Security Part 2 Flashcards
Both the AICPA’s description and control criteria state that an entity’s cybersecurity risk assessment procedures should include what?
- An ongoing process for identifying changes that would cause additional risks or alter existing risks
- Ex: changes in technology use
What are the different types of intrusion detection systems?
- Network based
- Host based
- Protocol based
- Application protocol based
What is a network-based intrusion detection system?
- They examine all traffic on the network
- They include 2 subtypes: Wireless IDS and network behavior analysis
What are administrative controls in a defense-in-depth strategy?
- They include policies and procedures implemented by an organization to control access to the system and train employees
What is defense in depth?
It is an approach to cybersecurity in which 3 different control categories are used to protect an organization’s assets:
1) Physical
2) Technical
3) Administrative
What are the trust services criteria?
They are used to benchmark controls in attestation and risk advisory engagements that evaluate the trust services CATEGORIES of:
- Security
- Availability
- Processing integrity
- Confidentiality
- Privacy
What is the COMMON CRITERIA of the TRUST SERVICES CRITERIA?
It is linked to the 17 COSO principles and applies to the trust services criteria
- Risk assessment is part of the common criteria and it involves identifying and analyzing risks
What is the SUPPLEMENTAL CRITERIA of the TRUST SERVICES CRITERIA?
- Change Management
- Logical access controls
- Systems operations
What makes up LAYERED SECURITY?
- Human security
- Perimeter security
- Network security
- Endpoint security
- Application security
- Data security
Layered security is part of which control in defense-in-depth?
Technical controls
What is the big picture idea behind layered security?
- This approach creates overlapping protective LAYERS so that if 1 security measure fails, deeper layers will stop or slow an attack
What must all SOC 2 engagements include?
The security trust services category
Which of the following types of trust services criteria apply to a SOC 2 examination for the security trust services category?
- Common
- Supplemental