IS4550 CHAPTER 8 Flashcards

1
Q

A committee that deals with audit issues and non-financial risks is called ___.

A

AUDIT COMMITTEE

2
Q

An organization that developed a framework for validating internal controls and managing enterprise risks, focused on financial operations and risk management, is called ___.

A

COMMITTEE OF SPONSORING ORGANIZATIONS (COSO)

3
Q

The risk relating to the impact on the business of failing to comply with legal obligations is called ___.

A

COMPLIANCE RISK

4
Q

A widely accepted framework that brings together business and control requirements with technical issues is called ___.

A

CONTROL OBJECTIVES FOR INFORMATION AND RELATED TECHNOLOGY (COBIT)

5
Q

A person who implements policies and procedures such as backup, versioning, uploading, downloading, and database administration is called ___.

A

DATA ADMINISTRATOR

6
Q

A person who grants access rights and assesses information security threats to the organization is called ___.

A

DATA SECURITY ADMINISTRATOR

7
Q

The owner of data, who approves access rights and is responsible for data quality, is called ___.

A

DATA STEWARD

8
Q

A framework that aligns strategic goals, operational effectiveness, reporting, and compliance objectives, and is not technology specific, is called ___.

A

ENTERPRISE RISK MANAGEMENT (ERM)

9
Q

A committee that helps align the security committee to organization goals and objectives is called ___.

A

EXECUTIVE COMMITTEE

10
Q

Events that could potentially impact the business when it fails to provide adequate liquidity to meet its obligations are called ___.

A

FINANCIAL RISK

11
Q

A set of tools that bring together the capabilities to systematically manage risk and policy compliance is called ___.

A

GOVERNANCE, RISK MANAGEMENT AND COMPLIANCE (GRC)

12
Q

A role that deals with all aspects of information, such as security, quality, definition, and availability, and is responsible for data quality is called ___.

A

HEAD OF INFORMATION MANAGEMENT

13
Q

An individual accountable for identifying, developing, and implementing security policies and corresponding security controls is called ___.

A

INTERNATIONAL ORGANIZATION FOR STANDARDIZATION (ISO)

14
Q

Having two or more layers of independent controls to reduce risk is called ___.

A

LAYERED SECURITY APPROACH

15
Q

An organization that creates security guidelines on security controls for federal information systems is called ___.

A

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY (NIST)

16
Q

___ is a framework for information security assessment and planning consisting of tools, techniques, and methods.

A

OCTAVE

17
Q

An event that disrupts the daily activities of an organization is called ___.

A

OPERATIONAL RISK

18
Q

A committee that provides important information on the risk appetite of the organization and various businesses is called ___.

A

OPERATIONAL RISK COMMITTEE

19
Q

Understanding risks and determining how much potential risk and related problems the business is willing to accept is called ___.

A

RISK APPETITE

20
Q

A domain in the ISACA Risk IT framework that calls for analyzing risk and determining its impact on the business is called ___.

A

RISK EVALUATION

21
Q

A domain in the ISACA Risk IT framework that ensures that risk management activity aligns with the business goals, objectives, and tolerances is called ___.

A

RISK GOVERNANCE

22
Q

A domain in the ISACA Risk IT framework that specifies the ability to react so that risks are reduced and remedied in a cost-effective manner is called ___.

A

RISK RESPONSE

23
Q

A committee that acts as a steering committee for the information security program is called ___.

A

SECURITY COMMITTEE

24
Q

The underlying principle that no individual should be able to execute a high-risk transaction or conceal errors or fraud in the normal course of their duties is called ___.

A

SEPARATION OF DUTIES (SOD)

25
Q

An event that may change how the entire organization operates is called ___.

A

STRATEGIC RISK

26
Q

Focusing resources to deliver the greatest benefits is called ___.

A

VALUE DELIVERY

27
Q
The security committee is the key committee for the CISO.

TRUE OR FALSE

A

TRUE

28
Q
Which of the following is not an IT security policy framework?
  1. COBIT
  2. ISO
  3. ERM
  4. OCTAVE
A

ERM

29
Q
Which of the following are PCI DSS network requirements?
  1. Network segregation
  2. Penetration testing
  3. Virus scanning
  4. All the above
  5. 1 and 2 only
A

Network segregation
Penetration testing
Virus scanning

ALL THE ABOVE

30
Q
Which of the following are common IT framework characteristics?
  1. Risk based management
  2. Aligned business risk appetite
  3. Reduced operation disruption and losses
  4. Established path from requirements to control
  5. All the above
  6. 1 and 3 only
A

Risk based management
Aligned business risk appetite
Reduced operation disruption and losses
Established path from requirements to control

ALL THE ABOVE

31
Q
Which of the following applies to both GRC and ERM?
  1. Defines an approach to reduce risk
  2. Applies rigid framework to eliminate redundant controls, policies, and efforts
  3. Passively enforces security policy
  4. Seeks line of sight into root causes of risks
A

Defines an approach to reduce risk

32
Q
The underlying concept of SOD is that individuals execute high-risk transactions as they receive pre-approval.

TRUE OR FALSE
A

FALSE

33
Q
A risk management and metrics team is generally the first team to respond to an incident.

TRUE OR FALSE
A

FALSE

34
Q
Which of the following approves business access to data?
  1. Data steward
  2. Data guardian
  3. Data administrator
  4. 1 and 3
  5. All the above
A

Data steward

35
Q
Which of the following is not a key area of improvement noted after COBIT implementation?
  1. Value delivery
  2. Decentralization of the risk function
  3. Better resourcing of IT
  4. Better communication
A

Decentralization of the risk function

36
Q
A security team's organizational structure defines the team's ___.
A

Priorities or specialties

37
Q
Implementing a governance framework can allow an organization to systematically identify and prioritize risks.

TRUE OR FALSE
A

TRUE

38
Q
The more layers of approval required for SOD, the more ___ it is to implement the process.
A

Expensive or burdensome

39
Q
Monitoring detects which of the following?
  1. A network breach
  2. Hackers probing the network
  3. 1 and 2
  4. None of the above
A

A network breach

Hackers probing the network

40
Q
All organizations should have a full-time team dedicated to collecting, reviewing, and reporting to demonstrate adherence to regulation.

TRUE OR FALSE
A

FALSE