Chapter 6 - Security Flashcards

1
Q

What indicates an effective security awareness program?

A

Effective in changing employee behavior

2
Q

What detection system detects attacks by searching for specific patterns?

A

Signature-based intrusion detection system

3
Q

What detection system monitors the general patterns of network traffic activity and creates a database of patterns?

A

neural network-based detection system

4
Q

What detection system flags as abnormal any network traffic that falls outside the scope of routine activity?

A

statistical network-based IDS

5
Q

What attack exploits existing code sequences in a program’s memory to perform malicious actions without injecting new code?

A

Return-oriented programming (ROP)

6
Q

True or False?

IPS is both a detective and a preventive control.

IPS can’t reconfigure firewall rules.

IPS accepts or denies network traffic.

A

True, False, True

IPSs are configured to detect and prevent potential attacks on the IT environment and assets.

Some IPSs are also designed to reconfigure other security mechanisms, e.g., a firewall.

The IPS effectively limits damage to affected systems and must be appropriately configured to accept or deny network traffic correctly.

7
Q

What is data diddling? How is it detected?

A

Data diddling is changing the data with malicious intent before it is entered into the system.

Detected by exception reports.

Exception reports highlight exceptions or deviations from the anticipated situation.

8
Q

What implementation tier is this?

Organizational privacy risk management practices are ad hoc and not formalized. The organization may be unaware of the full scope of its privacy risks.

A

Tier 1 (Partial)

9
Q

What implementation tier is this?

The organization is aware of privacy risks and has certain practices approved by management, but it lacks an organization-wide approach.

A

Tier 2 (Risk-Informed)

10
Q

What implementation tier is this?

A consistent organization-wide approach to privacy risk management is in place. The organization regularly reviews and updates its risk management practices based on changes in privacy risks.

A

Tier 3 (Repeatable)

11
Q

What implementation tier is this?

The organization adapts its privacy practices based on lessons learned and predictive indicators. Privacy risk management is a part of the organizational culture and evolves in a proactive manner.

A

Tier 4 (Adaptive)

12
Q

What standards should you use to provide a security assessment that involves documenting issues, findings, and recommendations?

A

Statements on Standards for Consulting Services

Consulting services apply the CPA's technical skills, education, experience, knowledge, and observations.

13
Q

What standards should you use to provide a SOC or compliance assessment?

A

Statements on Standards for Attestation Engagements

14
Q

For defense in depth, identify which type of control each of the following describes:

  1. Controls based on physical access to assets
  2. Controls based on policies and procedures
  3. Controls that are applied by use of technology

A

  1. Physical control (e.g., surveillance cameras)
  2. Administrative control (e.g., access control policies, security training)
  3. Technical control (e.g., multifactor authentication)

15
Q

What does Layered Security say will never be secure?

A

Components

16
Q

What does defense in depth say will never be secure?

A

Systems

17
Q

What are the 4 supplemental trust services criteria?

A

  1. Logical and physical access controls
  2. System operations
  3. Change management
  4. Risk mitigation

18
Q

What stage of the vulnerability management cycle is this?

- Identify root causes
- Evolve processes
- Evaluate metrics

A

Improve

19
Q

What stage of the vulnerability management cycle is this?

- Scan network
- Identify assets
- Report risks

A

Assess

20
Q

What stage of the vulnerability management cycle is this?

- Assign a value
- Gauge exposure
- Add threat context

A

Prioritize

21
Q

What stage of the vulnerability management cycle is this?

- Accept risk
- Mitigate
- Remediate

A

Act

22
Q

What stage of the vulnerability management cycle is this?

- Rescan
- Validate fixes

A

Reassess

23
Q

What assessment includes an ongoing process for identifying changes that would cause additional risks or alter existing risks?

A

Cybersecurity risk assessment

- Includes changes to technology use, business lines, growth, or locations

24
Q

What are these examples of?

- Virus quarantining
- Patch management
- Vulnerability management
- Incident response plans

A

Corrective plans

25
Q

What does symmetric encryption secure?
What does asymmetric encryption secure?

A

Symmetric: data being transferred
Asymmetric: establishes a secure communication channel

26
Q

What is recommended regarding password complexity issues?

A

Using a minimum password length

27
Q

What type of system checks for system files missing from data leaving a host device?

A

Host-based

28
Q

What type of system safeguards web servers by examining data going to and from a user front end?

A

Protocol-based

29
Q

What type of system defends application servers by examining data sent between application servers?

A

Application protocol-based

30
Q

Who assigns each object a security classification (e.g., top secret) and a category that defines the department or role that is granted access?

A

System administrator

31
Q

What does requesting ad hoc computer-generated reports from the company’s database prove about the data?

A

Relevant and complete?

32
Q

What is the sum of all the points where an attacker can try to gain unauthorized access to a company’s environment?

A

Attack surface

33
Q

Which practice should an entity include in management’s description of the entity’s cybersecurity risk management program?

A

Process for managing risks associated with third parties

34
Q

What attack redirects a website's URL or IP address to a bogus website?

A

Pharming

35
Q

What kind of intrusion involves observing data being transmitted and making inferences from the frequency and length of the calls?

A

Traffic analysis

36
Q

What is one crucial thing to consider when auditing business continuity?

A

Timely media backups are taken and stored at an offsite location

37
Q

What is the physical attack in which an employee allows an unauthorized person to use their employee access badge known as?

A

Pass back

38
Q

What principle states that employees should have access to only the information their job function requires?

A

Need to know

39
Q

What is an easy way to re-authenticate your identity?

A

Smart tokens