INMT 341 Final Exam GRC Questions

GRC

How organizations effectively manage processes, people, and technology so that they help generate value

Governace

Governing and managing processes, technology, and systems

Risk Management

Identifying and controlling the risks associated with processes, technologies, and systems

Compliance

Adhering to the laws and regulations that govern organizations

Risk

A measure of the potential for loss or damage when a threat exploits a vulnerability.

Framework

Provides general guidance on what you could do to implement security and protection

Standard

Required to demonstrate compliance with every control within.

Enterprise Risk

Any risk that could potentially affect business objectives

I&T Risk

IT-related risk that could potentially impact the business

Audit Risk

The risk that the auditor expresses an inappropriate opinion that systems are working appropriately when they are not.

Vulnerability

Weakness or flaw in an information system that potentially exposes an entity to threats.

GDPR (General Data Protection Regulation)

Any organization processing personal data of EU residents must protect personal data.

CCPA (California Consumer Privacy Act)

Mirrors GDPR for california.

PIPEDA (Personal Information Protection and Electronic Documents Act)

Canadian law mirroring GDPR

FERPA (Family Educational Rights and Privacy Act)

A federal law that regulates the management of student records and disclosure of information from those records.

FISMA (Federal Information Security Management Act)

US Federal agencies protection of Information and IT systems.

GLBA (Gramm-Leach-Bliley Act)

US financial institutions must protect privacy of personal information, safety of Internet-based products and services, fair and accurate credit transactions, anti-terrorism.

HIPAA (Health Insurance Portability and Accountability Act)

Governs healthcare organizations and partners creating, storing, and transmitting protected health information.

PCI DSS (Payment Card Industry Data Security Standard)

Entities that take credit cards must protect privacy of customer financial data.

SOX (Sarbanes-Oxley Act)

Defined to secure the public against corporate fraud and misrepresentation.

Examples of vulnerabilities

Lack of user knowledge, untested technology, unprotected communications, lack of security functionality, code flaws.

Threat Actors

entities who can create/pose a threat. They carry out actions that take advantage of vulnerabilities.

Threat

An event or condition that has the potential for causing asset loss and/or undesirable consequences or impacts. Can be intentional or accidental.

Risk equation

Threat probability * potential loss (or threat * vulnerability)

Enterprise Risk Management (ERM)

a process designed to identify potential events that may affect the entity, manage risk to be within its appetite, and to provide reasonable assurance regarding the achievement of entity objectives

Hacking

An attempt to gain unauthorized access to some element of a computer system

Social Engineering

An attack based on deceiving users or administrators at the target site into revealing confidential or sensitive information

Malware

Short for malicious software, this is software designed to infiltrate, damage, or obtain information from a computer system without the owner's consent.

SQL Injection

An attacker manipulates SQL code by entering malicious code into a query to gain access to database information in ways not intended during application design

Cross-Site Scripting (XSS)

An attacker manipulates an otherwise trusted Web site's code and injects it with malicious code. Then when unsuspecting users visits the Web site, the code is able to collect data from the user. These attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user.

Internal Control

a process designed to provide reasonable assurance regarding the achievement of company objectives related to operations, reporting, and compliance.

General Controls

controls designed to make sure an organization's information system and control environment is stable and well managed

Preventative controls

controls that deter problems before they arise

Corrective Controls

controls that identify and correct problems as well as correct and recover from the resulting errors

Detective Controls

controls designed to discover control problems that were not prevented.

Internal control objectives

- effectiveness and efficiency of operations- reliability, timeliness, transparency of information- compliance with applicable laws and regulations

Information security objectives

Confidentiality, Integrity, Availability, Authentication, Nonrepudiation

Compliance

Focuses on the data handled and stored by a company and the regulatory requirements that apply to its protection.

Effectiveness of security

If the time it takes an attacker to break through the organization's preventative controls is longer than the time it takes to detect and respond to the attack, the security is effective.

IT general controls (ITGC)

a combination of hardware, software, and manual procedures that create an overall control environment. They are essential to ensure that information systems are reliable and that behavior can be predicted, system-wide

IT application controls

specific controls unique to each computerized application, such as payroll or order processing. Apply to specific end user applications

NIST SP 800-53

Its primary goal and objective is to ensure that appropriate security requirements and security controls are applied to all U.S. Federal Government information and information management systems that aligns with the compliance law

Iso 27001

A standard that can be used to certify your system.

Identity and Access Management (IAM)

a framework of business processes, policies, and technologies that facilitates the management of electronic or digital identities. Aims to identify, authenticate, and authorize.

Discretionary Access Control (DAC)

Allows an individual complete control over any objects they own along with programs associated with those objects.

Mandatory Access Control (MAC)

The most restrictive access control model, typically found in military settings in which security is of supreme importance. Uses a hierarchical approach to control access. Access to resource objects is controlled by the settings defined by an administrator. Controlled by the operating system based on what the administrator configured in settings.

Role-Based Access Control (RBAC)

Access control based on the position an individual fills in an organization. Used when administrators need to assign rights based on organization roles instead of individual user accounts.

Attribute-based access control (ABAC)

Access control based on dynamic user, environment, or resource attributes.

Identification

The ability to identify uniquely a user of a system or an application that is running in the system

Authentication

The ability to prove that a user or application is genuinely who that person or what that application claims to be.

