Mini Exam S3-S4 Flashcards

1
Q

COSO Framework

A
  • Control environment: ensure the proper corporate structure is in place to oversee the development and performance of controls.
  • Risk Assessment: focuses on identifying risk, considering the potential for fraud, and understanding changes that could impact internal controls.
  • Control Activities: ensure the proper application of policies and procedures that help ensure management directives and control objectives are met.
  • Monitoring activities: outline how an org should conduct ongoing evaluations of control activities and communicate internal control deficiencies.
2
Q

review cyberattack stages and threat modeling

A
3
Q

What are security behaviors?

A
4
Q

Threat Models -

A
  • PASTA: focus on risks and countermeasures that are prioritized by the value of the assets being protected.
  • VAST: based on the Agile project management methodology, its goal is to integrate threat management into the programming environment on a scalable basis.
  • STRIDE: used for assessing threats related to applications and operating systems.
5
Q

Review TSC (Trust Services Criteria)

A
6
Q

NIST v. COSO

A
  • NIST: the National Institute of Standards and Technology offers recommendations on creating patch and vulnerability management programs.
  • COSO (Committee of Sponsoring Organizations): an advisory group that provides guidance on internal controls, fraud deterrence, and risk management. Its internal control framework serves as the benchmark for internal controls, including those related to system vulnerabilities.
7
Q

Patch management

A
  • an important part of minimizing security threats that works in conjunction with vulnerability management solutions.
8
Q

Sections of the SOC report

A
  • Scope and opinion sections of the service auditor’s report refer to the identified complementary user entity controls.
  • Inherent limitations section is the same as in a standard report and is not amended to refer to identified complementary user entity controls.
  • Service auditor’s responsibility section is the same as in a standard report and is not amended to refer to identified complementary user entity controls.
  • Service organization’s responsibility section is the same as in a standard report and is not amended to refer to identified complementary user entity controls.
9
Q

Different forms of attack

A
  • Distributed denial of service (DDoS) attack: an attack in which multiple attackers, or compromised devices, work in unison to flood an organization’s network with traffic. These attacks manipulate the operation of network equipment and services in a way that may be more powerful than a traditional denial of service attack.
10
Q

risk of deleting/purging confidential info from storage devices

A
  • Orgs face the risk that an imprint or residual magnetic flux may still exist on storage devices after data is removed. If the storage device is kept around, the risk remains high that unauthorized access to confidential info may occur.
11
Q

Pros and cons of symmetric vs. Asymmetric

A
12
Q

Type of SOC report

A
  • Type 2: covers a specified period of time
  • Type 1: as of a point of time

A Type 1 report assesses the design of controls, whereas a Type 2 report assesses both design and operating effectiveness of controls. Additionally, a Type 1 report is as of a point in time, whereas a Type 2 report covers a period of time.

A SOC 1® report assesses controls relevant to the user entity’s internal control over financial reporting, whereas a SOC 2® report assesses controls related to the trust services criteria. Both SOC 1® and SOC 2® reports can be issued as Type 1 or Type 2 depending on the needs of the user. A SOC 3® report is always issued as a Type 2 report for general users.

13
Q

SOC report

A
  • Qualified: a material, but not pervasive, misstatement or scope limitation. When a SOC 2 report is modified for a qualified opinion, the service auditor’s responsibility section is updated to refer to the qualified opinion. The opinion section is amended by adding the “except for” language and a reference to the matter giving rise to the modification.
  • Adverse: when the service auditor identifies a misstatement in the description of the service org’s system that is assessed as material and pervasive.
  • Unmodified:

14
Q

Hacktivist vs. State-sponsored

A
  • Hacktivists: groups of hackers that operate to promote certain social causes or political agendas, or that claim to operate on a relatively moral basis.
  • State-Sponsored: threat actors that are funded, directed, or sponsored by nations. Known to steal and exfiltrate intellectual property, sensitive info, and even funds to further their nation’s espionage causes.
15
Q

Role based access control (RBAC) vs. Policy-based access control (PBAC)

A
  • PBAC: uses a combo of user roles and policies consisting of rules to maintain and evaluate user access dynamically. Can be viewed as a framework to evaluate a user’s access based on what is known about that user, such as identity, role, clearance, operational need, and risk.
  • Role Based: administer access based on a user’s job role instead of individually assigning permissions. Job roles are placed in categories that correspond with a specific level of access or privilege. Does not provide the desired level of flexibility.
16
Q

network security method:

A
  • Endpoint security: refers to the notion that every device (also called a host) connected to a network should have some form of local security, such as antivirus software, that is separate from any other security measure in place on the network or communication channel.
  • Media access control (MAC) filtering: a form of filtering in which the access point blocks access from unauthorized devices using a list of approved physical or hardware MAC addresses.
  • Network segmentation or isolation: the process of controlling network traffic so that it is either inaccessible or separated from outside communications or from other segments within an org’s own network.