Brainscape's Knowledge GenomeTM


Top Flashcards (Certified)
All Flashcards

ISC > ISC > Flashcards

ISC Flashcards

1
Q

What is the key difference in controls when changing from a manual system to a computer system?

A

Methodologies for implementing controls change. The controls almost always are different. Objectives and principles remain the same. Implementation of the principles are different.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

What is the purpose of an organization’s company-wide acceptable use policy (AUP)?

A

An acceptable use policy (AUP) is a control document that is created by an organization to regulated and protect technology resources by assigning varying levels of responsibilities to job roles, listing acceptable behaviors by employees and vendors, and specifying consequences of those who violate the AUP. Users are often asked to sign and agree to the terms of an AUP prior to being granted access to systems, applications, and devices issued by the organization.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

Define an Access Control List (ACL)

A

Is a list of rules that outlines which users have permission to access certain resources, such as a file, folder, directory, or other IT resources. Also administers account restrictions, which govern what type of action the user can execute using those resources, such as the ability to edit a file, apply read-only status, or execute a program. Access and account restrictions are enforced by controlling network traffic based on the rules defined in the ACL.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

What are the two types of ACLs

A

Filesystem ACL:
These ACLs grant or deny privileges in an operating system by restricting access to certain files, folders, and directories.

Networking ACL:
These ACLs are used to regulate the type of network traffic that is allowed to flow across a network by configuring routers, switches, and other network devices with an array of lists to enforce. Networking ACLs are not only used for controlling access, but also for improving network performance by restricting or channeling the flow of data.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

Define a Adverse Event

A

Is any event with a negative consequence. System crashes, packet floods, unauthorized use of system privileges, and unauthorized access to sensitive data would all be examples that best describe an adverse event.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

What is the difference between Confidentiality and Privacy

A

Independent terms when it comes to cybersecurity.

Privacy:
Protects the rights of an individual and gives the individual control over what information they are willing to share with others.

Confidentiality:
Protects unauthorized access to information gathered by the company.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

What are the System Conversion Methods in Change Management?

A

Direct:
Involves the organization ceasing the use of the old system and starting the new one immediately.

Parallel:
The new system is implemented while the old system is still in use for an extended period of time.

Pilot:
An organization performs a conversion on a small scale within a test environment while continuing to use the older system. Allows for validation and testing before rolling it out to the entire organization so adjustments can be made.

Phased:
Also referred to as gradual or modular conversion, this transition plan gradually adds volume to the new system while still operating the old system. Useful for businesses with distributed locations as it allows them to implement one site at a time.

Hybrid:
These are custom combinations of the above approaches, tailored to the unique needs of an organization.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

What are the types of Data Storage?

A

Operational Data Store (ODS):
Is a repository of transactional data from multiple sources and is often an interim aria between an data source and data warehouses.

Data Warehouse:
Very large data repositories that are centralized and used for reporting and analysis rather than for transactional purposes.

Data Mart:
Is much like a data warehouse but is more focused on a specific purpose such as marketing or logistics and is often a subset of a data warehouse.

Data Lake:
Is a repository similar to a data warehouse, but it contains both structured and unstructured data, with data mostly being in its natural or raw format.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

How is a document encrypted?

A

A sender used an algorithm to convert cleartext to ciphertext.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

Cybersecurity Event vs Incident

A

Cybersecurity Event:
Is a change in the normal behavior of a given system, process, environment or workflow.
In other words: When something happens, it’s an event.
Occurs within a network or information system.

Examples: Employee flags a suspicious email. Someone downloads software (authorized or unauthorized) to a company device. A security lapse occurs due to a server outage.

Cybersecurity Incident:
Is a change in a system that negatively impacts the organization, municipality, or business. Might take place when a cyber attack occurs.

Examples: Employee replies to a phishing email, divulging confidential information. Equipment with stored sensitive data is stolen. A password is compromised through a brute force attack on your system.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

Network Security

Media Access Control (MAC) Filtering

A

Is a way to control which devices can connect to your WiFi network based on their physical addresses.

This is a form of filtering in which an access point blocks access to unauthorized devices using a list of approved MAC addresses. A MAC address, also referred to as a physical or hardware address, is a unique identifier found on devices in a network that is used as an address for communication with other devices on that network.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

What should service auditors do when it comes to Reporting Failures, System Incidents, and Concerns

A

They should gain an understanding of processes in place to report system failures, system incidents, and complaints by either external or internal system users by inquiring of management about the controls in place.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

Who is responsible for identifying the nature, extent, and timing of system incidents in the service organization’s system description?

