lvl up Flashcards

1
Q

Extensible Business Reporting Language (XBRL)

A

an open-information format standard enabling automated sharing of financial information contained in financial statements and other business reports over the World Wide Web. XBRL tags numeric and textual information contained in financial statements.

2
Q

Distributed processing

A

an allocation of various processing tasks to various business divisions, with some tasks centralized and some decentralized.

3
Q

The Framework Core

A

a legislative imperative for NIST to develop a set of plain language controls for the protection of critical IT infrastructure. The focus is to develop a program to identify, assess, and manage cybersecurity risks in a cost-effective and repeatable manner.

4
Q

Differential backup

A

Copies all changes made since the LAST FULL backup. Each new differential backup file contains the cumulative effects of all activity since the last full backup.

5
Q

Incremental backup

A

Copying only the data items that have changed since the last backup. This produces a set of incremental backup files, each containing the results of one day’s transactions.

6
Q

A data warehouse

A

a very large data repository that is centralized and used for reporting and analysis rather than for transactional purposes. A data warehouse pulls data either directly from enterprise systems with transactional data or from an ODS.

7
Q

The network administrator is responsible for…

A

maintaining the efficiency and effectiveness of the internal network including managing remote access.

8
Q

In computer processing, access time is the time that it takes

A

for data to be retrieved from memory from the time that the control unit calls it

9
Q

Tokenization

A

is the most suitable method for securely handling credit card data while preserving its format. It replaces sensitive data with non-sensitive tokens, maintaining the data’s structure while protecting its actual value.

10
Q

Expert or knowledge-based system

A

provides answers based on information provided by the user and the rules developed by an expert to address specified situations.

11
Q

A source code comparison program

A

could be used to compare the original code written for a specific program to the current code in use for that program. Thus, it would make note of any differences in the program from the time it was originally written.

12
Q

Enabling a Holistic Approach

A

This COBIT principle emphasizes the importance of addressing all enablers together, including principles, policies, frameworks, processes, organizational structures, culture, ethics, information, services, infrastructure, applications, people, skills, and competencies, to support a comprehensive governance and management system for enterprise IT.

13
Q

When considering subsequent events in a SOC engagement, what changes in the control environment should be taken into account?

A

changes in the control environment that should be taken into account include not only changes in management but also changes in system infrastructure, policies, and procedures. These changes may impact the design and operating effectiveness of controls and need to be considered to provide an accurate assessment of the control environment.

14
Q

IT Governance

A

deals with making the IT function of an organization more in line with the organization’s broad objectives and ensuring the highest possible value from IT operations
-Strategic alignment
-Value Delivery
-Performance Measures
-Risk Management
-Resource Management

15
Q

A query utility program

A

generally is used for one-time database inquiries

15
Q

A distributed system

A

is a network of remote computers connected to a main computer system. A distributed system is more beneficial when large volumes of data, as opposed to small volumes of data, are generated. A distributed system is more beneficial when data is generated at many locations as opposed to data that is generated centrally.

16
Q

A systems development life cycle follows the following phases

A

(1) Systems or Requirements Analysis (Feasibility Study), (2) System or Software Design, (3) Programming and Testing, (4) Implementation, and (5) Monitoring.

17
Q

What is the primary advantage of using the carve-out method to address a sub-service organization’s controls within a primary service organization’s SOC report?

A

It maintains separate SOC reports, which may be beneficial for confidentiality or independence reasons.

18
Q

A time-sharing center

A

A computer remotely accessed by a number of different users, who are unaware of each other

19
Q

Access control software

A

Preventive controls are distinguished by the fact that they prevent errors from occurring. Access control software ensures that only authorized personnel have access to the system programs and documentation.

20
Q

A validity check

A

ensures that only authorized data codes will be entered into and accepted by the system

21
Q

Framework Profiles

A

specifically the Current Profile, help organizations establish a baseline for their current cybersecurity activities and outcomes.

22
Q

Parity checking

A

a method wherein the 1 bits in the bytes of a transmitted message are counted. Then a parity bit of zero or one is added to make the total even or odd. If a transmitted message is altered so that the bit count changes, the system detects this and triggers a resending of the message.

23
Q

Edit checks

A

are input controls that examine and verify data as it is being entered and before it is processed. This preventive type of control can identify erroneous data or transactions and prevent them from being processed.

