90 STUDY GUIDE Flashcards

1
Q

7111.01 IT Infrastructure

A
2
Q

7111.02 IT Architecture

A
3
Q

7111.03 Operating systems (OS)

A

7111.03 Operating systems (OS)

4
Q

7111.04 Servers

A
5
Q

7111.05 Network infrastructure

A

Network infrastructure

Purpose:
  • Connectivity: Establishes connections between various devices and servers for communication and data sharing.
  • Data transmission: Facilitates the smooth and swift data transmission between connected entities.
  • Security and control: Network infrastructure incorporates security measures to control access and protect data during transmission.
Examples:
  • Switches
  • Routers
  • Firewalls
  • Wireless access points (WAP)

6
Q

7111.06 End-user devices

A

End-user devices

Purpose:
  • Access to resources: End-user devices are the primary means for individuals to access organizational resources and applications.
  • Productivity: These devices enable users to perform various tasks, including document creation, communication, and data analysis.
  • Mobility: Allows users to access organizational resources remotely, promoting flexibility and mobility.
Examples:
  • Personal computers (PCs)
  • Laptops
  • Tablets
  • Smartphones

7
Q

7111.07 Additional components
Middleware
Storage systems
Virtualization platforms

A
8
Q

7111.08
Cloud Computing

A

Cloud computing is a popular term referring to a concept of computing where processing and storage are performed elsewhere over a network connection rather than locally. Cloud computing is often thought of as internet‐based computing or remote virtualization.

Some of the concepts in cloud computing are listed here:

Platform as a service (PaaS) is a cloud solution that provides all the aspects of a platform (the operating system and complete solution package). The cloud provider might provide virtual desktops so the organization can deploy their applications.

Software as a service (SaaS) provides on‐demand online access to specific software applications or suites without the need for local installation. SaaS can be implemented as a subscription service (for example, Microsoft Office 365).

Infrastructure as a service (IaaS): Users can access the underlying cloud infrastructure resources, such as virtual machines and other abstracted hardware and operating systems. Users can self‐provision their infrastructure from a console to build adaptable and customizable computer systems.

Cloud deployment models:

  • A private cloud is a cloud service isolated from the internet within a corporate network. The private cloud is for internal use only. A virtual private cloud is a service offered by a public cloud provider that provides an isolated subsection of a public or external cloud for exclusive use by an organization internally. In other words, an organization outsources its private cloud to an external provider.
  • A public cloud is a cloud service that is accessible to the public, typically over an internet connection. Public cloud services may require some form of subscription or pay-per-use or may be offered for free. Although an organization’s or individual’s data is usually kept separated and isolated from other customers’ data in a public cloud, the overall purpose and use of the cloud is the same for all customers.
  • A hybrid cloud is a mixture of private and public cloud components. For example, an organization could host a private cloud for exclusive internal use but distribute some resources onto a public cloud for the public, business partners, customers, the external sales force, and so on.
  • A community cloud is a cloud environment maintained, used, and paid for by a group of users or organizations for their shared benefit, such as collaboration and data exchange. This may allow for some cost savings compared to accessing private-public clouds independently.
9
Q

7111.08 Cloud Computing (screenshot)

A
10
Q

7111.09 Advantages of cloud computing

A

Advantages of cloud computing

  • Cost reduction: One of the biggest advantages of using cloud computing is the reduction in hardware as well as software maintenance costs, as the cloud service providers make these investments.
  • Backup and restore data: It is easy to back up and recover data stored on the cloud.
  • Anytime, anywhere accessibility: Information stored on the cloud can be accessed anytime, anywhere in the world, leading to improved productivity for the company.
  • Easy to deploy: Applications can be easily deployed globally in multiple geographic locations and the system can function quickly.
  • Pay as you go: Companies can pay for the services as per their usage.
  • Unlimited storage capacity: As the cloud offers unlimited storage capacity, businesses can easily scale resources up or down to increase or reduce the capacity as per the needs of the business.
  • Agility: The cloud offers a range of cutting-edge technologies, enabling businesses to experiment and test new ideas.
11
Q

7111.10 Disadvantages of cloud computing

A

Disadvantages of cloud computing

Although cloud computing services are on the rise, the risk exposure is also on the rise.

