Extensible Business Reporting Language (XBRL)
an open-information format standard enabling automated sharing of financial information contained in financial statements and other business reports over the World Wide Web. XBRL tags numeric and textual information contained in financial statements.
Distributed processing
an allocation of various processing tasks to various business divisions, with some tasks centralized and some decentralized.
The Framework Core
a legislative imperative for NIST to develop a set of plain language controls for the protection of critical IT infrastructure. The focus is to develop a program to identify, assess, and manage cybersecurity risks in a cost-effective and repeatable manner.
Differential backup
Copies all changes made since the LAST FULL backup. Each new differential backup file contains the cumulative effects of all activity since the last full backup.
Incremental backup
Copying only the data items that have changed since the last backup. This produces a set of incremental backup files, each containing the results of one day’s transactions.
A data warehouse
a very large data repository that is centralized and used for reporting and analysis rather than for transactional purposes. A data warehouse pulls data either directly from enterprise systems with transactional data or from an ODS.
The network administrator is responsible for…
maintaining the efficiency and effectiveness of the internal network including managing remote access.
In computer processing, access time is the time that it takes
for data to be retrieved from memory from the time that the control unit calls for it.
Tokenization
is the most suitable method for securely handling credit card data while preserving its format. It replaces sensitive data with non-sensitive tokens, maintaining the data’s structure while protecting its actual value.
Expert or knowledge-based system
provides answers based on information provided by the user and the rules developed by an expert to address specified situations.
A source code comparison program
could be used to compare the original code written for a specific program to the current code in use for that program. Thus, it would make note of any differences in the program from the time it was originally written.
Enabling a Holistic Approach
This COBIT principle emphasizes the importance of addressing all enablers together, including principles, policies, frameworks, processes, organizational structures, culture, ethics, information, services, infrastructure, applications, people, skills, and competencies, to support a comprehensive governance and management system for enterprise IT.
When considering subsequent events in a SOC engagement, what changes in the control environment should be taken into account?
changes in the control environment that should be taken into account include not only changes in management but also changes in system infrastructure, policies, and procedures. These changes may impact the design and operating effectiveness of controls and need to be considered to provide an accurate assessment of the control environment.
IT Governance
deals with making the IT function of an organization more in line with the organization’s broad objectives and ensuring the highest possible value from IT operations. Its focus areas are:
-Strategic alignment
-Value Delivery
-Performance Measures
-Risk Management
-Resource Management
A query utility program
generally is used for one-time database inquiries.
A distributed system
is a network of remote computers connected to a main computer system. A distributed system is more beneficial when large volumes of data, as opposed to small volumes of data, are generated. A distributed system is more beneficial when data is generated at many locations as opposed to data that is generated centrally.
A systems development life cycle follows the following phases
(1) Systems or Requirements Analysis (Feasibility Study), (2) System or Software Design, (3) Programming and Testing, (4) Implementation, and (5) Monitoring.
What is the primary advantage of using the carve-out method to address a sub-service organization’s controls within a primary service organization’s SOC report?
It maintains separate SOC reports, which may be beneficial for confidentiality or independence reasons.
A time-sharing center
A computer remotely accessed by a number of different users, who are unaware of each other.
Access control software
Preventive controls are distinguished by the fact that they prevent errors from occurring. Access control software ensures that only authorized personnel have access to the system programs and documentation.
A validity check
ensures that only authorized data codes will be entered into and accepted by the system.
Framework Profiles
specifically the Current Profile, help organizations establish a baseline for their current cybersecurity activities and outcomes.
Parity checking
a method wherein the number of bits in the total number of bytes in a transmitted message is added up. Then, a zero or a one is added to make the parity even or odd. If and when a transmitted message is modified and the number of bits has changed, the system detects this and triggers a resending of the message.
Edit checks
are input controls that examine and verify data as it is being entered and before it is processed. This preventive type of control can identify erroneous data or transactions and prevent them from being processed.
System design usually includes design of
Data, process, and user interface
A low likelihood risk
is a risk that is presented by someone who lacks the motivation or the capability to cause damage and for which controls are already in place. Ethical Hackers, though possessing expertise in hacking, are known to use their skills only for ethical and non-malicious uses. They lack the motivation to pose any potential threat to the entity.
Big Data is often characterized by the Five V’s
-Volume: This refers to the vast amount of data generated every second. We are in an era where we are drowning in information, with data coming from social media, machines, and many other sources.
-Velocity: This refers to the speed at which new data is generated and the pace at which data moves around. With the advent of the Internet of Things, more data is being generated faster than ever before.
-Variety: This refers to the new types of data that are being generated. This isn’t just structured data (e.g., databases), but also unstructured data (e.g., text, images, video clips, etc.).
-Veracity: This refers to the quality of the data. With many forms of data, it’s difficult to know which information is accurate, and what to trust. Veracity deals with the uncertainty of data, which can vary greatly.
-Value: This refers to our ability to turn our data into value. This is the most important V because it involves the ability to turn data into meaningful information. In the end, it’s not about how much data you have, but how you use it that matters.
Who are the two primary entities covered by the scope of GDPR?
Data Processors and Data Controllers
The carve-out method primarily differs from the inclusive method in which of the following ways?
The complementary subservice organization controls are reported after management’s system description.
Under the carve-out method, management explains
the nature of the subservice organization’s services but not its controls in the description of the service organization’s system.
Any CSOCs are reported separately after management’s system description.
Threat modeling process
Process that considers threats from an attacker’s perspective. The steps include finding critical assets, mapping connections, ranking threats, creating mitigation policies, and validating controls.
If the service auditor found that a control was not implemented…
then they would conclude there is a deficiency in the suitability of the design of a control.
Policy-based access controls (PBAC)
a combination of role-based and rule-based access control models with settings configured by the system administrator.
Discretionary Access Controls (DAC)
the data object owner makes authorization decisions.
Role Based Access controls (RBAC)
A fairly stated SOC 2 description meets the…
DC 200 Description Criteria
When will a third party be classified as a vendor?
When a service organization retains responsibility for controls by monitoring a third-party provider’s activities. If the service organization’s controls are sufficient by themselves, management does not need to explain the vendor’s services in the description of the system.
The subject matter of a SOC 2 engagement
is management’s description of the service organization’s system and the related controls.
What is the significance of management’s written representation in a SOC engagement for a service organization?
It forms the basis for the auditor’s opinion on the system’s description, control design, and control effectiveness. The purpose is for management to accept responsibility for its actions and for the information provided.
Under the inclusive method in a SOC 2 examination the subservice organization must…
provide a signed representation letter separate from the one provided by the service organization management.
Who is the responsible party?
the service organization’s management.