Chapter 8 Flashcards
The Trust Services Framework reliability principle that states that users must be able to enter, update, and retrieve data during agreed-upon times is known as
availability
According to the Trust Services Framework, the reliability principle of integrity is achieved when the system produces data that
is complete, accurate, and valid
The three fundamental information security concepts
- security is a technology issue based on prevention
- the idea of defense in depth employs multiple layers of controls
- the time-based model of security focuses on the relationship between preventive, detective, and corrective controls
Some of the essential criteria for successfully implementing each of the principles that contribute to systems reliability, as discussed in the Trust Services Framework
- developing and documenting policies
- designing and employing appropriate control procedures to implement policies
- monitoring the system and taking corrective action to maintain compliance with policies
Which of the parties below was involved in developing the Trust Services Framework
AICPA (American Institute of CPAs)
information security procedures protect information integrity by
preventing fictitious transactions
Identify one aspect of systems reliability that is not a source of concern with regard to a public cloud
efficiency
identify the primary means of protecting data stored in a cloud from unauthorized access
authentication
Virtualization refers to the ability to
run multiple systems simultaneously on one physical computer
True or False: Cloud computing can potentially generate significant cost savings for an organization
True
True or False: Cloud computing is traditionally more secure than traditional computing
False
The Trust Services Framework reliability principle that states sensitive information be protected from unauthorized disclosure is known as
confidentiality
The Trust Services Framework reliability principle that states personal information should be protected from unauthorized disclosure is known as
privacy
The Trust Services Framework reliability principle that states access to the system and its data should be controlled and restricted to legitimate users is known as
security
Which of the following is not a useful control procedure regarding access to system outputs
allowing visitors to move through the building without supervision
Verifying the identity of the person or device attempting to access the system is an example of
authentication
Restricting access of users to specific portions of the system, as well as to specific tasks, is an example of
authorization
this is an example of a preventative control
encryption
this is an example of a detective control
log analysis
what is an example of a corrective control
incident response teams
multi-factor authentication
involves the use of two or more basic authentication methods
Identify the best description of an access control matrix below
a table specifying which portions of the system users are permitted to access
Perimeter defense is an example of which category of preventive controls necessary to provide adequate security
controlling remote access
Which preventive controls are necessary to provide adequate security against social engineering threats
awareness training
A special-purpose hardware device, or software running on a general-purpose computer, that filters the information allowed to enter and leave the organization’s information system is known as a
firewall
this protocol specifies the procedures for dividing files and documents into packets to be sent over the Internet.
transmission control protocol
This protocol specifies the structure of packets sent over the Internet and the route to get them to the proper destination
internet protocol
This network access control determines which IP packets are allowed entry to a network and which are dropped
access control list
A list of authorized users, programs, and data files the users are authorized to access or manipulate; compatibility tests utilize this
access control matrix
The process that screens individual IP packets based solely on the contents of the source and/or destination fields in the packet header is known as
static packet filtering
The process of maintaining a table listing all established connections between the organization’s computers and the Internet, in order to determine whether an incoming packet is part of an ongoing communication initiated by an internal computer, is known as
stateful packet filtering
The process that allows a firewall to be more effective by examining the data in the body of an IP packet, instead of just the header, is known as
deep packet inspection
The security technology that evaluates IP packet traffic patterns in order to identify attacks against a system is known as
an intrusion prevention system
This is used to identify rogue modems (or by hackers to identify targets)
war dialing
The process of turning off unnecessary features in the system is known as
hardening
The most common input-related vulnerability is
buffer overflow attack
This keeps a record of the network traffic permitted to pass through the firewall
intrusion detection system
The process that uses automated tools to identify whether a system possesses any well-known security problems is known as
vulnerability scan
An authorized attempt by an internal audit team or an external security consultant to break into the organization’s information system
penetration test
This person disseminates information about fraud, errors, breaches, and other improper system uses and their consequences
chief security officer
A security firm is hired to attempt to compromise a computer network; it succeeds in entering the system without being detected and then presents an analysis of the vulnerabilities that were found. This is an example of a
detective control
This is commonly true of the default settings for most commercially available wireless access points
security is set to the lowest level that the device is capable of
In recent years, many of the attacks carried out by hackers have relied on this type of vulnerability in computer software
buffer overflow
Each employee is provided with a name badge with a photo and an embedded computer chip that is used to gain entry to the facility. This is an example of an
authentication control
When new employees are hired by Pacific Technologies, they are assigned user names and appropriate permissions are entered into the information system’s access control matrix. This is an example of an
authorization control
The most effective way to protect network resources that are exposed to the Internet, yet reside outside of a network, is
a demilitarized zone
All employees of E.C. Hoxy are required to pass through a gate and present their photo identification cards to the guard before they are admitted. Entry to secure areas, such as the Information Technology Department offices, requires further procedures. This is an example of a
physical access control
Identify three ways users can be authenticated and give an example of each
- something they know (password)
- something they have (smart card or ID)
- something they are (biometric identification, such as a fingerprint)
Describe four requirements of effective passwords
- Strong passwords should be at least 8 characters
- Passwords should use a mixture of uppercase and lowercase letters, numbers, and characters
- Passwords should be random and not words found in dictionaries
- Passwords should be changed frequently
Connects an organization’s information system to the Internet
border router
Permits controlled access from the Internet to selected resources
a demilitarized zone
The most important element of any preventive control is
the people