  • Lack of good internet connection: As cloud services depend on internet connectivity, a good internet connection is a must to use these services; the lack of one can hamper work.
  • Loss of control: The cloud infrastructure is owned and managed by cloud service providers; therefore, the user has no control over the execution of the services.
  • Vendor lock-in: One of the biggest security risks in cloud computing is the movement of services from one vendor to another. Not all vendors provide the same platform, which can make the movement of services difficult.
12
Q

7111.11
Cloud Governance

A

Cloud governance

Managing cloud services is a shared responsibility between an organization and the cloud service provider. Developing cloud‐specific standards may enable organizations to increase interoperability and optimize cloud adoption while managing their risk appetite and tolerances. Ensuring that IT is aligned with the business objectives, sensitive data is protected, and risk is managed is challenging in any environment and even more complex in a third‐party arrangement.

Organizational policies must be developed or modified to address the process of outsourcing, managing, and terminating the use of cloud services. Organizations should incorporate fundamental governance activities such as goal setting, policy, defining roles and responsibilities, and managing risk into their policies and practices when conducting business with technology providers.

Once data leaves an organization, the organization will have little control over it. Therefore, the organization should choose wisely where its sensitive or critical data goes, how information processing facilities are accessed, how data is processed, what happens to the data, and how data is shared with third parties.

13
Q

7111.11 Cloud governance (screenshot)

A
14
Q

7111.12

Cloud security controls

A

Cloud security controls:

  • ensure the availability of systems and data.
  • maintain the integrity and the confidentiality of sensitive data in transit and at rest.
  • include the cloud in security policies.
  • restrict personal use of cloud storage and services.
  • ensure data storage complies with applicable laws and regulations.
15
Q

Cloud Service Provider’s Services

7111.13

Infrastructure Management

~Hardware and Software Management
~Network Management

A

Infrastructure management

Hardware and software management

  • Provisioning: Setting up necessary hardware and software resources to support cloud-based services
  • Maintenance: Regularly updating hardware and software to maintain optimal performance and security

Network management

  • Traffic management: Monitoring and managing data traffic to prevent congestion and ensure smooth service delivery
  • Security: Installing and managing firewalls, intrusion prevention systems (IPS), and other network security measures
  • Connectivity: Ensuring uninterrupted network connectivity through redundant paths and failover mechanisms
16
Q

Cloud Service Provider’s Services

7111.13

Data Security

~Encryption
~Access Control

A

Data security

Encryption

  • Data at rest: Encrypting data stored in the cloud to prevent unauthorized access
  • Data in transit: Encrypting data during transmission between the cloud and client devices

Access control

  • Authentication: Implementing robust authentication mechanisms such as multifactor authentication (MFA)
  • Authorization: Setting up access controls to restrict user access to only necessary data and services
17
Q

Cloud Service Provider’s Services

7111.13

Data Backup and Recovery

~Backup strategies
~Disaster Recovery Planning

A

Data backup and recovery

Backup strategies

  • Scheduled backups: Conducting regular backups of data according to a predetermined schedule
  • Geo-redundancy: Storing backup data in geographically separate locations to prevent data loss due to regional disasters

Disaster recovery planning

  • Disaster recovery: Developing and implementing plans to restore services in case of catastrophic failures
18
Q

Cloud Service Provider’s Services

7111.13
Compliance and Legal Obligations

~Regulatory Compliance
~Legal Documentation

A

Compliance and legal obligations

Regulatory compliance

  • Data protection laws: Adhering to data protection regulations such as GDPR (General Data Protection Regulation) and HIPAA (Health Insurance Portability and Accountability Act of 1996)

