3 Primary Components to manage cybersecurity risk under the NIST Cybersecurity Framework
1. CSF Core
2. CSF Tiers
3. CSF Organization Profiles
6 NIST CSF Framework core components
1. Govern
2. Identify
3. Protect
4. Detect
5. Respond
6. Recover
NIST CSF Tiers that apply to cybersecurity risk governance and cybersecurity risk management
Tier 1: Partial
Tier 2: Risk-Informed
Tier 3: Repeatable
Tier 4: Adaptive
Current Profile
Specifies the outcome that an organization is achieving (or attempting to achieve) based on its current cybersecurity posture.
Target Profile
Specifies the desired outcome that an organization has prioritized achieving, considering the anticipated changes to the organization's cybersecurity posture.
Gap Analysis
Identifies the differences between the current state and the future state.
5 NIST Privacy Framework Core Functions
1. Identify-P
2. Govern-P
3. Control-P
4. Communicate-P
5. Protect-P
What are the three control implementation approaches that are to be implemented on a per-control basis with respect to implementation models?
1. Common(inheritable)
2. System-Specific
3. Hybrid
Common (inheritable)
Implement controls at the organizational level, which are adopted by information systems
System-Specific
Implement controls at the information system level
Hybrid
Implement controls at the organization level where appropriate and the remainder at the information system level.
2 categories of Data Breaches
1. Unintentional
2. Intentional
Unintentional Data Breach
a breach resulting from negligence or error
Intentional Data Breach
A breach resulting from bad actors illegally gaining access to data
3 categories of safeguards for covered entities or business associates under HIPAA
1. Administrative
2. Physical
3. Technical
What are the principles that must be followed when processing data in compliance with GDPR?
- Lawfulness, Fairness, Transparency
- Purpose Limitation
- Data Minimization
- Accuracy
- Storage Limitation
- Integrity and Confidentiality
All processors or controllers of data shall be responsible for—and able to demonstrate compliance with—these principles (accountability).
6 goals of PCI DSS
1. Build and maintain a secure network and systems
2. Protect account data
3. Maintain a vulnerability management program
4. Implement strong access control measures
5. Regularly monitor and test networks
6. Maintain an information security policy
Control 01: Inventory and Control of Enterprise Assets.
Actively manage all enterprise assets connected to the infrastructure physically, virtually, remotely, and those within cloud environments, to accurately know the totality of assets that need to be monitored and protected within the enterprise.
Control 02: Inventory and Control of Software Assets.
Actively manage all software on the network so that only authorized software is installed and can execute, and that unauthorized and unmanaged software is found and prevented from installation or execution.
Control 03: Data Protection.
Develop processes and technical controls to identify, classify, securely handle, retain, and dispose of data.
Control 04: Secure Configuration of Enterprise Assets and Software.
Establish and maintain the secure configuration of enterprise assets and software.
Control 05: Account Management.
Use processes and tools to assign and manage authorization to credentials for user accounts, including administrator accounts, as well as service accounts, to enterprise assets and software.
Control 06: Access Control Management.
Use processes and tools to create, assign, manage, and revoke access credentials and privileges for user, administrator, and service accounts for enterprise assets and software.
Control 07: Continuous Vulnerability Management.
Develop a plan to continuously assess and track vulnerabilities on all enterprise assets within the enterprise's infrastructure, in order to remediate, and minimize, the window of opportunity for attackers. Monitor public and private industry sources for new threat and vulnerability information.
Control 08: Audit Log Management.
Collect, alert, review, and retain audit logs of events that could help detect, understand, or recover from an attack.
Control 09: Email and Web Browser Protections.
Improve protections and detections of threats from email and web vectors, as these are opportunities for attackers to manipulate human behavior through direct engagement.
CIS Controls Principles
1. Context
2. Coexistence
3. Consistency
Context
An enhancement to the scope and practical applicability of safeguards through incorporation of examples and explanations
Coexistence
Alignment with evolving industry standards and frameworks, including NIST's CSF 2.0 Framework
Consistency
Disruption to users of the controls is minimized, without impacting implementation groups
Control 10: Malware Defenses.
Prevent or control the installation, spread, and execution of malicious applications, code, or scripts on enterprise assets.
Control 11: Data Recovery.
Establish and maintain data recovery practices sufficient to restore in-scope enterprise assets to a pre-incident and trusted state.
Control 12: Network Infrastructure Management.
Establish, implement, and actively manage network devices in order to prevent attackers from exploiting vulnerable network services and access points
Control 13: Network Monitoring and Defense.
Operate processes and tooling to establish and maintain comprehensive network monitoring and defense against security threats across the enterprise's network infrastructure and user base.
Control 14: Security Awareness and Skills Training.
Establish and maintain a security awareness program to influence behavior among the workforce to be security conscious and properly skilled to reduce cybersecurity risks to the enterprise.
Control 15: Service Provider Management.
Develop a process to evaluate service providers who hold sensitive data, or are responsible for an enterprise's critical IT platforms or processes, to ensure these providers are protecting those platforms and data appropriately.