Token

A device that is used to authenticate a user, typically in addition to a username and password. Typically displays a pseudo random number that changes every few minutes.

Authorization

Determines what a person can access once he/she is authorized to use the system.

Principle of Least Privilege

the practice of limiting access to the minimal level that will allow normal functioning

Access Control List (ACL)

internal computerized table of access rules (permissions) regarding the levels of computer access permitted to logon IDs and computer terminals.

Logical access controls

Limits connections to computer networks, system files, and data via authenticating and authorizing users. Uses advanced password programs and advanced biometric security features.

Physical access controls

Limits access to campuses, buildings, and physical IT assets.

Change Management

Process of monitoring change requests, approving changes, documenting changes, testing changes, scheduling changes, implementing and following up on changes.

Firewall

A network security system, that uses rules to control incoming and outgoing network traffic

Intrusion Prevention System (IPS)

Uses rules to make decisions about packets, usually are "deny" rules.

Router

Hub that takes access requests and routes them to fill requests

Load Balancer

A dedicated network device that can direct requests to different servers based on a variety of factors.

Demilitarized Zone (DMZ)

a separate network located outside the organization's internal information system that permits controlled access from the internet

Server

A computer program that provides services to other computer programs (and their users) in the same computer or other computers.

Hub

Common connection point for devices in a network

Data Loss Prevention (DLP)

a strategy necessary due to insider threats. These software products use business rules to classify and protect confidential and critical information so that unauthorized end users cannot accidentally or maliciously share data whose disclosure could put the organization at risk. This helps a network administrator control what data end users can transfer, thereby reducing the likelihood that end users send sensitive or critical information outside the corporate network.

Media Access Control (MAC) address

Specifically identifies devices.

Virtual Private Network (VPN)

A secure private network that uses the public telecommunications infrastructure to transmit data. Encrypts all data that pass between two internet points, maintaining privacy and security.

log analysis

Used to record details of information system events. Detective control which involves monitoring and reviewing the logs to look for evidence of attacks.

Intrusion Detection System (IDS)

Monitors traffic at many different points, and provides visibility inti the security posture of the network.

Continuous monitoring

a detective control that involves gathering selective evidence to monitor system reliability and employee compliance with organization's information security policies on a continuous basis

Cryptography

the study of secure communications techniques that allow only the sender and intended recipient of a message to view its contents

Encryption

The process of taking an unencrypted message (plaintext), applying a mathematical function to it (encryption algorithm with a key) and producing an encrypted message (ciphertext)

Plain text

digital information that a user can read

Ciphertext

digital information unintelligible to a user

Cipher

An algorithm to perform encryption

Algorithm

a procedure or formula for solving a problem, based on performing a sequence of specified actions

Key

In cryptography, a variable value that is applied using an algorithm to a string of unencrypted text to produce encrypted text, or to decrypt encrypted text.

encryption key

A piece of information, in a digitized form, used by an encryption algorithm to convert the plaintext to the ciphertext

Key length

The size of the encryption key measured in bits.

Decryption

A technique used to recover the original plaintext from the ciphertext so that it is intelligible to the reader. The decryption is a reverse process of the encryption.

Decryption key

A digital piece of information used to recover plaintext from the corresponding ciphertext by decryption

encryption algorithm

A mathematically based function or calculation that encrypts/decrypts data

Symmetric Key Encryption

involves one key for both encryption and decryption.

asymmetric encryption

A cipher technique in which different cryptographic keys are used to encrypt and decrypt a message

Public key

everyone has access

private key

Used to decrypt (only known by owner)

Data Encryption Standard (DES)

Symmetric key encryption algorithm that was adopted by the government as a federal standard for protecting sensitive unclassified information. later replaced with Advanced Encryption Standard (AES).

Advanced Encryption Standard (AES)

a symmetric-key block cipher algorithm and U.S. government standard for secure and classified data encryption and decryption. Supports keys from 128 to 256 bits in size.

Public Key Infrastructure (PKI)

A series of processes and technologies for the association of cryptographic keys with the entity to whom those keys were issued.

digital certificate

Used to verify the trustworthiness of a website. Digital credential that provides information about the identity of an entity as well as other supporting information.

Certificate Authority

a trusted third party that validates user identities by means of digital certificates

digital signature

Used to verify the trustworthiness of information. Mathematical technique used to validate the authenticity and integrity of a message, software, or digital document. Provides proof that document has not been altered and proof of the creator.

Hash function

An algorithm that maps or translates one set of bits into another (generally smaller) so that a message yields the same result every time the algorithm is executed using the same message as input.

Disaster Recovery Plan (DRP)

A set of human, physical, technical and procedural resources to recover, within a defined time and cost, an activity interrupted by an emergency or disaster

cold site

An IS backup facility that has the necessary electrical and physical components of a computer facility, but does not have the computer equipment in place. The site is ready to receive the necessary replacement computer equipment in the event the users have to move from their main computing location to the alternative computer facility.

hot site

A fully operational offsite data processing facility equipped with both hardware and system software to be used in the event of a disaster

Business Continuity Plan

Plan used by an enterprise to respond to disruption of critical business processes.

Full backup

exact copy of an entire database

differential backup

Backs up only the files that changes since the last full backup.

Incremental backup

Backs up only the files that have changed since the last full OR incremental backup