INMT 341 Final Exam GRC Questions


131 Terms

1. GRC
How organizations effectively manage processes, people, and technology so that they help generate value.

2. Governance
Governing and managing processes, technology, and systems.

3. Risk Management
Identifying and controlling the risks associated with processes, technologies, and systems.

4. Compliance
Adhering to the laws and regulations that govern organizations.

5. Risk
A measure of the potential for loss or damage when a threat exploits a vulnerability.

6. Framework
Provides general guidance on what you could do to implement security and protection.

7. Standard
Required to demonstrate compliance with every control within it.

8. Enterprise Risk
Any risk that could potentially affect business objectives.

9. I&T Risk
IT-related risk that could potentially impact the business.

10. Audit Risk
The risk that the auditor expresses an inappropriate opinion that systems are working appropriately when they are not.

11. Vulnerability
Weakness or flaw in an information system that potentially exposes an entity to threats.

12. GDPR (General Data Protection Regulation)
Any organization processing personal data of EU residents must protect personal data.

13. CCPA (California Consumer Privacy Act)
Mirrors GDPR for California.

14. PIPEDA (Personal Information Protection and Electronic Documents Act)
Canadian law mirroring GDPR.

15. FERPA (Family Educational Rights and Privacy Act)
A federal law that regulates the management of student records and disclosure of information from those records.

16. FISMA (Federal Information Security Management Act)
Protection of information and IT systems by US federal agencies.

17. GLBA (Gramm-Leach-Bliley Act)
US financial institutions must protect the privacy of personal information, the safety of Internet-based products and services, fair and accurate credit transactions, and anti-terrorism.

18. HIPAA (Health Insurance Portability and Accountability Act)
Governs healthcare organizations and partners creating, storing, and transmitting protected health information.

19. PCI DSS (Payment Card Industry Data Security Standard)
Entities that take credit cards must protect the privacy of customer financial data.

20. SOX (Sarbanes-Oxley Act)
Defined to secure the public against corporate fraud and misrepresentation.

21. Examples of vulnerabilities
Lack of user knowledge, untested technology, unprotected communications, lack of security functionality, code flaws.

22. Threat Actors
Entities who can create/pose a threat. They carry out actions that take advantage of vulnerabilities.

23. Threat
An event or condition that has the potential for causing asset loss and/or undesirable consequences or impacts. Can be intentional or accidental.

24. Risk equation
Threat probability * potential loss (or threat * vulnerability).

25. Enterprise Risk Management (ERM)
A process designed to identify potential events that may affect the entity, manage risk to be within its appetite, and provide reasonable assurance regarding the achievement of entity objectives.

26. Hacking
An attempt to gain unauthorized access to some element of a computer system.

27. Social Engineering
An attack based on deceiving users or administrators at the target site into revealing confidential or sensitive information.

28. Malware
Short for malicious software, this is software designed to infiltrate, damage, or obtain information from a computer system without the owner's consent.

29. SQL Injection
An attacker manipulates SQL code by entering malicious code into a query to gain access to database information in ways not intended during application design.

30. Cross-Site Scripting (XSS)
An attacker manipulates an otherwise trusted Web site's code and injects it with malicious code. Then, when unsuspecting users visit the Web site, the code is able to collect data from the user. These attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser-side script, to a different end user.

31. Internal Control
A process designed to provide reasonable assurance regarding the achievement of company objectives related to operations, reporting, and compliance.

32. General Controls
Controls designed to make sure an organization's information system and control environment are stable and well managed.

33. Preventative controls
Controls that deter problems before they arise.

34. Corrective Controls
Controls that identify and correct problems as well as correct and recover from the resulting errors.

35. Detective Controls
Controls designed to discover control problems that were not prevented.

36. Internal control objectives
- Effectiveness and efficiency of operations
- Reliability, timeliness, and transparency of information
- Compliance with applicable laws and regulations

37. Information security objectives
Confidentiality, Integrity, Availability, Authentication, Nonrepudiation.

38. Compliance
Focuses on the data handled and stored by a company and the regulatory requirements that apply to its protection.

39. Effectiveness of security
If the time it takes an attacker to break through the organization's preventative controls is longer than the time it takes to detect and respond to the attack, the security is effective.

40. IT general controls (ITGC)
A combination of hardware, software, and manual procedures that create an overall control environment. They are essential to ensure that information systems are reliable and that behavior can be predicted, system-wide.

41. IT application controls
Specific controls unique to each computerized application, such as payroll or order processing. Apply to specific end-user applications.

42. NIST SP 800-53
Its primary goal and objective is to ensure that appropriate security requirements and security controls are applied to all U.S. Federal Government information and information management systems, in alignment with the compliance law.

43. ISO 27001
A standard that can be used to certify your system.

44. Identity and Access Management (IAM)
A framework of business processes, policies, and technologies that facilitates the management of electronic or digital identities. Aims to identify, authenticate, and authorize.

45. Discretionary Access Control (DAC)
Allows an individual complete control over any objects they own along with programs associated with those objects.

46. Mandatory Access Control (MAC)
The most restrictive access control model, typically found in military settings in which security is of supreme importance. Uses a hierarchical approach to control access. Access to resource objects is controlled by the settings defined by an administrator. Controlled by the operating system based on what the administrator configured in settings.

47. Role-Based Access Control (RBAC)
Access control based on the position an individual fills in an organization. Used when administrators need to assign rights based on organizational roles instead of individual user accounts.

48. Attribute-based access control (ABAC)
Access control based on dynamic user, environment, or resource attributes.

49. Identification
The ability to uniquely identify a user of a system or an application that is running in the system.

50. Authentication
The ability to prove that a user or application is genuinely who that person or what that application claims to be.

