CPA ISC - S1 Flashcards

1
Q

What are the 5 components of NIST CSF?

A
  1. Identify
  2. Protect
  3. Detect
  4. Respond
  5. Recover
2
Q

What is NIST CSF Implementation Tier 1?

A
  1. Ad Hoc
  2. Not integrated into organizational processes
  3. Cybersecurity is isolated
3
Q

What is NIST CSF Implementation Tier 2?

A
  1. Cybersecurity may be isolated from organizational processes
  2. Organization is aware of cybersecurity
  3. Awareness is there but response is inconsistent
4
Q

What is NIST CSF Implementation Tier 3?

A
  1. Documented policies and procedures
  2. Organizational risk approach
  3. Collaborates with and contributes to security community at large
5
Q

What is NIST CSF Implementation Tier 4?

A
  1. Iterative improvements
  2. Cybersecurity is prioritized organization-wide
  3. Organization external participation is robust
6
Q

What is a NIST Current Profile?

A

The current state of organizational risk management.

7
Q

What is a NIST Target Profile?

A

The desired future state of organizational risk management.

8
Q

What are the 5 steps to using organizational profiles?

A

SGCAI (Some Guy Created A I)
1. Scope of org profile
2. Gather info to prepare org profile
3. Create org profile
4. Perform gap analysis between current and target profiles
5. Implement action plan to rectify gaps

9
Q

What are the 8 components of NIST Privacy?

A
  1. Identify
  2. Govern
  3. Control
  4. Communicate
  5. Protect
  6. Detect
  7. Respond
  8. Recover
10
Q

What is NIST SP 800-53?

A

It is the standard for federal information security systems. This establishes controls for systems and organizations.

11
Q

What was the Safe Harbor Framework and Privacy Shield in 2016?

A

The Safe Harbor Framework was a joint framework between the EU and USA to allow data transfer between the two more freely and legally. However, an EU court struck this down as it was not secure enough.

The Privacy Shield of 2016 was the same thing but was also struck down by an EU court.

12
Q

What are examples of Primary Cardholder Data?

A
  1. Account number
  2. Cardholder name
  3. Expiration date
  4. Service code
13
Q

What are examples of Sensitive Authentication Data for a cardholder?

A
  1. Card verification code
  2. Card PIN
14
Q

What is Center for Internet Security (CIS) Controls?

A

CIS Controls are a recommended set of actions, processes, and best practices that organizations can adopt and implement to strengthen their cybersecurity defenses.

15
Q

What are the 3 CIS Controls design principles?

A
  1. Context
  2. Coexistence
  3. Consistency
16
Q

CIS Control Design Principle - Context

A

An enhancement to the scope and practical applicability of safeguards through incorporation of examples and explanations.

17
Q

CIS Control Design Principle - Coexistence

A

Alignment with evolving industry standards and frameworks, including NIST’s CSF 2.0 framework.

18
Q

CIS Control Design Principle - Consistency

A

Disruption to users of the controls is minimized, limiting the impact on implementation groups.

19
Q

What are the 3 CIS Controls Implementation Groups?

A
  1. IG1
  2. IG2
  3. IG3
20
Q

IG1 (CIS)

A
  1. Small or medium sized organizations
  2. Limited cybersecurity defense mechanisms
    Main focus is to keep company operational
21
Q

IG2 (CIS)

A
  1. Organizations that have IT Staff
  2. Various risk profiles
  3. Can tolerate short interruptions in service
22
Q

IG3 (CIS)

A
  1. Organizations have security experts
  2. Breaches can cause significant damage to the public
23
Q

CIS Control 1: Inventory and Control of Enterprise Assets

A

This control helps organizations actively track and manage all IT assets connected to a company’s IT infrastructure physically or virtually within a cloud environment.

Examples:
1. Inventory List
2. Identify devices connected to a company’s network

24
Q

CIS Control 2: Inventory and Control of Software Assets

A

This control provides recommendations for organizations to track and actively manage all software applications so that only authorized software is installed on company devices. This control also provides guidance on finding unmanaged and unauthorized software already installed so that it can be removed and remediated.

Examples:
1. Establish Software Inventory List
2. Address Unauthorized Software
3. Allowlist Authorized Software to ensure only authorized software can be accessed or executed

25
Q

CIS Control 3: Data Protection

A

This control helps organizations develop ways to securely manage the entire life cycle of their data, from initial identification and classification of the data through to its disposal.

Examples:
1. Establish and maintain a data management process
2. Document data flows
3. Encrypt sensitive data in transit

26
Q

CIS Control 4: Secure Configuration of Enterprise Assets and Software

A

This control helps organizations establish and maintain secure baseline configurations for their enterprise assets, including network devices, mobile and portable end-user devices, non-computing assets such as Internet of Things (IoT) devices, operating systems, and other corporately managed hardware or software applications.

Examples:
1. Change default configurations
2. Implement and manage a firewall on end-user devices and servers
3. Enforce remote wipe capabilities on portable end-user devices

27
Q

CIS Control 5: Account Management

A

This control outlines best practices for companies to manage credentials and authorization for user accounts, privileged user accounts, and service accounts for company hardware and software applications.

Examples:
1. Establish SSO and MFA
2. Use unique passwords
3. Disable dormant accounts

28
Q

CIS Control 6: Access Control Management System

A

This control expands on Control 5 Account Management by specifying the type of access that user accounts should have.