Legal documentation

  • Service-level agreements (SLAs): Clearly defining service levels, responsibilities, and customer rights in legal documents
  • Privacy policies: Outlining how customer data is handled, used, and protected
19
Q

Cloud Service Provider’s Services

7111.13
Resource Scalability

~Resource Allocation
~Cost-effectiveness

A

Resource scalability

Resource allocation

  • Dynamic scaling: Offering the ability to quickly scale resources up or down based on demand
  • Resource monitoring: Providing tools for monitoring resource usage and performance

Cost-effectiveness

  • Pay-as-you-go pricing: Offering flexible pricing models where customers pay only for the resources they use
  • Cost optimization tools: Providing tools to help customers manage and optimize their cloud spending
20
Q

Cloud Service Provider’s Services

7111.13

Maintenance and support

~Support Services
~Knowledge Sharing

A

Maintenance and support

Support services

  • Customer support: Offering customer support through various channels, such as phone, email, or live chat
  • Technical support: Providing technical support to help customers resolve issues related to the use of cloud services

Knowledge sharing

  • Documentation: Developing comprehensive documentation to help users understand and use the services effectively
  • Training and workshops: Conducting training sessions and workshops to educate customers about best practices and new features
21
Q

Cloud Service Provider’s Services

7111.13

Service Availability and Reliability

~Uptime Guarantee
~Performance Monitoring

A

Service availability and reliability

Uptime guarantee

  • High availability: Implementing systems and infrastructure to ensure high service availability
  • Redundancy: Building redundancy into the system to prevent service interruptions due to failures

Performance monitoring

  • Service monitoring: Continuously monitoring service performance to identify and address issues promptly
  • Performance optimization: Implementing measures to enhance the performance and responsiveness of cloud services
22
Q

7111.13

A

Cloud service providers (CSPs) offer a range of computing services and solutions; their roles and responsibilities typically encompass the following aspects:

Cost management and billing

~ Transparent billing:

  • Detailed billing: Providing detailed billing statements to help customers understand their charges
  • Billing support: Offering support to assist customers with billing-related inquiries and disputes
23
Q

7111.14

COSO Internal Control Framework:

CONTROL ENVIRONMENT

A

The COSO Internal Control Framework (the Internal Control—Integrated Framework of the Committee of Sponsoring Organizations (COSO) of the Treadway Commission) can also be applied to cloud computing governance. The following shows how the different components of the COSO Internal Control Framework relate to cloud computing governance:

Control environment

  1. Ethical values and integrity: Ensures that the management and personnel involved in cloud computing adhere to ethical values and demonstrate integrity, especially when handling sensitive data in the cloud
  2. Board of directors’ oversight: The board oversees the strategy and policies related to cloud computing to ensure that they align with the organization’s objectives and risk appetite
  3. Organizational structure: Defines the roles and responsibilities concerning cloud computing governance, establishing clear lines of reporting and communication
  4. Human resource policies: Develops policies to ensure that personnel involved in cloud computing have the necessary skills and knowledge to manage risks effectively
24
Q

7111.14

COSO Internal Control Framework:

RISK ASSESSMENT

A

Risk assessment

  1. Risk identification: Identifies the potential risks associated with the use of cloud computing services, including data breaches, service interruptions, and compliance risks
  2. Risk analysis: Analyzes the identified risks to determine their potential impact on the organization and to develop appropriate mitigation strategies
  3. Risk response: Develops strategies to respond to the identified risks, including implementing controls to prevent, detect, or correct issues
25
Q

7111.14

COSO Internal Control Framework:

CONTROL ACTIVITIES

A

Control activities

  1. Policies and procedures: Develops policies and procedures to govern the use of cloud computing services, including data protection policies, access control procedures, and incident response plans
  2. Control activities implementation: Implements control activities such as encryption, multifactor authentication, and regular security assessments to manage risks associated with cloud computing
  3. Information and communication technology controls: Implements controls to ensure the reliability and security of the information and communication technology used in cloud computing
26
Q

