ISC Deck 1

Question 1

HIPAA Components

Answer 1

Privacy Rule - Standards
Security Rule - Protect/Safeguards
Breach Notifications - Notify, no more than 60 days
Enforcement - civil/criminal punishment

Question 2

Framework Tiers

Answer 2

Tier 1 - Partial - No integration/formal processes; ad-hoc
Tier 2 - Awareness; basis understanding company-wide but NOT formal
Tier 3 - Repeatable - Formal processes and integration
Tier 4 - Adaptable - Tier 3 plus prioritization of continuous improvement.

Question 3

HIPAA Covered Entities

Answer 3

Must transmit protected health information (PHI) electronically.

Question 4

Three Components of NIST Framework

Answer 4

Framework Core (ID, protect, detect, respond, recover)
Framework Tiers -Assess current risk mgmt
Framework Profile - establish baseline for current and find desired.

Question 5

NIST Privacy Framework Additions

Answer 5

Govern
Control
Communicate

Question 6

HIPAA for Treatment

Answer 6

Normally PHI should only be the minimum necessary, but for TREATMENT, this does not apply and the provider can view all of it to better understand patient.

Question 7

GDPR Objectives

Answer 7

Give EU individuals more control over personal data
Harmonize data protection laws across EU

Question 8

GDPR Rights

Answer 8

Right of Access
Right of Erasure
Right to Object
Right to Data Portability

Question 9

GDPR Principles

Answer 9

Lawfulness: legal basis, transparent
Purpose Limitation: defined purpose
Data Minimization: minimum necessary data
Storage Limitation: retention
Integrity and Confidentiality

Question 10

Gateway vs Router

Answer 10

Gateway and routers do similar things in that they transmit packets across networks. Gateways are more advanced in that they translate protocols which is when packets are not in the same format and need to be understood in order to be transmitted.

Question 11

DSI Layers

Answer 11

Path of data in a network to a receiving device
Application (7): interface with data
Presentation (6): converts data in correct form; encryption
Session (5): communication is established
Transport (4); rules on how data is transferred
Network (3): address to ensure proper destination
Data Link (2): formatted for transmission; data packets
Physical (1): converts to bit

Question 12

IaaS vs PaaS

Answer 12

Both reduce cap exp, increase scalability of business
IaaS allows control over OS, firewalls and uptime
PaaS is normally focused on one function, which in many cases is developing an application and not having to worry about the underlying infrastructure management.

Question 13

AIS Audit Trail

Answer 13

Invoice - Journal - Ledger - TB - F/S Reports

Question 14

Cloud Computing Deployment Models

Answer 14

Public
Private
Hybrid
Community - purpose is to share with industry peers

Question 15

Disaster Recovery Plan

Answer 15

Focus on IT disruptions
1. Assess Risk
2. ID
3. Develop
4. Determine Responsibilities
5. Test

Question 16

Cold Site vs Hot Site

Answer 16

Hot site is the most available in event of disaster. Both software and hardware are available almost immediately
Cold site takes a few days since not all hardware/software is readily available

Question 17

Business Continuity vs DRP

Answer 17

Encompasses all critical business functions, not jus IT.

Question 18

Types of Backups

Answer 18

Full - all data; backup is time consuming but recovery is most simple
Differential - all data that has changed since last full backup; backup can be most time consuming; recovery is in the middle.
Incremental - only data that has been altered; recovery is most complicated but backup is least time consuming.

Question 19

Change Management Conversion Methods

Answer 19

Direct - most risky
Parallel - Least Risky
Pilot
Phased

Question 20

System Description in SOC 1 and SOC 2 report

Answer 20

Comprehensive overview of services organizations system. Includes details about
Software
Infrastructure
People
Procedures
Data

Question 21

SOC 2 vs SOC 3

Answer 21

Both are concerned with the trusted services criteria.
SOC3 provides less detail since they are summary reports for GENERAL use. Can be used for marketing and provide assurance at a high level.
SOC2 provides more detail since it is for a specific audience with knowledge

Question 22

Database Management System

Answer 22

Set of programs that manages a database (creates, accesses, modifies) - PRIMARY Function

Question 23

Management Assertion in SOC Engagement

Answer 23

From service org management asserting accuracy and completeness of the system description and operating effectiveness of controls (Type 2 only)

Question 24

Data Mining

Answer 24

distilling previously unknown relationships in an existing database. Uses pattern recognition and statistical methods

Question 25

Presentation of Test Results for SOC report

Answer 25

Should be very specific, showing results, number of exceptions out of total population. Describe the nature (what is being tested for) and the extent (number of exceptions) in a clear and precise way.

Question 26

What is a primary key?

Answer 26

a field that uniquely identifies a row or record in a database table. Cannot be null and every table must have one. Done in order to maintain file integrity.
Example. a record is a row of info. lets say for a customer table, there are customer addresses, dates of sale, balances and customer ID. The customer ID would be a primary since it uniquely identifies the record as there is only ONE customer ID for that customer.

Question 27

Trusted Services Criteria

Answer 27

Security
Privacy
Confidentiality
Availability
Processing Integrity

Question 28

Distributed Data Processing system

Answer 28

A system where there are are many different users with access to the main computer in different locations. Can be risky since control is now decentralized

Question 29

Validity Checks

Answer 29

ensures that only authorized data is entered into and accepted by the system. For example, if someone mistype a sales order, the validity check will detect the transposition.

Question 30

Outsourcing Data Processing

Answer 30

Pros: lower cap exp, predictability, superior service quality, and greater expertise supplied by specialists.
Cons: inflexibility, lack of control, and concerns about confidentiality.