51. Token
A device that is used to authenticate a user, typically in addition to a username and password. Typically displays a pseudo-random number that changes every few minutes.

52. Authorization
Determines what a person can access once he/she is authorized to use the system.

53. Principle of Least Privilege
The practice of limiting access to the minimal level that will allow normal functioning.

54. Access Control List (ACL)
Internal computerized table of access rules (permissions) regarding the levels of computer access permitted to logon IDs and computer terminals.

55. Logical access controls
Limit connections to computer networks, system files, and data by authenticating and authorizing users. Use advanced password programs and advanced biometric security features.

56. Physical access controls
Limit access to campuses, buildings, and physical IT assets.

57. Change Management
Process of monitoring change requests, approving changes, documenting changes, testing changes, scheduling changes, implementing changes, and following up on changes.

58. Firewall
A network security system that uses rules to control incoming and outgoing network traffic.

59. Intrusion Prevention System (IPS)
Uses rules to make decisions about packets, usually "deny" rules.

60. Router
Hub that takes access requests and routes them to fill requests.

61. Load Balancer
A dedicated network device that can direct requests to different servers based on a variety of factors.

62. Demilitarized Zone (DMZ)
A separate network located outside the organization's internal information system that permits controlled access from the internet.

63. Server
A computer program that provides services to other computer programs (and their users) in the same computer or other computers.

64. Hub
Common connection point for devices in a network.

65. Data Loss Prevention (DLP)
A strategy necessary due to insider threats. These software products use business rules to classify and protect confidential and critical information so that unauthorized end users cannot accidentally or maliciously share data whose disclosure could put the organization at risk. This helps a network administrator control what data end users can transfer, thereby reducing the likelihood that end users send sensitive or critical information outside the corporate network.

66. Media Access Control (MAC) address
Specifically identifies devices.

67. Virtual Private Network (VPN)
A secure private network that uses the public telecommunications infrastructure to transmit data. Encrypts all data that passes between two internet points, maintaining privacy and security.

68. Log analysis
Used to record details of information system events. A detective control which involves monitoring and reviewing the logs to look for evidence of attacks.

69. Intrusion Detection System (IDS)
Monitors traffic at many different points and provides visibility into the security posture of the network.

70. Continuous monitoring
A detective control that involves gathering selective evidence to monitor system reliability and employee compliance with the organization's information security policies on a continuous basis.

71. Cryptography
The study of secure communications techniques that allow only the sender and intended recipient of a message to view its contents.

72. Encryption
The process of taking an unencrypted message (plaintext), applying a mathematical function to it (encryption algorithm with a key), and producing an encrypted message (ciphertext).

73. Plaintext
Digital information that a user can read.

74. Ciphertext
Digital information unintelligible to a user.

75. Cipher
An algorithm to perform encryption.

76. Algorithm
A procedure or formula for solving a problem, based on performing a sequence of specified actions.

77. Key
In cryptography, a variable value that is applied using an algorithm to a string of unencrypted text to produce encrypted text, or to decrypt encrypted text.

78. Encryption key
A piece of information, in a digitized form, used by an encryption algorithm to convert the plaintext to the ciphertext.

79. Key length
The size of the encryption key, measured in bits.

80. Decryption
A technique used to recover the original plaintext from the ciphertext so that it is intelligible to the reader. Decryption is the reverse process of encryption.

81. Decryption key
A digital piece of information used to recover plaintext from the corresponding ciphertext by decryption.

82. Encryption algorithm
A mathematically based function or calculation that encrypts/decrypts data.

83. Symmetric Key Encryption
Involves one key for both encryption and decryption.

84. Asymmetric encryption
A cipher technique in which different cryptographic keys are used to encrypt and decrypt a message.

85. Public key
Everyone has access.

86. Private key
Used to decrypt (only known by the owner).

87. Data Encryption Standard (DES)
Symmetric key encryption algorithm that was adopted by the government as a federal standard for protecting sensitive unclassified information. Later replaced with the Advanced Encryption Standard (AES).

88. Advanced Encryption Standard (AES)
A symmetric-key block cipher algorithm and U.S. government standard for secure and classified data encryption and decryption. Supports keys from 128 to 256 bits in size.

89. Public Key Infrastructure (PKI)
A series of processes and technologies for the association of cryptographic keys with the entity to whom those keys were issued.

90. Digital certificate
Used to verify the trustworthiness of a website. A digital credential that provides information about the identity of an entity as well as other supporting information.

91. Certificate Authority
A trusted third party that validates user identities by means of digital certificates.

92. Digital signature
Used to verify the trustworthiness of information. A mathematical technique used to validate the authenticity and integrity of a message, software, or digital document. Provides proof that the document has not been altered and proof of the creator.

93. Hash function
An algorithm that maps or translates one set of bits into another (generally smaller) so that a message yields the same result every time the algorithm is executed using the same message as input.

94. Disaster Recovery Plan (DRP)
A set of human, physical, technical, and procedural resources to recover, within a defined time and cost, an activity interrupted by an emergency or disaster.

95. Cold site
An IS backup facility that has the necessary electrical and physical components of a computer facility, but does not have the computer equipment in place. The site is ready to receive the necessary replacement computer equipment in the event the users have to move from their main computing location to the alternative computer facility.

96. Hot site
A fully operational offsite data processing facility equipped with both hardware and system software to be used in the event of a disaster.

97. Business Continuity Plan
Plan used by an enterprise to respond to disruption of critical business processes.

98. Full backup
Exact copy of an entire database.

99. Differential backup
Backs up only the files that have changed since the last full backup.

100. Incremental backup
Backs up only the files that have changed since the last full OR incremental backup.