A

Management.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

What are the ways to delete confidential information?

A

Physical destruction = involves the physical act of disassembling or changing the chemical construct of the data (i.e. through heat, pressure, or shredding).

Erasing = Performance of a delete operation of a file or its data.

Overwriting (Clearing) = Involves preparing media for reuse by replacing the old data with unclassified data.

Purging = Repeats the clearing process various times and may combine that process with another method, such as degaussing, which involves creating a strong magnetic field used to erase data on storage devices that use magnetism, such as magnetic tapes.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

Which deletion of confidential data method has the least risk?

A

Physical destruction of data.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

Whaat is the biggest risk to confidential information when deleting/purging confidential information from storage devices?

A

When data is removed, a residual magnetic flux or imprint may remain on storage devices where tools can reverse the effects of wiping.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

What is the difference between Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS)?

A

DoS = An attacker floods a system’s network by congesting it with large volumes of traffic that are greater than the bandwidth it was designed to handle.

DDoS = These occur when multiple attackers or compromised devices are working in unison to flood an organization’s network with traffic. These attacks manipulate the operation of network equipment and services in such a way that they may be more powerful than a traditional DoS attack.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

What is Data Obfuscation and what are the three most common obfuscation applications?

A

Obfuscation = is the process of replacing production data or sensitive information with data that is less valuable to unauthorized users.

Encryption = Scrambles unencrypted data using cryptography so that it can generally only be deciphered with a key.

Tokenization = Removes production data and replaces it with a surrogate value or token. Uses mathematical algorithms.

Masking = Swaps data with other like data so that the original identifying characteristics are disguised, or masked, while maintaining a similar structure to the unmodified data set.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
17
Q

What is a complementary user entity controls (CUECs)?

A

Are controls that are necessary to be implemented by the user entity, in combination with the service organization’s controls, to provide reasonable assurance that the control objectives stated in management’s description of the service organization’s system (SOC 1) or the service organization’s service commitments and system requirements (SOC 2) were achieved.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
18
Q

Who is responsible for determining whether to carve out or include a subservice organization?

A

Management.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
19
Q

What is the Carve-Out Method?

A

This method is most common and means that the subservice organization’s controls are NOT included in the scope of the SOC report.

The vendor has CARVED OUT all the controls that the subservice is responsible for and essentially make them not applicable.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
20
Q

What is the Inclusive Method?

A

In this method, the controls from the subservice organization that support normal operations are included in the SOC report and will be reviewed by the auditor.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
21
Q

When complementary user entity controls are identified, which sections of the service auditor’s SOC report will be amended to include language that references the complementary user entity controls?

A

Both the scope and opinion sections of the service auditor’s report will refer to the identified complementary user entity controls.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
22
Q

