ISC Flashcards

1
Q

What are the 8 functions of the NIST Privacy Framework Core?

A
  1. Identify (ID-P): company’s privacy risks related to data processing activities
  2. Govern (GV-P): best governance structure for privacy risks related to the company’s data processing activities
  3. Control (CT-P): best management structure for privacy risks related to data processing activities
  4. Communicate (CM-P): organization’s dialogue around privacy risks related to data processing activities
  5. Protect (PR-P): safeguards that should be in place around privacy risks related to data processing activities
  6. Detect (DE): detect data privacy risks and events
  7. Respond (RS): respond to data privacy events
  8. Recover (RC): continue business after data privacy events
2
Q

What are the five categories in the **protect function** of the NIST Privacy Framework Core Functions?

A
  1. data protection policies
  2. processes
  3. procedures
  4. identity management, authentication, and access control
  5. data security, maintenance, and protective technology
3
Q

What are the three categories in the **control function** of the NIST Privacy Framework Core Functions?

A
  1. data processing policies, processes, and procedures
  2. data processing management
  3. disassociated processing
4
Q

What are the four categories in the **identify function** of the NIST Privacy Framework Core Functions?

A
  1. inventory and mapping
  2. business environment
  3. risk assessment
  4. data processing ecosystem management
5
Q

What are the four categories in the **govern function** of the NIST Privacy Framework Core Functions?

A
  1. governance policies, process, and procedures
  2. risk management strategy
  3. awareness and training
  4. monitoring review
6
Q

What are the four Tiers under the NIST CSF?

A

Tier 1 (partial): incident management is not integrated into organizational processes and is often ad hoc.
Tier 2 (risk informed): implementation involves cybersecurity awareness by the rest of the organization but does not involve being securely managed.
Tier 3 (repeatable): implementation involves an organizational risk approach to cybersecurity where it is integrated into planning and regularly communicated among senior leadership.
Tier 4 (adaptive): implementation involves the prioritization of managing cyber risks similar to other forms of organizational risks.

7
Q

What are the common transaction cycles?

A
  • Revenue and cash collection cycle
  • Human Resources and payroll cycle
  • Purchasing and disbursement cycle
  • Production and fixed asset cycle
  • Treasury cycle (facilitates the movement of capital that is generated and spent in the other cycles so that cash is managed effectively)
8
Q

What’s an example of an economic event paired to a transaction cycle?

A

Loan payments for retail locations are made in the treasury cycle. This is used to disburse capital for things like investments, purchases of fixed assets, and other expenses.

9
Q

What are the computer network devices and their specific roles in facilitating network interconnectivity?

A
  • Routers manage traffic
  • Gateways act as intermediaries
  • Servers execute commands and provide computing power for other machines on the network
10
Q

What is the order for developing a business continuity plan for disaster recovery?

A
  1. Assess key risks
  2. Identify mission-critical applications and data
  3. Develop a plan for handling these applications
  4. Determine responsibilities for parties involved in disaster recovery
  5. Test recovery plan
11
Q

What are the steps for a business impact analysis (BIA)?

A

  1. Establish the BIA approach
  2. Identify critical resources
  3. Define disruption impacts
  4. Estimate losses
  5. Establish recovery priorities (e.g., determine optimal MTD and MTTR)
  6. Create the BIA report
  7. Implement BIA recommendations

12
Q

What is a business impact analysis (BIA), and why is it critical in establishing an effective business resiliency program?

A

A BIA is an analysis that identifies the departments, business units, and processes that are critical to a company’s survival, and the impact if any of those fail.
It ensures a company’s survival in the event of a system failure or disruption.

13
Q

What is the process of normalization?

A

  1. Determine whether the data conforms to the first normal form (1NF), which makes sorting and filtering data easier. Each field must contain only one piece of information, and each record in every table must be uniquely identified.
  2. Conform the data by requiring all non-key attributes in the table to depend on the entire primary key.
  3. Ascertain whether each column in the table describes only the primary key, and establish that none of the non-key attributes depend on other non-key attributes.

14
Q

What are the three principles for a governance framework?

A

Based on conceptual model, open and flexible, and aligned to major standards.

15
Q

Why is a business impact analysis (BIA) important?

S2 - M3

A

A BIA is critical in establishing an effective business resiliency program that ensures a company’s survival in the event of a system failure or disruption.

16
Q

What are the steps in a business impact analysis (BIA)?

S2 - M3

A
  1. Establish BIA approach: executives and management define impact types, criteria, and time frames to observe and the methodology(s) to use.
  2. Identify critical roles: define critical functions with IT resources by interviewing key personnel and reviewing docs.
  3. Define disruption impacts: identify and evaluate the impact of service disruption.
  4. Estimate losses: list probable risks and events and assign the likelihood of the loss (i.e., ARO - annualized rate of occurrence).
  5. Establish recovery priorities: prioritize resource recovery.
  6. Create the BIA report: can be at the department level, business unit level, product level, etc.
  7. Implement BIA recommendations: senior management evaluates the comprehensive BIA report for the greatest risks and implements preventative or corrective actions for remediation.
17
Q

What are popular technologies used in business process improvement and accounting information system automation? Define them and explain what benefits they provide organizations.

