90 STUDY GUIDE Flashcards

Question

#7111.14 COSO Internal Control Framework: | CONTROL ACTIVITIES

Answer 1

**Control activities** 1. *Policies and procedures:* Develops policies and procedures to govern the use of cloud computing services, including data protection policies, access control procedures, and incident response plans 2. *Control activities* implementation: Implements control activities such as encryption, multifactor authentication, and regular security assessments to manage risks associated with cloud computing 3. *Information and communication technology controls*: Implements controls to ensure the reliability and security of the information and communication technology used in cloud computing

Answer 2

**Information and communication** 1. *Communication with external parties*: Establishes mechanisms for communicating with cloud service providers and other external parties to manage risks effectively 2. *Communication with internal parties*: Facilitates internal communication to ensure that personnel are aware of the policies, procedures, and risks associated with cloud computing

Answer 3

**Monitoring** 1. *Ongoing monitoring*: Implements ongoing monitoring processes to evaluate the effectiveness of cloud computing governance and identify any improvement areas 2. *Separate evaluations*: Conducts separate evaluations, such as audits or assessments, to independently verify the effectiveness of cloud computing governance 3. *Reporting of deficiencies*: Establishes processes for reporting deficiencies in cloud computing governance to the appropriate levels of management and for taking corrective action * By integrating these principles and components of the COSO Internal Control Framework into cloud computing governance, organizations can develop a comprehensive approach to manage the risks and optimize the benefits associated with cloud computing effectively.

Answer 4

**Common enterprise back‐end devices** Various devices deliver application services in a distributed environment. Growing usage of the internet of things (IoT) has been an essential consideration in recent years. Organizations must understand how connected devices such as cars, thermostats, video cameras, and medical equipment impact their operations. IoT can lead to significant innovations, productivity gains, and new services. However, IoT also poses privacy concerns due to personally identifiable information (PII), user tracking capabilities, and risks of data leakage. | Which of the following is the most difficult to implement in a distribut ## Footnote Which of the following is the most difficult to implement in a distributed environment? Security

Answer 5

Assets are valuable objects that require protection from intrusion, theft, and exposure. Assets can be both tangible and intangible.

Answer 6

IT asset management encompasses all assets considered valuable to the organization, including physical assets, i.e., computer hardware and software assets such as off‐the‐shelf applications and software registration keys. Therefore, it is crucial to identify an asset to help management determine how to protect the asset from internal and external threats appropriately. Decommissioned applications are not required to be part of the IT assets inventory as they are no longer active on the company’s IT network. Decommissioned applications may be tracked in a separate inventory listing. The application inventory should include critical information including but not limited to the asset owner, asset custodian, asset’s value to the organization, impact of the asset loss and recovery prioritization, asset location, and security classification.

Answer 7

The first step of IT asset management is to identify and create a complete inventory of all IT assets, including software and hardware. The application inventory should include critical information including but not limited to the asset owner, asset custodian, asset’s value to the organization, impact of the asset loss and recovery prioritization, asset location, and security classification. Developing a complete IT asset inventory is a necessary precursor to developing and deploying an effective security strategy.

Answer 8

A system interface is a group of interrelated elements, including hardware and software, that interact through one or more computers. System interfaces refer to moving data output from one application as data input to another, with minimal human interaction. Interfaces that involve humans are user interfaces. System interfaces facilitate data transfer even if the software of the two systems is written using two different programming languages. System interfaces offer organizations the flexibility to acquire applications that best serve their objectives and ensure that systems can interact and share data.

Answer 9

Data transfers through system interfaces can be categorized as the following: **System‐to‐system:** Data is transferred between two systems, both internally within an organization or externally to other organizations. System‐to‐system interfaces are increasingly being used to transfer data to specialized tools for further analysis and insights through data mining. **Partner‐to‐partner**: Partner‐to‐partner interface involves two organizations (partners) continuously exchanging data back and forth between their systems regularly. **Person‐to‐person**: Person‐to‐person transfers can be as simple as sending an email communication. Person‐to‐person transfers are typically more challenging to capture, secure, and control.

Answer 10

**Security risks associated with system interfaces** Organizations adopt a centralized methodology to track and manage system interfaces and ensure complete documentation for relevant laws and regulations. However, a lack of centralized methodology may lead to unmanaged and unmonitored interfaces, exposing the organization to risks related to data security, integrity, and privacy. Organizations typically use a managed file transfer (MFT) software program to centralize the scheduling, monitoring, and tracking of all system interfaces. Organizations must implement controls that help ensure integrity of the data exchanged through system interfaces. If an interface is not working correctly or as intended, incorrect management reports may be generated that will negatively impact business decisions. Sometimes, inaccurate reporting may lead to compliance and legal issues. Maintaining the security of the data sent through system interfaces ensures that the data from the originating system is the same as the data in the recipient system (data integrity). Therefore, it is essential to protect the data during the transmission process. Data confidentiality is achieved by protecting and securing the data from interception, errors, and malicious activities. In addition, the unavailability of system interfaces could also impact the reliability of data.

