B1: Systems Security and IT General Controls Flashcards

1
Q

Effectiveness of ITGC is measured by the number of these:

A
  • Incidents that damage the enterprise’s public reputation.
  • Systems that do not meet security criteria.
  • Violations in segregation of duties.
2
Q

Security RM Process List

A

Typical security risk management steps include identification, probability determination, quantification of potential loss, and selection (evaluates the feasibility of alternative RM techniques and results in the selection of the best technique(s)). The security RM process should be appropriate for the organization and its security objectives.

3
Q

IS Steps to perform assessment of security risks

A

1) analyze reported incidents; 2) review exposure statistics; 3) map key processes; 4) periodic inspection; 5) periodic process and product audits; 6) assess management system effectiveness; 7) scenario analysis

4
Q

What are the roles and responsibilities of IA and management for threats, incidents, vulnerabilities exploited, and corrective measures?

A

IA: assesses the effectiveness of preventive, detective and mitigation measures against past attacks and against future attempts/incidents likely to occur;
Management: monitors information security (and other areas); however, IA monitors the EFFECTIVENESS OF MANAGEMENT IN THIS AREA, including assessing the organization’s information reliability and integrity practices, making recommendations, etc.

5
Q

Hardware Control - What is a redundant data check?

A

Each transmitted data element receives an additional bit (character) of data mathematically related to the data. Abnormal changes will void the mathematical relationship.

6
Q

Hardware Control - What is an equipment check?

A

These are circuitry controls that detect hardware errors.

7
Q

Hardware Control - What is a duplicate process check?

A

A process is done twice and the results are compared.

8
Q

Hardware Control - What is an echo check?

A

Received data is returned to the sender for comparison.

9
Q

Hardware Control - What are fault-tolerant components?

A

Fault-tolerant components have redundancies in hardware or software to allow continued operation if a system fails.

10
Q

System and Data Backup and Recovery Controls - grandfather-father-son concept

A

The son is the most recent backup, followed by the father and grandfather backups. As a new backup is made, it becomes the new son, the old son becomes the father, and so on.

11
Q

System and Data Backup and Recovery Controls - Sequential access means

A

Data must be accessed in the order it was recorded, such as for tape storage. Tape storage is rarer now that cloud backups are more common.

12
Q

System and Data Backup and Recovery Controls - Direct random access means

A

The system can go to any location for faster retrieval, such as for magnetic and optical disks.

13
Q

Physical controls for an off-site storage facility

A
  • Revealing the location of the facility to as few people as possible.
  • Ensuring that the outside of the facility does not reveal its purpose or use.
  • Securing all access points and eliminating windows.
  • Providing appropriate controls on environmental conditions (e.g., raised platforms, waterproofing, fire alarms, and climate monitoring and control).
  • Keeping inventory of the contents.
14
Q

Cloud-based backup methods satisfy the physical distance and secret location criteria because

A

the cloud is a network of distributed databases and servers in which data is placed wherever there is available capacity rather than in designated storage areas. In this method, backups are electronically transmitted to the cloud, which could be internally owned or a third-party system. Internally owned clouds need to ensure that the physical distance criterion is satisfied for backups.

15
Q

What is electronic vaulting?

A

Electronically transmitting changes to data to an off-site facility and then creating backup long-term storage, eliminating physical transportation; electronic vaulting can provide a shorter recovery point for businesses that see a delay in recovery point (24 - 48 hrs) as an unacceptable risk.

16
Q

Backup data controls - labelling to prevent restoration delays or inadvertent restoration to the wrong point.

A

- Labels should be internal (digital) and external (physical) and use a logical file-naming convention to prevent files from being deleted accidentally.
- The methodology should cover rotating the files from the data center to an off-site location.

17
Q

To safeguard against storage media failure, how should critical data be stored?

A

It should be stored on two separate types of media.

18
Q

Auditors need to develop an awareness of these and other ethical implications when assessing and providing assurance or consulting in relation to the IT security and control environment.