7111.14

COSO Internal Control Framework

INFORMATION AND COMMUNICATION

A

Information and communication

  1. Communication with external parties: Establishes mechanisms for communicating with cloud service providers and other external parties to manage risks effectively
  2. Communication with internal parties: Facilitates internal communication to ensure that personnel are aware of the policies, procedures, and risks associated with cloud computing
27
Q

7111.14

COSO Internal Control Framework

MONITORING

A

Monitoring

  1. Ongoing monitoring: Implements ongoing monitoring processes to evaluate the effectiveness of cloud computing governance and identify any improvement areas
  2. Separate evaluations: Conducts separate evaluations, such as audits or assessments, to independently verify the effectiveness of cloud computing governance
  3. Reporting of deficiencies: Establishes processes for reporting deficiencies in cloud computing governance to the appropriate levels of management and for taking corrective action

By integrating these principles and components of the COSO Internal Control Framework into cloud computing governance, organizations can develop a comprehensive approach to manage the risks and optimize the benefits associated with cloud computing effectively.
28
Q

7111.15 Common enterprise back-end devices

A

Common enterprise back‐end devices

Various devices deliver application services in a distributed environment. Growing usage of the internet of things (IoT) has been an essential consideration in recent years. Organizations must understand how connected devices such as cars, thermostats, video cameras, and medical equipment impact their operations. IoT can lead to significant innovations, productivity gains, and new services. However, IoT also poses privacy concerns due to personally identifiable information (PII), user tracking capabilities, and risks of data leakage.

Which of the following is the most difficult to implement in a distributed environment?

Security

29
Q

7111.16 Hardware maintenance program

A
30
Q

7111.17 IT Asset Management
1 of 3

A

Assets are valuable objects that require protection from intrusion, theft, and exposure. Assets can be both tangible and intangible.

31
Q

7111.18 IT Asset Management
2 of 3

A

IT asset management encompasses all assets considered valuable to the organization, including physical assets, i.e., computer hardware and software assets such as off‐the‐shelf applications and software registration keys. Therefore, it is crucial to identify an asset to help management determine how to protect the asset from internal and external threats appropriately.

Decommissioned applications are not required to be part of the IT assets inventory as they are no longer active on the company’s IT network. Decommissioned applications may be tracked in a separate inventory listing.

The application inventory should include critical information including but not limited to the asset owner, asset custodian, asset’s value to the organization, impact of the asset loss and recovery prioritization, asset location, and security classification.

32
Q

7111.19 IT Asset Management

3 of 3

A

The first step of IT asset management is to identify and create a complete inventory of all IT assets, including software and hardware. The application inventory should include critical information including but not limited to the asset owner, asset custodian, asset’s value to the organization, impact of the asset loss and recovery prioritization, asset location, and security classification. Developing a complete IT asset inventory is a necessary precursor to developing and deploying an effective security strategy.

33
Q

Definition

7111.20
System Interfaces

A

A system interface is a group of interrelated elements, including hardware and software, that interact through one or more computers. System interfaces refer to moving data output from one application as data input to another, with minimal human interaction. Interfaces that involve humans are user interfaces.

System interfaces facilitate data transfer even if the software of the two systems is written using two different programming languages. System interfaces offer organizations the flexibility to acquire applications that best serve their objectives and ensure that systems can interact and share data.

34
Q

7111.21 System Interfaces

2 of 4
Data transfers through system interfaces

A

Data transfers through system interfaces can be categorized as the following:

System‐to‐system: Data is transferred between two systems, either internally within an organization or externally to other organizations. System‐to‐system interfaces are increasingly being used to transfer data to specialized tools for further analysis and insights through data mining.
Partner‐to‐partner: A partner‐to‐partner interface involves two organizations (partners) regularly exchanging data back and forth between their systems.
Person‐to‐person: Person‐to‐person transfers can be as simple as sending an email communication. Person‐to‐person transfers are typically more challenging to capture, secure, and control.