Examples:
1. Establish an access granting and revoking process
2. Centralize access controls
3. Define and maintain role-based access controls

29
Q

CIS Control 7: Continuous Vulnerability Management

A

This control assists organizations in continuously identifying and tracking vulnerabilities within their infrastructure so that they can remediate and eliminate weak points or windows of opportunity for bad actors.

Examples:
1. Perform operating system patch management
2. Remediate detected vulnerabilities

30
Q

CIS Control 8: Audit Log Management

A

This control establishes an enterprise log management process so that organizations can be alerted to and recover from an attack in real time.

Examples:
1. Establish and maintain an Audit Log Management Process
2. Collect Audit Logs
3. Standardize time synchronization
4. Centralize and retain audit logs

31
Q

CIS Control 9: Email and Web Browser Protections

A

This control provides recommendations on how to detect and protect against cybercrime attempted through email or the internet by directly engaging employees.

Examples:
1. Use URL filtering
2. Block unnecessary file types
3. Restrict browser extensions

32
Q

CIS Control 10: Malware Defenses

A

This control assists companies in preventing the installation and propagation of malware onto company assets and their network.

Examples:
1. Deploy anti-malware software
2. Enable anti-exploitation features
3. Use behavior-based anti-malware software

33
Q

CIS Control 11: Data Recovery

A

This control establishes data backup, testing, and restoration processes that allow organizations to effectively recover company assets to a pre-incident state.

Examples:
1. Perform automated backups
2. Protect recovery data
3. Establish and maintain an isolated instance of recovery data

34
Q

CIS Control 12: Network Infrastructure Management

A

This control establishes procedures and tools for managing and securing a company’s network infrastructure (both physical and virtual devices).

Examples:
1. Maintain a secure network architecture
2. Ensure remote devices utilize a VPN
3. Maintain architecture diagrams

35
Q

CIS Control 13: Network Monitoring and Defense

A

This control establishes processes for monitoring and defending a company’s network infrastructure against internal and external security threats.

Examples:
1. Centralize security event alerting
2. Collect network traffic flow logs
3. Deploy port-level access control

36
Q

What is a Denial of Service (DoS) Attack?

A

This is when the perpetrator gains access to a network and overloads it with traffic so that it is effectively rendered useless.

37
Q

What is Ransomware?

A

This is when an attacker gains access to a system and blocks employees from accessing it, then demands payment to restore access.

38
Q

CIS Control 14: Security Awareness and Skills Training

A

This control guides organizations in establishing a security awareness and training program to reduce cybersecurity risk.

Examples:
1. Establish a training program
2. Train employees on social engineering attacks
3. Train employees on how to report a security incident

39
Q

CIS Control 15: Service Provider Management

A

This control helps organizations develop processes to evaluate third-party service providers that have access to sensitive data or that are responsible for managing some or all of a company’s IT functions.

Examples:
1. Establish an inventory of service providers
2. Classify service providers
3. Monitor service providers

40
Q

CIS Control 16: Application Software Security

A

This control establishes safeguards that manage the entire life cycle of software that is acquired, hosted, or developed in-house to detect, deter and resolve cybersecurity weaknesses before they are exploited.

Examples:
1. Establish a severity rating system
2. Train developers in app security
3. Conduct app penetration testing and threat modeling

41
Q

CIS Control 17: Incident Response Management

A

This control provides the recommendations necessary to establish an incident response management program to detect, respond, and prepare for potential cybersecurity attacks.

Examples:
1. Designate incident personnel
2. Conduct post-incident reviews
3. Conduct routine incident response exercises

42
Q

CIS Control 18: Penetration Testing

A

This control helps organizations test the sophistication of their cybersecurity defense system in place by simulating actual attacks in an effort to find and exploit weaknesses.

Examples:
1. Perform penetration tests
2. Remediate penetration test findings
3. Validate security measures

43
Q

What are the 6 principles for a governance system?

A

VHDDTE - Very Healthy Dieters Do Try Everything

Value to stakeholder
Holistic approach
Dynamic governance system
Distinct governance from management
Tailored to enterprise needs
End-to-End governance system

44
Q

What are the 3 principles for a governance framework?

A

CFA

Conceptual Model
Flexible and Open
Aligned to Major Standards

45
Q

COBIT Core Model

A
  1. Governance Objectives
  2. Management Objectives
46
Q

What are the segments of governance objectives in the COBIT core model?

A

Evaluate, Direct, and Monitor (EDM)

47
Q

What are the segments of management objectives in the COBIT core model?

A
  1. Align, Plan, and Organize (APO)
  2. Build, Acquire, and Implement (BAI)
  3. Deliver, Service, and Support (DSS)
  4. Monitor, Evaluate, and Assess (MEA)
48
Q

Extensible Business Reporting Language (XBRL)

A

XBRL is specifically designed for exchanging financial information over the World Wide Web.

49
Q

What is parity checking?

A

Parity checking is a method where the number of bits in the total number of bytes in a transmitted message is added up. Then, a zero or a one is added to make the parity even or odd. If and when a transmitted message is modified and the number of bits has changed, the system detects this and triggers a resending of the message.

This ultimately helps keep transmitted data safe.