B1: Systems Security and IT General Controls Flashcards
Effectiveness of ITGC is measured by the number of these:
- Incidents that damage the enterprise’s public reputation.
- Systems that do not meet security criteria.
- Violations in segregation of duties.
Security RM Process List
Typical security risk management steps include identification, probability determination, quantification of potential loss, and selection (evaluating the feasibility of alternative RM techniques and selecting the best technique(s)). The security RM process should be appropriate for the org and its security objectives.
IS Steps to perform assessment of security risks
1) analyze reported incidents; 2) review exposure stats; 3) map key processes; 4) periodic inspection; 5) periodic process and prod audits; 6) assess mgt system effectiveness; 7) scenario analysis
What are the roles and responsibilities of IA and management for threats, incidents, vulnerabilities exploited, and corrective measures?
IA: assesses the effectiveness of preventative, detective and mitigation measures against past attacks, future attempts/incidents likely to occur;
Management: monitoring information security (and other areas); however, IA monitors the EFFECTIVENESS OF MANAGEMENT IN THIS AREA, incl. assessing the org’s information reliability and integrity practices, making recommendations, etc.
Hardware Control - What is redundant data check
Each transmitted data element receives an additional bit (character) of data mathematically related to the data. Abnormal changes will void the mathematical relationship.
Hardware Control - What is equipment check?
These are circuitry controls that detect hardware errors.
Hardware Control - What is duplicate process check
A process is done twice and the results are compared.
Hardware Control - What is echo check?
Received data is returned to the sender for comparison.
Hardware Control - What is Fault-tolerant components?
F-T components have redundancies in hardware or software to allow continued operations if a system fails.
System and Data Backup and Recovery Controls - grandfather-father-son concept
The son is the most recent backup, followed by the father and grandfather backups. As a new backup is made, it becomes the new son, the old son becomes the father, and so on.
System and Data Backup and Recovery Controls - Sequential access means
Data must be accessed in the order it was recorded, such as for tape storage. Tape storage is now less common as cloud backups are more widely used.
System and Data Backup and Recovery Controls - Direct random access means
The system can go to any location for faster retrieval, such as for magnetic and optical disks.
Physical controls for an off-site storage facility
- Revealing the location of the facility to as few people as possible.
- Ensuring that the outside of the facility does not reveal its purpose or use.
- Securing all access points and eliminating windows.
- Providing appropriate controls on environmental conditions (e.g., raised platforms, waterproofing, fire alarms, and climate monitoring and control).
- Keeping inventory of the contents.
Cloud-based backup methods satisfy the physical distance and secret location criteria, because
the cloud is a network of distributed databases and servers in which data is placed wherever there is available capacity rather than in designated storage areas. In this method, backups are electronically transmitted to the cloud, which could be internally owned or a third-party system. Internally owned clouds need to ensure that the physical distance criterion is satisfied for backups.
what is electronic vaulting?
Electronically transmitting changes to data to an off-site facility and then creating backup long-term storage, eliminating physical transportation; electronic vaulting can provide a shorter recovery point for businesses that see a delay in recovery point (24 - 48 hrs) as an unacceptable risk.
Back up data controls - labelling to prevent restoration delays or inadvertent restoration to the wrong point.
Labels should be internal (digital) and external (physical) and use a logical file-naming convention to prevent files from being deleted accidentally.
- The methodology should cover rotating the files from the data center to an off-site location.
To safeguard against storage media failure, how should critical data be stored?
It should be stored on two separate types of media.
Auditors need to develop an awareness of these and other ethical implications when assessing and providing assurance or consulting in relation to the IT security and control environment.
- Emails are considered legal evidence.
- Other issues include safeguarding data for privacy.
Data security categories: what is low security data?
Low impact on reputation/productivity/assets: data on public servers such as web pages.
Data security categories: what is medium security data?
Serious impact on mission; market losses; major damage to assets or resources: ERP data, regulatory compliance data, personal data.
Data security categories: what is high security data?
Could cause catastrophic losses to reputation, productivity or market share: e.g., contingency plan data, R&D data, court trial data.
Security levels must be customized to the particular organization and its risks.
Low security would still have firewalls, hardware locked in a data center, and off-site or cloud backup storage. Moderate security would include all of the low security items plus items such as electronic vaulting or a redundant data center. High security would also include biometric devices, perhaps a physical security checkpoint, and other considerations.
what does computer forensics (e-discovery) attempt to discover?
How, why, who. How the fraud was committed, understanding the motives, and the required level of access or computer proficiency will lead to a list of suspects.
What is a mirror image backup?
Aka bit-stream backup or complete copy of a hard drive; used for forensic auditing but not a way of backing up data for recovery.