BEC IT2 Flashcards
_____ concerns the completeness, validity, accuracy, timeliness, and authorization of system processing.
Processing integrity
An organization implements an integrated package of authentication controls related to its critical systems. This is an example of:
Defense in depth.
_____ concerns whether the system is operational and usable as specified in commitments and agreements.
Availability
According to the AICPA ASEC, the requirement of notice related to privacy states:
Individuals must be told about privacy policies including why information is collected, used, retained, and disclosed.
The AICPA Assurance Services Executive Committee (ASEC) principles and criteria can be used to evaluate:
(1) the controls of a system and (2) the confidentiality and privacy of the information processed by the system.
ASEC specifies five trust services principles:
- Security: the foundation of systems reliability. Security procedures restrict access to authorized users only, protect the confidentiality and privacy of sensitive information, provide integrity of information, and protect against attacks. Security is a top management issue.
- Availability concerns whether the system is operational and usable as specified in commitments and agreements.
- Processing integrity concerns the completeness, validity, accuracy, timeliness, and authorization of system processing.
- Confidentiality concerns whether confidential information is protected consistent with the organization’s commitments and agreements.
- Privacy addresses whether the system’s collection, use, retention, disclosure, and disposal of personal information conforms to its own commitments and with criteria set forth in generally accepted privacy principles (GAPP). GAPP comprises 10 subprinciples.
Time-based model of controls
P > D + C: for the controls to be effective, the time it takes an intruder to break through the preventive controls (P) must exceed the time needed to detect the attack (D) plus the time needed to correct it (C).
Defense in depth
The strategy of implementing multiple layers of controls to avoid having a single point of failure. Combination of firewalls, passwords, etc.
IT detective controls include:
- Log analysis (audit log)
- Intrusion detection systems
- Managerial reports (downtime due to security issues)
- Security testing
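The "log analysis" item above is only a label; the following added example (not part of the original flashcards) shows what that detective control actually does in practice. It runs a sliding-window brute-force check over a constructed audit log in a hypothetical "timestamp user ip event" format, flags any (user, source IP) pair that reaches five failed logins inside two minutes, notes whether a success followed (the case that most urgently needs a corrective response), and reports the detection lag, which is the D term of the time-based model above. The log lines, field layout, threshold and window are all assumptions for the example.

```python
"""Added example: audit-log analysis as a detective control.
The log format and sample lines below are constructed for this example."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit log (hypothetical format: timestamp user source_ip event).
SAMPLE_LOG = """\
2024-03-01T09:00:01Z alice 10.0.0.5 LOGIN_FAILURE
2024-03-01T09:00:07Z alice 10.0.0.5 LOGIN_FAILURE
2024-03-01T09:00:13Z alice 10.0.0.5 LOGIN_FAILURE
2024-03-01T09:00:19Z alice 10.0.0.5 LOGIN_FAILURE
2024-03-01T09:00:25Z alice 10.0.0.5 LOGIN_FAILURE
2024-03-01T09:00:31Z alice 10.0.0.5 LOGIN_SUCCESS
2024-03-01T09:02:00Z bob 10.0.0.9 LOGIN_FAILURE
2024-03-01T09:02:20Z bob 10.0.0.9 LOGIN_SUCCESS
2024-03-01T09:05:00Z carol 203.0.113.7 LOGIN_FAILURE
2024-03-01T09:05:10Z carol 203.0.113.7 LOGIN_FAILURE
2024-03-01T09:05:20Z carol 203.0.113.7 LOGIN_FAILURE
2024-03-01T09:05:30Z carol 203.0.113.7 LOGIN_FAILURE
2024-03-01T09:05:40Z carol 203.0.113.7 LOGIN_FAILURE
2024-03-01T09:09:00Z carol 203.0.113.7 LOGIN_FAILURE
"""


def parse_line(line):
    """Split one line of the hypothetical 'timestamp user ip event' format."""
    ts, user, ip, event = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, ip, event


def detect_brute_force(log_text, threshold=5, window=timedelta(minutes=2)):
    """Return one finding per (user, source_ip) pair that accumulates
    `threshold` LOGIN_FAILURE events inside a sliding `window`.

    Each finding records the earliest failure still inside the window, the
    event that triggered the alert, the detection lag in seconds (the D term
    of the time-based model), and whether a LOGIN_SUCCESS followed the alert.
    """
    recent = defaultdict(deque)  # (user, ip) -> timestamps of failures in window
    findings = {}                # (user, ip) -> finding; keyed so each pair alerts once
    for raw in log_text.strip().splitlines():
        ts, user, ip, event = parse_line(raw)
        key = (user, ip)
        if event == "LOGIN_FAILURE":
            q = recent[key]
            q.append(ts)
            # Drop failures that fell out of the sliding window.
            while q and ts - q[0] > window:
                q.popleft()
            if len(q) >= threshold and key not in findings:
                findings[key] = {
                    "user": user,
                    "source_ip": ip,
                    "first_failure": q[0],
                    "detected_at": ts,
                    "detection_lag_s": (ts - q[0]).total_seconds(),
                    "followed_by_success": False,
                }
        elif event == "LOGIN_SUCCESS" and key in findings:
            # A success after an alert is the pattern that needs corrective action.
            findings[key]["followed_by_success"] = True
    return list(findings.values())


if __name__ == "__main__":
    for f in detect_brute_force(SAMPLE_LOG):
        print(f)
```

On the sample log, alice's five failures in 24 seconds trigger an alert that is then followed by a success, carol's burst triggers an alert with no success, and bob's single failure is never flagged. Raising the threshold to six produces no findings because carol's sixth failure arrives after the earlier five have aged out of the window.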
IT corrective controls include:
- Computer emergency response team (CERT)
- Chief security officer hired
- Patch management for known issues
Assessments of cyber risk impact:
Should assess the likelihood and severity of impacts and should be led by senior management in consultation with business and IT stakeholders.
Managing cyber risks requires:
Attempting to prevent cyber breaches while addressing those that do occur through detective and corrective controls.
Principle 6—The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.
Unless management understands which systems are critical to organizational objectives and which are not, it will underallocate scarce resources to mission-critical systems and overallocate resources to unimportant systems.
Principle 7—The organization identifies risks to the achievement of its objectives across the entity and analyzes risks in order to determine how the risks should be managed.
Principle 8—The organization considers the potential for fraud in assessing risks to the achievement of objectives.
The assessment should be led by senior management, in collaboration with business and IT stakeholders.
Principle 9—The organization identifies and assesses changes that could significantly impact the system of internal control.
Rapidly changing technologies, and cyber-criminals’ quick adaptation to these changes, yield new methods of exploiting system vulnerabilities.
Principle 10—The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
Principle 11—The organization selects and develops general control activities over technology to support the achievement of objectives.
Principle 12—The organization deploys control activities through policies that establish what is expected and procedures that put policies into action.
Preventive, detective, and corrective controls are all essential to addressing cyber risks. Well-designed preventive controls may stop attacks from being realized by keeping intruders outside of the organization’s internal IT environment and keeping the information systems secure.
Principle 13—The organization obtains or generates and uses relevant, quality information to support the functioning of internal control.
Control system data must be transformed into actionable, high-quality information that informs and communicates about the effectiveness of cyber-related controls.
Principle 14—The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.
Communication about cyber risks should include all personnel, personnel responsible for managing and monitoring cyber risks and controls, and the board of directors.
The need for a cybersecurity framework
The goals of the framework included creating a common language for understanding, and cost-effective means for managing, organizational cybersecurity risks without imposing regulations. The framework consists of three parts: the core, the profiles, and the implementation tiers.
Core elements of cybersecurity framework:
- Functions: the high-level cybersecurity activities. There are five core functions: Identify, Protect, Detect, Respond, and Recover. They help manage cybersecurity risk by organizing information, enabling risk management decisions, addressing threats, and enabling learning through monitoring.
- Categories: cybersecurity outcomes that link to organizational needs and activities. Examples of categories are asset management, access control, physical security, and incident detection processes.
- Subcategories: divide categories into specific outcomes of technical and/or management activities; they serve as high-level control goals. Examples include: Identify and catalog external information systems; Protect data at rest.
- (Informative) References- are specific standards, guidelines, and practices that provide benchmarks and methods for achieving the control goals (i.e., outcomes) found in the subcategories.
Complete the missing words in the following sentence: ____ are actions that implement _____.
Procedures, policies
All policies, including IT policies, should:
- Be linked to the entity’s strategy and objectives
- Have an owner who is responsible for ensuring that the policy is operating and is kept up to date
- Have a process for evolving with change
- Include a title, purpose, scope and context, statement of responsibilities, and a schedule for review and updating
Important IT policies:
- Values and Service Culture—What is expected of IT function personnel in their interactions with clients and others
- Contractors, Employees, and Sourcing—Why, when, and how an entity selects IT human resources from among employees or outside contractors
- Electronic Communications Use—Policy related to employee use of the Internet, intranet, email, blogs, chat rooms, and telephones
- Use and Connection Policy—Policy that states the entity’s position on the use of personal devices and applications in the workplace and connection to the entity’s systems.
- Procurement—Policy on the procurement processes for obtaining IT services
- Quality—Statement of IT performance standards
- Regulatory Compliance—Statement of regulatory requirements of IT systems
- Security—Policy related to guarding against physical or electronic threats to IT. May include disaster recovery preparation policies
- Service Management and Operational Service Problem Solving—Policies for ensuring the quality of live IT services