Answer 11

**Auditor’s role in auditing system interfaces** The auditor must determine whether the auditee has knowledge of all internal and external interfaces in its IT environment and whether there is a process to track and manage the system interfaces. The auditor should design procedures to review the managed file transfer (MFT) solution and determine whether it supports commonly used file transfer formats and is compatible with the organization’s existing technology platforms and applications. Additionally, the auditor should determine whether the MFT solution has built‐in mechanisms to protect the data in transit (e.g., through encryption), has a job scheduling and monitoring function, and complies with applicable laws and regulations. The auditor should determine whether data transferred through system interfaces is validated for completeness and accuracy. The auditor should also determine whether data transmitted through system interfaces is protected through encryption and password protection techniques. Organizations should implement controls over nonrepudiation to ensure that only the targeted recipient is the data recipient. An IS auditor should also determine whether system interface activity is captured using an audit trail that records information, including the sender and the recipient of the data, when data was transmitted and received, and the encryption protocols applied to the data.

Answer 12

Reference: 7113.38 Disaster recovery plans should contain the following: >Recovery priorities. The plan should identify and prioritize: hardware, software, applications, and data necessary to sustain ---the most critical applications. -the sequence and timing of all recovery activities. >Insurance to: -replace equipment or data lost in the disaster -compensate for business interruptions Some organizations are self-insured and assume all risks while others take insurance coverage from insurance companies. Obtaining insurance coverage for computer‐related property or equipment is no different than for other types of property (building, machinery, or personal property). A complete inventory of property is not only important for insurance purposes but also equally useful for disaster recovery planning. The steps involved in this process include the following: -Determine the cost to replace each inventoried item. -Inquire where the item can be replaced. -Know the items that are irreplaceable. -Determine the consequences if the items are lost. A major area for the auditor to review is the adequacy of insurance coverage on IS resources such as property, software, IT equipment, facilities, and data, and the protection against human errors and omissions, fraud, theft, and embezzlement. An effective insurance recovery program does not alter or eliminate the need for a comprehensive disaster recovery plan but rather complements such a plan. This is because both have different but valuable purposes, and they work best together. System reliability controls include mean time to repair (MTTR) and mean time between failures (MTBF). Information availability controls include backup and recovery, physical and logical security, and alternate computer equipment and facilities. To successfully implement system reliability principles, a company must: -develop and document a comprehensive set of control policies before designing and implementing specific control procedures. Otherwise, they will most likely end up purchasing a confusing mixture of products that do not protect every information system resource. -effectively communicate policies to all employees, customers, suppliers, and other authorized users. All users should be sent regular, periodic reminders about security policies and be trained in how to comply with them. -design and employ appropriate and cost-beneficial control procedures to implement the policies. -monitor the system and take corrective action to maintain compliance with policies. System reliability is a moving target as IT advances create new threats, alter the risks associated with existing threats, and provide new ways to deal with threats. To ensure system reliability, companies must implement a set of preventive controls and supplement them with methods for detecting incidents and procedures for taking corrective remedial action. A company must also employ multiple layers of controls so that if one control fails or is circumvented, another control will prevent, detect, or correct the reliability breakdown. >Specific assignments. A plan coordinator should: -be responsible for implementing the recovery plan. -assign individuals and teams specific recovery responsibilities -such as finding new physical facilities, operating the system, installing software, setting up data communications linkages, recovering data, and procuring forms and supplies. >Backup computer and telecommunications facilities, which can be arranged by: -establishing reciprocal agreements with companies with compatible facilities so each company can use the other’s computers if an emergency occurs -signing a contract for a contingent site. A hot site is configured to meet user requirements. A cold site has everything needed (power, air conditioning, and support systems) to quickly install a computer. Cold site users rely on their computer vendors for prompt delivery of equipment and software if an emergency occurs. -fail-soft distributing processing capacity in a multilocation organization so other facilities can take over if one location is damaged or destroyed -investing in duplicate hardware, software, or data storage devices for critical applications

Answer 13

The HIPAA Privacy Rule is a federal regulation that establishes national standards to protect the privacy of individuals' medical records and other personal health information (collectively defined as protected health information or PHI) and applies to health plans, healthcare clearinghouses, and healthcare providers that conduct certain healthcare transactions electronically (collectively defined as "covered entities"). The Privacy Rule is part of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and is enforced by the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR). The Privacy Rule requires covered entities to implement appropriate administrative, technical, and physical safeguards to protect the privacy of PHI and sets limits and conditions on the uses and disclosures of such information without an individual's authorization. The Privacy Rule also gives individuals rights over their PHI, including rights to access and amend, request an accounting of disclosures, request restrictions, request confidential communications, and file complaints. Source: www.hhs.gov/hipaa/for-professionals/privacy/index.html

