Midterm

Question 1

4 actions to preserve confidentiality

Answer 1

Identify and classify information
Encryption
Control access- authentication and authorization
Train employees

Question 2

Data loss prevention

Answer 2

Software that blocks outgoing messages that contain key words of sensitive information

Question 3

Digital watermark

Answer 3

Code embedded in documents that identifies confidential information

Question 4

10 best practices for protecting customers’ privacy

Answer 4

Management- set of policies
Notice- about its policies
Choice and consent- customers must agree to terms
Collection- only collect what is needed
Use, retention, disposal- for a business purpose
Access- customers should have access to info about themselves
Disclosure to third parties
Security
Quality
Monitoring and enforcement

Question 5

Asymmetric encryption systems

Answer 5

Use two different keys (public and private) to encrypt and decrypt
Secure exchange of keys via email, digital signatures

Question 6

Key escrow

Answer 6

Storing copies of encryption keys in a secure location

Question 7

Hashing

Answer 7

Produces a code of a fixed short length regardless of size. Cannot be decrypted back to original text.
Creates a digital signature with hash creator’s private key

Question 8

Digital certificate

Answer 8

Certifies the identity of the owner of a public key

Question 9

Public key infrastructure

Answer 9

System that issues pairs of public and private keys and digital certificates

Question 10

Virtual private network

Answer 10

A network of information securely transferred using encryption and authentication

Question 11

Data entry controls

Answer 11

Field check- numeric or string
Sign check
Limit check
Range check
Size check- number of digits/characters
Completeness check
Validity check
Reasonableness test

Question 12

Processing controls

Answer 12

Data matching
File labels- correct and most current files are being updated
Recalculation of batch totals
Cross-footing and zero balance tests
Write-protection mechanisms
Concurrent update controls

Question 13

Batch totals

Answer 13

Calculate numeric values for a batch of input records

Financial total, hash total, record count

Question 14

Fault tolerance

Answer 14

The capability of a system to continue functioning when a component fails

Question 15

Redundant arrays of independent drives (RAID)

Answer 15

Records data on multiple disk drives to reduce risk of data loss

Question 16

Uninterruptible power supply

Answer 16

Protects in event of power outage, uses battery power to enable system to operate to back up critical data

Question 17

Recovery point objective

Answer 17

The maximum amount of data an organization is willing to lose

Question 18

Disaster recovery plan three options

Answer 18

Cold site
Hot site
Real time mirroring

Question 19

General controls

Answer 19

Make sure an organization’s control environment is stable, IT

Question 20

Application controls

Answer 20

Prevent, detect, and correct transaction errors

Concerned with accuracy, completeness, and authorization

Question 21

5 components of the internal environment

Answer 21

Management philosophy/operating style
Commitment to integrity and competence
Independent Board of directors
Organizational structure
Human resource standards

Question 22

Policy and procedures manual

Answer 22

A document that explains proper business practices, needed knowledge and experience, procedures

Question 23

Custody functions

Answer 23

Handling cash
Handling inventories
Writing checks
Receiving checks

Question 24

Recording functions

Answer 24

Preparing source documents or entering data online
Maintaining journals, files, databases
Preparing reconciliations and performance reports

Question 25

COBIT 5 framework for best practices

Answer 25

Meeting stakeholder needs
Covering the enterprise end to end
Applying a single integrated framework
Enabling an holistic approach
Separating governance from management

Question 26

COSO 5 Risk management model

Answer 26

Internal environment
Objective Setting- operations, reporting, compliance
Event Identification
Risk assessment
Control activities

Question 27

Control activities

Answer 27

Policies, procedures, and rules that provide reasonable assurance that control objectives are met and risk responses are carried out

Question 28

Trust Services framework- Systems reliability

Answer 28

Security-foundation
Confidentiality
Privacy
Processing Integrity
Availability

Question 29

Security life cycle

Answer 29

Assess threats and select risk response
Communicate policy. We want people to be cautious but not scared.
Acquire and implement solutions- outsource
Monitor performance- best practices. Balance scorecard, benchmarking, database of breaches

Question 30

Defense in depth

Answer 30

Employing multiple layers of controls to avoid a single point of failure

Question 31

Protection controls

Answer 31

Training
User access controls
Change controls and change management
Access controls
Hardening, encryption, firewalls

Question 32

Detection controls

Answer 32

Log analysis

Continuous Monitoring

Question 33

Response controls

Answer 33

Computer incident response teams

Chief information security officer

Question 34

Incident response process

Answer 34

Recognition
Containment
Recovery
Follow up

Question 35

Virtualization

Answer 35

Running multiple systems simultaneously on one physical computer

Question 36

Cloud computing

Answer 36

Using a browser to remotely access software, data storage, hardware

Question 37

Intrusion detection system

Answer 37

A system that creates all logs of all network traffic that was permitted to pass the firewall

Question 38

Log analysis

Answer 38

Examining logs to identify evidence of possible attacks

Question 39

Hardening

Answer 39

Modifying the configuration of endpoints to eliminate unnecessary services

Question 40

Patch

Answer 40

Code released by software developers that fixes a particular vulnerability

Question 41

Endpoints

Answer 41

Workstations, servers, printers on an organizations network

Question 42

Intrusion prevention systems

Answer 42

Software or hardware that monitors patterns in the traffic flow to identify and automatically block attacks

Question 43

Demilitarized zone

Answer 43

A separate network located outside the organization’s internal information system that permits controlled access from the internet

Question 44

Financial statement fraud

Answer 44

An intentional or reckless act by act or omission that is materially misleading

Question 45

Conversion

Answer 45

An unauthorized assumption and exercise of the right to ownership over goods or personal chattels belonging to another

Question 46

3 elements of fiduciary action

Answer 46

A fiduciary relationship existed between the plaintiff and defendant
The defendant breached his or her duty to the plaintiff
The breach resulted in harm to the plaintiff OR benefit to fiduciary

Question 47

3 attributes of fraud

Answer 47

Scheme
Concealment
Conversion or benefit