulators, industry experts)
  • Assistance from cyber risk specialists may be needed to prioritize deployment of resources against cyber risks
  • Inform some (not all!) external parties about cyber events and cyber control activities (e.g. external auditors)
  • Communication about proactive organizational cyber security measures may be relevant
29
Q

Define cyber crime.

A

Illegal activity that uses a computer as its means of commission, or in which a computer is the target of the crime.

30
Q

Define cyber risk.

A

The likelihood of a financial loss, a disruption or damage to an organization from failure of, or an attack on, its IT systems.

31
Q

Cyber security: what are goals of the resulting cyber risk framework?

A
  • Creating a common, shared language for understanding cyber risks
  • Cost-effective means for managing organizational cybersecurity risks
  • Describe current cybersecurity and existing risks
  • Describe target or goal cybersecurity and desired types and levels of risk
  • Identify and prioritize improvements to cybersecurity
  • Assess progress toward cybersecurity goals
  • Communicate with stakeholders about cybersecurity and cyber risk
32
Q

Cyber security: Framework principles?

A
  • Framework complements, but does not replace, existing risk management and cybersecurity approaches
  • Both public and private organizations have responsibilities related to ensuring the US critical infrastructure
33
Q

Cyber security: what is US critical infrastructure?

A

Defined as “the systems and assets,…physical or virtual, so vital to the United States that their incapacity or destruction would…debilitate security, national economic security, national public health or safety, or any combination of these.”

34
Q

Cyber security: what are the 3 components of the framework structure?

A
  1. The core: include cybersecurity activities, outcomes, and references
  2. The implementation Tiers: provide a mechanism for viewing and understanding the approaches to managing cybersecurity risk
  3. The profiles: help align organizational cybersecurity activities with business requirements, risk tolerances, and resources
35
Q

Cyber security: Framework core matrix: what are 4 elements?

A

Functions, categories, subcategories, references.

36
Q

Cyber security: Framework core matrix: what are 5 functions?

A

Identify, protect, detect, respond, recover.

37
Q

Cyber security: Framework core element: describe each of the 4 elements.

A
  1. Functions: organize basic, high-level cybersecurity activities
  2. Categories: high-level cybersecurity outcomes that link to organizational needs and activities
  3. Subcategories: divide categories into specific outcomes of technical and/or management activities
  4. (Informative) references: specific standards, guidelines, and practices that provide benchmarks and methods for achieving the control goals found in the subcategories
38
Q

Cyber security: Framework core matrix: when can 5 core functions be performed?

A

Periodically or continuously to address evolving cybersecurity risks.

39
Q

Cyber security: Framework core matrix: describe 5 functions.

A
  1. Identify: develop a foundational understanding to manage organizational cybersecurity risk by identifying and assessing organizational systems, assets, data, and capabilities
  2. Protect: develop and implement controls to ensure delivery of critical infrastructure services
  3. Detect: develop and implement controls to identify cybersecurity incidents
  4. Respond: develop and implement controls to respond to detected cybersecurity events
  5. Recover: develop and implement controls for building resilience and restoring capabilities or services impaired due to a cybersecurity event
40
Q

Cyber security: Framework: what are implementation tiers?

A

They identify the degree of control that an organization desires to apply to cybersecurity risk.

41
Q

Cyber security: Framework: Implementation Tiers: how many?

A

4 tiers.

42
Q

Cyber security: Framework: Implementation Tiers: describe Tier 1.

A

Partial - appropriate for low risk situations

  • Risk management: organizational cybersecurity risk management practices are informal. Risk is managed in an ad hoc and reactive manner (reactive, limited awareness, no organization-wide approach)
  • External participation: organization has weak or nonexistent processes to coordinate and collaborate with other entities
43
Q

Cyber security: Framework: Implementation Tiers: describe Tier 2.

A

Risk informed.

  • Risk management: management approves risk management practices but not as organizational-wide policy
  • Integrated risk management program: some awareness of organizational cybersecurity risk. No organizational-wide approach to cybersecurity risk
  • External participation: the organization assesses and understands its cybersecurity roles and risk. No formalized process to share information externally
44
Q

Cyber security: Framework: Implementation Tiers: describe Tier 3.

A

Repeatable.

  • Risk management process: organization’s risk management practices are formally approved as policy
  • Integrated risk management program: organization-wide management of cybersecurity risk. Management has risk-informed policies, processes, and procedures which are defined, implemented, and regularly reviewed
  • External participation: organization understands its dependencies and partners. Communicates with partners to enable collaboration and risk-based management incident responses
45
Q

Cyber security: Framework: Implementation Tiers: describe Tier 4.