Describe Patch Management

A

Is an important part of minimizing security threats that works in conjunction with vulnerability management solutions. Keeps devices up to date and secure.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
23
What do Detective Controls do? List examples of them.
They detect a threat event while it is occurring and provide assistance during investigations and audits after the event has occurred. Network Intrusion Detection System (NIDS) Antivirus Software Monitoring Network Monitoring Tools Log Analysis Intrusion Detection Systems (IDS)
24
What do Corrective Controls do? List examples of them.
Are intended to fix known vulnerabilities as a result of recent security incidents, security self-assessments, or changes in industry practices. These controls become preventive or detective once they are put in place and operating effectively. Reconfigurations Upgrades and Patches Revised Policies and Procedures Updated Employee Training Recovery and Continuity Plans Antivirus Software Removal of Malicious Viruses Virus Quarantining
25
When a service organization has more than one subservice organization, do they choose carve-out or inclusive method?
It is up to the service organization management to apply the carve-out method, inclusive method, or a mix of both to the subservice organizations. There is no requirement for a consistent application of one method. When a service organization uses multiple subservice organizations, it may prepare its description using the carve-out method for one or more subservice organizations and the inclusive method for others.
26
What are the five trust criteria?
CAPPS Confidentiality = Information designated as confidential is protected to meet the entity's objectives. Availability = Information and systems are available for operation and use to meet the entity's objectives. Processing Integrity = System processing is complete, valid, accurate, timely, and authorized to meet the entity's objectives. Privacy = Personal information is collected, used, retained, disclosed, and disposed of to meet the entity's objectives. Security = Information and systems are protected against unauthorized access; unauthorized disclosure of information; and damage to systems that could compromise the availability, integrity, confidentiality, and privacy of information or systems and affect the entity's ability to meet its objectives.
27
What is a service commitment of a SOC 2?
Declarations made by service organization management to user entities and others (such as user entities' customers) about the system used to provide the service.
28
What are system requirements for a SOC 2?
Specifications on how the system should function to meet all service commitments for user entities, user entity customers, vendors, business partners, laws and regulations.
29
What are the stages of a cyberattack
Reconnaissance: First stage, attackers discover and collect as much information about the target IT system as possible. Gaining Access: When information collected in the previous steps is used to gain access to the target of an attack using a variety of techniques. Escalation of Privileges: Once access into a system is obtained, attackers attempt to gain higher levels of access in this stage. Maintaining Access: Attacker remains in the system for a sustained period of time until the attack is completed and looks for alternative ways to prolong access or return later. Network Exploitation and Exfiltration: Attackers proceed with the objective of disrupting system operations by stealing sensitive data, modifying data, disabling access to systems or data, or performing other malicious activities. Covering Tracks: Occurs while the attack is in progress or after the attack is completed and involves the attacker concealing the entry or exit points in which access was breached.
30
What are the criteria that must be met for a vendor to be considered a subservice organization?
The services provided by the vendor must be relevant to the users' understanding of the service organization's system and the controls must be necessary, in combination with the controls of the service organization, to provide reasonable assurance that the system commitments and service requirements are achieved.
31
What are examples of Personal Identifiable Information (PII)?
Name SSN, Passport Number, Driver's License Number, Taxpayer Number, Credit Card Number Address, Street or Email Personal Characteristics, Photos, Fingerprints, Handwriting, or other Biometric Data
32
What are the three Threat Methodologies?
Process for Attack Simulation and Threat Analysis (PASTA) Visual, Agile, and Simple Threat (VAST) Spoofing, Tampering, Repudiation, Information Disclosure, Denial-of-service attack, and Elevation or privilege (STRIDE)
33
CIS Control 16: Application Software Security
Manage the security life cycle of in-house developed, hosted, or acquired software to prevent, detect, and remediate security weaknesses before they can impact the enterprise.
34
Types of system backups
Full: Exact copy of the entire database. Incremental: Copying only the data items that have changed since the last backup. Differential: Copies all changes made since the last full backup.
35
Main contents of a Type 1 report
Management's description of the service organization's system. A written assertion by management of the service organization about whether, AS OF A SPECIFIED DATE, based on the criteria: - Management's description of the system fairly presents the service organization's system that was designed and implemented. - The controls related to the control objectives stated in management's description of the system were suitably designed to achieve those control objectives. A report that expresses an opinion on the matters described above.
36
Main contents of a Type 2 report
Management's description of the service organization's system. A written assertion by management of the service organization about whether, THROUGHOUT A SPECIFIED DATE, based on the criteria: - Management's description of the system fairly presents the service organization's system that was designed and implemented. - The controls related to the control objectives stated in management's description of the system were suitably designed and operated effectively to achieve those control objectives. A report that expresses an opinion on the matters described above and includes a description of the tests of controls and the results.