24
Q

System design usually includes design of

A

Data, process, and user interface

25
Q

A low likelihood risk

A

is a risk that is presented by someone who lacks the motivation or the capability to cause damage and for which controls are already in place. Ethical Hackers, though possessing expertise in hacking, are known to use their skills only for ethical and non-malicious uses. They lack the motivation to pose any potential threat to the entity.

26
Q

Big Data is often characterized by the Five V’s

A

-Volume: This refers to the vast amount of data generated every second. We are in an era where we are drowning in information, with data coming from social media, machines, and many other sources.
-Velocity: This refers to the speed at which new data is generated and the pace at which data moves around. With the advent of the Internet of Things, more data is being generated faster than ever before.
-Variety: This refers to the new types of data that are being generated. This isn’t just structured data (e.g., databases), but also unstructured data (e.g., text, images, video clips, etc.).
-Veracity: This refers to the quality of the data. With many forms of data, it’s difficult to know which information is accurate, and what to trust. Veracity deals with the uncertainty of data, which can vary greatly.
-Value: This refers to our ability to turn our data into value. This is the most important V because it involves the ability to turn data into meaningful information. In the end, it’s not about how much data you have, but how you use it that matters.

27
Q

Who are the two primary entities covered by the scope of GDPR?

A

Data Processors and Data Controllers

28
Q

The carve-out method primarily differs from the inclusive method in which of the following ways?

A

The complementary subservice organization controls are reported after management's system description.

29
Q

Under the carve-out method, management explains

A

the nature of the subservice organization's services but not its controls in the description of the service organization's system.
Any CSOCs are reported separately after management's system description.

30
Q

Threat modeling process

A

Process that considers threats from an attacker's perspective. The steps include finding critical assets, mapping connections, ranking threats, creating mitigation policies, and validating controls.

31
Q

If the service auditor found that a control was not implemented…

A

then they would conclude there is a deficiency in the suitability of the design of a control

32
Q

Policy-based access controls (PBAC)

A

a combination of role-based and rule-based access control models with settings configured by the system administrator.

33
Q

Discretionary Access Controls (DAC)

A

the data object owner makes authorization decisions.

34
Q

Role-based access controls (RBAC)

A

35
Q

A fairly stated SOC 2 description meets the…

A

DC 200 Description Criteria

36
Q

When will a third party be classified as a vendor?

A

When a service organization retains responsibility for controls by monitoring a third-party provider's activities. If the service org's controls are sufficient by themselves, management does not need to explain the vendor's services in the description of the system.

37
Q

The subject matter of a SOC 2 engagement

A

is management's description of the service organization's system and the related controls.

38
Q

What is the significance of management's written representation in a SOC engagement for a service organization?

A

It forms the basis for the auditor's opinion on the system's description, control design, and control effectiveness. The purpose is for management to accept responsibility for its actions and for the information provided.

39
Q

Under the inclusive method in a SOC 2 examination the subservice organization must…

A

provide a signed representation letter separate from the one provided by the service organization management.

40
Q

Who is the responsible party?

A

the service organization's management

41
Q

When a service organization's management chooses the carve-out method for a subservice org during a SOC engagement, management's description must explicitly state…

A

that the description does not extend to complementary subservice organization controls.

42
Q

An Independent Service Auditor's Report should include…

A

a statement that the service auditor did not evaluate the suitability or operating effectiveness of the complementary user entity controls.

43
Q

According to the SSAE, when a service organization uses the inclusive method, the service auditor's report must include…

A

a statement that the service auditor performed procedures related to the subservice organization's controls.

44
Q

Unit testing

A

Involves initial, narrow tests performed on individual components. The primary purpose of unit testing is to find and resolve defects in individual components.

45
Q

The staging environment

A

Before going live, a small sample group of end users should try out the changes and provide feedback in a staging environment.

46
Q

Technology debt refers to

A

the cost of maintaining existing legacy systems plus the opportunity costs of not switching to modern systems.

47
Q

Automated testing

A

the most common method of validating CI code changes before deployment.

48
Q

Accounting information systems collect what kind of data?

