ISC

CPA - ISC Flashcards

260 Terms

1
New cards
  • CSF Core

  • CSF Tiers

  • CSF Organization Profiles

What are the 3 primary components to manage cybersecurity risk under the NIST cybersecurity framework?

2
  1. Govern

  2. Identify

  3. Protect

  4. Detect

  5. Respond

  6. Recover

The NIST framework core consists of 6 components. What are they?

3
  • Tier 1: Partial

  • Tier 2: Risk-Informed

  • Tier 3: Repeatable

  • Tier 4: Adaptive

State the NIST CSF Tiers that apply to cybersecurity risk governance and cybersecurity risk management.

4
  • A current profile specifies the outcome that an organization is achieving (or attempting to achieve) based on the current cybersecurity posture.

  • A target profile specifies the desired outcome that an organization has prioritized achieving, considering the anticipated changes to the organization's cybersecurity posture.

  • The differences between the two are identified in a gap analysis.

Explain the difference between a Current Profile & a Target Profile.

5
  1. Identify-P

  2. Govern-P

  3. Control-P

  4. Communicate-P

  5. Protect-P

Identify the 5 framework functions under NIST Privacy Framework Core.

6
  1. Common (Inheritable): Implement controls at the organizational level, which are adopted by info systems.

  2. System-Specific: Implement controls at the information system level.

  3. Hybrid: Implement controls at the organization level where appropriate and the remainder at the info system level.

What are the 3 control implementation approaches, selected on a per-control basis, with respect to implementation models?

7
  • Unintentional Data Breach: A breach resulting from negligence or error.

  • Intentional Data Breach: A breach resulting from bad actors illegally gaining access to data.

What are the 2 general categories of data breaches?

8
  • Administrative

  • Physical

  • Technical

What are 3 categories of safeguards for covered entities or business associates under HIPAA?

9
  • Lawfulness, fairness, transparency

  • Purpose Limitation

  • Data Minimization

  • Accuracy

  • Storage Limitation

  • Integrity and Confidentiality

What are the principles that must be followed when processing data in compliance with GDPR?

10
  1. Build & maintain a secure network & systems

  2. Protect account data

  3. Maintain a vulnerability management program

  4. Implement strong access control measures

  5. Regularly monitor and test networks

  6. Maintain an info security policy

What are the 6 goals of the PCI DSS?

11

Actively manage all enterprise assets connected to the infrastructure physically, virtually, remotely, and those within cloud environments, to accurately know the totality of assets that need to be monitored and protected within the enterprise.

Control 01: Inventory and Control of Enterprise Assets

12

Actively manage all software on the network so that only authorized software is installed and can execute, and that unauthorized and unmanaged software is found and prevented from installation or execution.

Control 02: Inventory and Control of Software Assets

13

Develop processes and technical controls to identify, classify, securely handle, retain, and dispose of data.

Control 03: Data Protection

14

Establish and maintain the secure configuration of enterprise assets and software.

Control 04: Secure Configuration of Enterprise Assets and Software

15

Use processes and tools to assign and manage authorization to credentials for user accounts, including administrator accounts as well as service accounts, to enterprise assets and software.

Control 05: Account Management

16

Use processes and tools to create, assign, manage, and revoke access credentials and privileges for user, administrator, and service accounts for enterprise assets and software.

Control 06: Access Control Management

17

Develop a plan to continuously assess and track vulnerabilities on all enterprise assets within the enterprise’s infrastructure, in order to remediate and minimize the window of opportunity for attackers. Monitor public and private industry sources for new threat and vulnerability info.

Control 07: Continuous Vulnerability Management

18

Collect, alert, review, and retain audit logs of events that could help detect, understand, or recover from an attack.

Control 08: Audit Log Management

19

Improve protections and detections of threats from email and web vectors, as these are opportunities for attackers to manipulate human behavior through direct engagement.

Control 09: Email and Web Browser Protections

20

Prevent or control the installation, spread, and execution of malicious applications, code, or scripts on enterprise assets.

Control 10: Malware Defenses

21

Establish and maintain data recovery practices sufficient to restore in-scope enterprise assets to a pre-incident and trusted state.

Control 11: Data Recovery

22

Establish, implement, and actively manage network devices in order to prevent attackers from exploiting vulnerable network services and access points.

Control 12: Network Infrastructure Management

23

Operate processes and tooling to establish and maintain comprehensive network monitoring and defense against security threats across the enterprise’s network infrastructure and user base.

Control 13: Network Monitoring and Defense

24

Establish and maintain a security awareness program to influence behavior among the workforce to be security conscious and properly skilled to reduce cybersecurity risks to the enterprise.

