1. Why do we conduct IT Security Audits?

A. To assess effectiveness of controls
B. To look for vulnerabilities in a system
C. To conduct risk assessment
D. To implement ISO 27001 controls

2. The scope of an IT audit often varies, but can involve any combination of the following:

A. Application & Security
B. Compliance & Technical
C. Organizational & Managerial
D. Regulatory & Procedural

3. In Risk Analysis, IT Security Auditors must:

A. Conduct a risk assessment
B. Carry out vulnerability assessment
C. Ensure availability of controls
D. Have knowledge of common business risks

4. An information security management system (ISMS) is a set of policies and procedures for
systematically managing an organization’s sensitive data.

True or False?

Answer: True

5. Which approach is normally used when conducting an ISMS implementation?

A. SETA
B. Access control
C. PDCA
D. PCA

6. Which of the following is a crucial step among the 6 main steps in the ISMS
implementation?

A. Risk Appetite
B. Statement of Applicability
C. Preparing Asset register
D. Security Awareness

7. To make sound decisions about information security, management must not be informed
about the various threats to an organization’s people, applications, data, and information
systems.

True or False?

Answer: False

8. Losses to assets that come from intentional or accidental actions by insiders and people
outside the organization fall into which category of Threats & Attacks?

A. Forces of Nature
B. Hacking
C. Human error or failure
D. Espionage or trespass

9. In an enterprise, cybersecurity is the sole responsibility of whom?

A. IT Department
B. CISO
C. CEO
D. All the above

10. Local security coordinators have several responsibilities in an organisation. Which of the
following is one of them?

A. Ensuring security policies are followed and any security breaches are identified
B. Ensuring that the CISO is conducting Risk Assessment properly
C. Ensuring ISO 27001 implementation is going smoothly
D. Ensuring that security controls are being implemented properly

11. IT security governance is the system by which an organization directs and controls IT
security (based on ISO 38500).

True or False?

True
Answer: ………….

12. Privacy legislation such as ________ will influence how information is stored and managed
within the enterprise and how resources are deployed to ensure that it complies with this
legislation.

A. Non-Disclosure Agreement
B. Data Protection Act
C. Service Level Agreement
D. Cybersecurity & Cybercrime Act 2021

13. Information Security Governance is doing the right thing and Information Security
Management is doing things right. If Accountability is the Governance term, which of the
following is the corresponding Management term?

A. Flexibility
B. Assurance
C. Responsibility
D. Operability

14. Overcoming difficulties in creating and sustaining a security-aware culture is a challenge
of ineffective

A. Risk Management
B. Governance
C. ISMS
D. Security

15. In Information Security Governance Best Practices, information security activities must
not be integrated into other management activities of the enterprise, including strategic
planning, capital planning, and enterprise architecture.

True or False?

Answer: False

16. Involving senior management in developing, writing and getting commitment to security
policies will help in which of the following?

A. To endorse the Risk Management framework
B. To endorse the Corrective action plan
C. To endorse the Audit Report
D. To endorse the Governance process

17. A policy is a high-level statement of an organization’s values, goals and objectives in a
specific area, and the general approach to achieving them.

True or False?

Answer: True

18. A standard is a set of detailed working instructions that will describe what, when, how
and by whom something should be done.

True or False?

Answer: False

19. A security policy should contain statements on:

A. how the enterprise will manage information assurance
B. the compliance with legal and regulatory obligations
C. none of the above
D. all of the above

20. Ensuring that users only access information, facilities or equipment for which they have
the requisite authorization can be included in which of the following policies?

A. HR policy
B. Internet Usage policy
C. Acceptable Use policy
D. Equipment Disposal policy

21. Which of the following can be triggered in case of a violation of a policy by an employee?

A. Employment termination
B. Disciplinary process
C. Both A & B
D. None of them

22. A ________ exercise should be completed before the audit or review is started and a
checklist should be developed to measure the efficacy of the assurance controls.

A. Inventory
B. Gap Assessment
C. Scoping
D. Risk Assessment

23. Once the results of an audit or review are recorded within a formal report and presented by
the reviewer to both senior management and the manager, which type of plan should be
agreed upon by both the reviewer and the senior management?

A. A governance plan
B. A security framework plan
C. A risk assessment plan
D. A corrective action plan

24. An information security strategy should normally consider the trends in threats and
vulnerabilities to potential types of incidents and areas where cost savings can be made.

True or False?

Answer: True

25. There are normally five phases in the management of an incident. Reporting, Investigation,
Corrective action, Review and:

A. Assessment
B. Planning
C. Act
D. Audit

26. Any organisation must ensure it is abiding by the requirements of the country’s ________
before providing any information to a third party, even if they are a law enforcement body.

A. ICT Act
B. Data Protection Act
C. Cybersecurity & Cybercrime Act
D. Electronic Transaction Act

27. On which online platform can Information Security Incidents be reported?

A. MAUCORS
B. M-CORS
C. Government portal
D. CSU website

28. An audit log is an example of what type of control?

A. Containment
B. Preventive
C. Detection
D. Recovery

29. To have credibility, an information assurance implementation programme has to be
______.

A. Realistic & Complex
B. Futuristic & Manageable
C. Achievable & Realistic
D. None of the above

30. An information security strategy is a plan to take the assurance function within an
organisation from the reality of where it is now, with all its problems and issues, to an
improved state in the future.

True or False?

Answer: True
