B1: Systems Security and IT General Controls

Question 1

Effectiveness of ITGC is measured by the number of these:

Answer 1

• Incidents that damage the enterprise’s public reputation.
• Systems that do not meet security criteria.
• Violations in segregation of duties.

Question 2

Security RM Process List

Answer 2

Typical security risk management steps include identification, probability determination, quantification of potential loss, and selection (evaluates feasibility of alternative RM techniques; results in the selection of the best technique(s). Security RM process should be appropriate for the org and its security objectives.

Question 3

IS Steps to perform assessment of security risks

Answer 3

1) analyze reported incidents; 2) review exposure stats 3) map key processes 4) periodic inspection 5) periodic process and prod audits 6) assess mgt system effectiveness 7) scenario analysis

Question 4

What are the roles and resp of IA and management for threats, incidents, vulnerabilities exploited, corrective measures?

Answer 4

IA: assesses the effectiveness of preventative, detective and mitigation measures against past attacks, future attempts/incidents likely to occur;
Management: monitoring information security (and other areas), however, IA monitors the EFFECTIVENESS OF MANAGEMENT IN THIS AREA incl. assessing the org’s information reliability and integrity practices; makes reocmmendations, etc.

Question 5

Hardware Control - What is redundant data check

Answer 5

Each transmitted data element receives an additional bit (character)of data mathematically related to the data. Abnormal changes wil lvoid the mathematical relationship.

Question 6

Hardware Control - What is equipment check?

Answer 6

These are circuitry controls that detect hardware errors

Question 7

Hardware Control - What is duplicate process check

Answer 7

A process is done twice and results are compared

Question 8

Hardware Control - What is echo check?

Answer 8

Received data is returend to the sender for comparison

Question 9

Hardware Control - What is Fault-tolerant components?

Answer 9

F-T components have redundancies in hardware or software to allow continued operations if a system fails.

Question 10

System and Data Backup and Recovery Controls - grandfather-father-son concept

Answer 10

son is the most recent backup followed by the father and grandfatherbackups. As a new backup is made, it becomes the new son, the oldson becomes the father, and so on

Question 11

System and Data Backup and Recovery Controls - Sequential access means

Answer 11

data mustbe accessed in the order it was recorded, such as for tape storage. Tape storage is more rare as cloud backups are more common.

Question 12

System and Data Backup and Recovery Controls - Director random access means

Answer 12

system can go to any location forfaster retrieval, such as for magnetic and optical disks

Question 13

Physical controls for an off-site storage facility

Answer 13

• Revealing the locationof the facility to as few people as possible.
• Ensuringthat the outside of the facility does not reveal its purpose oruse.
• Securingall access points and eliminating windows.
• Providingappropriate controls on environmental conditions (e.g., raised platforms, waterproofing,fire alarms, and climate monitoring and control).
• Keepinginventory of the contents.

Question 14

cloud-based backup methods satisfies the physical distance and secret location criteria, because

Answer 14

the cloud is a network ofdistributed databases and servers in which data is placed whereverthere is available capacity rather than having designated storageareas. In this method, backups are electronically transmitted tothe cloud, which could be internally owned or a third-party system.Internally owned clouds need to ensure that the physical distancecriterion is satisfied for backups

Question 15

what is electronic vaulting?

Answer 15

electronically transmitting changes to data to an off-sitefacility and then creating backup long-term storage, eliminatingphysical transportation; electronically vaulting can provide shorter reocvery oint for businesses that see a delay in receovery point (24 - 48 hrs) as an unacceptable risk.

Question 16

Back up data controls - labelling to prevent restoration delays or inadvertent restoration to the wrong point.

Answer 16

labels should be internal (digital) and external (physical) and use a logical file-naming convention to prevent files from being deleted accidentally
- methodology should cover rotatingthe files from the data center to an off-site location

Question 17

To safeguard against storage media failure, how should critical data be stored?

Answer 17

should be stored on two separate types of media.

Question 18

auditors need to develop an awareness of these and other ethical implications when assessing and providing assurance or consulting in relation to the IT security and control environment.