Control 14: Security Awareness and Skills Training

25

Develop a process to evaluate service providers who hold sensitive data or are responsible for an enterprise’s critical IT platforms or processes to ensure these providers are protecting those platforms and data appropriately.

Control 15: Service Provider Management

26

Manage the security life cycle of in-house developed, hosted, or acquired software to prevent, detect, and remediate security weaknesses before they can impact the enterprise.

Control 16: Application Software Security

27

Establish a program to develop and maintain response capability to prepare, detect, and quickly respond to an attack.

Control 17: Incident Response Management

28

Test the effectiveness and resiliency of enterprise assets through identifying and exploiting weaknesses in controls (people, processes, and technology), and simulating the objectives and actions of an attacker.

Control 18: Penetration Testing

29
  • Context: An enhancement to the scope and practical applicability of safeguards through incorporation of examples and explanations.

  • Coexistence: Alignment with evolving industry standards and frameworks, including NIST’s CSF 2.0 framework.

  • Consistency: Disruption to users of the controls is minimized, and implementation groups are not impacted.

Explain the principles by which CIS Controls were designed.

30

Provides a roadmap that organizations can use to implement best practices for IT governance and management.

Describe the purpose of ISACA’s COBIT framework.

31
  • COBIT 5

  • 6 principles for a governance system

  • 3 principles for a governance framework

  • Other standards and regulations

  • Community contribution

What 5 components were used for the development of COBIT 2019’s foundation?

32
  1. Provide stakeholder value

  2. Holistic approach

  3. Dynamic governance system

  4. Governance distinct from management

  5. Tailored to enterprise needs

  6. End-to-end governance system

What are the 6 governance system principles under COBIT 2019?

33
  • Based on a Conceptual Model: Governance frameworks should identify key components as well as the relationships between those components.

  • Open and Flexible: Frameworks should have the ability to change, adding relevant content and removing irrelevant content, while keeping consistency and integrity.

  • Aligned to Major Standards: Frameworks should align with regulations, frameworks, and standards.

Describe the 3 principles used to develop the COBIT 2019 core model.

34
  1. Processes

  2. Organizational Structures

  3. Principles, Policies, Frameworks

  4. Information

  5. Culture, Ethics, and Behavior

  6. People, Skills, and Competencies

  7. Services, Infrastructure, and Applications

What are the 7 components to satisfy management and governance objectives under the COBIT 2019 core model?

35
  • Enterprise strategy

  • Enterprise goals

  • Risk Profile

  • Information and technology issues

  • Threat landscape

  • Compliance requirements

  • Role of IT

  • Sourcing model for IT

  • IT implementation methods

  • Technology adoption strategy

  • Enterprise size

What are the 11 design factors that should be considered under COBIT?

36
  • Governance Objectives: Evaluate, Direct, and Monitor (EDM)

  • Management Objectives:

    • Align, Plan, and Organize (APO)

    • Build, Acquire, and Implement (BAI)

    • Deliver, Service, and Support (DSS)

    • Monitor, Evaluate, and Assess (MEA)

List the governance objectives and management objectives according to the COBIT 2019 core model.

37
  • Management (e.g., executive officers) is responsible for the daily planning and administration of company operations.

  • Governance is responsible for evaluating strategic objectives, directing management to achieve those objectives, and monitoring whether objectives are being met.

What are the key differences between management and governance under the COBIT framework?

38

Computers, the physical components that comprise computers, computer-related equipment, and external peripheral devices are referred to as computer hardware (or just hardware).

Explain the concept of computer hardware in the context of IT infrastructure.

39

Electronic machines, typically computers or microcomputers (small, low-power computing devices for specific tasks), that directly interact with employees or consumers at the “edge” of a network.

What are end-user devices (EUDs)?

40
  • Switches

  • Servers

  • Routers

  • Other network support devices

Describe some examples of non-EUDs (non-end-user devices).

41

Facilities and the safeguards on such facilities that contain hardware. Examples include data centers or offices, which may include advanced security systems to monitor and control access.

What is infrastructure housing?

42

Modems

Connect a network to an internet service provider’s network.

43

Routers

Manage network traffic by connecting devices to form a network. Devices that manage and direct data traffic between networks.

44

Switches

Connect and divide devices within a computer network. Devices that connect multiple devices within a network and divide connections.

45

Gateways

A computer or device that acts as an intermediary between different networks. Devices that connect different networks by converting data protocols.

46

Edge-Enabled Devices

Allow computing, storage, and networking functions to run closer to the source of the data or system requests.

47

Servers

Physical or virtual machines that coordinate the computers, programs, and data that are part of the network. Machines that provide computing power and services to other devices on a network.

48

Firewalls

Software applications or hardware devices that protect a person’s or a company’s network traffic by filtering it according to security protocols with predefined rules.

