IT Risk And Responses Flashcards

1
Q

The overall process for understanding how risks can be identified and addressed in IT is through the:

A

Security life cycle

2
Q

Examples of some technology risks that disrupt a business are:

A

Security risks - deal with hackers or employee abusing access
Availability risks - “the system's down”
Operational risks - not having correct software, or not using correct software effectively
Financial risk - using company printer for personal use
Compliance risk - HIPAA laws, etc.
Strategic risk - misalignment with business and IT strategies

3
Q

Four types of IT threats

A

Natural and political disasters
Errors in software and equipment malfunction
Accidental actions - human error
Intentional actions - fraud

4
Q

What are the two categories of IT controls?

A

General controls - focus on broader IT infrastructure and environment
Application controls - focus on specific applications and transaction processing

5
Q

Ensure that an organization's control environment (people, processes, and IT) is stable and well-managed. Common components of general IT controls include:

A

System development life-cycle standards and controls
Physical and logical controls over infrastructure
Business resiliency management
Change management procedures
Software acquisition, development, operations, and maintenance controls

6
Q

Software-specific mechanisms within a computer program that manage user access, permissions, and functionality. Application controls ensure transactions and data processed through a computer are:

A

Accurate
Complete
Valid
Authorized

7
Q

An IT control can serve one of three functions:

A

Preventative
Detective
Corrective

8
Q

Examples of preventative controls are:

A

Hire competent people
Segregation of duties
Physical access controls
Firewall/antivirus software

9
Q

Example of detective controls:

A

Bank recon
Surveillance cameras
Intrusion detection systems
Change controls
Log management and system monitoring
Alerts when incidents occur and track them

10
Q

Example of corrective controls:

A

Applying operating system upgrades
Maintaining data and system backups
Fixing data entry or transaction errors

11
Q

Utilize software and protocols to monitor and control access to information and an organization's IT infrastructure; typically built into software packages and enforce security measures for access.

A

Logical access controls

12
Q

Authentication controls grant a specific access level or clearance based on a user's job. Examples of authentication controls are:

A

Passwords
PIN number
Biometrics
Smart cards or physical tokens
Push notification
CAPTCHA (select all pictures that include bridges)
Multifactor authentication

13
Q

This control has authorization that restricts the access and actions of authenticated users based on granted permissions:

A

Access control list

14
Q

Works in conjunction with a firewall to monitor network activity for malicious activities.

A

Intrusion detection systems (IDS)

15
Q

This control is in place for organizations using operating systems that need to be reviewed when installed and on an ongoing basis to ensure proper authorization and usage:

A

Vulnerability controls

16
Q

Examples of vulnerability controls include:

A

Hardening - turning off features not needed in an operation
Patch management - fixing vulnerabilities before they are exploited
Anti-malware program - an example would be blocking a company's access to a website like YouTube

17
Q

Two types of encryption:

A

Symmetric encryption - sender and receiver use the same shared key
Asymmetric encryption - two keys are used; one is public and the other is private

18
Q

Electronic documents that are created and digitally signed by a trusted party that certify the identity of the owners of a particular public key

A

Digital certificate

19
Q

Use asymmetric encryption to create legally binding electronic documents

A

Digital signatures

20
Q

Cursive-style imprint of an individual's name that is applied to a document and is legally binding

A

E-signature

21
Q

What’s the difference between a system analyst and a computer programmer?

A

System analysts design an information system to meet user needs; the computer programmer will then use that design to create an information system by writing computer programs

OR

System analysts deal with hardware and computer programmers deal with software

22
Q

Difference between security administrators and computer operators/programmers

A

Security administrators are responsible for restricting access to system, applications, or databases to the appropriate personnel; so a security admin could not also be a computer operator/programmer because they could gain access to unauthorized areas or give others unauthorized access.

23
Q

The inherent risk that the loss of an organization's ? could lead to financial losses, operational inefficiencies, and contractual and other legal issues.

A

Critical information

24
Q

There is a risk that the loss of ? could cause reputational, operational, and/or financial harm to an organization

A

Confidential data

25
Q

The integration of system availability controls, crisis management, disaster recovery plans, and business continuity plans that ensure a business can continue to operate or quickly return to operations without irreparable harm to its people, information, or assets:

A

Business resiliency

26
Q

A type of control that includes activities to prevent system disruptions and loss of information as well as procedures to continue operations or provide quick recovery from all incidents.

A

System availability controls

27
Q

What are the characteristics of a cold site that maintains IT operations in case of disaster:

A

Off-site location
Has connections in place
Has no equipment in place
1-3 days until operational
Cheapest cost

28
Q

What are the characteristics of a warm site that maintains IT operations in case of disaster:

A

Off-site location
Can/cannot have connections in place
Can/cannot have equipment in place
0-3 days to be operational
Moderately expensive

29
Q

What are the characteristics of a hot site that maintains IT operations in case of disaster:

A

Off-site location
Has connections in place
Has equipment in place
Immediately operational
Most expensive