ISC R1

Question 1

Framework Implementation Tier: cybersecurity risk gauging

Tier 1

Answer 1

Tier 1 (partial) - not integrated, not formalized, ad-hoc (need based), reactive manner

Question 2

Framework Implementation Tier: Gauging Cybersecurity Risk

Tier 2

Answer 2

Tier 2 (Risk-informed): approved by management but not org-wide policy. Has established risk management practices.

Question 3

Framework Implementation Tier 3:

Answer 3

Tier 3 (Repeatable): risk management practices are consistently implemented. Adapt based on lesson learned and predictive indicators.

Question 4

Framework Implementation Tier 4:

Answer 4

Tier 4 (Adaptive): adapt its lessons based on lessons learned and predictive indicators from previous and current cybersecurity activities. RM is part of org culture, evolves, continuous awareness.

Question 5

COBIT 2019 Core Model: Governance Objectives:

Answer 5

EDM (Evaluate, Direct and Monitor) = ensuring business delivery, governance framework setting, risk optimization, resource optimization, shareholder engagement.

Question 6

Three Principles of Governance Framework (COBIT):

Answer 6

• Based on Conceptual Model
• Open and Flexible
• Aligned to Major Standards

Question 7

Most widely used enterprise IT Governance Standards

Answer 7

COBIT 2019 Framework (Control Objectives for Information and Related Technologies)

Question 8

COBIT Management Objectives: APO

Answer 8

APO (Align, Plan and Organize)

• Managed data - most significant
• guidance on IT infrastructure, innovation, budgeting Human resources, vendors, quality, security and managing risk.

Question 9

COBIT Management Objective: BAI

Answer 9

BAI (Build, Acquire, Implement)

• guidance on requirement definitions
• identifying solutions
• managing capacity,
• dealing with organizational IT change, managing knowledge, administering assets and managing configurations

Question 10

COBIT Management Objective: DSS

Answer 10

DSS (Deliver, Service and Support)

• addresses security, delivery and support services
• manage operations, service request, manage problems, continuity, security services, business process controls

Question 11

COBIT Management Objective: MEA

Answer 11

MEA (Monitor, Evaluate and Assess)

• technology conformance to performance targets
• manage performance and conformance monitoring, manage system internal controls, compliance, assurance

Question 12

CIS Control 12 : securely managing the network, ensuring network components updated, establishing and maintaining a secure network

Answer 12

CIS Control: Network Infrastructure Management

Question 13

Open Systems Interconnection (OSI)

Answer 13

How protocols work and how well networking devices work with each other - has 7 layers

Question 14

OSI Layer 1

Answer 14

Physical - after decapsulation happens, converts message sent from data link layer, transmitted to other physical devices.

Question 15

OSI Layer 2:

Answer 15

Data Link Layer - data packets are formatted for transmission. Determined by Ethernet. Adds Media Access Control

Question 16

OSI Layer 3

Answer 16

Network Layer - adds routing or address header or footers to the data. IP addresses. Detect errors.

Question 17

OSI Layer 4

Answer 17

Transport Layer - supports and controls communication between devices. Setting the rules, validating integrity, data can be transmitted, data has been lost.

Question 18

OSI Layer 5

Answer 18

Session Layer - allows sessions between communicating devices to be established and maintained. Have dialogue with others.

Question 19

OSI Layer 6

Answer 19

Presentation Layer - transforms data into a format others can interpret. Encryption occurs.

Question 20

OSI Layer 7

Answer 20

Application Layer - serves as interface between application and the network protocol. Does not represent actual application being used.

Question 21

CSP Deployment Model that provides entire virtual data center of resources. Company is responsible for keeping the environment consistently up and running, CSP is responsible for physical management of infrastructure. Org more control, CSP less control.

Answer 21

IaaS (Infrastructure-as-a-Service)

Question 22

CSP Deployment Model that provides proprietary tools to fulfill a specific business purpose. Run on CSP’s hosted infrastructure. CSP is responsible for keeping the application uptime at acceptable level. CSP more control, Org less control.

