IT Risk And Responses

Question 1

The overall process for understanding how risks can be identified and addressed in IT is through the:

Answer 1

Security life cycle

Question 2

Examples of some technology risks that disrupt a business are:

Answer 2

Security risks - deal with hackers or employee abusing access
Availability risks - “the systems down”
Operational risks - not having correct software, or not using correct software effectively
Financial risk - using company printer for personal use
Compliance risk - HIPA laws, etc.
Strategic risk - misalignment with business and IT strategies

Question 3

Four types of IT threats

Answer 3

Natural and political disasters
Errors in software and equipment malfunction
Accidental actions - human error
Intentional actions - fraud

Question 4

What are the two categories of IT controls?

Answer 4

General controls - focus on broader IT infrastructure and environment
Application controls - focus on specific applications and transaction processing

Question 5

Ensure that an organizations control environment (people, processes, and IT) is stable and well-managed. Common components of general IT controls include:

Answer 5

System development life-cycle standards and controls
Physical and logical controls over infrastructure
Business resiliency management
Change management procedures
Software acquisition, development, operations, and maintenance controls

Question 6

Software specific mechanisms within a computer program that manage use access, permissions, and functionality. Application controls ensure transactions and data processed through a computer are:

Answer 6

Accurate
Complete
Valid
Authorized

Question 7

An IT control can serve one of three functions:

Answer 7

Preventative
Detective
Corrective

Question 8

Examples of preventative controls are:

Answer 8

Hire competent people
Segregation of duties
Physical access controls
Firewall/antivirus software

Question 9

Example of detective controls:

Answer 9

Bank recon
Surveillance cameras
intrusion detection systems
Change controls
Log management and system monitoring
Alerts when incidents occur and track them

Question 10

Example of corrective controls:

Answer 10

Applying operating system upgrades
Maintaining data and system backups
Fixing data entry or transaction errors

Question 11

Utilize software no protocols to monitor and control access to information and organizations IT infrastructure, typically built into software packages and enforce security measures for access.

Answer 11

Logical access controls

Question 12

Authentication controls which is the specific access level or clearance granted based on their job. Examples of authentication controls are:

Answer 12

Passwords
PIN number
Biometrics
Smart cards or physical tokens
Push notification
CAPTCHA (select all pictures that include bridges)
Multifactor authentication

Question 13

This control has authorization that restrict access and actions of authenticated users based on granted permissions

Answer 13

Access control list

Question 14

Works in conjunction with a firewall that monitor network activities for malicious activities.

Answer 14

Intrusion detection systems (IDS)

Question 15

This controls is in place for organizations using operating systems that need to be reviewed when installed and on an ongoing basis to ensure proper authorization and usage:

Answer 15

Vulnerability controls

Question 16

Examples of vulnerability controls include:

Answer 16

Hardening - turning off features not needed in an operation
Patch management - fixing vulnerabilities before they are exploited
Anti-malware program - an example would be blocking a company’s access to a website like youtube

Question 17

Two types of encryption:

Answer 17

Symmetric encryption - sender and receiver use the same shared key
Asymmetric encryption - two keys are used; one is public and the other is private

Question 18

Electronic documents that are created and digitally signed by a trusted party that certify the identity of the owners of a particular public key

Answer 18

Digital certificate

Question 19

Use asymmetric encryption to create legally binding electronic documents

Answer 19

Digital signatures

Question 20

Cursive style imprint of an individuals name that is applied to a document and is legally binding

Answer 20

E-signature

Question 21

What’s the difference between a system analyst and a computer programmer?

Answer 21

System analyst design an information system to meet user needs; the computer programmer will then use that design to create an information system by writing computer programs

OR

System analysts deals with hardware and a computer programmer deals with software

Question 22

Difference between security administrators and computer operators/programmers

Answer 22

Security administrators are responsible for restricting access to system, applications, or databases to the appropriate personnel; so a security admin could not also be a computer operator/programmer because they could gain access to unauthorized areas or give others unauthorized access.

Question 23

The inherent risk that the loss of an organizations ? Could lead to financial losses, operational inefficiencies, and contractual and other legal issues.

Answer 23

Critical information

Question 24

There is a risk that the loss of ? Could cause reputational, operational, and or financial harm to an organization

Answer 24

Confidential data

Question 25

The integration of system availability controls, crisis management, disaster recovery plans, and business continuity plans that ensure a business can continue to operate or quickly return to operations without irreparable harm to its people, information, or assets:

Answer 25

Business resiliency

Question 26

A type of control that includes activities to prevent system disruptions and loss of information as well as procedures to continue operations or provide quick recovery from all incidents.

Answer 26

System availability controls

Question 27

What are the characteristics of a cold site that maintains IT operations in case of disaster:

Answer 27

Off-site location
has connections in place
has no equipment in place
1-3 days until operational
and is cheapest cost

Question 28

What are the characteristics of a warm site that maintains IT operations in case of disaster:

Answer 28

Off-site location
Can/cannot have connections in place 
Can/cannot have equipment in place
0-3 days to be operational
Moderately expensive

Question 29

What are the characteristics of a hot site that maintains IT operations in case of disaster:

Answer 29

Off-site location
Has connections in place
Has equipment in place
Immediately operational
Most expensive