Which two of the six GDPR principles for processing data state that the data must be processed for a specific reason or protected from damage?
Integrity and Confidentiality; Purpose Limitation
Which of the following is responsible for carrying out IT governance policies?
Middle management
[The board of directors is responsible for setting governance policies; executives ensure that an IT governance structure is in place and executed effectively; end users are responsible for following processes and procedures]
Precision Business Advisors is meeting with senior management on ways to manage its exposure to different IT risks in its business operations by adhering to the COSO framework, Enterprise Risk Management—Integrating with Strategy and Performance. Precision should follow the guidance on defining risk outlined in which of the framework's following components?
Strategy and Objective-Setting [this is the component in which risk appetite is defined]
-Governance and Culture -- sets tone for enterprise risk management by establishing board oversight
-Performance component helps organizations prioritize risk based on an already defined risk appetite
-The Review and Revisions component assists organizations in assessing substantial change, reviewing risk and performance, and pursuing improvement initiatives in risk management.
Top management's most important role(s) in business process design is:
Providing support and encouragement for IT development projects and aligning information systems with corporate strategies.
[facilitating the coordination and integration of information systems activities to increase goal congruence and reduce goal conflict is the role of the steering committee // determine information needs and system requirements to communicate to systems developers is the role of the accountant as a user of an accounting information system]
Macedonia Corporation's mainframe programming and operations staff is in an uproar. They have heard that the internal auditors are planning to insist upon all sorts of controls on the systems and programming activity, and they feel that these controls will cause them nothing but trouble. What sort of controls might Macedonia's internal auditors reasonably require?
Input controls that require that certain key data be validated
Duggan Industries is working to find areas for improvements with its vendor interactions. They want to have a visual representation of the logical relationships between the servers and the vendors to demonstrate how they logically interact with one another and what physical connections exist. Duggan Industries should employ which type of documentation technique?
System interface diagram
demonstrates how users and functions interface with the organization's systems
Elena is providing input into a security assessment report (SAR) by documenting the test of controls she is performing in accordance with NIST Special Publication 800-39. The control she is testing evaluates the organization's vulnerability scanning function, which identifies both internal and external security risks to the company. This test of controls aligns with which of the following four NIST framework components?
Assess Risk
Jamal is a service auditor engaged in a SOC 2® audit in which he is attesting to the incident response plan and system description for a company that provides outsourced disaster recovery services for its clients. Jamal would like to sample several instances of system failures that the service organization's clients experienced to determine whether the mean time to repair (MTTR) met client performance expectations. How could he test the service organization's incident response plan (IRP) procedures specific to these client expectations for system failures?
perform a service level agreement and compliance test
Which of the following most accurately describes management's responsibility with respect to its system description in a SOC 1® report?
The description does not omit or distort information relevant to the system and is prepared to meet the common needs of a broad range of user entities and their auditors.
[The description should be complete and accurate and meet the common needs of a broad range of user entities and their auditors]
In a SOC for cybersecurity engagement, management is responsible for presenting a description of the entity's cybersecurity risk management program that is:
in accordance with the description criteria
If the application of complementary user entity controls is considered necessary to achieve the related control objectives statement in management's description of the service organization's system in a SOC 1® engagement, the auditor's report should include a statement to that effect in which report section?
opinion
Which of the following NIST privacy framework functions have the exact same categories as the NIST CSF?
detect, respond, recover
Regarding risk management processes, which Tier under the NIST CSF indicates that management may approve and communicate cybersecurity efforts, but cybersecurity may be isolated from organizational processes?
risk informed
Sunriss Corp. is implementing a vulnerability management program to comply with one of the six goals of the PCI DSS (Payment Card Industry Data Security Standard). To accomplish this, Sunriss Corp. must meet which of the following requirements?
Develop and maintain secure systems and software
Which of the following governance system principles within COBIT 2019 aligns with the notion that governance systems must adjust as new challenges arise so that the global impact of a change is understood?
-Dynamic Governance System: should be flexible enough to adjust to new challenges but remain relevant. This principle also asserts that when one system change occurs, the effect on the rest of the system as a whole should be considered, to ensure that the system can meet the demands of the organization.
[End to End: primary focus is intended to increase the scope of the framework beyond the IT function to all organizational functions involving information and technology
Holistic Approach: states that governance systems for IT can comprise diverse components, collectively providing a holistic model.]
Which objective within the COBIT 2019 governance system components emphasizes the importance of managing data, IT infrastructure and architecture, budgeting, and risk?
APO - Align, Plan, and Organize
Which of the following COSO components and principles would help a company focus on preventative controls due to the volume and speed of transactions that occur on a blockchain?
Component: Monitoring activities; principle: conducts ongoing and/or separate evaluations
Principle 16, "conducts ongoing and/or separate evaluations", within the monitoring activities component emphasizes the importance of preventative controls through the application of continuous monitoring. This focus is derived from the volume and speed of transactions being processed on a blockchain, making it practical to prevent an unwanted event from occurring through continual monitoring, which would be in addition to detecting or remediating it after the event occurs.
Which of the following is true regarding the description criteria for management's description of the entity's cybersecurity risk management program?
The description should include information regarding the cybersecurity objectives and the factors that have a significant effect on inherent cybersecurity risks.
The description criteria categories include:
-the nature of business and operations
-nature of information at risk
-cybersecurity objectives
-factors that have a significant effect on inherent cybersecurity risks
-cybersecurity risk governance structure
-cybersecurity risk assessment process
-cybersecurity communications and the quality of cybersecurity information
-monitoring of the cybersecurity risk management program
-cybersecurity control processes
The inclusion of system and control change details during the period covered by management's system description is relevant for which of the following engagements?
A SOC 1 Type 2 and SOC 2 Type 2
In a SOC 2® engagement, for a vendor to be considered a subservice organization:
The services provided by the vendor must be relevant to the report users' understanding of the service organization's system
In a SOC 1® engagement, which type of opinion is most appropriate when the service auditor identifies a material deficiency in the suitability of the design of a control, but the impact is limited to one control objective and does not have an impact on the service auditor's opinion of other control objectives?
qualified
Precision Business Advisors is a service organization, and they have engaged a service auditor to perform a SOC 2® engagement related to the privacy and confidentiality of the customer data that they collect from third-party customers of their clients. The system used by Precision Business Advisors asks each customer to give or decline authorization for Precision Business Advisors to save their personal data when their case is closed. Which of the following statements is true?
The request for authorization to save customer data after the closure of a case is within the boundaries of the system
[the boundaries of a system that addresses confidentiality and privacy would include all components related to the life cycle of the customer's confidential and personal information within well defined processes and informal ad hoc procedures, including authorization for saving the information]
In a SOC engagement, written representations should be as of what date?
The date of the issuance of the SOC report
What describes an off site location that has all the electrical connections and other physical requirements for data processing, but it does not have the actual equipment?
Cold Site
Landry has grown somewhat haphazardly over the years and no longer has any written data processing procedures or controls because the only copy of its data processing procedures manual was destroyed in a fire several years previously. Landry should consider implementing which of the following?
I.
Securing access to its mainframe computer room and moving its computer room to a convenient area right under its chemical mixing department.
II.
Implementing a new password protection scheme. Currently, all employees use their employee numbers as passwords, and all of the software uses the generic access passwords that were originally provided by the software vendor.
III.
Implementing a permanent file backup process to utilize the empty space right next to where the mainframe computer room might be moved that could be easily and cheaply converted into a data storage room.
Only II is correct
Understanding the best structure to manage and safeguard the integrity of transaction processing is in which of following Framework Functions in the NIST Privacy Framework Core?
Control
helps organizations create the best management structure so that privacy is protected during data processing activities. This structure could include controls such as policies and procedures governing data processing, the management of those protocols over time, and techniques used to anonymize data
Barlings is a large regional primary care clinic that is accepting new patients. Under the HIPAA Privacy Rule, Barlings needs no further authorization after PHI has been collected for:
Treatment or payment processing
Control 10: Malware Defenses
Disabling autorun and autoplay for removable media is not only a defense tactic but is also a safeguard under Control 10: Malware Defenses (Safeguard 10.3 in CIS Controls v8). This preventive measure stops automated malware execution when a USB drive, memory card, or other removable media is inserted; instead, it requires user intervention so that the contents are reviewed before any script or program is launched or executed.
In the context of change management for hardware and software applications, a system component inventory is effective at tracking
components nearing end of life
Which of the following models would the database administrator require the details of when needing to fine-tune performance issues related to a foreign key and column data type?
Physical (the most detailed model; it shows the foreign keys and column data types)
What is the below Structured Query Language (SQL) code retrieving?
SELECT Department, AVG(GPA)
FROM Students
GROUP BY Department
HAVING AVG(GPA) > 3.5
The average GPA of students in each department, limited to departments whose average GPA is greater than 3.5
[The SQL code computes the average GPA of all students in each department (GROUP BY) and then filters the grouped results (HAVING) to include only departments with an average GPA greater than 3.5]
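Worked example for the card above, added here and not part of the original flashcard set: it runs the card's query against a constructed Students table in an in-memory SQLite database and contrasts HAVING (which filters groups after aggregation) with WHERE (which filters rows before aggregation). The student names, departments, and GPAs are made up; the threshold is bound as a query parameter rather than concatenated into the SQL string, which is the habit a security engineer wants to see.

```python
# Added example (not from the flashcard set): GROUP BY / HAVING versus WHERE,
# run against a constructed Students table in an in-memory SQLite database.
import sqlite3

# Constructed sample data: hypothetical students, departments and GPAs.
STUDENTS = [
    ("Ana",  "CS",      3.9),
    ("Ben",  "CS",      3.4),
    ("Cara", "Math",    3.8),
    ("Dev",  "Math",    3.6),
    ("Eli",  "History", 3.9),
    ("Fay",  "History", 2.8),
]


def load_students():
    """Create and populate the Students table in a fresh in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Students (Name TEXT, Department TEXT, GPA REAL)")
    conn.executemany("INSERT INTO Students VALUES (?, ?, ?)", STUDENTS)
    return conn


def departments_above(conn, threshold):
    """The flashcard's query. HAVING filters the *groups* after AVG() is
    computed, so a department appears only if its overall average exceeds
    the threshold. The threshold is a bound parameter, never string-built."""
    rows = conn.execute(
        "SELECT Department, AVG(GPA) FROM Students "
        "GROUP BY Department HAVING AVG(GPA) > ?",
        (threshold,),
    ).fetchall()
    return {dept: round(avg, 2) for dept, avg in rows}


def all_department_averages(conn):
    """Same query without HAVING: every department is reported."""
    rows = conn.execute(
        "SELECT Department, AVG(GPA) FROM Students GROUP BY Department"
    ).fetchall()
    return {dept: round(avg, 2) for dept, avg in rows}


def high_gpa_students_per_department(conn, threshold):
    """WHERE filters individual *rows* before aggregation: this counts only
    students above the threshold, so a department with a low overall average
    (History here) still shows up if one of its students is above it."""
    rows = conn.execute(
        "SELECT Department, COUNT(*) FROM Students WHERE GPA > ? "
        "GROUP BY Department",
        (threshold,),
    ).fetchall()
    return dict(rows)


if __name__ == "__main__":
    db = load_students()
    print("all averages:   ", all_department_averages(db))
    print("HAVING > 3.5:   ", departments_above(db, 3.5))
    print("WHERE GPA > 3.5:", high_gpa_students_per_department(db, 3.5))
```

With the constructed data, History has one 3.9 student but an average of 3.35, so it is returned by the WHERE variant and dropped by the HAVING variant; that is the distinction the exam question is probing.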
Hallmarks of a successful security awareness program
-phishing simulations
-employee mechanisms
-program champions and supporters
-metrics that measure program effectiveness
examples of success metrics:
*the number of resources allocated to that program
*the dollar amount allocated to the program
*number of corrective action plans issued for identified deficiencies
Which of the following is a subject matter that a service auditor may be engaged to report on during a SOC 3® engagement?
The design and effectiveness of controls within a service org over a system while using the trust services criteria
Which of the following is an additional criterion related to processing integrity?
The entity implements policies and procedures over system inputs to result in products, services, and reporting that meet entity objectives
[confidentiality = the entity disposes of confidential information to meet the entity's objectives
privacy = the entity obtains consent when collecting personal data
availability = the entity maintains, monitors, and evaluates current processing capacity and use of system components to manage capacity demand and to enable the implementation of additional capacity to meet entity objectives]
Which of the following would be included in management's system description when a SOC 2® report is being prepared using the carve-out method?
The nature of services provided, the types of complementary subservice organization controls, and the applicable trust services criteria that are intended to be met by the complementary subservice organization controls
Which of the following would be included in management's system description when a SOC 2® report is being prepared using the inclusive method?
The nature of services provided, the complementary subservice organization controls, and the relevant aspects of a subservice organization system, including infrastructure, software, people, procedures and data
Jane has just started at Collins Publishing. Her manager has asked her to identify risks and potential control deficiencies at the organization. Which documentation technique would be the most effective for completing this task?
Flowchart
visual representations of how documents and information flow through a process from both a logical and physical standpoint.
A marketing conglomerate located in a country that is not an EU (European Union) member processes protected health information (PHI) for a financial institution based in the EU. Which of the following is true regarding adherence to GDPR (General Data Protection Regulation)?
The financial institution must comply if data processing is performed outside of the EU
The layer within the OSI (Open Systems Interconnection) model that is responsible for formatting data packets for transmission across specific hardware within a network so that they reach the correct device is known as which of the following?
Data link layer
packets are encapsulated in frames for transmission and addressed with MAC addresses so that they reach the correct device on the local network segment.
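Worked example for the card above, added here and not part of the original flashcard set: it builds and parses the Ethernet II header that the data link layer puts in front of a packet (destination MAC, source MAC, optional 802.1Q VLAN tag, EtherType) and shows the check a non-promiscuous NIC applies to decide whether a frame is for it. Every frame and MAC address below is constructed for the example.

```python
# Added example (not part of the flashcard set): data link layer framing and
# MAC addressing. All frames and MAC addresses below are made up.
import struct
from typing import Optional

BROADCAST = b"\xff" * 6


def fmt_mac(raw: bytes) -> str:
    """Render 6 raw bytes as colon-separated hex, e.g. 00:11:22:33:44:55."""
    return ":".join(f"{b:02x}" for b in raw)


def parse_ethernet_header(frame: bytes) -> dict:
    """Parse an Ethernet II header: dst MAC, src MAC, optional 802.1Q VLAN
    tag, and EtherType. Also reports where the Layer-3 payload begins."""
    if len(frame) < 14:
        raise ValueError("frame shorter than the 14-byte Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    payload_offset, vlan_id = 14, None
    if ethertype == 0x8100:  # 802.1Q tag: 2-byte TCI, then the real EtherType
        if len(frame) < 18:
            raise ValueError("802.1Q tag present but frame is truncated")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan_id = tci & 0x0FFF  # low 12 bits of the TCI carry the VLAN ID
        payload_offset = 18
    return {
        "dst_mac": fmt_mac(dst),
        "src_mac": fmt_mac(src),
        "ethertype": ethertype,
        "vlan_id": vlan_id,
        "payload_offset": payload_offset,
        "is_broadcast": dst == BROADCAST,
        "is_multicast": bool(dst[0] & 0x01),  # I/G bit of the first octet
    }


def frame_is_for_device(frame: bytes, device_mac: str) -> bool:
    """A NIC in normal (non-promiscuous) mode accepts a frame only if the
    destination MAC is its own, the broadcast address, or a multicast group."""
    hdr = parse_ethernet_header(frame)
    return (hdr["dst_mac"] == device_mac.lower()
            or hdr["is_broadcast"] or hdr["is_multicast"])


def build_frame(dst: str, src: str, ethertype: int, payload: bytes,
                vlan_id: Optional[int] = None) -> bytes:
    """Assemble a frame the way the data link layer does before transmission."""
    def mac(s: str) -> bytes:
        return bytes.fromhex(s.replace(":", ""))
    header = mac(dst) + mac(src)
    if vlan_id is not None:  # PCP/DEI bits left at zero in the TCI
        header += struct.pack("!HH", 0x8100, vlan_id & 0x0FFF)
    return header + struct.pack("!H", ethertype) + payload


# Constructed sample frames; the IPv4/ARP payload bytes are placeholders.
UNTAGGED = build_frame("00:11:22:33:44:55", "aa:bb:cc:dd:ee:ff", 0x0800, b"\x45\x00" * 4)
TAGGED = build_frame("00:11:22:33:44:55", "aa:bb:cc:dd:ee:ff", 0x0800, b"\x45\x00" * 4, vlan_id=42)
BCAST = build_frame("ff:ff:ff:ff:ff:ff", "aa:bb:cc:dd:ee:ff", 0x0806, b"\x00\x01")

if __name__ == "__main__":
    for name, frame in (("untagged", UNTAGGED), ("tagged", TAGGED), ("broadcast", BCAST)):
        print(name, parse_ethernet_header(frame))
    print("for 00:11:22:33:44:55?", frame_is_for_device(UNTAGGED, "00:11:22:33:44:55"))
    print("for 00:11:22:33:44:66?", frame_is_for_device(UNTAGGED, "00:11:22:33:44:66"))
```

The VLAN branch is the edge case worth keeping in mind: a tagged frame shifts the EtherType and payload by four bytes, so a parser that assumes a fixed 14-byte header will misread every tagged frame it sees.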
Savestone Inc. is working with its outsourced IT provider to create documented strategies for dealing with short- and long-term system outages. Together, they created a plan. The plan aligns resources to enable a quick return to operations without harm to resources. This plan addresses which of the following concepts related to system availability?
Business Resiliency
refers to the continuous operation or the ability to quickly return to operations after an event, whereas business continuity is more operations focused in that it concentrates on continuing product and service delivery
Alexandra is evaluating different components of an IT asset within her organization and the way each component interacts with a given cybersecurity threat. This is a phase of threat modeling known as:
Performing a reduction analysis
Involves DECOMPOSING the assets being protected with the intent of obtaining a greater understanding of how those assets interact with potential cybersecurity threats. This decomposition process helps organizations understand existing security clearances, policies around trust and security changes, and how data flows through the organization.
[analyzing the impact of an attack requires a company to assess the dollar amount of the effect of a potential threat, helping prioritize solutions. This does not require understanding how an asset interacts with potential threats]
A security analyst is drafting a security assessment report (SAR) after reviewing organizational practices for compliance with certain IT controls. A description of the management information system and techniques used to perform the assessment would be found in which two sections of a SAR?
Assessment methodology and system overview
SARs are reports that serve as evidence of control compliance and documents the findings of the assessor. Typically contain a summary of findings, a system overview, assessment methodology, security assessment findings, recommendations and an action plan
*The assessment methodology is the part of a SAR that outlines the techniques and procedures that will be used to perform an assessment. A description of the management information system used would be found in the system overview within a SAR, as well as the hardware, software, personnel, and other requisite resources
Which of the following is the step where the intended recipient converts the ciphertext into plain text?
Decryption
The trust services supplemental criteria that expand on COSO Principle 12 falling under the control activities component include:
Controls related to logical and physical access, system operations, change management, and risk mitigation
A specified party is most likely to request which type of report when needing assurance about the controls at a service organization relevant to the security, availability, or processing integrity of a system or the confidentiality or privacy of the information processed by the system?
SOC 2 for Service Organizations
In a SOC report, detailed information on an entity's cybersecurity risk management program objectives, risk governance structure, and risk assessment process should be included in which of the following?
Management's description of the entity's cybersecurity risk management program
When the inclusive method is used by a service organization, management's description of the service organization's system should include which of the following?
The nature of the services provided by the subservice organization and the components of the subservice organization's system used to provide services to the service organization
When the carve out method is used by a service organization, management's description of the service organization's system should include which of the following?
The nature of the services provided by the subservice organization and the types of controls expected to be performed at the subservice organization that are necessary, in combination with controls at the service organization, to meet control objectives
Which of the following NIST CSF Tiers may define its cybersecurity risk management as having inconsistency in actions taken to respond to risks but includes awareness of how environmental security risks impact the business?
Tier 2 Risk Informed