A

Structured data, such as text, dates, and numbers

49
Q

Advantages of incremental backups

A

-fast
-less storage
-can be run frequently

50
Q

An AIS serves three main purposes:

A

-collecting and storing information about a company’s financial activities
-providing data that allow stakeholders to make decisions
-assuring adequate internal controls are implemented

51
Q

Tests should be performed in the following progression:

Application development

A

1. Unit
2. Integration
3. System
4. Acceptance

52
Q

Architecture

A

is an IT function risk area that focuses on an organization's ability to develop systems that align long-term technologies with its strategies and objectives.

53
Q

A shared database improves

A

data quality by reducing the opportunity for duplication and errors.

54
Q

An inner join

A

extracts records that have a matching

55
Q

Semi-structured data

A

Data that have a partial structure but are not defined as structured data. Semi-structured data may hold metadata, or tags,

56
Q

Domain Constraints

A

restrict input to a predefined range of acceptable values. They restrict the attribute data type and may also require data to be entered in a specific format.

57
Q

The CIA triad (Confidentiality, integrity, availability)

A

Is a data cybersecurity model which is referred to in the explanation of why data recovery, the 11th CIS control, is critical.

58
Q

COBIT governance framework principles

A

BOA:
-Based on a conceptual model
-Open and flexible
-Aligned to major standards

59
Q

When complementary user entity controls are identified, the scope section of the service auditor’s SOC 1® Type 2 report will be amended to include which of the following?

A

A statement will be included in the scope section of the service auditor’s report that indicates that the complementary user entity controls were not evaluated for design suitability or operating effectiveness as a part of the engagement.

60
Q

Purpose limitation

A

the principle where data must be processed for specified, explicit, and legitimate purposes.

61
Q

Data minimization

A

the principle that requires that data processing must be relevant, adequate, and limited to what is necessary for the purpose.

62
Q

A network address translation firewall

A

allows machines on a private network to share a single public address so that it masks their true private addresses.

63
Q

Management representations are intended…

A

to confirm explicit or implicit representations given to the service auditor, indicate and document the continuing appropriateness of those representations, and reduce the possibility of a misunderstanding between the service auditor and management.

64
Q

Active data collection

A

The collection of data through direct interviews with users is an example of the active data collection method of collecting data. Directly asking a party for data is considered active collection, whether in person, through a survey, or other means.

65
Q

Describe the holistic approach governance system principle under COBIT 2019

A

Governance systems for IT can comprise diverse components.

66
Q

An SQL (Structured Query Language) Injection is an example of what type of attack?

A

an application attack in which an attacker injects malicious SQL code into existing SQL code on a company’s website to gain unauthorized access to a company’s data. Application-based attacks target specific software or applications such as databases or websites to gain unauthorized access or disrupt functionality.

67
Q

A bridge is a network component…

A

that connects separate networks that use the same protocol, even if those networks have different topologies or transmission speeds. Bridges operate at the data link layer of a network.

68
Q

During the payment clearing process, which of the following methods of data obfuscation would most likely be used in relation to credit card transactions?

A

Tokenization
Given the high sensitivity of financial data, tokenization (replacing the entire piece of data) would most likely be used in credit card transactions during the payment clearing process.

69
Q

When an adverse opinion is issued in a SOC 2® engagement, which section of the service auditor’s report should include the matter(s) giving rise to the adverse opinion?

A

When an adverse opinion is issued, a separate paragraph should be added in the opinion section, before the opinion paragraph, to provide a description of the matter(s) giving rise to modification.

70
Q

CIS Control 05: Account Management

A

Use processes and tools to assign and manage authorization to credentials for user accounts to enterprise assets and software.

71
Q

Data flow diagrams

A

visually depict the logical flow of data for business processes. They are standardized tools that are used with BPMN notation such as connecting objects, swim lanes, and flow objects. Documenting the expenditure cycle using a data flow diagram would have at least one swim lane, a start and end flow object, multiple tasks, a gateway, and several sequence flow notations charting the life cycle of this transaction cycle.

71
Q

The NIST Privacy Framework’s purpose is to

A

help organizations manage privacy risk by considering privacy best practices as they design and deploy systems, products, and services that affect individuals, communicating privacy practices to the rest of the organization, and encouraging cross-organizational workforce collaboration relating to user privacy and IT security.

72
Q

Mandatory access controls

A

the system admin assigns each object a security classification and a category that defines the department or role that is granted access.
-The most secure and most expensive model

73
Q

Defense in depth is based on the concept that…

A

individual system components can never be completely secure.