49
  1. Physical Layer (Layer 1)

  2. Data Link (Layer 2)

  3. Network (Layer 3)

  4. Transport (Layer 4)

  5. Session (Layer 5)

  6. Presentation (Layer 6 - Most Risk)

  7. Application (Layer 7)

What are the 7 different layers responsible for specific data exchange functions in the Open Systems Interconnection (OSI) model?

50

Local-Area Networks (LANs)

Provide network access to a limited geographic area.

51

Wide-Area Networks (WANs)

Connect multiple LANs to provide access to larger geographic areas.

52

Software-Defined Wide Area Networks (SD-WANs)

Monitor the performance of WAN connections and manage traffic to optimize connectivity.

53

Virtual Private Networks (VPNs)

Virtual connections through a secure channel or tunnel that provide remote and secure access to an existing network.

54

Demilitarized Zone (DMZ)

Provides an additional layer of security to an organization’s LAN by creating a physical or logical subnetwork outside of the LAN’s firewall to house the organization’s external-facing resources that are exposed to an untrusted network such as the internet. The setup of the DMZ typically involves at least 2 firewalls: one firewall to separate the DMZ from the internet and another firewall to separate the DMZ from the LAN.

55
  1. IaaS (Infrastructure-as-a-Service): More control

  2. PaaS (Platform-as-a-Service): Medium control

  3. SaaS (Software-as-a-Service): Less control

Identify the 3 primary cloud computing models and the respective levels of control associated with each model.

56

Provides specific guidance to organizations for applying the COSO framework to cloud computing. In general, an organization must integrate the governance of cloud computing into its overall risk management strategy.

What is the purpose of the COSO’s Enterprise Risk Management for Cloud Computing publication?

57

Cross-functional systems that support different business functions and facilitate the integration of information across departments such as accounting, customer management, finance, human resources, inventory management, manufacturing, marketing, and vendor management. An ERP may include accounting information system (AIS) capabilities while being more robust than a standalone AIS and integrated with other departments.

Define Enterprise Resource Planning (ERP) Systems.

58
  • Transaction Processing System (TPS)

  • Financial Reporting System (FRS)

  • Management Reporting System (MRS)

What are 3 subsystems (or modules) that typically make up an accounting information system (AIS)?

59
  1. Record valid transactions.

  2. Properly classify those transactions.

  3. Record transactions at their correct value.

  4. Record transactions in the correct accounting period.

  5. Properly present transactions and related information in the financial statements.

Describe the 5 objectives of the 3 AIS subsystems.

60
  • Revenue and cash collection cycles

  • Purchasing and disbursement cycles

  • Human resources and payroll cycles

  • Production cycles

  • Fixed asset cycles

  • Treasury cycles

  • General ledger and reporting cycles

Identify common transaction cycles within an accounting department.

61
  • Automation

  • Shared Services

  • Outsourcing

  • Offshore operations

What are 4 broad areas of process improvements that can enhance accounting information system performance?

62

A system’s ability to initiate and complete transactions so that they are valid, accurate, completed timely, and authorized to meet an organization’s objective.

Describe the concept of processing integrity.

63

A properly designed control that either:

  1. does not operate as designed; or

  2. is performed by a person who lacks authority or competence to perform the control effectively.

How does the AICPA define a deficiency in the operation of a control in a SOC 2 engagement?

64

Accumulate documentation of deviations in the operating effectiveness of controls discovered. If the service auditor cannot obtain reasonable assurance that system requirements or service commitments are being met, then the deficiency should be considered material.

When considering the identification of deviations in the operating effectiveness of controls, what should the service auditor consider?

65
  • Focus on preventative controls due to the volume and speed of transactions being processed.

  • Increase the frequency of detective controls, also due to the volume of transactions.

  • Develop controls that use other analytic technology like AI tools.

  • Develop a code of conduct and establish policies that comply with KYC and AML.

  • Create cross-disciplinary teams with segregation of duties and clear reporting lines in mind.

When implementing the COSO’s controls in a blockchain setting, what should an organization consider?

66
  1. Assess the risks.

  2. Identify mission-critical applications and data.

  3. Develop a plan for handling the mission-critical applications.

  4. Determine the responsibilities of the personnel involved in disaster recovery.

  5. Test the disaster recovery plan.

Describe the 5 common steps in a disaster recovery plan.

67

Cold Site

Located off-site, connections are in place, equipment is not in place, typically takes 1-3 days to be operational, and is the cheapest.

68

Warm Site

Located off-site, connections may or may not be in place, equipment may or may not be in place, typically takes 0-3 days to be operational, and is moderately expensive.