35
Q

7111.22 System Interfaces

3 of 4
Security risks associated with system interfaces

A

Security risks associated with system interfaces

Organizations adopt a centralized methodology to track and manage system interfaces and ensure complete documentation for relevant laws and regulations. However, a lack of centralized methodology may lead to unmanaged and unmonitored interfaces, exposing the organization to risks related to data security, integrity, and privacy. Organizations typically use a managed file transfer (MFT) software program to centralize the scheduling, monitoring, and tracking of all system interfaces.

Organizations must implement controls that help ensure integrity of the data exchanged through system interfaces. If an interface is not working correctly or as intended, incorrect management reports may be generated that will negatively impact business decisions. Sometimes, inaccurate reporting may lead to compliance and legal issues.

Maintaining the security of the data sent through system interfaces ensures that the data from the originating system is the same as the data in the recipient system (data integrity). Therefore, it is essential to protect the data during the transmission process. Data confidentiality is achieved by protecting and securing the data from interception, errors, and malicious activities. In addition, the unavailability of system interfaces could also impact the reliability of data.

36
Q

7111.23 System Interfaces

4 of 4
Auditor’s role in auditing system interfaces

A

Auditor’s role in auditing system interfaces

The auditor must determine whether the auditee has knowledge of all internal and external interfaces in its IT environment and whether there is a process to track and manage the system interfaces. The auditor should design procedures to review the managed file transfer (MFT) solution and determine whether it supports commonly used file transfer formats and is compatible with the organization’s existing technology platforms and applications. Additionally, the auditor should determine whether the MFT solution has built‐in mechanisms to protect the data in transit (e.g., through encryption), has a job scheduling and monitoring function, and complies with applicable laws and regulations.

The auditor should determine whether data transferred through system interfaces is validated for completeness and accuracy. The auditor should also determine whether data transmitted through system interfaces is protected through encryption and password protection techniques. Organizations should implement controls over nonrepudiation to ensure that only the targeted recipient is the data recipient.

An IS auditor should also determine whether system interface activity is captured using an audit trail that records information, including the sender and the recipient of the data, when data was transmitted and received, and the encryption protocols applied to the data.

37
Q

Extra references given

A
38
Q

7113.38

A

Reference: 7113.38
Disaster recovery plans should contain the following:

> Recovery priorities. The plan should identify and prioritize:
-hardware, software, applications, and data necessary to sustain the most critical applications.
-the sequence and timing of all recovery activities.

> Insurance to:
-replace equipment or data lost in the disaster
-compensate for business interruptions
Some organizations are self-insured and assume all risks while others take insurance coverage from insurance companies. Obtaining insurance coverage for computer‐related property or equipment is no different than for other types of property (building, machinery, or personal property). A complete inventory of property is not only important for insurance purposes but also equally useful for disaster recovery planning. The steps involved in this process include the following:
-Determine the cost to replace each inventoried item.
-Inquire where the item can be replaced.
-Know the items that are irreplaceable.
-Determine the consequences if the items are lost.
A major area for the auditor to review is the adequacy of insurance coverage on IS resources such as property, software, IT equipment, facilities, and data, and the protection against human errors and omissions, fraud, theft, and embezzlement. An effective insurance recovery program does not alter or eliminate the need for a comprehensive disaster recovery plan but rather complements such a plan. This is because both have different but valuable purposes, and they work best together.

System reliability controls include mean time to repair (MTTR) and mean time between failures (MTBF). Information availability controls include backup and recovery, physical and logical security, and alternate computer equipment and facilities. To successfully implement system reliability principles, a company must:
-develop and document a comprehensive set of control policies before designing and implementing specific control procedures. Otherwise, they will most likely end up purchasing a confusing mixture of products that do not protect every information system resource.
-effectively communicate policies to all employees, customers, suppliers, and other authorized users. All users should be sent regular, periodic reminders about security policies and be trained in how to comply with them.
-design and employ appropriate and cost-beneficial control procedures to implement the policies.
-monitor the system and take corrective action to maintain compliance with policies. System reliability is a moving target as IT advances create new threats, alter the risks associated with existing threats, and provide new ways to deal with threats.
To ensure system reliability, companies must implement a set of preventive controls and supplement them with methods for detecting incidents and procedures for taking corrective remedial action. A company must also employ multiple layers of controls so that if one control fails or is circumvented, another control will prevent, detect, or correct the reliability breakdown.

