Brainscape's Knowledge GenomeTM


Top Flashcards (Certified)
All Flashcards

ISC > lvl up > Flashcards

lvl up Flashcards

(104 cards)

Start Studying
1
Q

Extensible Business Reporting Language (XBRL)

A

an open-information format standard enabling automated sharing of financial information contained in financial statements and other business reports over the World Wide Web. XBRL tags numeric and textual information contained in financial statements.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

Distributed processing

A

an allocation of various processing tasks to various business divisions, with some tasks centralized and some decentralized.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

The Framework Core

A

a legislative imperative for NIST to develop a set of plain language controls for the protection of critical IT infrastructure. The focus is to develop a program to identify, assess, and manage cybersecurity risks in a cost-effective and repeatable manner.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

Differential backup

A

Copies all changes made since the LAST FULL back up. Each new differential backup file contains the cumulative effects of all activity since the last full backup.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

Incremental backup

A

Copying only the data items that have changed since the last backup. This produces a set of incremental backup files, each containing the results of one day’s transactions.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

A data warehouse

A

a very large data repository that is centralized and used for reporting and analysis rather than for transactional purposes. A data warehouse pulls data either directly from enterprise systems with transactional data or from an ODS.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

The network administrator is responsible for…

A

maintaining the efficiency and effectiveness of the internal network including managing remote access.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

In computer processing, access time is the time that it takes

A

for data to be retrieved from memory from the time that the control unit calls it

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

Tokenization

A

is the most suitable method for securely handling credit card data while preserving its format. It replaces sensitive data with non-sensitive tokens, maintaining the data’s structure while protecting its actual value.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

Expert or Knowledge based system

A

provide answers based on information provided by the user and the rules developed by an expert to address specified situations.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

A source code comparison program

A

could be used to compare the original code written for a specific program to the current code in use for that program. Thus, it would make note of any differences in the program from the time it was originally written

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

Enabling a Holistic Approach

A

This COBIT principle emphasizes the importance of addressing all enablers together, including principles, policies, frameworks, processes, organizational structures, culture, ethics, information, services, infrastructure, applications, people, skills, and competencies, to support a comprehensive governance and management system for enterprise IT.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

When considering subsequent events in a SOC engagement, what changes in the control environment should be taken into account?

A

changes in the control environment that should be taken into account include not only changes in management but also changes in system infrastructure, policies, and procedures. These changes may impact the design and operating effectiveness of controls and need to be considered to provide an accurate assessment of the control environment.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

IT Governance

A

deals with making the IT function of an organization more in line with the organization’s broad objectives and ensuring the highest possible value from IT operations
-Strategic alignment
-Value Delivery
-Performance Measures
-Risk Management
-Resource Management

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

A query utility program

A

generally is used for one-time database inquiries

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

A distributed system

A

is a network of remote computers connected to a main computer system. A distributed system is more beneficial when large volumes of data, as opposed to small volumes of data, are generated. A distributed system is more beneficial when data is generated at many locations as opposed to data that is generated centrally.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

A systems development life cycle follows the following phases

A

1) Systems or Requirements Analysis (Feasibility Study), (2) System or Software Design, (3) Programming and Testing, (4) Implementation, and (5) Monitoring.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
17
Q

What is the primary advantage of using the carve-out method to address a sub-service organization’s controls within a primary service organization’s SOC report?

A

It maintains separate SOC reports, which may be beneficial for confidentiality or independence reasons.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
18
Q

A time-sharing center

A

A computer remotely accessed by a number of different users, who are unaware of each other

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
19
Q

Access control software

A

Preventive controls are distinguished by the fact that they prevent errors from occurring. Access control software ensures that only authorized personnel have access to the system programs and documentation.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
20
Q

A validity check

A

ensures that only authorized data codes will be entered into and accepted by the system

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
21
Q

Framework Profiles

A

specifically the Current Profile, help organizations establish a baseline for their current cybersecurity activities and outcomes.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
22
Q