Control 16: Application Software Security.
Manage the security life cycle of in-house developed, hosted, or acquired software to prevent, detect, and remediate security weaknesses before they can impact the enterprise.
Control 17: Incident Response Management.
Establish a program to develop and maintain an incident response capability to prepare, detect, and quickly respond to an attack
Control 18: Penetration Testing.
Test the effectiveness and resiliency of enterprise assets through identifying and exploiting weaknesses in controls (people, processes, and technology), and simulating the objectives and actions of an attacker.
ISACA's COBIT framework purpose
provides a roadmap that organizations can use to implement best practices for IT governance and management
5 components were used for the development of COBIT 2019's foundation
- COBIT 5
- Six principles for a governance system
- Three principles for a governance framework
- Other standards and regulations
- Community contribution
6 governance principles under COBIT 2019
1. Provide Stakeholder Value
2. Holistic Approach
3. Dynamic Governance System
4. Governance Distinct From Management
5. Tailored to Enterprise Needs
6. End-to-End Governance System
3 principles used to develop the COBIT 2019 core model.
1. Based on Conceptual Model
2. Open and Flexible
3. Aligned to major standards
Based on Conceptual Model
Governance frameworks should identify key components as well as the relationships between those components in order to provide for greater automation and to maximize consistency
Open and Flexible
Frameworks should have the ability to change, adding relevant content and removing irrelevant content, while keeping consistency and integrity
Aligned to Major Standards
Frameworks should align with regulations, frameworks, and standards
7 components to satisfy management and governance objectives under the COBIT 2019 core model
1. Processes
2. Organizational Structures
3. Principles, Policies, Frameworks
4. Information
5. Culture, Ethics, and Behavior
6. People, Skills, and Competencies
7. Services, Infrastructure, and Applications
11 Design Factors under COBIT
- Enterprise Strategy
- Enterprise Goals
- Risk Profile
- Information and Technology Issues
- Threat Landscape
- Compliance Requirements
- Role of IT
- Sourcing Model for IT
- IT Implementation Methods
- Technology Adoption Strategy
- Enterprise Size
Governance Objectives under COBIT 2019
Evaluate, Direct, and Monitor (EDM)
Management Objectives under COBIT 2019
- Align, Plan, and Organize (APO)
- Build, Acquire, and Implement (BAI)
- Deliver, Service, and Support (DSS)
- Monitor, Evaluate, and Assess (MEA)
management under COBIT framework
Management, such as the executive officers, is responsible for the daily planning and administration of company operations.
governance under COBIT framework
Governance is responsible for evaluating strategic objectives, directing management to achieve those objectives, and monitoring whether objectives are being met.
Computer Hardware
Computers, the physical components that comprise computers, computer-related equipment, and external peripheral devices are referred to as computer hardware (or just "hardware").
End-User Devices (EUDs)
Electronic machines, typically computers or microcomputers, that directly interact with employees or consumers at the "edge" of a network.
Non-EUDs (non-end-user devices) examples
- Switches
- Servers
- Routers
- other network support devices
Infrastructure Housing
The facilities and the safeguards on those facilities that contain hardware. Examples include data centers or offices, which may include advanced security systems to monitor and control access.
Traditional Hardware examples
1. Modems
2. Routers
3. Switches
4. Gateways
5. Edge-Enabled Devices
6. Servers
7. Firewalls
Modems
Connect a network to an internet service provider's network
Routers
manage network traffic by connecting devices to form a network
Switches
connect and divide devices within a computer network
Gateways
a computer or device that acts as an intermediary between different networks
Edge-enabled devices
Allow computing, storage, and networking functions closer to the devices where the data or system request originates, rather than a distant central location.
Servers
physical or virtual machines that coordinate the computers, programs, and data that are part of the network
Firewalls
Software applications or hardware devices that protect a person's or a company's network traffic by filtering it through security protocols with predefined rules
7 layers for specific data exchange in an OSI Model
1. Physical (Layer 1)
2. Data Link (Layer 2)
3. Network (Layer 3)
4. Transport (Layer 4)
5. Session (Layer 5)
6. Presentation (Layer 6)
7. Application (Layer 7)
Common network architecture designs
Local-Area Networks (LANs)
Wide-Area Networks (WANs)
Software-defined Wide Area Networks (SD-WANs)
Virtual Private Networks (VPNs)
Demilitarized Zone (DMZ)
Local-Area Networks (LANs)
provides network access to a limited geographic area
Wide-Area Networks (WANs)
connect multiple LANs to provide access to larger geographic areas
Software-defined Wide Area Networks (SD-WANs)
monitors the performance of WAN connections and manages traffic to optimize connectivity
Virtual Private Networks (VPNs)
Virtual connections through a secure channel or tunnel that provide remote and secure access to an existing network
Demilitarized Zone (DMZ)
provides an additional layer of security to an organization's LAN by creating a physical or logical subnetwork outside of the LAN's firewall to house the organization's external facing resources to an untrusted network such as the internet. The setup of the DMZ typically involves at least two firewalls: one firewall to separate the DMZ from the internet and another firewall to separate the DMZ from the LAN.