> Specific assignments. A plan coordinator should:
-be responsible for implementing the recovery plan.
-assign individuals and teams specific recovery responsibilities such as finding new physical facilities, operating the system, installing software, setting up data communications linkages, recovering data, and procuring forms and supplies.

> Backup computer and telecommunications facilities, which can be arranged by:
-establishing reciprocal agreements with companies with compatible facilities so each company can use the other’s computers if an emergency occurs
-signing a contract for a contingent site. A hot site is configured to meet user requirements. A cold site has everything needed (power, air conditioning, and support systems) to quickly install a computer. Cold site users rely on their computer vendors for prompt delivery of equipment and software if an emergency occurs.
-fail-soft distributing processing capacity in a multilocation organization so other facilities can take over if one location is damaged or destroyed
-investing in duplicate hardware, software, or data storage devices for critical applications

39
Q

7210.20

A

The HIPAA Privacy Rule is a federal regulation that establishes national standards to protect the privacy of individuals’ medical records and other personal health information (collectively defined as protected health information or PHI) and applies to health plans, healthcare clearinghouses, and healthcare providers that conduct certain healthcare transactions electronically (collectively defined as “covered entities”). The Privacy Rule is part of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and is enforced by the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR).

The Privacy Rule requires covered entities to implement appropriate administrative, technical, and physical safeguards to protect the privacy of PHI and sets limits and conditions on the uses and disclosures of such information without an individual’s authorization. The Privacy Rule also gives individuals rights over their PHI, including rights to access and amend, request an accounting of disclosures, request restrictions, request confidential communications, and file complaints.

Source: www.hhs.gov/hipaa/for-professionals/privacy/index.html

40
Q

7210.27

A

The General Data Protection Regulation (GDPR) is a comprehensive data protection law that applies to organizations based in the European Union (EU) and the European Economic Area (EEA), as well as to organizations outside the EU/EEA that offer goods or services to or monitor the behavior of individuals in the EU/EEA. The GDPR was adopted by the European Parliament and the Council of the EU in 2016 and became enforceable in 2018, replacing the previous Data Protection Directive 95/46/EC. The GDPR is widely recognized as one of the world’s most challenging privacy and security laws. The passing of this comprehensive regulation was Europe’s signal to the world of its firm stance on data privacy at a time when more people are entrusting their data to cloud services and breaches are a daily occurrence.

The GDPR is an important component of EU privacy law and human rights law; Article 8(1) of the Charter of Fundamental Rights of the European Union states that “everyone has the right to the protection of personal data concerning him or her.” The GDPR aims to enhance individuals’ control and rights over their personal data and simplify the regulatory environment for international business. The GDPR harmonizes data protection laws across the EU/EEA and seeks to ensure a consistent and high level of protection for individuals’ personal data.

Source: www.gdpreu.org

41
Q

7221.35

A

Cloud security controls:

  • ensure the availability of systems and data.
  • maintain the integrity and confidentiality of sensitive data in transit and at rest.
  • include the cloud in security policies.
  • restrict personal use of cloud storage and services.
  • ensure data storage complies with applicable laws and regulations.
42
Q

7221.55

A

Third-party management (TPM) programs should ensure third parties comply with the following:

  • Regulatory requirements
  • Protection of confidential information
  • Strengthening supply chain security
  • Maintaining high-quality performance levels
  • Ethical business practices

Third parties can cause significant risks to information security if access is not regulated. Third parties will require varying levels of oversight depending on the type of products, services, or capabilities they provide and their importance to the organization. In addition, the TPM program must address risk beyond third parties (the fourth, fifth parties, etc.) as this risk can infiltrate an organization and breach the control environment through the third-party relationship.