Parity checking

A

a method wherein the number of bits in the total number of bytes in a transmitted message is added up. Then, a zero or a one is added to make the parity even or odd. If and when a transmitted message is modified and the number of bits has changed, the system detects this and triggers a resending of the message.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
23
Q

Edit checks

A

are input controls that examine and verify data as it is being entered and before it is processed. This preventive type of control can identify erroneous data or transactions and prevent them from being processed.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
24
System design usually includes design of
Data, process, and user interface
25
A low likelihood risk
is a risk that is presented by someone who lacks the motivation or the capability to cause damage and for which controls are already in place. Ethical Hackers, though possessing expertise in hacking, are known to use their skills only for ethical and non-malicious uses. They lack the motivation to pose any potential threat to the entity.
26
Big Data is often characterized by the Five V’s
-Volume: This refers to the vast amount of data generated every second. We are in an era where we are drowning in information, with data coming from social media, machines, and many other sources. -Velocity: This refers to the speed at which new data is generated and the pace at which data moves around. With the advent of the Internet of Things, more data is being generated faster than ever before. -Variety: This refers to the new types of data that are being generated. This isn't just structured data (e.g., databases), but also unstructured data (e.g., text, images, video clips, etc.). -Veracity: This refers to the quality of the data. With many forms of data, it's difficult to know which information is accurate, and what to trust. Veracity deals with the uncertainty of data, which can vary greatly. -Value: This refers to our ability to turn our data into value. This is the most important V because it involves the ability to turn data into meaningful information. In the endl, it's not about how much data you have, but how you use it that matters.
27
Who are the two primary entities covered by the scope of GDPR?
Data Processors and Data Controllers
28
The carve-out method primarily differs from the inclusive method in which of the following ways?
The complementary subservice organization controls are reported after managements system description
29
Under the carve out method, management explains
the nature of the subservice organizations services but not its controls in the description of the service organizations system. Any CSOCs are reported separately after managements system description
30
Threat modeling process
Process that considers threats from an attackers perspective. The steps include finding critical assets, mapping connections, ranking threats, creating mitigation polices, and validating controls.
31
If the service auditor found that a control was not implemented...
then they would conclude there is a deficiency in the suitability of the design of a control
32
Policy based access controls (PBAC)
a combination of role-based and rule-based access control models with settings configured by the system administrator.
33
Discretionary Access Controls (DAC)
the data object owner makes authorization decisions.
34
Role Based Access controls (RBAC)
35
A fairly stated SOC 2 description meets the...
DC 200 Description Criteria
36
When will a third party be classified as a vendor?
When a service organization retains responsibility for controls by monitoring a third party providers activities. If the service orgs controls are sufficient by themselves, management does not need to explain the vendors services in the description of the system
37
The subject matter of a SOC 2 engagement
is managements description of the service organizations system and the related controls
38
What is the significance of managements written representation in a SOC engagement for a service organization?
It forms the basis for the auditors opinion on the systems description, control design, and control effectiveness. The purpose is for management to accept responsibility for its actions and for the information provided
39
Under the inclusive method in a SOC 2 examination the subservice organization must...
provide a signed representation letter separate from the one provided by the service organization management.
40
Who is the responsible party?
the service organizations management
41
When a service organizations management chooses the carveout method for a subservice org during a SOC engagement, managements description must explicitly state...
that the description does not extend to complementary subservice organization controls
42
An Independent Service Auditors Report should include...
a statement that the service auditor did not evaluate the suitability or operating effectiveness of the complementary user entity controls.
43
According to the SSAE when a service organization uses the inclusive method, the service auditors report must include...
a statement that the service auditor performed procedures related to the subservice organizations controls
44
Unit testing
Involves initial, narrow tests performed on individual components. The primary purpose of unit testing is to find and resolve defects in individual components
45
The staging environment
Before going live, a small sample group of end users should try out the changes and provide feedback in a staging environment.
46
Technology debt refers to
