Section 2 - Compliance & Audit Work Flashcards
Why are Cybersecurity Frameworks Valuable? (Select All that Apply)
They allow an Information Security Program to Report current state to Management and External Parties.
They allow you to have a comprehensive approach to Information Security.
They allow you to outsource Information Security to a different organization.
They create infographics that make visually communicating program status easy.
They allow an Information Security Program to Report current state to Management and External Parties.
They allow you to have a comprehensive approach to Information Security.
Which of the following can be used as Cybersecurity Frameworks? (Select All that Apply)
NIST Cybersecurity Framework
SOC2
ISO 27001
PCI DSS
NIST Cybersecurity Framework
SOC2
ISO 27001
What is the benefit of Regulations that require Information Security Controls?
Regulations force and require minimum Cybersecurity Controls and Standards.
Regulations ensure that the Government can Audit your Organization.
Regulations identify funding opportunities for Organizations.
Regulations allow businesses to transfer their Information Security Operations.
Regulations force and require minimum Cybersecurity Controls and Standards.
Which of the Following are Audit Activity Phases? (Select All that Apply)
Audit Prep
Control Implementation Status Analysis
End-User Education
Threat Modeling
Reporting
Audit Prep
Control Implementation Status Analysis
Reporting
What are Key Components of a Final Audit Report? (Select All that Apply)
Executive Summary
Purpose
Who was Interviewed
Flight and Travel Logistics
Auditor Professional Credentials
Control Compliance Status
Risk Analysis for Missing Controls
Scope of Audit
Executive Summary
Purpose
Who was Interviewed
Control Compliance Status
Scope of Audit
What is Shadow IT?
Technology that is located in the Datacenter.
Technology that is located at Remote Sites.
Technology that has gone End of Life.
Technology that was implemented outside of IT and “Normal Processes”.
Technology that was implemented outside of IT and “Normal Processes”.
What is Cyber Resiliency?
The intent of ensuring an organization is Secure.
The intent of ensuring an organization can continue to operate during an incident.
The intent of having defense in depth.
The intent of being unhackable.
The intent of ensuring an organization can continue to operate during an incident.
What is the NIST Special Publication 800-53 Document used for?
It explains how to build an Information Security Program.
It is a Cybersecurity Control Dictionary to understand what Controls can be implemented at an Organization.
It demonstrates the approach to maturing a Cybersecurity Program.
It illustrates how to perform a Cybersecurity Audit.
It is a Cybersecurity Control Dictionary to understand what Controls can be implemented at an Organization.
What are 3 Audit Techniques for Data Collection? (Select All that Apply)
Interviewing
Threat Modeling
Document Review
System Testing
Risk Analysis
Interviewing
Documentation Review
System Testing
If you determine a Control is NOT implemented, what does that mean?
The Control exists but is not implemented fully across the Org.
The Control is fully implemented and working across the Org.
The Control is an Administrative Control and doesn’t require technology to be implemented.
The Control is fully absent at the Org.
The Control is fully absent at the Org.
In the Audit Cycle - specifically with Reporting, how is a Report typically Outlined?
Executive Summary
Purpose of the Audit
Scope of the Audit
Who was Involved, Interviewed
What you are Auditing
Results of the Audit
Conclusion
What NIST Special Publication is used to Prep an Audit - Collecting Data, Responses, Dispositions, Evidence Collected?
NIST Special Publication 800-171 Sheet