Answer 22

Business PaaS (Plaftorm-as-a-Service)

Question 23

CSP Deployment Model that provides business application or software that org use to perform specific functions or processes. Customers purchase through licensing. Access through internet - upgrades.

Answer 23

Software-as-a-Service (SaaS)

Question 24

Cloud Risk

Answer 24

• Rate of competitor adoption
• Being in the same risk ecosystem as CSP and other tenants
• Transparency
• Reliability and Performance
• Lack of application portability
• Security and compliance
• Cyber attacks
• Data leakage
• IT Org change
• CSP long-term viability

Question 25

COSO ERM Framework - help company understand to which it wants to outsource technology options

Answer 25

Internal Environment

Question 26

COSO ERM - how outsourcing can hinder or reach its objectives.

Answer 26

Objective-setting

Question 27

COSO ERM where management must understand how CSP identify a problem, more complex or easier.

Answer 27

Event Identification

Question 28

COSO ERM - risk of its cloud strategy, risk profile, likelihood of impact of all risks.

Answer 28

Risk Assessment

Question 29

COSO ERM - to avoid risk, reduce its likelihood, share the risk by transferring a portion.

Answer 29

Risk Response

Question 30

COSO ERM - how traditional controls, detective, preventative, automated and manual - modified in cloud environment.

Answer 30

Control Activities

Question 31

COSO ERM - operating in cloud will affect timeliness, availability and dissemination of information.

Answer 31

Information and Communication

Question 32

COSO ERM - should modify to accommodate new complexities introduced by adopting a cloud solution.

Answer 32

Monitoring

Question 33

Pick Ticket - list provided to warehouse for inventory, items and quantities picked and packaged, sent to shipping = what transaction cycle?

Answer 33

Revenue Cycle

Question 34

Business Improvement Process = Adapting one system and loading to another system

Answer 34

Robotic Process Automation

Question 35

Business Improvement Process - consolidating similar functions from different departments/geographic locations - promote efficiencies.

Answer 35

Shared Services

Question 36

Business Improvement Process - hiring a third-party org to process a function within the organization - potentially cut costs, employees to be repurposed, fill job vacancies.

Answer 36

Outsourcing

Question 37

Difference between AIS and ERP

Answer 37

ERP - integrating multiple departments for a smooth flow of business process. Shipping data, data is less intensive and there is a central repository. AIS - accounting and financial system, stores financial data AIS is part of ERP.

Question 38

Type of test in controls that shows an error when transaction amount exceeded the original.

Answer 38

Reasonableness Test

Question 39

CIS Control 1 : actively track and manage all IT assets connected to a company’s IT Infrastructure physically or virtually within a cloud environment.

Answer 39

Inventory and Control of Enterprise Assets

Question 40

CIS Control 2 : provides recommendations for orgs to track and manage all software applications so that only authorized software is installed on company devices.

Answer 40

Inventory and Control of Software Assets

Question 41

CIS Control 3 : develop ways to securely manage the entire life cycle of their data, from the initial identification and classification data to its disposal.

Answer 41

Data Protection

Question 42

CIS Control 4 : Establish and maintain secure baseline configurations for their enterprise assets, including network devices, mobile and portable end-user devices, non-computing assets such as IOT.

Answer 42

Secure Configuration of Enterprise Assets and Software

Question 43

CIS Control 5 : outlines best practices for companies to MANAGE credentials and AUTHORIZATION for user accounts, privilege user accounts and service accounts.

Answer 43

Account Management

Question 44

CIS Control 6 : specifying the type of ACCESS that user accounts should have. Organization’s users should only have the necessary privileges required for their job roles.

Answer 44

Access Control Management

Question 45

CIS Control 7: CONTINUOUSLY identifying and tracking VULNERABILITIES within its infrastructure so that it can remediate and eliminate weak points or windows of opportunity for bad actors.