the cost of maintaining existing legacy systems plus the opportunity costs of not switching to modern systems
47
Automated testing
the most common method of validating CI code changes before deployment
48
Accounting information systems collect what kind of data?
Structured data, such as text, dates, and numbers
49
Advantages of incremental backups
-fast -less storage -can be run frequently
50
An AIS serves three main purposes:
-collecting and storing information about a company's financial activities -providing data that allow stakeholders to make decisions -assuring adequate internal controls are implemented
51
Tests should be performed in the following progression: | Appication development
1. Unit 2. Integration 3. System 4. Acceptance
52
Architecture
is an IT function risk area that focuses on an organizations ability to develop systems that align long term technologies with its strategies and objectives
53
A shared database improves
data quality by reducing opportunity for duplication and errors
54
An inner join
extracts records that have a matching
55
Semi-structured data
Data that have a partial structure but are not defined as structured data. Semi-structure data may hold metadata, or tags,
56
Domain Contraints
restrict input to a predefined range of acceptable values. restrict the attribute data type and may also require data to be entered in a specific format
57
The CIA triad (Confidentiality, integrity, availability)
Is a data cybersecurity model which is referred to in the explanation of why data recover, the 11th CIS control, is critical
58
COBIT governance framework principles
BOA Based on conceptual model Open and flexible Aligned to major standards
59
When complementary user entity controls are identified, the scope section of the service auditor's SOC 1® Type 2 report will be amended to include which of the following?
A statement will be included in the scope section of the service auditor's report that indicates that the complementary user entity controls were not evaluated for design suitability or operating effectiveness as a part of the engagement.
60
Purpose limitation
the principle where data must be processed for specified, explicit, and legitimate purposes.
61
Data minimization
the principle that requires that data processing must be relevant, adequate, and limited to what is necessary for the purpose.
62
A network address translation firewall
allows machines on a private network to share a single public address so that it masks their true private addresses.
63
Management representations are intended...
to confirm explicit or implicit representations given to the service auditor, indicate and document the continuing appropriateness of those representations, and reduce the possibility of a misunderstanding between the service auditor and management.
64
Active data collection
The collection of data through direct interviews with users is an example of the active data collection method of collecting data. Directly asking a party for data is considered active collection, whether in person, through a survey, or other means.
65
Describe the holistic approach governance system principle under COBIT 2019
Governance systems for IT can comprise diverse components.
66
An SQL (Structured Query Language) Injection is an example of what type of attack?
an application attack in which an attacker injects malicious SQL code into existing SQL code on a company’s website to gain unauthorized access to a company’s data. Application-based attacks target specific software or applications such as databases or websites to gain unauthorized access or disrupt functionality.
67
A bridge is a network component...
connects separate networks that use the same protocol, even if those networks have different topologies or transmission speeds. Bridges operate at the data link layer of a network.
68
During the payment clearing process, which of the following methods of data obfuscation would most likely be used in relation to credit card transactions?
Tokenization Given the high sensitivity of financial data, tokenization (replacing the entire piece of data) would most likely be used in credit card transactions during the payment clearing process.
69
When an adverse opinion is issued in a SOC 2® engagement, which section of the service auditor's report should include the matter(s) giving rise to the adverse opinion?
When an adverse opinion is issued, a separate paragraph should be added in the opinion section, before the opinion paragraph, to provide a description of the matter(s) giving rise to modification.
70
CIS Control 05: Account Management
Use processes and tools to assign and manage authorization to credentials for user accounts to enterprise assets and software.
71
Data flow diagrams
visually depict the logical flow of data for business processes. They are standardized tools that are used with BPMN notation such as connecting objects, swim lanes, and flow objects. Documenting the expenditure cycle using a data flow diagram would have at least one swim lane, a start and end flow object, multiple tasks, a gateway, and several sequence flow notations charting the life cycle of this transaction cycle.
71
The NIST Privacy Framework's purpose is to
help organizations manage privacy risk by considering privacy best practices as they design and deploy systems, products, and services that affect individuals, communicating privacy practices to the rest of the organization, and encouraging cross-organizational workforce collaboration relating to user privacy and IT security.
72
Mandatory access controls
the system admin assigns each object a security classification and a category that defines the department or role that is granted access The most secure and expensive model
