B1: Systems Security and IT General Controls Flashcards
The effectiveness of ITGCs is measured by the number of:
- Incidents that damage the enterprise’s public reputation.
- Systems that do not meet security criteria.
- Violations in segregation of duties.
Security RM Process List
Typical security risk management steps include identification, probability determination, quantification of potential loss, and selection (evaluates feasibility of alternative RM techniques; results in the selection of the best technique(s). Security RM process should be appropriate for the org and its security objectives.
IS Steps to perform assessment of security risks
1) analyze reported incidents; 2) review exposure statistics; 3) map key processes; 4) periodic inspection; 5) periodic process and product audits; 6) assess management system effectiveness; 7) scenario analysis.
What are the roles and responsibilities of internal audit (IA) and management regarding threats, incidents, exploited vulnerabilities, and corrective measures?
IA: assesses the effectiveness of preventive, detective, and mitigation measures against past attacks and against future attempts/incidents likely to occur.
Management: monitors information security (and other areas); however, IA monitors the EFFECTIVENESS OF MANAGEMENT IN THIS AREA, including assessing the organization's information reliability and integrity practices, and makes recommendations, etc.
Hardware Control - What is a redundant data check?
Each transmitted data element receives an additional bit (or character) of data that is mathematically related to the data (e.g., a parity bit). Abnormal changes will void the mathematical relationship, so the receiver can detect the error.
Hardware Control - What is equipment check?
Controls built into the circuitry that detect hardware errors.
Hardware Control - What is a duplicate process check?
A process is performed twice and the two results are compared; a mismatch indicates an error.
Hardware Control - What is an echo check?
Received data is returned to the sender for comparison with what was originally sent.
Hardware Control - What are fault-tolerant components?
Fault-tolerant components have redundancies in hardware or software that allow operations to continue if a component fails.
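The redundant data check and echo check above, simulated in software as an added example (this is not code from the flashcards; the data byte, the record `GL-BATCH-0042` and the link model are constructed for the demo). It also shows the caveat a practitioner should know: a single parity bit misses an even number of flipped bits, which is why block-level checks such as a CRC-32 are used in practice.

```python
import zlib
from typing import Callable, Optional

DATA_BYTE = 0b1010_1010          # constructed sample data element (8 bits, four 1s)
SAMPLE_BLOCK = b"GL-BATCH-0042"  # constructed sample record for the CRC and echo checks


def add_parity(byte: int) -> int:
    """Redundant data check, sender side: append one even-parity bit.

    The extra bit is chosen so the total count of 1 bits in data + parity
    is even. That parity is the 'mathematical relationship' the receiver
    recomputes on arrival.
    """
    if not 0 <= byte <= 0xFF:
        raise ValueError("expected one 8-bit data element")
    parity = bin(byte).count("1") & 1
    return (byte << 1) | parity


def parity_ok(word: int) -> bool:
    """Redundant data check, receiver side: the 9-bit word must still have even parity."""
    return bin(word).count("1") % 2 == 0


def flip_bits(word: int, *positions: int) -> int:
    """Simulate a transmission fault by inverting the given bit positions."""
    for p in positions:
        word ^= 1 << p
    return word


def crc_ok(payload: bytes, expected_crc: int) -> bool:
    """Stronger redundant data check: a CRC-32 over a whole block detects the
    two-bit errors that a single parity bit lets through."""
    return zlib.crc32(payload) == expected_crc


def faulty_link(corrupt_on_call: Optional[int], byte_index: int = 0) -> Callable[[bytes], bytes]:
    """Constructed link model: flips the low bit of one byte on exactly one
    transmission (the Nth call on the link), or never when corrupt_on_call is None."""
    calls = {"n": 0}

    def send(data: bytes) -> bytes:
        calls["n"] += 1
        if calls["n"] != corrupt_on_call:
            return data
        out = bytearray(data)
        out[byte_index] ^= 0x01
        return bytes(out)

    return send


def echo_check(payload: bytes, link: Callable[[bytes], bytes]) -> bool:
    """Echo check: the receiver sends back what it got (second call on the link);
    the sender accepts only if the echo equals the original. A fault on either
    leg fails the check, which is the safe outcome: the sender retransmits."""
    received_by_peer = link(payload)
    echoed_back = link(received_by_peer)
    return echoed_back == payload


def demo() -> dict:
    """Run each check on the constructed data; every value should be True."""
    word = add_parity(DATA_BYTE)
    crc = zlib.crc32(SAMPLE_BLOCK)
    two_bit_error = bytes([SAMPLE_BLOCK[0] ^ 0x09]) + SAMPLE_BLOCK[1:]  # bits 0 and 3 of byte 0 flipped
    return {
        "clean_word_passes": parity_ok(word),
        "one_bit_error_detected": not parity_ok(flip_bits(word, 3)),
        # Caveat: two flipped bits keep the 1-count even, so parity misses them.
        "two_bit_error_missed_by_parity": parity_ok(flip_bits(word, 3, 6)),
        "two_bit_error_caught_by_crc": not crc_ok(two_bit_error, crc),
        "echo_clean_link_passes": echo_check(SAMPLE_BLOCK, faulty_link(None)),
        "echo_outbound_fault_detected": not echo_check(SAMPLE_BLOCK, faulty_link(1, 2)),
        "echo_return_fault_detected": not echo_check(SAMPLE_BLOCK, faulty_link(2, 2)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running the file prints one line per check. The echo check also fails when only the return leg is corrupted, which costs a needless retransmission but never accepts bad data; parity, by contrast, silently accepts the two-bit corruption.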
System and Data Backup and Recovery Controls - grandfather-father-son concept
The son is the most recent backup, followed by the father and grandfather backups. As a new backup is made, it becomes the new son, the old son becomes the father, the old father becomes the grandfather, and the medium that held the old grandfather is released for reuse.
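The rotation above, as an added example in Python (not from the flashcards). It generalizes the three-generation scheme to the date-based form most backup tools use, which is an assumption on my part rather than something the card states: sons are the most recent daily runs, fathers the last run of each recent week, grandfathers the last run of each recent month. The backup history (one run per day from 2024-01-01 to 2024-03-31) is constructed for the demo.

```python
from datetime import date, timedelta
from typing import Callable, Iterable, List, Set, Tuple


def day(iso: str) -> date:
    """Small helper so callers can write day('2024-03-31')."""
    return date.fromisoformat(iso)


def build_sample_history(start: date = date(2024, 1, 1), days: int = 91) -> List[date]:
    """Constructed history: one backup per day, 2024-01-01 .. 2024-03-31."""
    return [start + timedelta(days=i) for i in range(days)]


def _newest_per_bucket(ordered: List[date], bucket: Callable[[date], tuple]) -> List[date]:
    """Newest backup in each bucket (e.g. per ISO week), newest bucket first.
    `ordered` is newest-first, so the first run seen for a key is the newest."""
    picks = {}
    for d in ordered:
        picks.setdefault(bucket(d), d)
    return list(picks.values())


def gfs_retain(backups: Iterable[date], daily: int = 7, weekly: int = 4,
               monthly: int = 12) -> Tuple[Set[date], Set[date]]:
    """Grandfather-father-son retention over a backup history.

    sons         = the `daily` most recent runs
    fathers      = the last run of each of the `weekly` most recent ISO weeks
    grandfathers = the last run of each of the `monthly` most recent months
    Returns (keep, release); media in `release` may be overwritten.
    """
    ordered = sorted(set(backups), reverse=True)
    keep = set(ordered[:daily])
    keep.update(_newest_per_bucket(ordered, lambda d: d.isocalendar()[:2])[:weekly])
    keep.update(_newest_per_bucket(ordered, lambda d: (d.year, d.month))[:monthly])
    return keep, set(ordered) - keep


def rotate(existing: Iterable[date], new_run: date, **policy) -> Tuple[Set[date], Set[date]]:
    """Apply the rotation after a new backup: the new run becomes the son, an old
    son that closed a week or month is promoted, and anything that no longer
    holds a son/father/grandfather slot is released for reuse."""
    return gfs_retain(list(existing) + [new_run], **policy)


if __name__ == "__main__":
    keep, release = gfs_retain(build_sample_history())
    print("kept after 91 daily runs:", sorted(keep))
    keep2, release2 = rotate(keep, day("2024-04-01"))
    print("released by the 2024-04-01 run:", sorted(release2))
```

With the constructed history, 12 of the 91 runs are retained (seven sons, the week-ending runs of 2024-03-24, 03-17 and 03-10, and the month-ending runs of 2024-02-29 and 01-31; 2024-03-31 serves as son, father and grandfather at once). Adding the 2024-04-01 run promotes 2024-03-31 out of the son slots and releases 2024-03-25 and 2024-03-10, the oldest members of their generations.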
System and Data Backup and Recovery Controls - Sequential access means
Data must be accessed in the order it was recorded, such as on tape storage. Tape storage is now less common as cloud backups have become more widespread.
System and Data Backup and Recovery Controls - Direct (random) access means
The system can go straight to any location for faster retrieval, such as on magnetic and optical disks.
Physical controls for an off-site storage facility
- Revealing the location of the facility to as few people as possible.
- Ensuring that the outside of the facility does not reveal its purpose or use.
- Securing all access points and eliminating windows.
- Providing appropriate controls on environmental conditions (e.g., raised platforms, waterproofing, fire alarms, and climate monitoring and control).
- Keeping an inventory of the contents.
Cloud-based backup methods satisfy the physical-distance and secret-location criteria because
the cloud is a network of distributed databases and servers in which data is placed wherever there is available capacity rather than in designated storage areas. In this method, backups are electronically transmitted to the cloud, which could be internally owned or a third-party system. Internally owned clouds need to ensure that the physical-distance criterion is satisfied for backups.
What is electronic vaulting?
Electronically transmitting changes to data to an off-site facility and then creating long-term backup storage there, eliminating physical transportation. Electronic vaulting can provide a shorter recovery point for businesses that consider a 24-48 hour delay in the recovery point an unacceptable risk.