Mini Exam S1-S2 review Flashcards

1
Q

//Topology

A

Refers to the physical layout of equipment, or “nodes”, in a network, which is essential for understanding how to properly engineer the network for optimal performance. Each topology has different requirements for components, such as the length and type of connecting cables, data transmission rates, and the physical position of each node in the network. These depend on the size of the network, the performance needs of the org, and the environment in which the network is built.

  • An org’s physical network infrastructure is generally constructed using one of four topologies, or a combination of the four:

Each topology has a different physical layout of network equipment (“nodes”), which requires different components and specifications, such as the type of connecting cables, the devices used, the data transmission rates needed, and the physical positioning of each node.

Mesh topologies have multiple interconnected nodes, allowing a large volume of traffic to transit across the network and creating redundancy. If one node stops functioning, the remaining nodes continue to function using any of the other node connections. The number of pathways allows high levels of traffic and promotes network stability if a node is damaged, but it can be costly to implement and maintain over the network’s lifespan.

Bus topologies are linear or tree form, with each device connected to either two other devices or a main line. If one device in the line is damaged, data cannot pass through it, so the network stops at that point, making it a single point of failure. If the central line is compromised, the entire network goes offline.

Ring topology is similar to a bus topology in that all devices are connected linearly, except that a ring topology forms a circle instead of a straight line. If the functionality of any one node or the main line is disrupted, service for the entire network stops. There are unidirectional and multidirectional ring paths, allowing one-way or two-way data transmission. Transmission collisions are minimized, but network performance is slow.

Star topology: a central hub through which all data passes to the peripheral devices. The hub acts as a server and the other devices as clients. If the hub quits functioning, all devices connected to it also stop functioning, making it a single point of failure. It makes damaged cables easier to identify.

1
Q

////Testing prior to launching a finished version

A

Acceptance testing: occurs in later stages, when end users can begin testing beta versions of a product. User ratings and feedback are used to tweak or make any changes. A form of QA testing to make sure the finished product aligns with end-user expectations.

Unit testing: used to test the smallest increment or unit of a system that can be analyzed, such as lines of code. This form of testing does not involve end users evaluating whether the new software meets their expectations.

Integration testing: also referred to as string or thread testing; evaluates the way a newly designed system works with other existing systems. Does not involve an end-user group assessing the new system’s functionality.

System testing: assesses whether all individually constructed modules work in unison once combined. Does not seek feedback from users.

2
Q

Def of firewall

A

A firewall is a software application or hardware device that protects a company’s network traffic by filtering it through security protocols using predefined rules that are aligned with company policies. It is intended to prevent unauthorized access and to stop employees from downloading harmful programs.

Not a physical barrier in IT.

3
Q

HIPAA administrative safeguards

A

Include:
- Security management processes
- Assigned security responsibility
- Information access management
- Contingency plans
- Security and awareness training

4
Q

///Governance system principle under COBIT 2019:

A

COBIT DISTINGUISHES BETWEEN GOVERNANCE AND MANAGEMENT.

The board of directors is responsible for governance, whereas middle and senior management are responsible for management objectives.

6 Governance system principles:

1st: Provide stakeholder value: create value for the company’s stakeholders by balancing benefits, risks, and resources.

2nd: Holistic approach: the governance system comprises diverse components that collectively provide a holistic approach.

3rd: Dynamic governance system: when a change occurs in one part of the governance system, its impact on all the others is considered so that the system continues to meet the demands of the organization. The system should be dynamic enough to adjust as new challenges arise.

4th: Governance distinct from management

5th: Tailored to enterprise needs: governance models should be customized to the needs of each company.

6th: End-to-end governance: all processes within the organization involving information and technology should be factored into the governance system.

3 Governance framework principles:
- Based on a conceptual model: identifies key components as well as the relationships between those components, in order to provide for greater automation and to maximize consistency.
- Open and flexible: has the ability to change, adding relevant content and removing irrelevant content, while keeping consistency and integrity.
- Aligned to major standards: should align with regulations, frameworks, and standards.