A

Adaptive.

  • Risk management process: organization adapts its cybersecurity practices based on experience and predictive indicators derived from cybersecurity activities, and engages in processes of continuous improvement
  • Integrated risk management program: an organization-wide approach to managing cybersecurity risk uses risk-informed policies, processes, and procedures to address cybersecurity events. Cybersecurity risk management is integral to organizational culture
  • External participation: the organization manages risk and actively shares information with partners to ensure the sharing of accurate, current information to improve collective cybersecurity before a cybersecurity event occurs
46
Q

Cyber security: Framework: what does profile do?

A
  • Aligns and integrates the functions, categories, and subcategories with the organization’s requirements, risk tolerance, and resources
  • Enables organization to create a plan to align cybersecurity risk with organizational goals
  • Considers legal and regulatory requirements, industry best practices, and risk appetite
47
Q

Cyber security: Framework: profiles: describe its development re: current and desired state.

A

It can be developed for both the current and desired state of cybersecurity - comparing the two may reveal gaps to address in meeting cybersecurity risk management objectives.

48
Q

Cyber security: Framework: what are applications?

A
  • Review and assess cybersecurity practices
  • Establish or improve a cybersecurity program

49
Q

Cyber security: Framework: applications: what are 3 applications for “establish or improve a cybersecurity program”?

A
  • Prioritize risks and determine scope: after identifying mission, make strategic decisions re: scope and purpose of cybersecurity systems and assets needed to support these objectives
  • Link objectives to environment: identify systems and assets, regulatory requirements, and overall risk approach to support cybersecurity program
  • Create current profile: develop a current profile by indicating which category and subcategory outcomes from the framework core are achieved currently
  • Conduct risk assessment: guided by overall risk management process or previous risk assessment, analyze the operational environment to determine likelihood of a cybersecurity event and its potential impact
  • Create a target profile: assess framework categories and subcategories to determine desired cybersecurity outcomes
  • Determine, analyze, and prioritize gaps: compare current and target profile to determine gaps. Create a prioritized action plan to address gaps
  • Implement action plan: determine and implement actions to address gaps
50
Q

Cyber security: Framework: what is important when communicating cybersecurity requirements to stakeholders?

A

Use Framework’s common language to communicate with stakeholders for the delivery of essential critical infrastructure services.

51
Q

Cyber security: Framework: how can framework be used to identify opportunities to adapt or apply new or revised references?

A

Use the Framework to identify opportunities for new or revised standards, guidelines, or practices where an additional reference would help address emerging risks.

52
Q

Cyber security: Framework: when do privacy and civil liberties implications arise?

A

When personal information is used, collected, processed, maintained, or disclosed in connection with an organization’s cybersecurity activities.

53
Q

Cyber security: Framework: privacy and civil liberties: what are examples of relevant activities?

A
  • Cybersecurity activities that result in the over-collection or over-retention of personal information
  • Disclosure or use of personal information unrelated to cybersecurity activities
  • Cybersecurity activities that result in denial of service or other similar potentially adverse impacts
54
Q

Cyber security: Framework: what can be used to address privacy and civil liberty risks?

A

Governance of cybersecurity risk

  • The organization’s assessment of cybersecurity risk and responses should consider privacy implications
  • Individuals with cybersecurity-related privacy responsibilities report to appropriate management and receive appropriate training
  • Organizational processes support compliance of cybersecurity activities with applicable privacy laws, regulations, and constitutional requirements
  • Monitor (continuously and periodically) privacy implications of cybersecurity measures and controls
55
Q

Cyber security: Framework: what are methods to address privacy and civil liberty risks?

A
  • Identify and authorize individuals to access organizational assets and systems: Identify and address privacy implications of data access that include collecting, disclosing, or using personal information
  • Implement awareness and training measures: training includes organizational privacy policies and regulations. Organization informs service providers of organization’s privacy policies and monitors for compliance with these policies
  • Anomalous activity detection and system and assets monitoring: conduct privacy reviews of anomalous activity detection and cybersecurity monitoring
  • Response activities, including information sharing or other mitigation efforts: assess and address whether, when, how, and the extent to which personal information is shared outside the organization as part of cybersecurity assessment and monitoring. Conduct privacy reviews of cybersecurity initiatives