ISC Deck 2

Question 1

Cloud Service Provider (CSP)

Answer 1

relies on sharing of resources, is very secure and leads to economies of scale. managed by third parties
Is NOT on site, leads to fewer IT professionals.

Question 2

BCP vs DR Plans

Answer 2

BCP is preventative and DR is corrective
DR is part of BCP
BCP is continuous.

Question 3

Types of Security Controls

Answer 3

Physical (ID badges, security guards, generators)
Technical - IT controls (general or app)
Administrative (Seg of Duties)

Question 4

Types of preventative and detective controls

Answer 4

Access control software - preventative
Echo Checks and Hash Total - Detective

Question 5

IT Roles and their functions

Answer 5

Data Librarian - control over entity’s data
System’s analyst - investigates business system and decides how computer can be applied
Computer Operator - runs comp eq
Programmer - writes, tests and debugs programs for apps or systems.
System Steering committee - involved in long range plans and overseeing info systems.
Systems Programmer - programs OS, installs, upgrades and compiles

Question 6

Business Impact Analysis (BIA)

Answer 6

Used to ID business units that are essential. Assesses time to return these to full functionality in event of a disruption.

Question 7

Management Assertion applicable to ALL SOC report

Answer 7

That the description of the system is fairly presented

Question 8

Two primary entities covered by GDPR

Answer 8

Data processors and Data Controllers.
Data Processors handle data but do NOT determine purpose. Controller does that.

Question 9

COBIT 2019 Holistic Approach

Answer 9

Ensure that all enablers are implemented in a holistic manner

Question 10

What is a validity check?

Answer 10

ensures that only authorized info is entered and accepted by the system.

Question 11

Public Cloud

Answer 11

Client’s data is stored in the cloud and managed by a third party. Data is still secure and not available across orgs. Resources are also not shared.

Question 12

Types of Encryption

Answer 12

Asymmetric Encryption - Public AND private key (more secure)
Symmetric Encryption - Public only

Question 13

Purpose of Mgmt System Description for SOC2

Answer 13

enable report users to understand the system and the processing and flow of data. Prepare in accordance with specific criteria and describes procedures/controls in place to manage risk

Question 14

SOC Independence

Answer 14

Must be independent of responsible party - service org. No independence required of user entity.
If subservice org is used and mgmt uses the inclusive, they become a responsible party which requires independence.

Question 15

Device and Software Hardening

Answer 15

Reducing total vulnerabilities points and surfaces that can be attacked.

Question 16

Steps in a Disaster Recovery Plan

Answer 16

Assess Org Risk
ID applications/data that are critical
Develop plan
Designate Personnel
Testing Plan

Question 17

Business Impact Analysis Steps

Answer 17

Establish BIA Approach
ID Critical Resources
Define disruption impacts
Estimate Losses
Establish recovery priorities
Create BIA report
implement BIA recommendations

Question 18

Metrics for Phishing Simulations

Answer 18

Report Rates: percent of employees who report phishing emails during sim
Click Rates: those who click on phishing link in sim
Re-Click rates: those who initially failed and click again.

Question 19

Tokenization

Answer 19

removes production data and replaces it with a surrogate value. Hashing or encryption can be ways to transform data

Question 20

Masking

Answer 20

Swaps data with other like data to disguise while maintaining a similar structure to original. Ex. SSNs (999) or Credit card numbers (xxx)