ISC Flashcards

1
Q

What is the key difference in controls when changing from a manual system to a computer system?

A

Methodologies for implementing controls change. The controls almost always are different. Objectives and principles remain the same; the implementation of those principles is different.

2
Q

What is the purpose of an organization’s company-wide acceptable use policy (AUP)?

A

An acceptable use policy (AUP) is a control document that is created by an organization to regulate and protect technology resources by assigning varying levels of responsibility to job roles, listing acceptable behaviors by employees and vendors, and specifying consequences for those who violate the AUP. Users are often asked to sign and agree to the terms of an AUP prior to being granted access to systems, applications, and devices issued by the organization.

2
Q

Define an Access Control List (ACL)

A

A list of rules that outlines which users have permission to access certain resources, such as a file, folder, directory, or other IT resource. It also administers account restrictions, which govern what type of action the user can execute using those resources, such as the ability to edit a file, apply read-only status, or execute a program. Access and account restrictions are enforced by controlling network traffic based on the rules defined in the ACL.

3
Q

What are the two types of ACLs?

A

Filesystem ACL:
These ACLs grant or deny privileges in an operating system by restricting access to certain files, folders, and directories.

Networking ACL:
These ACLs are used to regulate the type of network traffic that is allowed to flow across a network by configuring routers, switches, and other network devices with an array of lists to enforce. Networking ACLs are not only used for controlling access, but also for improving network performance by restricting or channeling the flow of data.

3
Q

Define an Adverse Event

A

Any event with a negative consequence. System crashes, packet floods, unauthorized use of system privileges, and unauthorized access to sensitive data are all examples of adverse events.

4
Q

What is the difference between Confidentiality and Privacy?

A

Independent terms when it comes to cybersecurity.

Privacy:
Protects the rights of an individual and gives the individual control over what information they are willing to share with others.

Confidentiality:
Protects against unauthorized access to information gathered by the company.

5
Q

What are the System Conversion Methods in Change Management?

A

Direct:
Involves the organization ceasing the use of the old system and starting the new one immediately.

Parallel:
The new system is implemented while the old system is still in use for an extended period of time.

Pilot:
An organization performs a conversion on a small scale within a test environment while continuing to use the older system. Allows for validation and testing before rolling it out to the entire organization so adjustments can be made.

Phased:
Also referred to as gradual or modular conversion, this transition plan gradually adds volume to the new system while still operating the old system. Useful for businesses with distributed locations as it allows them to implement one site at a time.

Hybrid:
These are custom combinations of the above approaches, tailored to the unique needs of an organization.

6
Q

What are the types of Data Storage?

A

Operational Data Store (ODS):
A repository of transactional data from multiple sources; it is often an interim area between a data source and data warehouses.

Data Warehouse:
Very large data repositories that are centralized and used for reporting and analysis rather than for transactional purposes.

Data Mart:
Is much like a data warehouse but is more focused on a specific purpose such as marketing or logistics and is often a subset of a data warehouse.

Data Lake:
Is a repository similar to a data warehouse, but it contains both structured and unstructured data, with data mostly being in its natural or raw format.

7
Q

How is a document encrypted?

A

A sender uses an algorithm to convert cleartext to ciphertext.

8
Q

Cybersecurity Event vs Incident

A

Cybersecurity Event:
Is a change in the normal behavior of a given system, process, environment or workflow.
In other words: When something happens, it’s an event.
Occurs within a network or information system.

Examples: Employee flags a suspicious email. Someone downloads software (authorized or unauthorized) to a company device. A security lapse occurs due to a server outage.

Cybersecurity Incident:
Is a change in a system that negatively impacts the organization, municipality, or business. Might take place when a cyber attack occurs.

Examples: Employee replies to a phishing email, divulging confidential information. Equipment with stored sensitive data is stolen. A password is compromised through a brute force attack on your system.

9
Q

Network Security

Media Access Control (MAC) Filtering

A

Is a way to control which devices can connect to your WiFi network based on their physical addresses.

This is a form of filtering in which an access point blocks access to unauthorized devices using a list of approved MAC addresses. A MAC address, also referred to as a physical or hardware address, is a unique identifier found on devices in a network that is used as an address for communication with other devices on that network.

10
Q

What should service auditors do when it comes to Reporting Failures, System Incidents, and Concerns?

A

They should gain an understanding of processes in place to report system failures, system incidents, and complaints by either external or internal system users by inquiring of management about the controls in place.

11
Q

Who is responsible for identifying the nature, extent, and timing of system incidents in the service organization’s system description?

A

Management.

12
Q

What are the ways to delete confidential information?

A

Physical destruction = Involves the physical act of disassembling or changing the chemical construct of the data (e.g., through heat, pressure, or shredding).

Erasing = Performance of a delete operation of a file or its data.

Overwriting (Clearing) = Involves preparing media for reuse by replacing the old data with unclassified data.

Purging = Repeats the clearing process various times and may combine that process with another method, such as degaussing, which involves creating a strong magnetic field used to erase data on storage devices that use magnetism, such as magnetic tapes.

13
Q

Which deletion of confidential data method has the least risk?

A

Physical destruction of data.

14
Q

What is the biggest risk to confidential information when deleting/purging confidential information from storage devices?

A

When data is removed, a residual magnetic flux or imprint may remain on storage devices where tools can reverse the effects of wiping.

15
Q

What is the difference between Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS)?

A

DoS = An attacker floods a system’s network by congesting it with large volumes of traffic that are greater than the bandwidth it was designed to handle.

DDoS = These occur when multiple attackers or compromised devices are working in unison to flood an organization’s network with traffic. These attacks manipulate the operation of network equipment and services in such a way that they may be more powerful than a traditional DoS attack.

16
Q

What is Data Obfuscation and what are the three most common obfuscation applications?

A

Obfuscation = The process of replacing production data or sensitive information with data that is less valuable to unauthorized users.

Encryption = Scrambles unencrypted data using cryptography so that it can generally only be deciphered with a key.

Tokenization = Removes production data and replaces it with a surrogate value or token. Uses mathematical algorithms.

Masking = Swaps data with other like data so that the original identifying characteristics are disguised, or masked, while maintaining a similar structure to the unmodified data set.

17
Q

What are complementary user entity controls (CUECs)?

A

Controls that must be implemented by the user entity, in combination with the service organization’s controls, to provide reasonable assurance that the control objectives stated in management’s description of the service organization’s system (SOC 1) or the service organization’s service commitments and system requirements (SOC 2) were achieved.

18
Q

Who is responsible for determining whether to carve out or include a subservice organization?

A

Management.

19
Q

What is the Carve-Out Method?

A

This method is most common and means that the subservice organization’s controls are NOT included in the scope of the SOC report.

The vendor has CARVED OUT all the controls that the subservice organization is responsible for, essentially making them not applicable.

20
Q

What is the Inclusive Method?

A

In this method, the controls from the subservice organization that support normal operations are included in the SOC report and will be reviewed by the auditor.

21
Q

When complementary user entity controls are identified, which sections of the service auditor’s SOC report will be amended to include language that references the complementary user entity controls?

A

Both the scope and opinion sections of the service auditor’s report will refer to the identified complementary user entity controls.

22
Q

Describe Patch Management

A

An important part of minimizing security threats that works in conjunction with vulnerability management solutions. It keeps devices up to date and secure.

23
Q

What do Detective Controls do? List examples of them.

A

They detect a threat event while it is occurring and provide assistance during investigations and audits after the event has occurred.

Network Intrusion Detection System (NIDS)

Antivirus Software Monitoring

Network Monitoring Tools

Log Analysis

Intrusion Detection Systems (IDS)

24
Q

What do Corrective Controls do? List examples of them.

A

Intended to fix known vulnerabilities as a result of recent security incidents, security self-assessments, or changes in industry practices. These controls become preventive or detective once they are put in place and operating effectively.

Reconfigurations

Upgrades and Patches

Revised Policies and Procedures

Updated Employee Training

Recovery and Continuity Plans

Antivirus Software Removal of Malicious Viruses

Virus Quarantining

25
Q

When a service organization has more than one subservice organization, does it choose the carve-out or the inclusive method?

A

It is up to the service organization management to apply the carve-out method, inclusive method, or a mix of both to the subservice organizations. There is no requirement for a consistent application of one method.

When a service organization uses multiple subservice organizations, it may prepare its description using the carve-out method for one or more subservice organizations and the inclusive method for others.

26
Q

What are the five trust criteria?

A

CAPPS

Confidentiality = Information designated as confidential is protected to meet the entity’s objectives.

Availability = Information and systems are available for operation and use to meet the entity’s objectives.

Processing Integrity = System processing is complete, valid, accurate, timely, and authorized to meet the entity’s objectives.

Privacy = Personal information is collected, used, retained, disclosed, and disposed of to meet the entity’s objectives.

Security = Information and systems are protected against unauthorized access; unauthorized disclosure of information; and damage to systems that could compromise the availability, integrity, confidentiality, and privacy of information or systems and affect the entity’s ability to meet its objectives.

27
Q

What is a service commitment of a SOC 2?

A

Declarations made by service organization management to user entities and others (such as user entities’ customers) about the system used to provide the service.

28
Q

What are system requirements for a SOC 2?

A

Specifications on how the system should function to meet all service commitments for user entities, user entity customers, vendors, business partners, laws and regulations.

29
Q

What are the stages of a cyberattack?

A

Reconnaissance: First stage, attackers discover and collect as much information about the target IT system as possible.

Gaining Access: When information collected in the previous steps is used to gain access to the target of an attack using a variety of techniques.

Escalation of Privileges: Once access into a system is obtained, attackers attempt to gain higher levels of access in this stage.

Maintaining Access: Attacker remains in the system for a sustained period of time until the attack is completed and looks for alternative ways to prolong access or return later.

Network Exploitation and Exfiltration: Attackers proceed with the objective of disrupting system operations by stealing sensitive data, modifying data, disabling access to systems or data, or performing other malicious activities.

Covering Tracks: Occurs while the attack is in progress or after the attack is completed and involves the attacker concealing the entry or exit points in which access was breached.

30
Q

What are the criteria that must be met for a vendor to be considered a subservice organization?

A

The services provided by the vendor must be relevant to the users’ understanding of the service organization’s system, and the vendor’s controls must be necessary, in combination with the controls of the service organization, to provide reasonable assurance that the service commitments and system requirements are achieved.

31
Q

What are examples of Personally Identifiable Information (PII)?

A

Name

SSN, Passport Number, Driver’s License Number, Taxpayer Number, Credit Card Number

Address, Street or Email

Personal Characteristics, Photos, Fingerprints, Handwriting, or other Biometric Data

32
Q

What are the three Threat Methodologies?

A

Process for Attack Simulation and Threat Analysis (PASTA)

Visual, Agile, and Simple Threat (VAST)

Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege (STRIDE)

33
Q

CIS Control 16: Application Software Security

A

Manage the security life cycle of in-house developed, hosted, or acquired software to prevent, detect, and remediate security weaknesses before they can impact the enterprise.

34
Q

Types of system backups

A

Full: Exact copy of the entire database.

Incremental: Copying only the data items that have changed since the last backup.

Differential: Copies all changes made since the last full backup.

35
Q

Main contents of a Type 1 report

A

Management’s description of the service organization’s system.

A written assertion by management of the service organization about whether, AS OF A SPECIFIED DATE, based on the criteria:

  • Management’s description of the system fairly presents the service organization’s system that was designed and implemented.
  • The controls related to the control objectives stated in management’s description of the system were suitably designed to achieve those control objectives.

A report that expresses an opinion on the matters described above.

36
Q

Main contents of a Type 2 report

A

Management’s description of the service organization’s system.

A written assertion by management of the service organization about whether, THROUGHOUT A SPECIFIED PERIOD, based on the criteria:

  • Management’s description of the system fairly presents the service organization’s system that was designed and implemented.
  • The controls related to the control objectives stated in management’s description of the system were suitably designed and operated effectively to achieve those control objectives.

A report that expresses an opinion on the matters described above and includes a description of the tests of controls and the results.

37
Q

Key differences between Type 1 and Type 2 SOC Report

A

A Type 1 report covers the system design as of a given point in time, whereas a Type 2 report covers both the design and operating effectiveness over a period of time.

38
Q

Who are SOC 1 reports restricted to?

A

Management of the service organization

User entities of the service organization’s system

Independent auditors of such user entities.

*It does not include potential users of the service organization.

39
Q

What does a SOC 3 report not include?

A

A description of the system (detailed controls within the system are not disclosed)

A description of the service auditor’s tests of controls, and the results thereof.

40
Q

What is a Race Condition?

A

A situation where two or more processes try to modify shared data simultaneously, leading to unpredictable results.

41
Q

What is system hardening?

A

Hardening is a cybersecurity strategy that involves strengthening the security of a network component by reducing its vulnerability to attacks.

42
Q

What are 4 main examples of system hardening?

A

Database hardening
Endpoint hardening
Network hardening
Server hardening

43
Q

Examples of physical (on-premises) attacks

A

Intercepting Discarded Equipment = Stealing thrown out equipment and getting the data from it.

Piggybacking = Using an authorized person’s access to gain entrance to a physical location or electronic access.

Targeted by Attackers =

Tampering = Getting to the physical IT infrastructure and modifying the way its network deals with data.

Theft = Straight up stealing stuff.

44
Q

When forming an Opinion in a SOC Engagement the auditor should evaluate:

A

The sufficiency and appropriateness of the evidence obtained; and

Whether uncorrected misstatements, individually or in the aggregate, are material.

45
Q

What are the contents of the Auditor’s Report for a SOC Engagement?

A

Management’s description of the system

Management’s assertion

Independent service auditor’s report

Auditor’s tests of controls and results of tests

46
Q

COSO Control Environment

A

Covers control from the perspective of the board and management through integrity, ethics, the proper corporate structure, and establishing an environment that holds employees accountable.

The entity demonstrates a commitment to integrity and ethical values.

The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.

The entity holds individuals accountable for their internal control responsibilities in the pursuit of objectives.

The entity demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.

47
Q

COSO Risk Assessment

A

Focuses on identifying risk, considering the potential for fraud, and understanding changes that could impact internal controls.

The entity specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.

The entity identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.

The entity considers the potential for fraud in assessing risks to the achievement of objectives.

The entity identifies and assesses changes that could significantly impact the system of internal control.

48
Q

COSO Control Activities

A

Relates to the control activities implemented and designed to ensure the proper application of policies and procedures that help ensure management directives and control objectives are met.

Selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.

Also selects and develops general control activities over technology to support the achievement of objectives.

Deploys control activities through policies that establish what is expected and procedures that put those policies into action.

Added trust services supplemental criteria
-Logical and physical access controls
-System Operations
-Change Management
-Risk Mitigation

49
Q

COSO Information and Communication

A

Focus on obtaining, generating, and controlling information and communication.

Obtains or generates and uses relevant, quality information to support the functioning of internal control.

Internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.

Communicates with external parties regarding matters affecting the functioning of internal control.

50
Q

COSO Monitoring

A

Outlines how an organization should conduct ongoing evaluations of control activities and communicate internal control deficiencies.

The entity selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.

Evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.

51
Q

Common sections of management’s system description SOC 1

A

Types of services provided.

Procedures performed.

System functionality

Subservice organizations

Controls

Information on other aspects of the control environment, risk assessment process, information and communication, control activities, and monitoring activities that are relevant to the services provided.

Prepare reports

Deficiencies in information.

Complementary user entity controls (CUECs)

Relevant details of changes to the service organization’s system during the period covered by the description. (Type 2 only)

The description does not omit or distort information relevant to the system and is prepared to meet the common needs of a broad range of user entities and their auditors and thus may not include every aspect that a user entity may consider important in its own particular environment.

52
Q

Common sections of management’s system description SOC 2

A

Types of services provided

Principal service commitments and system requirements
-Service Commitments
-System Requirements

Components of the system used to provide the services

Identified system incidents

Applicable trust services criteria

Complementary user entity controls (CUECs)

Subservice organizations
-Inclusive method
-Carve-out method

Irrelevant specific criteria

Detail of system and controls changes during the period that are relevant to the service organization’s service commitments and system requirements (Type 2 only)

53
Q

What is management’s description of the entity’s cybersecurity risk management program?

A

It is a set of policies, processes, and controls designed to:

-Protect information and systems from security events that could compromise the achievement of the entity’s cybersecurity objectives; and

-Detect, respond to, mitigate, and recover from, on a timely basis, security events that are not prevented.

54
Q

What are the categories of description criteria for an entity’s cybersecurity risk management program?

A

Nature of business and operations
Nature of information at risk
Cybersecurity risk management program objectives (cybersecurity objectives)
Factors that have a significant effect on inherent cybersecurity risks
Cybersecurity risk governance structure
Cybersecurity risk assessment process
Cybersecurity communications and the quality of cybersecurity information
Monitoring of the cybersecurity risk management program
Cybersecurity control processes

55
Q

The written assertions from management to the auditor state what?

SOC 1 & 2

A

Management’s description of the system fairly presents the system that was designed and implemented

The controls stated in management’s description of the system were suitably designed.

The controls stated in management’s description of the system operated effectively (Type 2 only)

56
Q

In a SOC 3 engagement, management’s assertion addresses whether:

A

The controls within the system were effective throughout the specified period to provide reasonable assurance that the service organization’s service commitments and system requirements were achieved based on the applicable trust services criteria, including a description of the boundaries of the system and the service organization’s principal service commitments and system requirements.

56
Q

What should an auditor do if management refuses to give a written assertion?

A

The auditor is required to withdraw from the engagement when possible under applicable laws and regulations.

If law or regulation does not allow the service auditor to withdraw, the auditor should disclaim an opinion on the description, the suitability of the design of controls in a Type 1, and the operating effectiveness of controls in a Type 2.

57
Q

What are the key components of a SOC 1 & 2 report?

A

-Management’s description of the system

-Management’s assertion

-Independent service auditor’s report

-Auditor’s tests of controls and results of tests (Type 2 only)

58
Q

What are the key differences between CSOC and CUEC?

A

CSOCs are controls that a subservice organization must execute in order for a service organization’s controls to function effectively, whereas CUECs are controls a user organization must employ for the service organization’s controls to function. In both scenarios, the service organization relies on other entities (vendor or client) for their own controls to work properly.

59
Q

NIST Implementation Tiers

A

Tier 1 (Partial) = On-demand or no security procedures. Very little awareness of cybersecurity risk. Risk management is ad hoc.

Tier 2 (Risk-informed) = More knowledge of risk, but lacks a coordinated strategy and uniform departmental rules. May be isolated from organizational processes.

Tier 3 (Repeatable) = More equipped to deal with risk and threats. Have risk management and cybersecurity best practices that have received executive approval.

Tier 4 (Adaptive) = Mostly in banking, healthcare, and critical infrastructure. High tech solutions are incorporated. Adaptive policies and procedures. Responsive to evolving threats. Organization-wide and similar to other forms of organizational risk.

60
Q

Define NIST SP 800-53

A

A set of security and privacy controls applicable to all information systems that has become the standard for federal information security systems.

Designed for protecting information systems against sophisticated threats.

61
Q

NIST SP 800-53 Purpose and Applicability

A

These standards are designed to help organizations identify the security and privacy controls needed to manage risk and satisfy the following security and privacy requirements:

Office of Management and Budget (OMB) Circular A-130: Requires the controls for federal information systems.

The Federal Information Security Modernization Act (FISMA): Requires the implementation of minimum controls to protect federal information and information systems.

62
Q

Under the HIPAA security rule, covered entities must protect electronic PHI (Protected Health Information) from all:

A

Security threats that are reasonably anticipated.

63
Q

What are the goals of PCI DSS?

A

Build and maintain a secure network and systems

Protect cardholder data

Maintain a vulnerability management program

Implement strong access control measures

Regularly monitor and test networks

Maintain an information security policy

64
Q

What are the PCI DSS requirements?

A

Install and maintain a firewall configuration to protect cardholder data

Do not use vendor-supplied defaults for system passwords and other security parameters

Protect stored cardholder data

Encrypt transmission of cardholder data across open, public networks

Protect all systems against malware and regularly update anti-virus software or programs

Develop and maintain secure systems and applications

Restrict access to cardholder data through use of need-to-know restrictions

Identify and authenticate access to system components

Restrict physical access to cardholder data

Track and monitor all access to network resources and cardholder data.

Regularly test security systems and processes

Maintain a policy that addresses information security for all personnel.

65
Q

Who is responsible for setting IT governance policies?

A

Board of Directors

66
Q

What are the components of the COBIT 2019 Governance System?

A

*These components are factors that either collectively or individually contribute to the successful execution of a company’s governance system over information technology and systems.

-Processes
-Organizational Structures
-Principles, Policies, Frameworks
-Information
-Culture, Ethics, and Behavior
-People, Skills, and Competencies
-Services, Infrastructure, and Applications

67
Q

Network Infrastructure Hardware

What are they and what do they do?

A

Modems - Connect a network to an internet service provider’s network, usually through a cable connection. It is the device that brings internet into a home or office. Each modem has a public IP address.

Routers - Manage network traffic by connecting devices to form a network. They read the source and destination fields in packet headers to determine the most efficient path through the network for the packet to travel. Act as a link between a modem and switches or a user’s device.

Switches - Similar to routers in that they connect and divide devices within a computer network. Work like a power strip that converts one network jack into several so multiple devices can share one network connection.

Gateways - A computer or device that acts as an intermediary between different networks.

Servers - Physical or virtual machines that coordinate the computers, programs, and data that are part of the network.

Firewalls - Software applications or hardware devices that protect network traffic by filtering it through security protocols with predefined rules.

68
Q

What are the types of Firewalls?

A

Basic packet-filtering firewalls - Inspect each packet (the unit in which network data is transmitted) on its own, comparing header fields such as source and destination IP address, port, and protocol against the rules the firewall is configured with, and accept or drop it accordingly. They keep no record of connections, so every packet is judged in isolation.

Circuit-Level Gateways - Work at the session (TCP) layer: verify that the connection handshake and the source of a packet are legitimate and meet the rules and policies set by the security team, without inspecting the contents of the packets.

Application-Level Gateways - Inspect the packet itself, including the application-layer content (for example, the HTTP request inside it). These gateways are very resource-intensive and may slow performance.

Network Address Translation (NAT) - Translates the private addresses of internal hosts to the firewall’s public address on the way out, and back again for the return traffic. Outside networks see only the public address, so internal addresses and topology are hidden and unsolicited inbound connections have no internal host to reach.

Stateful Multilayer Inspection - Combines packet filtering with a state table that tracks each connection, so an inbound packet is allowed only if it belongs to a session that was legitimately opened; commonly layered with NAT and application-level checks.

Next-Gen - Adds application and user awareness, assigning different firewall rules to different applications as well as users, usually with integrated intrusion prevention. In this way, a low-threat application has more permissive rules assigned to it while a high-security application may have a highly restrictive rule set assigned.
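The difference between the first and the fifth type above is easiest to see in code. The following is an added example, not part of the flashcards: a stateless packet filter beside a stateful one, run over constructed packet records. The Packet class, the 10.0.0.0/24 "internal" range, the allowed ports and the addresses are all assumptions; there is no real network I/O.

```python
# Added example (not part of the flashcards): a stateless packet filter beside
# a stateful one, run over constructed packet records. Addresses and ports are
# made up; there is no real network I/O.
from dataclasses import dataclass

INTERNAL_PREFIX = "10.0.0."          # assumed internal address range
ALLOWED_OUTBOUND_PORTS = {80, 443}   # assumed policy: web only


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False


def is_outbound(p: Packet) -> bool:
    return p.src.startswith(INTERNAL_PREFIX)


def stateless_allow(p: Packet) -> bool:
    """Basic packet filtering: judge every packet on its own header fields.

    To let replies to outbound web connections back in, a stateless filter
    has to admit any inbound packet that merely looks like a reply (ACK set,
    source port 80/443). It cannot know whether a matching connection exists.
    """
    if is_outbound(p):
        return p.dport in ALLOWED_OUTBOUND_PORTS
    return bool(p.ack and p.sport in ALLOWED_OUTBOUND_PORTS)


class StatefulFilter:
    """Stateful inspection: keep a table of connections opened from inside and
    admit inbound packets only when they belong to one of those connections."""

    def __init__(self) -> None:
        self.flows: set[tuple[str, int, str, int]] = set()

    def allow(self, p: Packet) -> bool:
        flow = (p.src, p.sport, p.dst, p.dport)
        if is_outbound(p):
            if p.dport not in ALLOWED_OUTBOUND_PORTS:
                return False
            if p.syn and not p.ack:          # new connection opened from inside
                self.flows.add(flow)
            return flow in self.flows
        # Inbound: allowed only as the reverse direction of a known flow.
        return (p.dst, p.dport, p.src, p.sport) in self.flows


def compare(packets: list[Packet]) -> list[tuple[bool, bool]]:
    """Return (stateless_verdict, stateful_verdict) for each packet, in order."""
    stateful = StatefulFilter()
    return [(stateless_allow(p), stateful.allow(p)) for p in packets]


# Constructed traffic: a legitimate HTTPS connection followed by an unsolicited
# inbound packet that spoofs source port 443 and sets ACK to look like a reply.
SAMPLE_PACKETS = [
    Packet("10.0.0.5", 40000, "203.0.113.10", 443, syn=True),            # client SYN
    Packet("203.0.113.10", 443, "10.0.0.5", 40000, syn=True, ack=True),  # server SYN-ACK
    Packet("10.0.0.5", 40000, "203.0.113.10", 443, ack=True),            # client ACK / data
    Packet("198.51.100.7", 443, "10.0.0.9", 22, ack=True),               # spoofed "reply" at SSH
]

if __name__ == "__main__":
    for p, (stateless, stateful) in zip(SAMPLE_PACKETS, compare(SAMPLE_PACKETS)):
        print(f"{p.src}:{p.sport} -> {p.dst}:{p.dport}  "
              f"stateless={stateless} stateful={stateful}")
```

The first three packets pass both filters. The fourth passes the stateless filter, because ACK plus source port 443 is all it can check, and is dropped by the stateful filter, because no connection to 10.0.0.9:22 was ever opened from inside. That unsolicited-ACK gap is the reason stateless filtering alone is no longer considered adequate at a network edge.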

69
Q

Preventive Controls

A

Are designed to thwart malicious activity from ever occurring. They attempt to prevent attackers from accessing devices, applications, and networks by employing some of the following tactics:

-Safeguarding Practices
-Education and Training
-Regular Security Updates
-Encryption
-Firewalls
-Patches
-Device and Software Hardening
-Intrusion Prevention Systems (IPS)

70
Q

Intrusion Prevention System (IPS)

A

A preventive control.

It is a network security solution intended to detect and stop a cyberattack before it reaches the targeted systems. It sits inline, receiving a direct feed of traffic so that all data coming into the network passes through the IPS, similar to a firewall; because it is in the traffic path it can drop or block malicious packets itself rather than only raise an alert.

71
Q

Who is responsible for identifying the nature, extent, and timing of system incidents in the service organization’s system description?

A

Management

72
Q

Where would auditors gain an understanding of, and obtain evidence about, the processes in place to report system failures, system incidents, and complaints by external or internal system users?

A

Board meetings minutes

Inquiries about third-party administered whistleblower hotlines.

Policies, procedures, and communication plans on the intranet, website, or customer portals.

Evidence that management monitors personnel and provides them with training.

Description of system, system boundaries, and system processes on the intranet and internet.

Agreements are established with service providers and business partners that include clearly defined terms, conditions, and responsibilities for service providers.

Planned changes to system components from the IT maintenance schedule and communications for internal users, and the customer portal or website.

73
Q

Data Backup Sites

A

Cold = Facility is prepared (space, power, cooling, connectivity) but no equipment or data is in place; longest time to recover.

Warm = Equipment is in place and connected, but current data must be loaded before operations can resume.

Hot = Equipment is in place and operational data is already loaded and kept current, so operations can fail over almost immediately; most expensive option.

73
Q

Risks specific to cloud computing

A

Additional Industry Exposure

Cloud Malware Injection Attacks

Compliance Violations

Loss of Control

Loss of Data

Loss of Visibility

Multi-Cloud and Hybrid Management Issues

Theft or Loss of Intellectual Property

74
Q

What are the four cloud computing deployment models

A

Public = Owned and managed by a CSP that makes the cloud services available to people or organizations who want to use or purchase them.

Private = The cloud is created for a single organization and is managed by the organization or a CSP. The cloud infrastructure can exist on or off the organization’s premises.

Hybrid = Is composed of two or more clouds, with at least one being a private cloud, that remain unique cloud entities but with technology in place that facilitates the portability of data and applications between each entity.

Community = Is shared by multiple organizations to support a common interest, such as companies banding together for regulatory compliance, a common mission, or collaboration with industry peers.

75
Q

What are the five components of COSO Integrating with Strategy and Performance?

A

Governance and Culture = Sets company’s tone and reinforces the importance of having oversight of enterprise risk management.

Strategy and Objective-Setting = Enterprise risk management is considered together with strategy during the strategic planning process, where the risk appetite is set and aligned with business objectives.

Performance = Requires that organizations prioritize their risks based on risk appetite so that business objectives are assessed, met, and reported to key stakeholders.

Review and Revision = Involves reviewing a company’s performance over time and making revisions to functions when needed.

Information, Communication, and Reporting = Recommends that a continual process be in place that supports sharing both internal and external information throughout the organization.

76
Q

Types of tests performed to evaluate systems in development.

A

Unit Testing = Examines the smallest increment, or unit, of an application.

Integration Testing = (Thread or String Testing) Performed after unit testing to verify that the separately tested units work cohesively once they are combined. Also helps plan for future maintenance and updates.

System Testing = Verifies that all combined modules of a completed application work as designed in totality.

Acceptance Testing = End users (or the customer), rather than the developers, assess the application to determine whether it meets end-user requirements. May involve beta testing.

77
Q

Define Host-Based Attacks and some examples

A

Attacks that target individual devices (e.g., laptops, servers) for disruption or unauthorized access. They are often tailored to a specific operating system (Windows, Linux).

Brute Force Attacks: password-cracking schemes that repeatedly try candidate passwords (or every possible password) against an account until one succeeds.

Keystroke Logging: records the sequence of keys pressed on the keyboard, capturing passwords and other typed data; the logger is often delivered by a Trojan.

Malware: Software or firmware that performs an unauthorized process. (viruses, worms, Trojans, adware, spyware)

Rogue Mobile Apps: The victim installs a malicious app, typically one that impersonates a legitimate application.
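Brute-force attacks against a host are the easiest of these to spot in authentication logs, because each guess leaves a failure record. The following is an added example, not part of the flashcards: a sliding-window detector run over constructed OpenSSH-style log lines. The host name, user names, addresses, the threshold of five failures per minute and the assumed year are all made up for the example.

```python
# Added example (not part of the flashcards): brute-force detection over
# constructed OpenSSH-style log lines. The hosts, users and addresses below are
# made up; the threshold and window are assumptions, not values from the page.
import re
from collections import defaultdict, deque
from datetime import datetime

SAMPLE_LOG = """\
Mar 10 12:00:01 bastion sshd[2101]: Failed password for root from 198.51.100.23 port 51001 ssh2
Mar 10 12:00:03 bastion sshd[2102]: Failed password for root from 198.51.100.23 port 51002 ssh2
Mar 10 12:00:04 bastion sshd[2103]: Failed password for invalid user admin from 198.51.100.23 port 51003 ssh2
Mar 10 12:00:06 bastion sshd[2104]: Failed password for root from 198.51.100.23 port 51004 ssh2
Mar 10 12:00:07 bastion sshd[2105]: Failed password for root from 198.51.100.23 port 51005 ssh2
Mar 10 12:00:09 bastion sshd[2106]: Accepted password for root from 198.51.100.23 port 51006 ssh2
Mar 10 12:01:30 bastion sshd[2110]: Failed password for alice from 10.0.0.7 port 40211 ssh2
Mar 10 12:01:45 bastion sshd[2111]: Accepted publickey for alice from 10.0.0.7 port 40212 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_line(line: str, year: int = 2024):
    """Return (timestamp, result, user, ip), or None for lines not modelled here.
    Syslog timestamps carry no year, so one is assumed."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]


def detect_brute_force(lines, threshold: int = 5, window_s: int = 60):
    """Sliding-window detector: flag a source after `threshold` failed logins
    within `window_s` seconds, then flag any later success from that source,
    which is the event that matters most (the guessing may have worked)."""
    recent = defaultdict(deque)   # ip -> timestamps of failures inside the window
    flagged = set()
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, result, user, ip = rec
        if result == "Failed":
            q = recent[ip]
            q.append(ts)
            while q and (ts - q[0]).total_seconds() > window_s:
                q.popleft()          # drop failures older than the window
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append(("brute_force", ip, user, ts))
        elif ip in flagged:
            alerts.append(("success_after_brute_force", ip, user, ts))
    return alerts


if __name__ == "__main__":
    for alert in detect_brute_force(SAMPLE_LOG.splitlines()):
        print(alert)
```

Run on the sample, it raises one brute_force alert for 198.51.100.23 at the fifth failure and one success_after_brute_force alert two seconds later; alice's single typo followed by a key-based login produces nothing. Keying the window on the source address is deliberate: a spray across many accounts from one source still trips it, while a per-account counter would not.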

77
Q

What is a SAR?

A

Security Assessment Report

An engagement in which the organization addresses the second component of the risk management framework: performing a risk assessment and testing controls to obtain data on the company’s current state regarding its information security capabilities.

78
Q

What are the key items of a SAR?

A

-Summary of findings
-System overview
-Assessment methodology
-Security assessment findings
-Recommendations
-Action plan

79
Q

In SOC engagements, risk assessment primarily focuses on….

A

Inherent risks (the risks present before the consideration of controls)

80
Q

What are the types of Data Collection and their definitions?

A

Extract, Transform, and Load (ETL) = Used when the data already exists, internally or externally. It must be extracted from its original source, transformed into useful information, and loaded into the tool chosen for analysis.

Active Data Collection = Used when new data must be collected directly, for example through surveys or forms.

Passive Data Collection = Collecting data as a by-product of user activity, such as tracking web usage via cookies or gathering timestamps of when users interact with a website or online store.

81
Q

What is a Business Impact Analysis (BIA)?

A

Identifies the business units, departments and processes that are essential to the survival of an entity as well as the organizational impact in the event of failure or disruption.

Will identify how quickly essential business units and/or processes can return to full operation following a disaster.

82
Q

Levels of impact for a Business Impact Analysis (BIA)

A

High-impact (H) =
-Cannot operate without this resource
-May experience a high recovery cost
-May fail to meet the organization’s objectives or maintain its reputation

Moderate or medium-impact (M) =
-Could partially function temporarily for a period of days or a week
-May experience some cost of recovery
-May fail to meet the organization’s objectives or maintain its reputation

Low-impact (L) =
-Could operate for an extended period of time
-May notice an effect on achieving the organization’s objectives or maintaining its reputation

83
Q

Defense tools for Authorization and Authentication in Security Operations

A

Zero Trust Architecture (ZTA; the access-control product category is usually called Zero Trust Network Access, ZTNA) - A security concept that assumes constant risk, treats no network location as trusted, and requires continuous verification at every user-network interaction point.

Least Privilege - Practice of granting users the minimum access privileges necessary to perform their job duties.

Need-to-know - Users are given only the information necessary to perform their job tasks, focusing on the data needed rather than on access privileges.

Whitelisting (application allowlisting) - The process of identifying a list of applications that are authorized to run on an organization’s systems and allowing only those programs to execute; anything not on the list is blocked by default.
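How an allowlist identifies an "authorized" program decides how much protection it gives. The following is an added example, not part of the flashcards: the same allowlist expressed by file path and by content hash, checked against constructed cases. The "executables" are byte strings standing in for real binaries, and the paths are made up.

```python
# Added example (not part of the flashcards): application allowlisting checked
# by file path versus by content hash. The "executables" are constructed byte
# strings standing in for real binaries; the paths are made up.
import hashlib

APPROVED_AGENT = b"\x7fELF\x02 approved backup agent 2.1"   # constructed stand-in
TAMPERED_AGENT = b"\x7fELF\x02 same name, attacker's code"   # constructed stand-in

# Two ways of expressing the same allowlist entry.
ALLOWED_PATHS = {"/usr/local/bin/backup-agent"}
ALLOWED_SHA256 = {hashlib.sha256(APPROVED_AGENT).hexdigest()}


def sha256_hex(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()


def path_allowlist_permits(path: str, content: bytes) -> bool:
    """Weak rule: trusts the location. Whatever is written to an allowed path
    executes, so an attacker who can overwrite the file inherits its approval."""
    return path in ALLOWED_PATHS


def hash_allowlist_permits(path: str, content: bytes) -> bool:
    """Stronger rule: trusts the exact bytes, wherever they sit. A tampered file
    is blocked even at the approved path; the cost is that every legitimate
    update changes the hash and the list has to be maintained."""
    return sha256_hex(content) in ALLOWED_SHA256


def compare(cases):
    """Return (path_verdict, hash_verdict) for each (path, content) case."""
    return [(path_allowlist_permits(p, c), hash_allowlist_permits(p, c))
            for p, c in cases]


CASES = [
    ("/usr/local/bin/backup-agent", APPROVED_AGENT),  # the approved binary in place
    ("/usr/local/bin/backup-agent", TAMPERED_AGENT),  # attacker replaced the file
    ("/tmp/backup-agent", APPROVED_AGENT),            # approved bytes copied elsewhere
]

if __name__ == "__main__":
    for (path, _), (by_path, by_hash) in zip(CASES, compare(CASES)):
        print(f"{path:32} path-rule={by_path!s:5} hash-rule={by_hash}")
```

The second case is the one that matters: the path rule runs the attacker's replacement, the hash rule blocks it. The third case shows the flip side, a hash rule permits the approved bytes from any location, so the two rules are often combined. Production tools usually also offer publisher (code-signing) rules, which avoid re-hashing after every patch.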

84
Q

Data Mirroring vs Replication

A

Mirroring copies a database onto a different machine for the purpose of data redundancy in the event the primary database fails.

Replication involves copying and transferring data between different databases located in different sites, such as a geographically (physical) different data center or the cloud. Allows operations to resume quickly using data in the secondary site after a system failure.

85
Q

What are the risks to Outsourcing services?

A

-Quality risk
-Quality of service
-Productivity
-Staff turnover
-Language skills
-Security
-Qualifications of outsourcers
-Labor insecurity

86
Q

What are the steps to responding to an incident?

Incident Response Plan

A

Preparation - prepare for incidents
Detection - Detect and identify incidents
Containment - Contain the incident from spreading
Eradication - Eradicate threats
Reporting - Report and communicate status
Recovery - Recover and restore normal operations
Learning - Learn and improve

87
Q

What are the methods (procedures) that define the nature of actions to take in a Security Assessment Engagement (SAR)?

A

Examination - Process of analyzing, observing, and reviewing one or more assessment objects (Job roles, security specifications, security activities, or relevant operational activities).

Interviewing - Involves having individual or group discussions to better understand, collect, and evaluate evidence.

Testing - Is the process of testing assessment objects that reflect how the object performs in its current state compared to a target or expected state.

88
Q

Network Gateway

A

A device or software that connects networks that use different protocols or languages.

89
Q

Network Routers

A

Manages traffic between networks by forwarding data packets toward their intended IP addresses, and allows multiple devices to share the same internet connection.

A router is a gateway that passes data between one or more local area networks (LANs) and other networks, such as the internet.

90
Q

Network Switches

A

Similar to routers in that they connect and divide devices within a computer network, but they forward traffic by hardware (MAC) address within a single LAN rather than by IP address between networks, and do not perform the more advanced functions of a router, such as assigning IP addresses.

91
Q

Performing a Walk-Through Steps

A

01-Plan and Prep = Define the scope, Identify key controls and processes, and identify personnel

02-Obtain an Understanding = Review documentation, interview personnel, create notes.

03-Perform Walk-Through = Reperform processes, verify results and effectiveness.

04-Create Documentation = Create workpapers, document procedures.

05-Test = Test controls identified in walk-through, obtain samples if needed.

06-Evaluate and Report = Interpret results, prepare a report to summarize findings, provide recommendations.

92
Q

What should the auditor do when performing risk assessment procedures?

A

*Obtain an understanding of the service organization’s system

*Understand the service organization’s process and procedures used to prepare the description of the system.

93
Q

What is true regarding the applicability of the trust services criteria to a SOC engagement?

A

The trust services criteria set forth the outcomes that an entity’s controls should meet to achieve the entity’s objectives.

94
Q

What safeguards should a company implement to mitigate the risk of accidental deletion or modification by a user?

A

Backup controls.

95
Q

In the context of cybersecurity, which term best describes the protection of information gathered by a company from unauthorized access?

A

Confidentiality

96
Q
A