73
Defense in depth is a based on the concept that...
individual system components can never be completely secure.
74
The 4 supplemental trust service criteria
-logical and physical access controls -system operations -change management -risk mitigation
75
Rivest-Shamir-Adleman (RSA)
Asymmetric encryption
76
Data in a database would most likely be protected through...
symmetric key encryption
77
Which group is responsible for selecting members of the incident response and incident handling teams?
Senior management
78
OODA loop
A four stage decision making framework: observe, orient, decide, and act -useful tool for incident response teams
79
Physical data model
the most detailed representation of data structures compared to conceptual or logical data models. The administrator could see the foreign key and column data types.
80
software-as-a-service (SaaS)
customers only use the application and its tools
81
PaaS mode
a CSP provides proprietary tools or solutions to allow customers to build or operate their applications on the CSP's infrastructure.
82
Operational Data Store
A repository of transactional data from multiple sources and is often an interim area between a data source an a data warehouse
83
Open and Flexible
Being Open and Flexible means that the framework should have the ability to change, add relevant content, and remove irrelevant content. Therefore, not being able to remove content would violate the Open and Flexible principle.
84
Network hardening
focuses on strengthening infrastructure that connects all devices across an organization's network. This includes removing unused physical or virtual ports so that potential attackers are unable to use those ports to bypass security measures.
85
Management's description of the entity's cybersecurity risk management program
detailed information on an entity's cybersecurity risk management program objectives, risk governance structure, and risk assessment
86
When the inclusive method is used by a service organization, management's description of the service organization's system should include
The nature of the services provided by the subservice organization and the components of the subservice organization's system used to provide services to the service organization.
87
Mobile code
refers to any software designed to disseminate to multiple computers, infecting each device it encounters by altering them in some way so that a copy of the code is embedded on that device or system.
88
Business resiliency refers to
continuous operation or the ability to quickly return to operations after an event, whereas business continuity is more operations-focused in that it concentrates on continuing product and service delivery (speed)
89
Conceptual data models are a
high-level, big-picture representation of the data structures.
90
SARs typically contain
a summary of findings, a system overview, assessment methodology, security assessment findings, recommendations, and an action plan.
91
The primary purpose of the risk assessment procedures performed by a service auditor?
To provide a basis for designing and performing procedures that are responsive to the risks
92
Performing a reduction analysis involves
decomposing assets that are being protected with the intent to obtain a greater understanding of how those assets interact with potential cybersecurity threats. This decomposition process helps organizations understand existing security clearances, policies around trust and security changes, and how data flows through the organization.
93
Salting
A technique that adds a random string of characters to each password before hashing and storing it -strengthen security and protect against dictionary and brute force attacks
94
Iteration count
determines the number of times your master password is hashed (scrambled) when creating the master encryption key
95
Demilitarized zone DMZ
a subnetwork that separates an organization's internal network from an external network, such as the internet.
96
Gantt chart
a type of bar chart, devised by Henry Gantt in the 1910s, to illustrate a project schedule. It helps in scheduling, managing and monitoring specific tasks in a system. It is not a data collection tool.
97
Electronic data interchange (EDI) is a means of electronic communication between
entities, not people. EDI typically involves automatic monitoring of inventory levels and sales orders (by the business customer’s system), purchase order placement and fulfillment, and payment. It is not designed as a tool for collaboration.
98
AICPA DC section 200 description criteria
are used to measure or evaluate managements description of the system, not controls
99
AICPA TSP section 100 Trust Service criteria
managements asserts that controls were designed, implemented, and operated to provide reasonable assurance of achieving the service organizations principal service commitments and system requirements
100
Second Normal Form
All non-key attributes in a table to depend on the entire primary key
101
A value-added network (VAN)
provides additional services beyond mere connections to the Internet, particularly services enabling EDI (Electronic Data Interchange) to route communications and data transactions between entities such as trading partners
102
Abstraction
is the process of hiding certain levels of complexity within a task so that only pertinent information needed to perform a job is displayed to the person performing that task.

ISC (18 decks)

Brainscape helps you reach your goals faster, through stronger study habits.
© 2025 Bold Learning Solutions. Terms and Conditions