Answer 45

Continuous Vulnerability Management

Question 46

CIS Control 8 : establishes and enterprise LOG management process so that organizations can be alerted and recover from an attack in real time or near real time using log collection and analytic feature.

Answer 46

Audit Log Management

Question 47

CIS Control 9 : provides recommendations on how to detect and protect against cybercrime attempted through EMAIL or the INTERNET by directly engaging employees.

Answer 47

Email and Web Browser Protections

Question 48

CIS Control 10 : assists companies in preventing installation and propagation of MALWARE onto company assets and its network.

Answer 48

Malware Defenses

Question 49

CIS Control 11 : establishes DATA backup, testing and RESTORATION processes that allow organizations to effectively RECOVER company assets to a pre-incident state.

Answer 49

Data Recovery

Question 50

CIS Control 13 : establishes processes for MONITORING and DEFENDING a company’s NETWORK infrastructure against internal and external security threats.

Answer 50

Network Monitoring and Defense

Question 51

CIS Control 14: guides organization in establishing a SECURITY AWARENESS AND TRAINING PROGRAM to reduce cybersecurity risk.

Answer 51

Security Awareness and Skill Training

Question 52

CIS Control 15 : helps organization develop processes to evaluate THIRD-PARTY SERVICE providers that have access to sensitive data or that are responsible for managing some or all of company’s IT functions.

Answer 52

Service Provider Management

Question 53

CIS Control 16 : establishes safeguards that manage the entire LIFE CYCLE OF SOFTWARE that is acquired, hosted, or developed in-house to detect, deter and resolve cybersecurity weaknesses before they are exploited.

Answer 53

Application Software Security

Question 54

CIS Control 17 : provides recommendations necessary to establish and incident response management program to detect, RESPOND and PREPARE for potential cybersecurity attacks.

Answer 54

Incident Response Management

Question 55

CIS Control 18 : Helps organization TEST the soPhistication of their cybersecurity defense system in place by simulating actual attacks in an effort to find and exploit weaknesses.

Answer 55

Penetration Testing

Question 56

A design factor under COBIT that drives innovation for business but is not required for critical business operations.

Answer 56

Turnaround

Question 57

A design factor under COBIT that is not critical for operating a business or maintaining continuity

Answer 57

Support

Question 58

A design factor under COBIT that will have an immediate impact for the business but is not required for critical business operations.

Answer 58

Factory

Question 59

A design factor under COBIT that is crucial for both innovation and business operations.

Answer 59

Strategic

Question 60

A Benefit of cloud service provider

Answer 60

Distributed/reduced redundancy among many data centers, having cloud storage reduce the likelihood that data is lost in an attack or disaster.

Question 61

CSP’s often serve multiple cloud customers at ONCE, and use COMMON resource and technology (shared), referred as…

Answer 61

Multi-tenant

Question 62

COSO ISP Component: sets company tone and reinforces the importance of having oversight of ERM. Related to behavior and values.

Answer 62

Governance and Culture

Question 63

COSO ISP Component: company risk’s appetite should be aligned with its strategy and business objectives. During strategic planning process.

Answer 63

Strategy and Objective Setting

Question 64

COSO ISP Component: reviewing company’s performance over time and making revisions of functions needed.

Answer 64

Review and Revisions

Question 65

COSO ISP Component: recommends continual process to be in place that support sharing both internal and external information throughout the organization.

Answer 65

Information Communication and Reporting

Question 66

Process Improvement where business processes use computer programs to perform repetitive tasks.

Answer 66

Business Process Automation

Question 67

Process improvement : seeking out redundant services, combining them and sharing to a group of organizations. (Different countries/locations)

Answer 67

Shared Services

Question 68

Process Improvement: Contracting Services to an external provider

Answer 68

Outsourcing

Question 69

Relate to outsourcing of services to an external part in a different country.

Answer 69

Offshore operations

Question 70

Use of programs to perform repetitive tasks that do not require human labor, such as extracting information from a user interface and inputting that data into a form.