43
Q

7221.56

A

Emerging and top TPM risks

Globalization: Organizations that rely on global third-party networks are exposed to various jurisdictional and regulatory rules and requirements. These are some of the risks that should be considered when developing a third-party management (TPM) program.
Cloud and virtualization: The advent of the cloud, virtual data centers, and hosted applications means that companies’ critical business information is entrusted to third parties for processing and safekeeping. Data breaches and security incidents are risks that come with the third-party ecosystem.
Social media: While social media provides transparency and collaboration in some cases, it also brings along potential security and privacy concerns for businesses.
Mobility: Mobile devices pose multiple security risks to confidential information. A TPM program should ensure controls are enforced for security and privacy compliance.

44
Q

7222.66

A

-

45
Q

7222.70

A

Virtualization is used to host one or more operating systems within the memory of a single host computer. Thus, virtualization allows virtually any operating system (OS) to operate on any hardware and allows multiple operating systems to work simultaneously on the same hardware (e.g., VMware Workstation Pro). Virtualization has several benefits, such as deploying individual instances of servers or services as needed, real-time scalability, and running the exact OS version needed for a specific application.

The concept of OS virtualization has extended to other virtualization concepts, such as virtualized networks. A virtualized network combines hardware and software networking components into a single integrated entity. A virtualization hypervisor is computer software, firmware, or hardware that creates and runs a virtual machine environment—customarily called the “host.” The hypervisor is the component of virtualization that creates, manages, and operates virtual machines.

46
Q

7222.88

A

A virtualized environment can be deployed using one of the following methods:

  • Bare metal: The hypervisor runs directly on the underlying hardware, without a host operating system (OS).
  • Hosted virtualization: The hypervisor runs on top of the host OS (e.g., Windows, Linux). The hosted virtualization usually has an additional layer of software (the virtualization application) running in the guest OS that provides utilities to control the virtualization.
  • Containerization: Containers include the application and all its dependencies but share the kernel with other containers.
47
Q

Key risk areas of virtualized systems

7222.89

A

Key risk areas of virtualized systems

The following are high‐level risks for most of the virtualized systems in use:

Complex infrastructure: The complex configuration alone can be a big problem as it is more difficult to spot anomalies and unusual events happening in virtual machines and networks.
Dynamic design: Virtualized environments are dynamic by nature and constantly changing. Unlike adding physical equipment, virtual machines can go almost completely unnoticed as they are created in a matter of minutes and are not visible in the workspace.
Quick‐moving workloads: As the virtualized infrastructure grows, there will come a time when data needs to move from one machine to another. Unfortunately, when juggling multiple workloads over multiple virtual machines, mission‐critical data may accidentally move to a machine with minimal protection.
Misconfiguration of the hypervisor splitting resources (central processing unit (CPU), memory, disk space, and storage) can result in unauthorized access to resources, and one guest operating system (OS) may inject malware into another.
Rootkits on the host may install themselves as a hypervisor below the operating system (OS), which would enable the interception of any operations of the guest OS (i.e., logging password entry) as the malware runs below the OS. Antivirus software may not detect this.
Guest tools enable a guest OS to access files, directories, and other resources on the host OS. This functionality can inadvertently provide an attack vector for malware or allow an attacker to access resources.
Snapshots are backups of virtual machines and provide a quick mechanism to recover from errors or incomplete updates; they contain sensitive data such as passwords and personal data. Snapshots contain the random‐access memory (RAM) contents when the snapshot was taken, and they may include sensitive information that was not stored on the drive.
Hosted virtualization products rarely have hypervisor access controls; therefore, if someone can launch an application on the host OS, they can run the hypervisor. The only access control is whether someone can log in to the host OS.