CISA Chapter 5 - Protection of Information Assets (1)
July 17, 2024
Identification and Authorization (I&A) - ANS-the process by which the system obtains
the identity from a user and the credentials needed to authenticate the identity and then I&A
validates both pieces of information

What is the first line of defense for most systems? - ANS-I&A

Single-Sign On (SSO) - ANS-a single authentication will enable access to all authorized
applications, identity management, multifactor authentication, etc.

Risk of SSO - ANS-may enable authorized access to applications and data if a single password
is compromised

virtualization - ANS-allows multiple operating systems or guests to coexist on the same physical
server, or host, in isolation of one another; creates a layer between the hardware and the guest
OSs to manage shared processing and memory resources on the host

Peer-to-Peer computing - ANS-inherently insecure; provides direct access to systems bypassing
the network security controls, and may lead to the introduction of malicious code into an
otherwise secure environment

What type of attack can circumvent the strongest technical security? - ANS-social engineering -
the only effective control is regular user education

chain of custody 1 - ANS-in fraud investigations or legal proceedings, maintaining the integrity of
evidence throughout the evidence lifecycle

opportunity perceived - ANS-perceived where poor controls are in place

what is the most critical factor in protecting information assets and privacy? - ANS-laying the
foundation for effective information security management

COBIT 5 separates information goals into three sub dimensions of quality: - ANS-1) intrinsic
quality
2) contextual and representational quality
3) security / accessibility quality

Intrinsic quality - ANS-the extent to which data values are in conformance with the actual or true
values

objectivity - ANS-the extent to which info is unbiased, unprejudiced and impartial

believability - ANS-is info true and credible?

reputation - ANS-is info highly regarded in terms of its source or content?

Contextual and representational quality - ANS-the extent to which info is applicable to the task
of the information user and is presented in an intelligible and clear manner, recognizing that info
quality depends on the context of use

currency - ANS-the extent to which info is sufficiently up to date for the task at hand

interpretability - ANS-is the info in appropriate languages, symbols and units, with clear
definitions?

security/accessibility quality - ANS-the extent to which information is available or obtainable

Information Security Management System (ISMS) - ANS-a framework of policies, procedures,
guidelines and associated resources to establish, implement, operate, monitor, review, maintain
and improve information security for all types of orgs

computer security incident - ANS-an event adversely affecting the processing computer usage

who is responsible for the overall protection of information assets and for issuing and
maintaining the policy framework? - ANS-Executive management

who is responsible for defining the information security risk management process and
acceptable level of risk and for reviewing the security plans of the org? - ANS-security advisory
group

Who is responsible for articulating and enforcing the policies that companies use to protect their
customers' and employees' privacy rights? - ANS-Chief Privacy Officer

who is responsible for ensuring appropriate security measures are consistent with
organizational policy and are maintained? - ANS-process owners

who is responsible for conducting a risk assessment, selecting appropriate controls to mitigate
the risk to an acceptable level and accepting residual risk of an owned asset? - ANS-information
asset and data owners

information security administrator - ANS-staff level position responsible for providing adequate
physical and logical security for IS programs, data and equipment

Who provides independent assurance to management on the appropriateness and effectiveness
of information security objectives and the controls related to these objectives? - ANS-IS auditors

What is the first step in classifying assets? - ANS-taking an inventory of all assets

________________________is responsible for the information and should decide on the
appropriate classification, based on the org's data classification and handling policy. - ANS-the
information owner

If documents or media are not labeled according to a classification scheme, this is an indicator
of a potential ___________________ - ANS-misuse of information

3 key elements in the fraud triangle - ANS-1) opportunity
2) motivation
3) rationalization

motivation - ANS-a perceived financial (or other) need

rationalization - ANS-the way the fraudster justifies the crime to his/herself

opportunity - ANS-the method by which the crime is to be committed; the element for which
orgs/auditors have the most control (can be limited by security controls)

compensating controls - ANS-address the weaknesses in the existing controls through concepts
such as layered defense, increased supervision, procedural controls, or increased audits and
logging of system activity

managerial controls - ANS-oversight, reporting, procedures and operations of a process; policy,
procedures, balancing, employee development, compliance reporting

technical controls - ANS-aka logical controls; firewalls, IDS, IPS, passwords, antivirus software

physical controls - ANS-locks, fences, closed-circuit TV; physically restrict access to a facility or
hardware

control framework - ANS-a set of fundamental controls that facilitates the discharge of business
process owner responsibilities to prevent financial or information loss in an enterprise

four layers for IT assets under logical security: - ANS-1) networks
2) platforms (OSs)
3) databases
4) applications

who invokes the appropriate system access control mechanism upon receipt of a proper
authorization request from the information owner or manager to grant a specified user the rights
for access to, or use of, a protected resource? - ANS-security administrator
