IT Risks and Responses Flashcards

1
Q

T/F: a successful organization cannot operate without technology

A

True; as organizations integrate more technology into their operations, new and greater risks materialize

as part of the security life cycle, organizations must identify the risks, assess the impact of those risks, develop a protection strategy, and monitor the risks and mitigation efforts

2
Q

T/F: fundamental risks inherently exist in technology

A

True; some of those risks are described below:

technology risk - the risk of disruption to business as a result of any information technology activity

security risk - comprises the risks associated with unauthorized access or use of an organization’s information technology

availability risk - the risk that an organization will not be able to access and utilize its information technology as needed

operational risk - the risk that an organization is unable to operate effectively or efficiently due to issues concerning information technology

financial risk - the risk of losing financial resources as a result of them being misused, lost, wasted, or stolen

compliance risk - the risk that information technology does not sufficiently meet the requirements of regulatory bodies

strategic risk - the risk of misalignment of business and IT strategies

3
Q

What are the 4 types of threats IT faces at an organization?

A

natural and political disasters, errors in software and equipment malfunctions, accidental actions, and intentional actions

4
Q

T/F: a common misconception is that IT risks can be mitigated through software and hardware-based controls alone

A

True; mitigation of IT risks starts with the people within the organization; specifically, risk mitigation is a management concern; management must determine what the overall risk appetite is for the organization and in turn develop a security strategy that includes policies and procedures to align that risk appetite with information systems and information technology

when designing controls to fully safeguard a system, an organization must include threat identification controls designed to safeguard confidentiality

5
Q

What are the 2 categories of IT controls?

A

general IT controls - they are designed to ensure that an organization’s control environment (people, processes, and IT) is stable and well-managed

application controls - software-specific mechanisms within a computer program that manage user access, permissions, and functionality

6
Q

What are the 3 ways in which controls can be implemented?

A

manual controls - a control performed by a person without making direct use of automated systems

automated controls - an action or process initiated automatically, without the need for a person to initiate it, so that a system maintains integrity

IT-dependent manual controls - rely on an individual performing a control function with some use of an IT component, such as an IT-generated report; these controls have components of both manual and automated controls

7
Q

What are the 3 functions a control can serve?

A

preventive controls - take precautions to prevent problems in the future

detective controls - find and reveal issues or deficiencies not averted by preventive controls

corrective controls - have the ability to identify, repair, restore, and recover from issues that cause damage to a system or process

8
Q

Fact: it is essential that information within an organization is both reliable and secure; to ensure that this goal is met, it is vital that system access controls and segregation of duties exist to mitigate risks of fraud and error

A

logical access controls - utilize software and protocols to monitor and control access to information and an organization’s IT infrastructure; logical access controls are typically built into software packages and operating systems to enforce security measures for access rights from local as well as remote locations for internal or external users

user access controls - controls must be put in place to identify which users access the system and to track their activity while using the system; as a result, each system user needs a unique identity to ensure that if error or fraud occurs within a system, it can be traced to the perpetrator

authentication controls - a robust user verification process must be in place when users access a system so that their identity can be authenticated and a specific access level or clearance granted based on their job role; examples are: passwords, PINs, biometrics, smartcards or physical tokens, push notifications, multifactor authentication, and CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart)

9
Q

Fact: passwords are designed to protect access to secure systems, applications, and information

A

a strong password management policy must address the following password characteristics: password requirement, password length, password complexity, password age, password reuse

10
Q

T/F: access control lists are a form of authorization control

A

True; although authentication verifies identity, authorization restricts access and actions of authenticated users based on granted permissions; access control lists list users, information, and applications, and provide the types of access and rights granted; typical rights include the ability to do the following to an application or file: create (or write) access, read only, update access, delete

11
Q

Fact: when an individual is onboarded, changes position, is promoted/demoted, or is discharged from an organization, it is important that his or her access, authentication, and authorization is modified as appropriate; this typically involves coordination between HR and IT

A

an organization must have security in place to protect its private network from unauthorized access; a firewall is a security measure, which may be composed of both software and hardware, that prevents unauthorized access to an organization's private network

organizations use operating systems and software applications that need to be reviewed when installed and on an ongoing basis to ensure proper authorization and usage; the vulnerability controls include:

hardening - when applications or systems are first installed, they should be hardened, meaning their vulnerable surface is reduced by turning off features or functions that are not needed during operations

patch management - as vulnerabilities are discovered in operating systems or applications, they should be addressed by patches (fixes) before they are exploited

anti-malware program - malware consists of malicious programs such as worms and viruses that have the ability to self-propagate and spread, allowing pathways for unauthorized access to occur; malware can enter networks and specific host computers through websites, programs, and data files

12
Q

What is data encryption?

A

it is an essential foundation for electronic commerce; it involves using a password or a digital key to scramble a readable (plaintext) message into an unreadable (ciphertext) message; the intended recipient of the message then uses another digital key to decrypt or decipher the ciphertext message back into plaintext

with encryption keys, the longer the length of the key, the less likely it is that the message or transaction will be decrypted by the wrong party and that the key will be broken by a brute-force attack (the attacker simply tries every possible key until the right one is found); there are two types of encryption:

symmetric - the sender and the recipient use the same shared key

asymmetric - two keys are used; one is public and the other is private (more secure and more commonplace now)

13
Q

What are digital certificates?