37
Key differences between Type 1 and Type 2 SOC Report
A type 1 report covers the system design as of a given point in time whereas a type 2 report covers both the design and operating effectiveness over a period of time.
38
Who are SOC 1 reports restricted to?
Management of the service organization User entities of the service organization's system Independent auditors of such user entities. *It does not include potential users of the service organization.
39
What does a SOC 3 report not include?
A description of the system (detailed controls within the system are not disclosed) A description of the service auditor's tests of controls, and the results thereof.
40
What is a Race Condition?
Where two or more processes trying to modify shared data simultaneously leading to unpredictable results.
41
What is system hardening?
Hardening is a cybersecurity strategy that involves strengthening the security of a network component by reducing its vulnerability to attacks.
42
What are 4 main examples of system hardening?
Database hardening Endpoint hardening Network hardening Server hardening
43
Examples of physical (on-premises) attacks
Intercepting Discarded Equipment = Stealing thrown out equipment and getting the data from it. Piggybacking = Using an authorized person's access to gain entrance to a physical location or electronic access. Targeted by Attackers = Tampering = Getting to the physical IT infrastructure and modifying the way its network deals with data. Theft = Straight up stealing stuff.
44
When forming an Opinion in a SOC Engagement the auditor should evaluate:
The sufficiency and appropriateness of the evidence obtained; and Whether uncorrected misstatements, individually or in the aggregate, are material.
45
What are the contents of the Auditor's Report for a SOC Engagement?
Management's description of the system Management's assertion Independent service auditor's report Auditor's tests of controls and results of tests
46
COSO Control Environment
Covers control from the perspective of the board and management through integrity, ethics, the proper corporate structure, and establishing an environment that holds employees accountable. The entity demonstrates a commitment to integrity and ethical values. The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control. The entity holds individuals accountable for their internal control responsibilities in the pursuit of objectives. The entity demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.
47
COSO Risk Assessment
Focuses on identifying risk, considering the potential for fraud, and understanding changes that could impact internal controls. The entity specifies with sufficient clarity to enable the identification and assessment of risks relating to objectives. The entity identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed. The entity considers the potential for fraud in assessing risks to the achievement of objectives, The entity identifies and assesses changes that could significantly impact the system of internal control.
48
COSO Control Activities
Relates to the control activities implemented and designed to ensure the proper application of policies and procedures that help ensure management directives and control objectives are met. Selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels. Also selects and develops general control activities over technology to support the achievement of objectives. Deploys control activities through policies that establish what is expected and procedures that put into action. Added trust services supplemental criteria -Logical and physical access controls -System Operations -Change Management -Risk Mitigation
49
COSO Information and Communication
Focus on obtaining, generating, and controlling information and communication. Obtains or generates and uses relevant, quality information to support the functioning of internal control. Internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control. Communicates with external parties regarding matters affecting the functioning of internal control.
50
COSO Monitoring
Outlines how an organization should conduct ongoing evaluations of control activities and communicate internal control deficiencies. The entity selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning. Evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.
51
Common sections of management's system description SOC 1
Types of services provided. Procedures performed. System functionality Subservice organizations Controls Information on other aspects of the control environment, risk assessment process, information and communication, control activities, and monitoring activities that are relevant to the services provided. Prepare reports Deficiencies in information. Complementary user entity controls (CUECs) Relevant details of changes to the service organization's system during the period covered by the description. (Type 2 only) The description does not omit or distort information relevant to the system and is prepared to meet the common needs of a broad range of user entities and their auditors and thus may not include every aspect that a user entity may consider important in its own particular environment.
52
Common sections of management's system description SOC 2
Types of services provided Principal service commitments and system requirements -Service Commitments -System Requirements Components of the system used to provide the services Identified system incidents Applicable trust services criteria Complementary user entity controls (CUECs) Subservice organizations -Inclusive method -Carve-out method Irrelevant specific criteria Detail of system and controls changes during the period that are relevant to the service organization's service commitments and system requirements (Type 2 only)
53
What is management's description of the entity's cybersecurity risk management program?
It is a set of policies, processes, and controls designed to: -Protect information and systems from security events that could compromise the achievement of the entity's cybersecurity objectives; and -Detect, respond to, mitigate, and recover from, on a timely basis, security events that are not prevented.
