Personal Topics Flashcards

Missed MCQs

1
Q

What are the components of the governance system under COBIT 2019?

A

  • processes
  • org structures
  • principles, policies & frameworks
  • information
  • culture & ethics
  • people, skills & competencies
  • services, infrastructure & applications

2
Q

HIPAA Violations ($)?

A

Tier 3 is willful neglect
$10K min per violation
$50K max per violation
$1.5M annual cap for identical violations

3
Q

System backup methods (full, incremental, differential) - which takes the least amount of downtime to create the backup file?

A

Greatest to least:
Full > differential > incremental

4
Q

What is RPO?

A

RPO = recovery point objective
RPO = the maximum amount of some metric that is intolerable (ex: a company can tolerate losing 1,000 units per day due to a power outage)

5
Q

What is “WHERE” used for in SQL?

A

to filter records based on certain criteria (ex: find values exceeding $1,000)

6
Q

What is the asterisk “*” used for in SQL?

A
  • is used to select every single value
7
Q

When do you reference complementary user entity controls (CUECs) in the SOC1 audit report?

A
  • Required to reference in the opinion section of the SOC1 report when the controls are necessary to meet standard control objectives of the service org in conjunction with the controls of the service org
8
Q

What should be included in the SOC 2 Type 2 Report in the ‘Description of Test of Controls’ section?

A
  • the controls tested
  • whether the items tested represent all or a selection of items in the population
  • nature of tests performed so that users can determine the effect on their risk assessments
  • number of items tested only if there are deviations. Do not mention if no exceptions are noted.
9
Q

What is the carve-out method?

A
  • for complementary subservice org controls
  • less extensive
  • service org management should exclude complementary subservice org controls from the description of the service org’s system
10
Q

What is the inclusive method?

A
  • for complementary subservice org controls
  • most extensive
  • required to have written representations from subservice & the service org’s managements
11
Q

What are differential backups?

A
  • Backup all data since the last full backup
  • fastest to restore
12
Q

What is the purpose of an AUP (org vs mobile device)?

A
  • Organizational: broader in scope; regulates and protects technology resources by assigning varying levels of responsibilities to job roles, listing acceptable behavior by users
  • Mobile devices: limited in scope; defined policies for how mobile devices may be used
13
Q

Which common criteria and which additional specific criteria related to the trust services criteria must a service auditor address?

A
  • the common criteria for all trust services categories
  • address additional specific criteria for all but security (only for confidentiality, processing integrity, privacy and availability)
14
Q

If a virus infects a business network, who would be affected?

A
  • vendor’s systems can get infected
  • partner orgs may reallocate resources to help thereby disrupting operations
  • customers’ ordering systems may be infected

Note: an employee trying to log onto the org’s website to log time would not be affected (us trying to log into PayCom, we wouldn’t be affected)

15
Q

What is recovery time objective (RTO)?

A

The maximum amount of targeted time to restore a company to its usual operations

16
Q

Should orgs have separate risk management strategies from their CSPs?

A

No - they should integrate for a cohesive way to manage risk

17
Q

SQL: join vs left join

A
18
Q

In what type of report do you test operating effectiveness of controls?

A
  • SOC type 2; when the service org uses the inclusive method to present its services and controls, tests of operating effectiveness of controls would extend to the relevant controls of a subservice org
19
Q

What is the service auditor’s responsibility vs service org management’s responsibility in an SOC engagement?

A
  • Service auditor: responsible for ensuring appropriate controls are in place and that internal employees are aware of how to appropriately report incidents
  • Service org management: design, implement, and maintain internal controls; ensure that incidents are remediated timely; ensure that any incidents or control deviations are identified; make assertions about the system’s design, operation, and effectiveness
20
Q

What do routers do?

A
  • hardware or software devices
  • manage network traffic by connecting devices
  • assign IP addresses
21
Q

What do gateways do?

A
  • convert protocols so networks can communicate
  • act as intermediaries
22
Q

What do servers do?