S2 - M7

A
  • Robotic process automation: use of programs to perform repetitive tasks that do not require skilled human labor (e.g., extracting info from UI and inputting data into a form, moving files, sending payment reminders, and other clerical work).
  • Natural language processing (NLP) software: used to encode, decode, and interpret human languages so that the technology can perform tasks, interact with humans, or carry out commands on other tech devices.
  • Neural networks: mimic the functions of a human brain with basic pieces involving an input layer (stack-ranks content), a hidden layer (assigns weights), and an output layer (makes recommendations).
  • Large language models: A.I. tool used to identify bugs in code.
  • Logistic regression: statistical model used in machine learning to predict outcomes (no layers, just precise mathematical function).
  • Decision tree: tree-like shape/model used for decision making, starting with a single node that splits off into multiple nodes, based on the probability of each node occurring.
  • K-means clustering: algorithm used to segment a set of observations for the purpose of profiling and customer segmentation.
18
Q

How does the National Institute of Standards for Technology (NIST) define confidentiality?

S3 - M4

A

NIST defines confidentiality as preserving authorized restrictions on access and disclosure of data, including means for protecting personal privacy and proprietary information.

19
Q

Define privacy.

S3 - M4

A

NIST defines privacy as the right of a party to maintain control and confidentiality of information about itself.

20
Q

What are the four benefits of relational databases?

S2 - M6

A
  1. Completeness
  2. No redundancy
  3. Business rules enforcement
  4. Communication and integration of business processes

Combining attributes to create unique identifiers in a table is a compos

21
Q

What are the different types of System and Organizational Controls (SOC) reports for service organizations?

S4 - M1

A
  1. SOC 1: Internal control over Financial Reporting. The examination and reporting on controls at a service organization that are likely to be relevant to user entities’ internal control over financial reporting.
  2. SOC 2: Trust Services Criteria. The examination and reporting on the security, availability, or processing integrity of a system, or the confidentiality or privacy of the information processed by the system. SOC 2 reports are intended for use by those who have sufficient knowledge and understanding of the service organization, the services it provides, and the system used to provide those services, among other matters.
  3. SOC 3: Trust Services Criteria for General Use Report. It differs from SOC 2, in that it’s for general users who need assurance about the controls but lack the knowledge and understanding for it, so a SOC 3 report does not include a description of the system, service auditor’s tests of controls, and the results thereof.
22
Q

What is the difference between a Type 1 and Type 2 report in a Service and Organization Controls (SOC) engagement?

S4 - M1

A

The key differences are related to the content and timing.
1. Type 1 report assesses the design of controls at a given point in time.
2. Type 2 report covers both design and operating effectiveness of controls over a period of time.

23
Q

What are the three commonly used methodologies for threat models?

A
  • VAST (visual, agile, and simple threat): model based on the agile project management methodology with the goal to integrate threat management into a programming environment on a scalable basis.
  • STRIDE (spoofing, tampering, repudiation, information disclosure, denial-of-service attack, and elevation of privilege): used to assess threats related to applications and operating systems, including network threats and social engineering.
  • PASTA (process for attack simulation and threat analysis): has seven stages that focus on risks and countermeasures that are prioritized by the value of the assets being protected.
24
Q

What is the relationship and difference between service commitments and system requirements?

A
  • Service commitment is a declaration made to user entities about a system used to provide a service.
  • Service requirement is a specification about how the system should function to meet those service commitments.
25
Q

When does a service auditor need to be independent from a subservice organization used by a service organization during an engagement to report on the controls of the service organization?

A

The service auditor must be independent from the responsible party depending on the method being used. If the service organization uses the inclusive method in its system description, then the subservice organization becomes a responsible party. If the service organization uses the carve-out method, the subservice organization is not considered a responsible party and no independence between the service auditor and subservice organization is needed.

26
Q

What are the 6 GDPR (General Data Protection Regulation) principles to follow when processing data?

A
  1. Lawfulness, Fairness, Transparency
  2. Purpose Limitation: processed for specified, explicit, and legitimate purposes.
  3. Data Minimization: adequate, relevant, and limited to what is necessary for the purpose
  4. Accuracy
  5. Storage Limitation
  6. Integrity and Confidentiality: processed securely and protected against unauthorized or unlawful processing, accidental loss, destruction, or damage.
27
Q

In addressing IT system availability risks, what is the difference between mirroring and replication?

A
  • Mirroring: copies a database onto a different machine for the purpose of data redundancy in case the main database fails.
  • Replication: copies and transfers data between different databases located in different sites geographically or the cloud.
28
Q

When it comes to collecting data, what’s the difference between active and passive data collection methods?

A
  • Active data collection: directly asking for data through in person interview, survey, or other means.
  • Passive data collection: data collected without permission or direct communication.