54
What are the categories of description criteria for an entity's cybersecurity risk management program?
Nature of business and operations Nature of information at risk Cybersecurity risk management program objectives (cybersecurity objectives) Factors that have a significant effect on inherent cybersecurity risks cybersecurity risk governance structure Cybersecurity risk assessment process Cybersecurity communications and the quality of cybersecurity information Monitoring of the cybersecurity risk management program Cybersecurity control processes
55
The written assertions from management to the auditor state what? SOC 1 & 2
Management's description of the system fairly presents the system that was designed and implemented The controls stated in management's description of the system were suitably designed. The controls stated in management's description of the system operated effectively (Type 2 only)
56
In a SOC 3 engagement, management's assertion addresses whether:
The controls within the system were effective throughout the specified period to provide reasonable assurance that the service organization's service commitments and system requirements were achieved based on the applicable trust services criteria, including a description of the boundaries of the system and the service organization's principal service commitments and system requirements.
56
What should an auditor do if management refuses to give a written assertion?
The auditor is required to withdraw from the engagement when possible under applicable laws and regulations. If law or regulation does not allow the service auditor to withdraw, the auditor should disclaim an opinion on the description, the suitability of design of controls in a Type 1, and the operation effectiveness of controls in a Type 2.
57
What are the key components of a SOC 1 & 2 report?
-Management's description of the system -Management's Assertion -Independent Service Auditor's Report Auditor's Tests of Controls and Results of Tests (Type 2 only)
58
What are the key differences between CSOC and CUEC?
CSOCs are controls that a subservice organization must execute in order for a service organization's controls to function effectively, whereas CUECs are controls a user organization must employ for the service organization's controls to function. In both scenarios, the service organization relies on other entities (vendor or client) for their own controls to work properly.
59
NIST Implementation Tiers
Tier 1 (Partial) = On-demand or no security procedures. Very little awareness of cybersecurity risk. Risk management is ad hoc. Tier 2 (Risk-informed) = More knowledge or risk but lack a coordinated strategy and uniform departmental rules. May be isolated from organizational processes. Tier 3 (Repeatable) = More equipped to deal with risk and threats. Have risk management and cybersecurity best practices that have received executive approval. Tier 4 (Adaptive) = Mostly in banking, healthcare, and critical infrastructure. High tech solutions are incorporated. Adaptive policies and procedures. Responsive to evolving threats. Organization-wide and similar to other forms of organizational risk.
60
Define NIST SP 800-53
Is a set of security and privacy controls applicable to all information systems and has become the standard for federal information security systems. Designed for protecting information systems against sophisticated threats.
61
NIST SP 800-53 Purpose and Applicability
These standards are designed to help organizations identify the security and privacy controls needed to manage risk and satisfy the following security and privacy requirements: Office of management and budget (OMB circular A-130: Requires the controls for federal information systems. The federal information security modernization act (FISMA): Requires the implementation of minimum controls to protect federal information and information systems.
62
Under the HIPAA security rule, covered entities must protect electronic PHI (Protected Health Information) from all:
Security threats that are reasonably anticipated.
63
What are the goals of (PCI DSS)?
Build and maintain a secure network and systems Protect cardholder data Maintain a vulnerability management program Implement strong access control measures Regularly monitor and test networks Maintain an information security policy
64
What are the PCI DSS requirements
Install and maintain a firewall configuration to protect cardholder data Do not use vendor-supplied defaults for system passwords and other security parameters Protect stored cardholder data Encrypt transmission of cardholder data across open, public networks Protect all systems against malware and regularly update anti-virus software or programs Develop and maintain secure systems and applications Restrict access to cardholder data through use of need-to-know restrictions Identify and authenticate access to system components Restrict physical access to cardholder data Track and monitor all access to network resources and cardholder data. Regularly test security systems and processes Maintain a policy that addresses information security for all personnel.
65
Who is responsible for setting IT governance policies?
Board of Directors
66
What are the components of the COBIT 2019 Governance System?
*These components are factors that either collectively or individually contribute to the successful execution of a company's governance system over information technology and systems. -Processes -Organizational Structures -Principles, Policies, Frameworks -Information -Culture, Ethics, and Behavior -People, Skills, and Competencies -Services, Infrastructure, and Applications
67
Network Infrastructure Hardware What are they and what do they do?