A
  • Emails are considered legal evidence.
  • Other issues include safeguarding data for privacy.

19
Q

Data security categories: what is low security data?

A

Low impact on reputation/productivity/assets: data on public servers such as web pages.

20
Q

Data security categories: what is medium security data?

A

Serious impact on mission; market losses; major damage to assets or resources: ERP data, regulatory compliance data, personal data.

21
Q

Data security categories: what is high security data?

A

Could cause catastrophic losses to reputation, productivity or market share: e.g., contingency plan data, R&D data, court trial data.

22
Q

Security levels must be customized to the particular organization and its risks.

A

Low security would still have firewalls, hardware locked in a data center, and off-site or cloud backup storage. Moderate security would include all of the low security items plus items such as electronic vaulting or a redundant data center. High security would also include biometric devices, perhaps a physical security checkpoint, and other considerations.

23
Q

What does computer forensics (e-discovery) attempt to discover?

A

How, why, and who: how the fraud was committed and the motives behind it; the required level of access or computer proficiency leads to a list of suspects.

24
Q

What is a mirror image backup?

A

Also known as a bit stream backup or cc of a hard drive; used for forensic auditing but not a way of backing up data for recovery.

25
Q

IT risk control self-assessment (CSA)

A

Control self-assessment (CSA) presumes that the scope of control for an organization is so broad and continually changing that it takes the efforts of the entire organization to make a timely and adequate assessment. CSA generally takes place in group settings, not in an individual survey form. However, once CSA teams have met and compiled a list of issues, they can use an intranet survey or electronic voting technology to vote on the issues that they think need to be addressed. The conclusions of the CSA should be reported to participants as soon as possible, with IT potentially being able to help speed distribution.

26
Q

What is application authentication?

A

User authentication and authorization controls.

27
Q

What is least privilege access?

A

Users and/or departments are assigned roles or profiles granting them access only to areas where there is a genuine business need. Access rights are based on a role name set in a hierarchy, which should be audited to see if roles are too broad and some users get unnecessary rights.

28
Q

Three universally accepted elements of information security:

A

Confidentiality. Policies and practices for privacy and safeguarding confidential information and protections against unauthorized access or interceptions.

Integrity. Provisions to ensure that data is complete and correct, including how it relates to financial reporting.

Availability. Actions to ensure that there is very little downtime and to enhance recovery of data after disruptions, disasters, and corruptions of data/services.

29
Q

Six indicators of poor vulnerability management

A

1) higher than acceptable number of security incidents within a given time period;
2) inability to identify IT vulnerabilities systematically, resulting in exposing critical assets;
3) inability to assess risks associated with vulnerabilities and to prioritize mitigation efforts;
4) poor working relationship between IT management and IT security;
5) lack of an asset management system;
6) lack of a configuration management process integrated with vulnerability mitigation efforts.

30
Q

Examples of information security controls that can be used to manage IT vulnerabilities:

A

Encryption - private-key and public-key:
Private-key encryption is simple and uses only one key for both encryption and decryption;
Public-key encryption creates two keys, a private key and a public key. Think of CFIA email encryption: to decrypt, the private key is used.

31
Q

Evaluating encryption includes:

A

1) evaluating physical controls over computers that hold password keys;
2) testing policies to see if they are being followed;
3) implementing and monitoring logical controls.

32
Q

Types of firewalls:

A

1) Packet filtering - compares source and destination addresses to an allowed list;
2) Gateways - stop traffic flowing to a specific application, e.g., an application gateway/proxy server.

33
Q

Auditing firewalls includes:

A

Determining if the firewall can be bypassed or its controls overridden; user prompts for allow/deny communications can be the most risky.
Auditors should verify the efficacy of a firewall by determining how specific its rules are and whether lists of acceptable users, IP addresses, and applications are kept up to date.

34
Q

A firewall is a chokepoint

A

It can be used to audit controls or trace the source of an incoming attack; firewall logs can be used as legal audit evidence if the data was collected, processed and retained properly.