ISC Deck 4 multi-unit Flashcards
Which of the following NIST Privacy Framework Core functions focuses on understanding organizational risk tolerance?
Govern-P
Which of the following NIST Privacy Framework Core functions focuses on understanding organizational risk tolerance?
Data loss prevention (DLP)
NIST SP 800-53 is designed to help organizations select, design, and implement security and privacy controls. Which of the following questions does it not seek to address?
How can control costs be minimized while still achieving maximum cybersecurity efficiency?
What is risk?
A measure of the extent to which an entity is threatened by a potential circumstance or event.
What is the risk determination step in cyber risk assessment?
The step combines the likelihood and impact assessments to determine the overall risk associated with a potential threat.
What is the difference between privacy and confidentiality?
Privacy is a matter of restricting access to information about individuals.
Confidentiality involves protecting data from disclosure to unauthorized parties.
Which system relieves parties from the need to establish their own pairs of keys when they want to communicate securely?
Public-key infrastructure
What is the difference between public-key encryption and symmetric-key encryption?
Public-key (asymmetric) encryption occurs when communicating parties create a pair of keys, one of which is made public while the other is kept secret.
Symmetric encryption occurs when the communicating parties agree to the use of a single private key.
What does the coded electronic certificate that a certificate authority creates contain?
1) the holder’s name
2) its public key
3) a serial number
4) an expiration date
NOTE: The certificate authority makes its own public key widely available.
Which cyber risk assessment step includes the determination of the overall risk associated with a potential threat?
Risk determination - it combines the likelihood & impact assessments to determine overall risk
Which does NIST SP 800-53 not address?
It does not address minimization of control costs while achieving maximum cybersecurity efficiency.
What is a security incident?
A security incident is a violation of computer security policies, acceptable use policies, or standard security practices. It is considered a potential exposure. Incidents do not happen all the time, e.g., data breaches.
What is an event in IT security?
An event is any observable change in a system or network that might lead to an incident or breach. It does not immediately denote a policy violation. Events are everyday occurrences.
What is an Adverse opinion?
An opinion when a misstatement is BOTH Material and Pervasive.
What is Disclaimer of opinion?
When the service auditor is unable to obtain sufficient appropriate evidence (Scope limitation)
What is an Unqualified (clean) opinion?
When there are no material misstatements.
What is a Qualified opinion?
When the effect of misstatements is Material but NOT Pervasive.
According to the Center for Internet Security (CIS), what should the configuration of data access control lists be based upon?
A user’s Need to Know
What are the typical responsibilities of the treasury/financing cycle?
1) Investing funds
2) Compliance with debt covenants
3) Obtaining and repaying capital
NOTE: It does not oversee daily cash receipts and disbursements
NIST SP 800-53 establishes controls for which applicable parties?
Systems & individuals
In a flowchart, which symbol would indicate that someone inputs a transaction or receives information?
A video display symbol
In the cash disbursements process, what action takes place before the check is prepared, signed, and mailed?
The supplier invoice is matched to the purchase order and receiving report to prepare a payment voucher.
In the realm of cybersecurity, how do threat agents exploit race condition vulnerabilities within computing systems?
By using code injection to add unauthorized steps into the process sequence of a trusted operation.
NOTE: Race condition attacks exploit situations where computing systems perform tasks in specific sequences.
How should the concept of materiality be factored into an auditor’s opinion?
Materiality should be evaluated in the context of the common information needs of a broad range of user entities and their auditors.
Which is not a cloud-unique cybersecurity risk associated with a cloud service provider’s (CSP) implementation of a cloud computing environment?
The compromise of the PKI due to lack of segregation of duties over the issuance and use of certificates is a risk generally applicable to cloud computing platforms and is not unique to a CSP’s implementation of a cloud environment.
What is the role of cloud service providers (CSPs) in resource provisioning for cloud computing services?
CSPs provision and allocate computing resources to customers based on their needs and within contract limitations.
What is a data center in the context of IT systems?
A data center is a dedicated facility or infrastructure where an organization houses and operates its computer systems.