74
Q

The 4 supplemental trust service criteria

A

-logical and physical access controls
-system operations
-change management
-risk mitigation

75
Q

Rivest-Shamir-Adleman (RSA)

A

Asymmetric encryption

76
Q

Data in a database would most likely be protected through…

A

symmetric key encryption

77
Q

Which group is responsible for selecting members of the incident response and incident handling teams?

A

Senior management

78
Q

OODA loop

A

A four stage decision making framework: observe, orient, decide, and act
-useful tool for incident response teams

79
Q

Physical data model

A

the most detailed representation of data structures compared to conceptual or logical data models. The administrator could see the foreign key and column data types.

80
Q

software-as-a-service (SaaS)

A

customers only use the application and its tools

81
Q

PaaS model

A

a CSP provides proprietary tools or solutions to allow customers to build or operate their applications on the CSP’s infrastructure.

82
Q

Operational Data Store

A

A repository of transactional data from multiple sources; it is often an interim area between a data source and a data warehouse.

83
Q

Open and Flexible

A

Being Open and Flexible means that the framework should have the ability to change, add relevant content, and remove irrelevant content. Therefore, not being able to remove content would violate the Open and Flexible principle.

84
Q

Network hardening

A

focuses on strengthening infrastructure that connects all devices across an organization’s network. This includes removing unused physical or virtual ports so that potential attackers are unable to use those ports to bypass security measures.

85
Q

Management’s description of the entity’s cybersecurity risk management program

A

detailed information on an entity's cybersecurity risk management program objectives, risk governance structure, and risk assessment.

86
Q

When the inclusive method is used by a service organization, management’s description of the service organization’s system should include

A

The nature of the services provided by the subservice organization and the components of the subservice organization’s system used to provide services to the service organization.

87
Q

Mobile code

A

refers to any software designed to disseminate to multiple computers, infecting each device it encounters by altering them in some way so that a copy of the code is embedded on that device or system.

88
Q

Business resiliency refers to

A

continuous operation or the ability to quickly return to operations after an event, whereas business continuity is more operations-focused in that it concentrates on continuing product and service delivery (speed).

89
Q

Conceptual data models are a

A

high-level, big-picture representation of the data structures.

90
Q

SARs typically contain

A

a summary of findings, a system overview, assessment methodology, security assessment findings, recommendations, and an action plan.

91
Q

The primary purpose of the risk assessment procedures performed by a service auditor?

A

To provide a basis for designing and performing procedures that are responsive to the risks.

92
Q

Performing a reduction analysis involves

A

decomposing assets that are being protected with the intent to obtain a greater understanding of how those assets interact with potential cybersecurity threats. This decomposition process helps organizations understand existing security clearances, policies around trust and security changes, and how data flows through the organization.

93
Q

Salting

A

A technique that adds a random string of characters to each password before hashing and storing it.
-strengthens security and protects against dictionary and brute-force attacks

94
Q

Iteration count

A

determines the number of times your master password is hashed (scrambled) when creating the master encryption key.

95
Q

Demilitarized zone (DMZ)

A

a subnetwork that separates an organization’s internal network from an external network, such as the internet.

96
Q

Gantt chart

A

a type of bar chart, devised by Henry Gantt in the 1910s, to illustrate a project schedule. It helps in scheduling, managing and monitoring specific tasks in a system. It is not a data collection tool.

97
Q

Electronic data interchange (EDI) is a means of electronic communication between

A

entities, not people. EDI typically involves automatic monitoring of inventory levels and sales orders (by the business customer’s system), purchase order placement and fulfillment, and payment. It is not designed as a tool for collaboration.

98
Q

AICPA DC section 200 description criteria

A

are used to measure or evaluate management's description of the system, not controls.

99
Q

AICPA TSP section 100 Trust Service criteria

A

management asserts that controls were designed, implemented, and operated to provide reasonable assurance of achieving the service organization's principal service commitments and system requirements.

100
Q

Second Normal Form

A

All non-key attributes in a table depend on the entire primary key.

101
Q

A value-added network (VAN)

A

provides additional services beyond mere connections to the Internet, particularly services enabling EDI (Electronic Data Interchange) to route communications and data transactions between entities such as trading partners.

102
Q

Abstraction

A

is the process of hiding certain levels of complexity within a task so that only pertinent information needed to perform a job is displayed to the person performing that task.