Modems - Connect a network to an internet service provider's network, usually through a cable connection. It is the device that brings internet into a home or office. Each modem has a public IP address Routers - Mange network traffic by connecting devices to form a network. They read the source and destination fields in information packet headers to determine the most efficient path through the network for the packet to travel. Act as a link between a modem and switches or user's device. Switches - Similar to routers in that they connect and divide devices within a computer network. Works like a power strip that converts one network jack into several so multiple devices can share one network connection. Gateways - Is a computer or device that acts as an intermediary between different networks. Servers - Physical or virtual machines that coordinate the computers, programs, and data that are part of the network. Firewalls - Software applications or hardware devices that protect network traffic by filtering it through security protocols with predefined rules.
68
What are the types of Firewalls?
Basic packet-filtering firewalls - work by analyzing network traffic that is transmitted in packets (data communicated) and determining whether that firewall software is configured to accept the data. Circuit-Level Gateways - Verifies the source of a packet and meets rules and policies set by the security team. Application-Level Gateways - Inspects the packet itself. These gateways are very resource-intensive and may slow performance. Network Address Translation - Assigns an internal network address to specific, approved external sources so that those sources are approved to be inside the firewall. Stateful Multilayer Inspection - Combines packet-filtering and network address translation Next-Gen - Assigns different firewall rules to different applications as well as users. In this way, a low-threat application has more permissive rules assigned to it while a high-security application may have a highly restrictive rule set assigned.
69
Preventive Controls
Are designed to thwart malicious activity from ever occurring. They attempt to prevent attackers from accessing devices, applications, and networks by employing some of the following tactics: -Safeguarding Practices -Education and Training -Regular Security Updates -Encryption -Firewalls -Patches -Device and Software Hardening -Intrusion Prevention Systems (IPS)
70
Intrusion Prevention System (IPS)
A preventive control It is a network security solution that is intended to detect and stop a cyberattack before it reaches the targeted systems. It does this by receiving a direct feed of traffic so that all data coming into a network pass through the IPS, similar to a firewall.
71
Who is responsible for identifying the nature, extent, and timing of system incidents in the service organization's system description?
Management
72
Where would auditors gain an understanding of processes in place to report system failures, system incidents, and complaints by either external or internal system users? Gaining an understanding and obtaining evidence?
Board meetings minutes Inquiries about third-party administered whistleblower hotlines. Polices, procedures, and communication plans on the intranet, website, or customer portals. Management monitors and provides training to personnel Description of system, system boundaries, and system processes on the intranet and internet. Agreements are established with service providers and business partners that include clearly defined terms, conditions, and responsibilities for service providers. Planned changes to system components from the IT maintenance schedule and communications for internal users, and the customer portal or website.
73
Data Backup Sites
Cold = Facility is prepared Warm = Equipment is in place Hot = Operational data is loaded
73
Risks specific to cloud computing
Additional Industry Exposure Cloud Malware Injection Attacks Compliance Violations Loss of Control Loss of Data Loss of Visibility Multi-Cloud and Hybrid Management Issues Theft or Loss of Intellectual Property
74
What are the four cloud computing deployment models
Public = Owned and managed by a CSP that makes the cloud services available to people or organizations who want to use or purchase them. Private = The cloud is created for a single organization and is managed by the organization or a CSP. The cloud infrastructure can exist on or off the organization's premises. Hybrid = Is composed of two or more clouds, with at least one being a private cloud, that remain unique cloud entities but with technology in place that facilitates the portability of data and applications between each entity. Community = Is shared by multiple organizations to support a common interest, such as companies banding together for regulatory compliance, a common mission, or collaboration with industry peers.
75
What are the five components of COSO Integrating with Strategy and Performance?
Governance and Culture = Sets company's tone and reinforces the importance of having oversight of enterprise risk management. Strategy and Objective-Setting = Considered with enterprise risk management and strategy during the strategic planning process. Risk appetite and business objectives. Performance = Requires the organizations prioritize their risks based on risk appetite so that business objectives are assessed, met, and reported to key stakeholders. Review and Revision = Involves reviewing a company's performance over time and making revisions to functions when needed. Information, Communication, and Reporting = Recommends that a continual process be in place that supports sharing both internal and external information throughout the organization.
76
Types of tests performed to evaluate systems in development.
Unit Testing = Examines the smallest increment, or unit, of an application. Integration Testing = (Thread or String Testing) Performed after unit testing to enhance the likelihood that different components will work cohesively once all units are integrated. Also helps plan for future maintenance and updates. System Testing = Verifies that all combined modules of a completed application work as designed in totality. Acceptance Testing = Developers assess an application to determine whether it meets end-user requirements. May involve beta testing.
77
Define Host-Based Attacks and some examples
Attacks that target individual devices (e.g. laptops, servers) for disruption or unauthorized access. Attacks targeted towards specific systems (Windows, Linux). Brute Force Attacks: password-cracking schemes Keystroke Logging: tracks the sequence of keys pressed on your keyboard. (Trojan) Malware: Is software or firmware that performs an unauthorized process. (viruses, worms, trojan, adware, spyware) Rogue Mobile Apps: When victim installs malicious app.
