ISC Deck 3 multi-unit Flashcards
What is the SOC 1 criteria?
The auditor familiarizes herself with the CONTROL OBJECTIVES relevant to financial recording.
What is the SOC 2 criteria?
The auditor studies the Trust Services Criteria for security, availability, processing integrity, confidentiality, and privacy.
If an examination has a SCOPE limitation and effects are MATERIAL and PERVASIVE, what type of opinion is given?
Disclaimer
If an examination has a SCOPE limitation and effects are MATERIAL but NOT PERVASIVE, what type of opinion is given?
Qualified
If an examination has NO material or scope limitations, what type of opinion is given?
Unqualified (Clean)
If an examination has misstatements that are BOTH MATERIAL and PERVASIVE, what type of opinion is given?
Adverse
The primary reason to establish internal control is to
Provide reasonable assurance that the objectives of the organization are achieved
What do the objectives of internal control involve?
1) Safeguarding assets
2) Promoting reliable financial reporting
3) Ensuring efficient operations
4) Encouraging employees to follow entity policy
What does the circle symbol represent in a business process flowchart?
Circles in a business process flowchart are sometimes used to denote connectors, especially when a flowchart is split over multiple pages.
What does the diamond symbol represent in a business process flowchart?
Decision points are represented by diamonds.
What does the parallelogram symbol represent in a business process flowchart?
Input or output points are represented by parallelograms.
What does the oval symbol represent in a business process flowchart?
The start or end of a process is denoted by an oval symbol.
What are the 4 attributes of suitable criteria used to evaluate controls for a SOC engagement as per the attestation standards?
1) Objectivity: The criteria are free from bias
2) Completeness: The criteria are complete when they do not omit relevant factors.
3) Relevance: The criteria are relevant to the system being evaluated.
4) Measurability: The criteria permit reasonably consistent measurements, qualitative or quantitative, of the information.
What is a principle of GDPR associated with controlling data?
Accountability
What are the 18 controls of version 8 of CIS? Unit 6.6
The 3 GDPR objectives are:
1) Establishment of rules relating to the protection of natural persons with regard to the processing of personal data.
2) Protection of the fundamental rights and freedoms of natural persons and their right to the protection of their personal data.
3) Ensuring the free movement of personal data within the EU.
Note: GDPR does NOT restrict the movement of personal data outside the EU.
Which of the following PCI DSS requirements states that network security controls must be defined, understood, and controlled?
Install & maintain network & systems
What type of approach does the NIST Privacy Framework employ to ensure that it is adaptable to the needs of organizations and flexible enough to address emerging privacy concerns?
A risk-based and outcome-based approach
Which of the following NIST Privacy Framework Core functions focuses on understanding organizational risk tolerance?
Protect-P
What is the role of the project manager during the assessment phase of the change control process?
Determining if the change request is approved or denied
Which organizational responsibility defined in NIST SP 800-53 includes the consideration of continuous monitoring of information systems to determine ongoing effectiveness of controls, changes in information systems, and the state of security organization-wide?
Management of security & privacy risk
What are the 6 principles of COBIT 2019 governance framework?
1) Meet stakeholder needs
2) Holistic approach
3) Dynamic governance system
4) Distinct governance from management
5) Tailored to enterprise needs
6) End-to-end governance system
When must a HIPAA covered entity disclose protected health information?
1) To individuals or their personal representatives, specifically when they request access to, or an accounting of disclosures of, their PHI.
2) To Health & Human Services when it is undertaking a compliance investigation, review, or enforcement action.
Which of the following has similar procedures to a SOC 3 engagement?
A SOC examination only
Which of the following is included in a SOC 3 engagement?
An assertion by the service organization management
What is system-centric modeling?
It is a threat modeling framework that centers on understanding the system being modeled before evaluating threats against it.