Answer 70

Robotic Process Automation

Question 71

Involves technology developed and used to encode, decode, and interpret human languages so that the technology can perform tasks. Text documents / speeches

Answer 71

Natural Language Processing (NLP) Software

Question 72

Involve an input layer, a hidden layer, and an output layer - modeled after neurons that facilitate the function of human or animal memory.

Answer 72

Neural Networks

Question 73

Purging Data means…

Answer 73

Permanently removing data from storage systems

Question 74

Change management methodology characterized by different teams of employees working on separate tasks in sequence. * pre-written authoritative agreement Plan - analyze - design - develop - test - deploy - maintain

Answer 74

Waterfall Method

Question 75

Challenges of Waterfall Method

Answer 75

*Requires great deal of time to complete *benefits of new system are not realized until completion *no customer input and change can be difficult to manage *employees may be idle before beginning or after completing

Question 76

Change management methodology that offers more flexibility, characterized by cross-functional teams, each dedicated to particular functions or improvements of a system drawn from a prioritized list of customers remaining needs for the system.

Answer 76

Agile Method

Question 77

Characteristics of Agile Method

Answer 77

*Team works linearly * Different teams working on different phases simultaneously * Works on shorter deadlines to encourage efficiency, communication critical. *Stakeholder feedback, consistent communication

Question 78

Alternative site: - off site - with connection - no equipment in place - 1-3 days operations - cheapest

Answer 78

Cold Site

Question 79

Alternative site: - off-site - with/without connection - Yes/No equipment in place - 0-3 days operations - moderately expensive

Answer 79

Warm site

Question 80

Alternative site: - off-site - with connection in place - with equipment in place - Immediately - Most expensive

Answer 80

Hot Site

Question 81

Steps in BIA (Business Impact Analysis)

Answer 81

1. Establish the BIA Approach - executives, time frames, methodologies 2. Identify Critical Resources - interviews with key personnel and documentation review 3. Define Disruption Impacts - qualitative/quantitative effects maybe natural or human-inflicted threats 4. Estimate Losses - ARO, ALE, SLE 5. Establish Recovery Priorities - MTTR, RPO, RTO 6. Create the BIA Report - completed at department level, company wide BIA 7. Implement BIA Recommendations - evaluating report and implementing preventative and corrective actions to remediate risks

Question 82

ARO (Annual Rate of Occurrence) Formula

Answer 82

Number of Occurrences / relevant years

Question 83

Damage in terms of Dollars, expressed as percentage of asset’s value

Answer 83

Exposure Factor

Question 84

SLE (Single Loss Expectancy)

Answer 84

Cost of Individual Loss = EF x value of asset

Question 85

ALE (Annualized Loss Expectancy)

Answer 85

Cost of specific loss in a given year = SLE x ARO

Question 86

System backup: exact copy of entire database - time-consuming so weekly, least-time consuming in restoration

Answer 86

Full Backup

Question 87

System backup: copying only the data that changed since last backup. Slowest of all three backups. Initial creation is fast.

Answer 87

Incremental backup

Question 88

System backup: copies all changes made since last backup. Takes longer than incremental. Restoration is simpler. Recovery is slower than full but faster than incremental.

Answer 88

Differential Backup

Question 89

Amount of time that services are operational, expressed in hours or days.

Answer 89

AST (Agreed Service Time)

Question 90

Amount of time system or application is not functional.

Answer 90

Downtime (DT)

Question 91

MTBF (Mean Time Between Failures)

Answer 91

Total Operational Time / Number of Failures

Question 92

MTTR (Mean Time to Repair)

Answer 92

Total downtime / Number of Failures

Question 93

Four Benefits of Relational Database

Answer 93

1. Completeness 2. No Redundancy 3. Business Rules Enforcement 4. Communication and Integration of Business Processes

Question 94

In designing a database, it refers to normalization that eliminates any attributes that DEPEND on both the primary key and other non-key attributes.

Answer 94

3NF (Third Normal Form)