77
What is a SAR?
Security Assessment Report An engagement that involves organizations addressing the second component of the risk management framework, which includes performing a risk assessment and testing controls to obtain data on the company's current state regarding information security capabilities.
78
What are the key items of a SAR?
-Summary of findings -System overview -Assessment methodology -Security assessment findings -Recommendations -Action plan
79
In SOC engagements, risk assessment primarily focuses on....
Inherent risks (the risks present before the consideration of controls)
80
What are the types of Data Collection and their definitions?
Extract, Transform, and Load (ETL) = When data already exists, internal or external, must extract from original source, transform into useful information, and load into the tool you choose for analysis. Active Data Collection = Is when you need to collect new data. Passive Data Collection = Tracking web usage via cookies or gather time stamps of when users interact with your website or online store.
81
What is a Business Impact Analysis (BIA)?
Identifies the business units, departments and processes that are essential to the survival of an entity as well as the organizational impact in the event of failure or disruption. Will identify how quickly essential business units and/or processes can return to full operation following a disaster.
82
Levels of impact for a Business Impact Analysis (BIA)
High-impact (H) = -Cannot operate without this resource -May experience a high recovery cost -May fail to meet the organization's objectives or maintain its reputation Moderate or medium-impact (M) = -Could partially function temporarily for a period of days or a week -May experience some cost of recovery -May fail to meet the organization's objectives or maintain its reputation Low-impact (L) = -Could operate for an extended period of time -May notice an effect on achieving the organization's objectives or maintaining its reputation
83
Defense tools for Authorization and Authentication in Security Operations
Zero Trust Network Architecture (ZTNA)- A security concept that assumes constant risk and requires continuous verification at every user-network interaction point. Least Privilege - Practice of granting users the minimum necessary access privileges to perform their job duties. Need-to-know - Users are given only the information necessary to perform their job tasks, focusing on data needed rather than access privileges. Whitelisting - Is the process of identifying a list of applications that are authorized to run on an organization's systems and only allowing those programs to execute.
84
Data Mirroring vs Replication
Mirroring copies a database onto a different machine for the purpose of data redundancy in the event the primary database fails. Replication involves copying and transferring data between different databases located in different sites, such as a geographically (physical) different data center or the cloud. Allows operations to resume quickly using data in the secondary site after a system failure.
85
What are the risks to Outsourcing services?
-Quality risk -Quality of service -Productivity -Staff turnover -Language skills -Security -Qualifications of outsourcers -Labor insecurity
86
What are the steps to responding to an incident? Incident Response Plan
Preparation - prepare for incidents Detection - Detect and identify incidents Containment - Contain the incident from spreading Eradication - Eradicate threats Reporting - Report and communicate status Recovery - Recover and restore normal operations Learning - Learn and improve
87
What are the methods (procedures) that define the nature of actions to take in a Security Assessment Engagement (SAR)?
Examination - Process of analyzing, observing, and reviewing one or more assessment objects (Job roles, security specifications, security activities, or relevant operational activities). Interviewing - Involves having individual or group discussions to better understand, collect, and evaluated evidence. Testing - Is the process of testing assessment objects that reflect how the object performs in its current state compared to a target or expected state.
88
Network Gateway
A device or software that connects networks that use different protocols or languages.
89
Network Routers
Manages traffic between these networks by forwarding data packets to their intended IP addresses, and allowing multiple devices to use the same internet connection. Is a gateway that passes data between one or more local area networks (LANs).
90
Network Switches
Similar to routers in that they connect and divide devices within a computer network. But they do not perform as many advanced functions as a router, such as assigning IP addresses.
91
Performing a Walk-Through Steps
01-Plan and Prep = Define the scope, Identify key controls and processes, and identify personnel 02-Obtain an Understanding = Review documentation, interview personnel, create notes. 03-Perform Walk-Through = Reperform processes, verify results and effectiveness. 04-Create Documentation = Create workpapers, document procedures. 05-Test = Test controls identified in walk-through, obtain samples if needed. 06-Evaluate and Report = Interpret results, prepare a report to summarize findings, provide recommendations.
92
What should the auditor do when performing risk assessment procedures?
*Obtain an understanding of the service organization's system *Understand the service organization's process and procedures used to prepare the description of the system.
93
What is true regarding the applicability of the trust services criteria to a SOC engagement?
The trust services criteria set forth the outcomes that an entity's controls should meet to achieve the entity's objectives.
94
What safeguards should a company implement to mitigate the risk of accidental deletion or modification by a user?
Backup controls.
95
In the context of cybersecurity, which term best describes the protection of unauthorized access to information gathered by a company?
Confidentiality
96

ISC (7 decks)

Brainscape helps you reach your goals faster, through stronger study habits.
© 2025 Bold Learning Solutions. Terms and Conditions