A

another form of data security, they are electronic documents that are created and digitally signed by a trusted party and that certify the identity of the owners of a particular public key; digital certificates operate on what is known as a public key infrastructure (PKI), which is the system and processes used to issue and manage asymmetric keys and digital certificates

a digital signature uses asymmetric encryption to create legally binding electronic documents (e.g., DocuSign)

14
Q

What are physical controls?

A

they are used to deter unauthorized access, monitor facilities, and control the workplace environment; these controls are established to protect the entire facility; however, they can be applied to specific areas or rooms within the facility as well; examples include: locked doors, fencing and barricades, security systems, security monitoring

15
Q

What is segregation of duties?

A

it is one of the most important controls in accounting and is particularly important within the IT infrastructure; it reduces opportunities for anyone to be in a position to both perpetrate and conceal errors or fraud in the normal course of one’s duties

the following areas within the IT infrastructure need to have a proper segregation of duties: system programming, end user transaction/data entry, data custody and storage, and authorization responsibility and monitoring

16
Q

System analysts vs. computer programmers

A

system analyst - designs an information system to meet user needs

computer programmer - uses that design to create an information system by writing computer programs

17
Q

What is critical information?

A

any and all information that is vital for the operation of an organization; this information must be properly safeguarded

18
Q

What are confidentiality risks?

A

confidential information poses many risks as data loss may cause reputational, operational, and/or financial harm to an organization; risks to consider when performing threat identification concerning confidentiality include: inappropriate and/or unauthorized access, misuse or theft of confidential information, legal and regulatory concerns

19
Q

What are privacy risks?

A

they directly impact the data of an organization's employees, customers, and users; private data is protected by many regulatory standards; major risks associated with private data include: insufficient disclosure of collection or collection without consent, inappropriate use or disclosure of private information, risks of not fully adhering to regulations and laws, reputational risks

20
Q

What is business resiliency?

A

the integration of system availability controls, crisis management, disaster recovery plans, and business continuity plans into a central set of procedures to ensure that a business can continue to operate or quickly return to operations without irreparable harm to its people, information, or assets

21
Q

What are system availability controls?

A

they include activities to prevent system disruptions and loss of information as well as procedures to continue operations or provide quick recovery from an incident; crisis management, disaster recovery, and business continuity plans are all components of system availability controls; in addition to these plans, system availability controls include: physical controls, IT infrastructure controls, uninterrupted power supply, redundancy, and backup files

22
Q

What is a crisis management plan?

A

in terms of business operations, a crisis is an unexpected, large-scale incident that can cause major negative effects on an organization and its stakeholders; crisis management policies are vital, as a crisis presents stressful situations that involve important decisions that must be made quickly; these decisions can be difficult if an organization does not have clearly defined roles, responsibilities, and procedures

23
Q

What is a disaster recovery plan?

A

it consists of an entity’s plans for restoring and continuing its information technology function in the event of the destruction of not only program and data files, but also computer processing capability; short-term problems or outages do not normally constitute disasters; if processing cannot be quickly reestablished at the original processing site (possibly because the original processing site no longer exists), then disaster recovery is necessary

in the event of a disaster, an organization has 3 main options for how to maintain IT operations:

cold site - an off-site location that has all the electrical connections and other physical requirements for data processing, but it does not have the actual equipment; usually requires 1-3 days to be made operational; this is the cheapest form of off-site location

warm site - falls between a cold site and a hot site; it is a facility that already has hardware installed but will fall short of the processing capabilities typically found in a hot site or at the actual business during normal operations due to a lack of fully operational computer and office equipment

hot site - an off-site location that is equipped to take over the company’s data processing as these locations are not only pre-wired for use but also include the necessary hardware and office equipment to perform the functions of the organization; backup copies of essential data files and programs may also be maintained at the location or a nearby data storage facility; this is the most expensive form of off-site location

24
Q

What is a business continuity plan?

A

while disaster recovery plans are focused on restoring the IT infrastructure during a disaster, the business continuity plan is focused on keeping the business operational; it is more comprehensive than a disaster recovery plan and contains contingency and mitigation procedures around all business processes, including relocating facilities, HR tasks, and managing relationships with customers and suppliers

the overall goal of the business continuity plan will be how to continue operations or restore operations in the most efficient and effective manner possible with consideration given to all aspects of the organization

25
Q

What are business resiliency services?

A

organizations are relying more heavily on cloud computing and software as a service (SaaS) to operate their core business processes; in line with this, service providers offer multiple business resiliency services such as disaster recovery, backup, and business continuity; these options allow organizations to utilize companies with specialized knowledge and resources to take on their resiliency efforts; the disadvantages, however, can come in the form of overreliance, loss of control, higher cost, and risks to effectiveness