Answer 18

• emails are considered legal evidence

- Other issues include safeguarding data for privacy

Question 19

Data security categories: what is low security data?

Answer 19

Low impact on reputation/productivity/assets: Data on public servers such as web pages

Question 20

Data security categories: what is medium security data?

Answer 20

Serious impact on missing; market losses; major damage to assets or resources: ERP data, regulatroty compliance data; personal data

Question 21

Data security categories: what is high security data?

Answer 21

could cuase catastrophic losses to reputation, productivitiy or market share: e.g. contingency plan data, r&d data, court trial data

Question 22

Security levels must be customized tothe particular organization and its risks

Answer 22

Low security would stillhave firewalls, hardware locked in a data center, and off-site orcloud backup storage. Moderate security would include all of thelow security items plus items such as electronic vaulting or a redundantdata center. High security would also include biometric devices,perhaps a physical security checkpoint, and other considerations

Question 23

what does computer forensics (e-discovery) attempt to discover?

Answer 23

how, why, who. How fraud committed, understand motives, required level of access or cmputer proficiency will lead to list of suspects.

Question 24

What is a mirror image backup?

Answer 24

aka bit stream backup or cc of hard drive; used for forensic auditing but not a way of backing up data for recovery.

Question 25

IT risk control sefl-assessment (CSA)

Answer 25

Controlself-assessment (CSA) presumes that the scope of control for anorganization is so broad and continually changing that it takesthe efforts of the entire organization to make a timely and adequateassessment. CSA generally takes place in group settings, not inan individual survey form. However, once CSA teams have met andcompiled a list of issues, they can use an intranet survey or electronicvoting technology to vote on the issues that they think need tobe addressed. The conclusions of the CSA should be reported to participantsas soon as possible, with IT potentially being able to help speeddistribution.

Question 26

What is application authentication?

Answer 26

user authentication and authorization controls

Question 27

what is least privilege access?

Answer 27

users and/or departments are
assigned roles or profiles granting them access only to areas where
there is a genuine business need. Access rights are based on a role
name set in a hierarchy, which should be audited to see if roles are
too broad and some users get unnecessary rights

Question 28

three universally accepted elements of information

security:

Answer 28

Confidentiality.
Policies and practices for privacy and
safeguarding confidential information and protections against
unauthorized access or interceptions.

Integrity.
Provisions to ensure that data is complete and
correct, including how it relates to financial reporting.

Availability.
Actions to ensure that there is very little downtime
and to enhance recovery of data after disruptions, disasters, and
corruptions of data/services.

Question 29

six indicators of poor vulnerability management

Answer 29

1) higher than acceptable no of security incidents within a given time period;
2) inability to ID IT vulnerabilities systematically, results in exposing critical assets;
3) inability to assess risks associated with vulnerabilities & to prioritize mitigation efforst
4) poor IT management and IT security working relationship
5) lack of asset management system
6) lack of configuration management process integrated with vulnerability mitigation efforts.

Question 30

Examples of information security controls that can be used to manage IT vulnerabilities:

Answer 30

Encryption - private and public keys;
private are simple and only one key for encrypt & decrypt;
Public keys create two keys: private and public. Think CFIA email encryption…to decrypt, private key is used;

Question 31

Evaluation encryption includes:

Answer 31

1) evaluating physical controls over computers that have password keys;
2) testing policies to see if they being followed;
3) implmenting and monitoring logic controls.

Question 32

Types of firewalls:

Answer 32

1) Packet filtering - cmpares source and destination addressed to an allowed list;
2) Gateways - stops traffic flowing to a specific applicaition, e.g. application gateway/proxy server.

Question 33

Auditing firewalls includes:

Answer 33

determining if firewall can be bypassed or controls overriden; user prompts for allow/deny comms can be most risky;
Auditors should veryify the efficacy of a firewall to determine how specific rules are, whether lists of acceptable users, IP addrs, and apps are kept uptodate;

Question 34

Firewall is a chokepoint

Answer 34

can be used to audit controls or trace source of an incoming attack; firewall logs can be used as legal audit evidence if the data was collected processed and retained proprerly.