69

Hot Site

Located off-site, connections are in place, equipment is in place, typically immediate to be operational, and is the most expensive.

70
  • Identify the organization’s key business processes.

  • Identify the risks that exist in key business processes.

  • Determine the acceptable downtime for key business processes.

  • Implement mitigation and contingency plans to address risks and downtimes.

Describe the considerations needed for business continuity plans.

71
  • Failure of IT Infrastructure

  • Insufficient Capacity and Resources

  • Lack of Business Resiliency

What are the common system availability risks?

72

Failure of IT Infrastructure

The availability of systems may directly be affected by failures in hardware, software, and network applications.

73

Insufficient Capacity and Resources

System availability may be slowed down or disrupted if the infrastructure is unable to meet the processing or storage needs.

74

Lack of Business Resiliency

Organizations may lose critical, confidential, or private data if a business resiliency program is insufficient/nonexistent.

75
  • Physical controls

  • IT infrastructure controls

  • Uninterruptible power supply (UPS)

  • Redundancy

  • System backup (full, incremental, or differential)

What are some examples of system availability controls?

76

The policies, procedures, and resources employed to govern change in an organization.

Describe the term change management.

77
  • Development environment

  • Testing environment

  • Staging environment

  • Production environment

  • Disaster recovery environment

Identify 5 forms of computing environments.

78
  • Lack of expertise

  • Lack of a formal selection and acquisition process

  • Software/hardware vulnerability and compatibility

What are 3 examples of risks that exist pertaining to the selection and acquisition of software?

79
  • User resistance

  • Lack of management support

  • Lack of stakeholder support

  • Resource concerns

  • Business disruption

  • Lack of system integration

What are 6 examples of integration risks during the change management process?

80
  • Lack of organizational knowledge

  • Uncertainty of third party’s knowledge and management

  • Lack of security

What are 3 examples of outsourcing risks during the change management process?

81
  • Establish acceptance criteria

  • Analyze logs

  • Evaluate the results

  • Monitor

  • Test using continuous adoption

List the procedures to test change management controls for IT resources.

82

Waterfall Model

Characterized by different teams of employees performing separate tasks in sequence with each team beginning work from the pre-written authoritative agreement of the preceding team and ending work when the requirements for the team have been met.

83

Agile Model

Characterized by different teams of employees working on different phases or tasks simultaneously, with shorter deadlines to encourage efficiency. Offers a more flexible approach to change management.

84
  • Direct method

  • Parallel method

  • Pilot method

  • Phased method

  • Hybrid method

When an organization is converting its computer systems from one system to another, what are the different conversion methods?

85

Unit Testing

System test that examines the smallest increment, or unit, of an application.

86

Integration Testing

System test that examines if different components or modules within an application will work cohesively.

87

System Testing

System test that verifies that all combined modules of a completed application work as designed in totality.

88

Acceptance Testing

System test that assesses an application to determine whether it meets end-user requirements.

89

Configuration

Setting system parameters to meet a company's needs during an enterprise resource planning system implementation is known as ________.

90

Closed Loop Verification

Management is evaluating a newly installed system by applying metrics that examine how easily the system can scale volume up or down, the speed at which it can process transactions, and the amount of uptime over a given period. If the system meets predetermined standards in each of these categories, then implementation will be considered complete. This sort of change control testing is an example of __________.

91

Direct Conversion

Immediately stop using the old system and start using the new system with no overlap or testing period.

92

Parallel Conversion

Run the new system alongside the old system for an extended time to compare results and ensure accuracy before fully switching (safest option).

93

Pilot Conversion

Test the new system on a small scale in a non-production environment before rolling it out to the entire organization.

94

Phased Conversion

Gradually implement the new system in stages (by location or module) while still operating the old system.

95

Hybrid Conversion

A custom mix of the conversion methods tailored to the organization's specific needs.

96
  1. Definition

  2. Capture or Create

  3. Preparation

  4. Synthesis

  5. Analytics and Usage

  6. Publication

  7. Archival

  8. Purging

Identify the 8 steps in the data life cycle.

97
  1. Remove unnecessary headings or subtotals.

  2. Clean leading zeros and nonprintable characters.

  3. Format negative numbers.

  4. Identify and correct inconsistencies across data.

  5. Address inconsistent data types.

Identify 5 steps that may be completed when cleaning captured data.

98

Extract, Transform, and Load (ETL)

Data that already exists is extracted from its original source, transformed into useful information, and loaded into the tool you choose to use for analysis. This term refers to the process and technology employed as a whole.

99

Active Data Collection Method

Data collection method that occurs when directly asking users for data through means such as a survey or an interview.

100

Passive Data Collection Method

Data collection method in which data is collected from users’ interactions without asking users for direct permission.