3 Cloud Computing Models
1. IaaS - infrastructure as a service
2. PaaS - platform as a service
3. SaaS - software as a service
IaaS (Infrastructure as a Service)
access to networking, computers and storage
PaaS (Platform as a Service)
Manage only the application, not the hardware or the OS
SaaS (Software as a Service)
No infrastructure or application management; just configure and use
What is the purpose of COSO's Enterprise Risk Management for Cloud Computing publication?
The publication provides specific guidance to organizations for applying the COSO framework to cloud computing. In general, an organization must integrate the governance of cloud computing into its overall risk management strategy.
enterprise resource planning (ERP) systems
Cross-functional systems that support different business functions and facilitate the integration of information across departments such as accounting, customer management, finance, human resources, inventory management, manufacturing, marketing, and vendor management. An ERP may include accounting information system (AIS) capabilities while being more robust than a standalone AIS and integrated with other departments.
3 subsystems of the Accounting Information System (AIS)
- Transaction Processing System (TPS)
- Financial Reporting System (FRS)
- Management Reporting System (MRS)
objectives of the AIS subsystem
- Record valid transactions.
- Properly classify those transactions.
- Record transactions at their correct value.
- Record transactions in the correct accounting period.
- Properly present transactions and related information in the financial statements.
Transaction cycles in accounting department
- Revenue and cash collections cycles
- Purchasing and disbursement cycles
- Human resources and payroll cycles
- Production cycles
- Fixed asset cycles
- Treasury cycles
- General ledger and reporting cycles
Areas of process improvement that enhance AIS performance
- Automation
- Shared services
- Outsourcing
- Offshore operations
Processing Integrity
Processing integrity refers to a system's ability to initiate and complete transactions so that they are valid, accurate, completed timely, and authorized to meet an organization's objective.
How does the AICPA define a deficiency in the operation of a control in a SOC 2® engagement?
A properly designed control that either:
does not operate as designed; or
is performed by a person who lacks authority or competence to perform the control effectively.
When considering the identification of deviations in the operating effectiveness of controls, what should the service auditor consider?
The service auditor should accumulate documentation of deviations in the operating effectiveness of controls discovered.
If the service auditor cannot obtain reasonable assurance that system requirements or service commitments are being met, then the deficiency should be considered material.
When implementing the COSO's controls in a blockchain setting, what should an organization consider?
- Focus on preventative controls due to the volume and speed of transactions being processed.
- Increase the frequency of detective controls, also due to the volume of transactions.
- Develop controls that use other analytic technology like AI tools.
- Develop a code of conduct and establish policies that comply with KYC and AML.
- Create cross-disciplinary teams with segregation of duties and clear reporting lines in mind.
steps in a disaster recovery plan
1. Assess the risks
2. Identify mission-critical applications and data
3. Develop a plan
4. Determine responsibilities of the personnel
5. Test the disaster recovery plan
Cold Site
Located off-site, connections are in place, equipment is not in place, typically takes 1-3 days to be operational, and is the cheapest.
Warm Site
Located off-site, connections are/are not in place, equipment is/is not in place, typically takes 0-3 days to be operational, and is moderately expensive.
Hot Site
Located off-site, connections are in place, equipment is in place, typically immediate to be operational, and is the most expensive.
Business Continuity Plan considerations
- Identify the organization's key business processes.
- Identify the risks that exist in key business processes.
- Determine the acceptable downtime for key business processes.
- Implement mitigation and contingency plans to address risks and downtimes.
Failed IT Structure
The availability of systems may directly be affected by failures in hardware, software, and network applications.
Insufficient Capacity and Resources
System availability may be slowed down or disrupted if the infrastructure is unable to meet the processing or storage needs.
Lack of Business Resiliency
Organizations may lose critical, confidential, or private data if a business resiliency program is insufficient/nonexistent.
Examples of system availability controls
- Physical controls
- IT infrastructure controls
- Uninterrupted power supply (UPS)
- Redundancy
- System backup (full, incremental, or differential)
Change management
is used to describe the policies, procedures, and resources employed to govern change in an organization.
forms of computing environments
- Development environment
- Testing environment
- Staging environment
- Production environment
- Disaster recovery environment
risks that exist pertaining to the selection and acquisition of software
- Lack of expertise
- Lack of a formal selection and acquisition process
- Software/hardware vulnerability and compatibility
integration risks during the change management process
- User resistance
- Lack of management support
- Lack of stakeholder support
- Resource concerns
- Business disruption
- Lack of system integration
examples of outsourcing risks during the change management process
- Lack of organizational knowledge
- Uncertainty of the third party's knowledge and management
- Lack of security
procedures to test change management controls for IT resources
- Establish acceptance criteria.
- Analyze logs.
- Evaluate the results.
- Monitor.
- Test using continuous adoption.