1. A security assessment is a method for proving the strength of security systems.
B. False
2. Categorizing information and information systems and then selecting and implementing appropriate security controls is part of a Risk-based approach.
3. Whereas only qualified auditors perform security audits, anyone may do security assessments.
A. True
4. NIST 800-53A provides A guide for assessing security controls.
5. Which one of the following is not a method used for conducting an assessment of security controls?
D. Remediate
6. Which of the following is an assessment method that attempts to bypass controls and gain access to a specific system by simulating the actions of a would-be attacker?
B. Penetration test
7. An IT security audit is an Independent assessment of an organization’s internal policies, controls, and activities.
8. Which of the following best describes an audit used to determine if a Fortune 500 health care company is adhering to the Sarbanes-Oxley and HIPAA regulations?
C. Compliance audit
9. The internal audit function may be outsourced to an external consulting firm.
A. True
10. Compliance initiatives typically are efforts around all EXCEPT which one of the following?
D. To adhere to an auditor’s recommendation
11. At all levels of an organization, compliance is closely related to which of the following?
A. Governance B. Risk management C. Government D. Risk assessment E. Both A and B F. Both C and D
12. Which one of the following is true in regard to audits and assessments?
A. Assessments typically result in a pass or fail grade, whereas audits result in a list of recommendations to improve controls.
B. Assessments are attributive and audits are not.
C. An audit is typically a precursor to an assessment.
D. An audit may be conducted independently of an organization, whereas internal IT staff always conducts an IT security assessment.
E. Audits can result in blame being placed upon an individual.
13. Noncompliance...