Answer 14

The General Data Protection Regulation (GDPR) is a comprehensive data protection law that applies to organizations based in the European Union (EU) and the European Economic Area (EEA), as well as to organizations outside the EU/EEA that offer goods or services to or monitor the behavior of individuals in the EU/EEA. The GDPR was adopted by the European Parliament and the Council of the EU in 2016 and became enforceable in 2018, replacing the previous Data Protection Directive 95/46/EC. The GDPR is widely recognized as one of the world's most challenging privacy and security laws. The passing of this comprehensive regulation was Europe's signal to the world of its firm stance on data privacy at a time when more people are entrusting their data to cloud services and breaches are a daily occurrence. The GDPR is an important component of EU privacy law and human rights law; Article 8(1) of the Charter of Fundamental Rights of the European Union states that "everyone has the right to the protection of personal data concerning him or her." The GDPR aims to enhance individuals' control and rights over their personal data and simplify the regulatory environment for international business. The GDPR harmonizes data protection laws across the EU/EEA and seeks to ensure a consistent and high level of protection for individuals' personal data. Source: www.gdpreu.org

Answer 15

Cloud security controls: * ensure the availability of systems and data. * maintain the integrity and confidentiality of sensitive data in transit and at rest. * include the cloud in security policies. * restrict personal use of cloud storage and services. * ensure data storage complies with applicable laws and regulations.

Answer 16

Third-party management (TPM) programs should ensure third parties comply with the following: * Regulatory requirements * Protection of confidential information * Strengthening supply chain security * Maintaining high-quality performance levels * Ethical business practices Third parties can cause significant risks to information security if access is not regulated. Third parties will require varying levels of oversight depending on the type of products, services, or capabilities they provide and their importance to the organization. In addition, the TPM program must address risk beyond third parties (the fourth, fifth parties, etc.) as this risk can infiltrate an organization and breach the control environment through the third-party relationship.

Answer 17

**Emerging and top TPM risks** **Globalization:** Organizations that rely on global third-party networks are exposed to various jurisdictional and regulatory rules and requirements. These are some of the risks that should be considered when developing a third-party management (TPM) program. **Cloud and virtualization:** The advent of the cloud, virtual data centers, and hosted applications mean that companies' critical business information is entrusted to third parties for processing and safekeeping. Data breaches and security incidents are risks that come with the third-party ecosystem. **Social media:** While social media provides transparency and collaboration in some cases, it also brings along potential security and privacy concerns for businesses. **Mobility:** Mobile devices pose multiple security risks to confidential information. A TPM program should ensure controls are enforced for security and privacy compliance.

Answer 18

Virtualization is used to host one or more operating systems within the memory of a single host computer. Thus, virtualization allows virtually any operating system (OS) to operate on any hardware and allows multiple operating systems to work simultaneously on the same hardware (e.g., VMware Workstation Pro). Virtualization has several benefits, such as deploying individual instances of servers or services as needed, real-time scalability, and running the exact OS version needed for a specific application. The concept of OS virtualization has extended to other virtualization concepts, such as virtualized networks. A virtualized network combines hardware and software networking components into a single integrated entity. A virtualization hypervisor is computer software, firmware, or hardware that creates and runs a virtual machine environment—customarily called the “host.” The hypervisor is the component of virtualization that creates, manages, and operates virtual machines.

Answer 19

A virtualized environment can be deployed using one of the following methods: * Bare metal: The hypervisor runs directly on the underlying hardware, without a host operating system (OS). * Hosted virtualization: The hypervisor runs on top of the host OS (e.g., Windows, Linux). The hosted virtualization usually has an additional layer of software (the virtualization application) running in the guest OS that provides utilities to control the virtualization. * Containerization: Containers include the application and all its dependencies but share the kernel with other containers.

Answer 20

**Key risk areas of virtualized systems** The following are high‐level risks for most of the virtualized systems in use: **Complex infrastructure**: The complex configuration alone can be a big problem as it is more difficult to spot anomalies and unusual events happening in virtual machines and networks. **Dynamic design**: Virtualized environments are dynamic by nature and constantly changing. Unlike adding physical equipment, virtual machines can go almost completely unnoticed as they are created in a matter of minutes and are not visible in the workspace. **Quick‐moving workloads**: As the virtualized infrastructure grows, there will come a time when data needs to move from one machine to another. Unfortunately, when juggling multiple workloads over multiple virtual machines, mission‐critical data may accidentally move to a machine with minimal protection. **Misconfiguration of the hypervisor splitting resources** (central processing unit (CPU), memory, disk space, and storage) can result in unauthorized access to resources, and one guest operating system (OS) may inject malware into another. **Rootkits** on the host may install themselves as a hypervisor below the operating system (OS), which would enable the interception of any operations of the guest OS (i.e., logging password entry) as the malware runs below the OS. Antivirus software may not detect this. **Guest tools** enable a guest OS to access files, directories, and other resources on the host OS. This functionality can inadvertently provide an attack vector for malware or allow an attacker to access resources. **Snapshots** are backups of virtual machines and provide a quick mechanism to recover from errors or incomplete updates; they contain sensitive data such as passwords and personal data. Snapshots contain the random‐access memory (RAM) contents when the snapshot was taken, and they may include sensitive information that was not stored on the drive. **Hosted virtualization products**rarely have hypervisor access controls; therefore, if someone can launch an application on the host OS, they can run the hypervisor. The only access control is if someone can log into the host OS.

90 STUDY GUIDE Flashcards

(47 cards)