Governance objective:
- Evaluate, Direct, and Monitor (EDM)

4 Management objectives:
- Align, Plan, and Organize (APO)
- Build, Acquire, and Implement (BAI)
- Deliver, Service, and Support (DSS)
- Monitor, Evaluate, and Assess (MEA)

5
Q

Stages of the data life cycle

A
  • Definition
  • Capture/Creation: obtain the data internally or externally. ETL, active data collection, and passive data collection.
  • Preparation
  • Synthesis
  • Analytics and usage
  • Publication
  • Archival
    - Purging: when data is completely removed
6
Q

///CSP (cloud service provider)

A

IaaS (Infrastructure as a Service): provides only the core IT hardware infrastructure: a virtual data center, networking, storage, and servers. Generally does not provide application design or environment management services.

SaaS (Software as a Service): provides all infrastructure, management of the environment, and application design. The application simplifies the design and e-commerce process.

PaaS (Platform as a Service): provides infrastructure and the management of that infrastructure. Does not provide application design.

BPaaS (Business Process as a Service): typically provides one or more components of an organization’s core operations, such as payroll, accounting, or outsourced IT, in combination with outsourced computing. Usually offered in conjunction with SaaS models.

7
Q

Change management controls:

A
  • Reversion access: some changes may cause unexpected complications, so it is important to have the ability to revert to the prior system or process that existed before the change.
  • Separation of duties
  • Post-implementation
  • Standardizing change requests
8
Q

Continuous software development and continuous integration practices

A

Characteristics?

Designed to streamline the testing process and provide a feedback loop that is more timely than the traditional “build-test-deploy” model.

With continuous integration, developers regularly merge their code changes into a central repository in which building and testing are automated. Merging more frequently helps identify bugs faster, enhances application quality, and shortens the time needed to release software updates.

In continuous deployment, software is automatically built, tested, and then deployed to a production environment. This minimizes the time between writing code and releasing new software versions while maintaining some form of testing so that application and system operations are not interrupted.

9
Q

CIS control principles:

A

Consistency: disruption to control users is minimized, limiting the impact on implementation groups.

Coexistence: controls are in alignment with evolving industry standards and frameworks, including NIST’s CSF 2.0.

Context: enhancements are made to the scope and practical applicability of safeguards through examples and explanations.

10
Q

NIST Privacy Framework core functions and categories:

A

Govern: governance policies, processes, and procedures; risk management; awareness and training; and monitoring and review.

Protect: data protection policies, processes, and procedures; identity management, authentication, and access control; data security; maintenance; and protective technology.

Control: data processing policies, processes, and procedures; data processing management; and disassociated processing.

Identify: inventory and mapping, business environment, risk assessment, and data processing ecosystem risk management.

11
Q

Forms of backup

A

Full: an exact copy of the entire database. Time-consuming to create, but the fastest to recover.

Incremental: copies only the data items that have changed since the last backup, producing a set of incremental backup files, each containing the results of one day’s transactions. Recovery is the slowest; initial creation of each incremental load is fast.

Differential: copies all changes made since the last full backup. Loading takes the longest; recovery is faster than incremental but slower than full.

12
Q

Transaction cycles

A
  • Revenue and cash collection cycle: remits payments with customers; sends the packing slip to the shipping dept; transmits inventory release orders to the warehouse; remittance.
  • Purchasing and disbursement cycles: submits purchase orders (PO).
  • General ledger and reporting cycles: records cash, interest, and investment activity; records sales transactions.
  • Treasury cycles: manages cash and working capital.
13
Q

///Patch management

A

SOC 2 service auditors should:
- Patch management is the process of discovering security vulnerabilities or coding weaknesses in software version updates.

Patch management process:
- Evaluating new patch releases
- Using a vulnerability tool to identify weaknesses
- Testing patches before deploying them
- Approving patches
- Verifying patches were executed effectively after deployment

Must meet the TSC. Service auditors inspect policies to make sure patch management has a documented process to follow.

Patches are tested only in a non-production environment prior to releasing an update.

14
Q

///Mirroring vs. replication

A

Both address redundancy mainly from a storage perspective, in that they duplicate databases to alternate machines.

Mirroring involves copying a database onto a different machine at the same site, whereas replication also involves transferring data to a different database at a secondary site.

15
Q

PCI DSS

A

Cryptography during transmission over open, public networks enhances the ability to accomplish the goal of protecting account data.

16
Q

SOC report

A
  • Disclosure of the cause of deviations: inclusion of causative factors when describing the tests of controls in a SOC report is optional. When a deviation is noted, the required elements to be included are the number of items tested and the number and nature of the deviations.