A
  • execute commands and provide computing power for other machines on the network
  • coordinate data, programs, and computers so the network can operate
23
Q

Open Systems Interconnection (OSI) Model

A
  • a construct used to explain how different protocols work in a network by breaking network functions into seven layers
  • 7 layers
24
Q

Are causative factors optional or required in SOC reports?

A
  • causative factors are optional
  • if included, they go in the Description of Tests of Controls section
25
Q

What are the primary forms of data collection?

A

Surveys, interviews, and observation (it’s new data collection)

26
Q

What is a secondary form of data collection?

A

Analyzing documents (it’s already existing data)

27
Q

Where is service auditor independence and objectivity mentioned in the SOC report?

A

In the introductory section

28
Q

What do you omit from the SOC report when a disclaimer of opinion is given?

A

When a disclaimer of opinion is used, the report should omit an explanation of what is required by the professional standards of the service auditor, a statement that sufficient and appropriate evidence was obtained, and a statement describing the nature of an examination engagement.

29
Q

Mirroring versus replication

A

Mirroring increases redundancy and only requires one site, whereas replication requires a secondary site

30
Q

Risk of data security heightens at what stage in the data life cycle?

A
  • publication stage, where data is made available externally
31
Q

Who issues standards for CSPs?

A

Cloud Security Alliance
32
Cloud service providers can be IaaS (Infrastructure-as-a-Service) companies that provide only the core IT hardware infrastructure, PaaS (Platform-as-a-Service) companies that provide core infrastructure plus some IT management services and the ability to develop applications, or SaaS (Software-as-a-Service) companies that provide all infrastructure, management of the environment, and application design. The alternative to these options is for organizations to house and maintain their own data centers, servers, and networking equipment and be responsible for all application design.
33
Q

Who decides whether the carve-out or inclusive method is used for the SOC report?

A
  • management of the service org is responsible for deciding whether to carve out or include the subservice org’s controls in the description of the system & in the scope of the engagement
  • inclusive method: CSOCs are mentioned and evaluated for their effectiveness
34
Q

Redundant infrastructure

A

A company should have alternate sites that are many (maybe even hundreds) of miles away from each other to ensure that each site is not affected or wiped out by the same natural disaster or disruption

35
Q

What metric to look at for continuing relationships with insurance companies?

A

The highest reimbursement rates, not the denials

36
Q

Recover NIST core function

A
  • returning to normal operations
  • transitioning from a state of vulnerability to a state where that vulnerability no longer exists
37
Q

When you use the carve-out method, what is required in management’s system description?

A
  • The description excludes control objectives and related controls at the subservice organization, but does include a description of the services performed by the subservice organization
  • an indication of whether the inclusive or carve-out method has been used
  • any complementary subservice organization controls (CSOCs) assumed in the design of the service organization controls
38
Q

Which TSC do incident reporting and identification and response procedures apply to?

A
  • All TSC
39
Q

What TSC do hot site migrations, testing recovery plans & backup recovery relate to?

A
  • Availability specific (hot sites are used when the main site is unavailable)
  • testing a recovery plan also relates to availability of alternate site usage
40
Q

What is a DDoS attack?

A
  • Distributed denial of service: multiple computers overloading a server with requests so that the system doesn’t function as normal anymore
Buffer overflow
Sending more data than a buffer can handle allowing for a malicious attack
42
IaaS (Infrastructure as a Service)
Provided the underlying infrastructure and users are responsible for managing data, operating systems and applications. The provider is responsible for managing the infrastructure Example: Amazon web services
43
What’s the main goal of a management written assertion (in SOC 2 Type 2 report)?
to provide assurance to clients and users regarding the design and effectiveness of the service org’s controls
44
What is a honeypot?
a decoy system or network meant to attract potential hackers; a defensive measure to learn how to better protect a system or network
45
What’s the main danger of a buffer overflow attack?
it gives room for the attacker to execute arbitrary code and inject the system with malicious activity and they’ll have control over the system