GRC Governance, Risk, Compliance (Training Seminar for the Certified in Governance, Risk and Compliance)

Typology: Exams

2023/2024

Available from 04/24/2024

carol-njeri

GRC - CORRECT ANSWER strategy for managing an organization's overall Governance, enterprise Risk management and Compliance with regulations.
-Structured approach to aligning IT with business objectives, while effectively managing risk and meeting compliance requirements

Benefits of a well-planned GRC Strategy - CORRECT ANSWER
1) improved decision-making
2) more optimal IT investments
3) Elimination of Silos
4) Reduced Fragmentation among divisions and departments

Governance - CORRECT ANSWER ensuring that organizational activities, like managing IT operations, are aligned in a way that supports the organization's business goals

Risk - CORRECT ANSWER making sure that any risk (or opportunity) associated with organizational activities is identified and addressed in a way that supports the organization's business goals

Compliance - CORRECT ANSWER making sure that organizational activities are operated in a way that meets the laws and regulations impacting those systems

IT Governance - CORRECT ANSWER
1) The processes that ensure the effective and efficient use of IT in enabling an organization to achieve its goals
2) A move from ad hoc IT decision making to establishing formal IT governance structures that specify how IT decisions are made, carried out, reinforced, and even challenged

IT Governance Helps Assess - CORRECT ANSWER
1) Aligning IT with the enterprise and realizing promised benefits
2) Using IT to exploit opportunities and maximize benefits
3) Using IT resources responsibly
4) Managing IT risks
5) Recognizing opportunities and acting upon them

Responsibility of IT Governance - CORRECT ANSWER
-shareholders, represented by the board of directors and executive management
-Effective if implemented and accomplished throughout the organization

IT Governance Framework - CORRECT ANSWER
-describes the leadership, organization structures, and processes that ensure IT sustains and extends organizational strategies and objectives
-Includes:
1) defined roles, responsibilities, and relationships
2) Methods & processes
3) overarching philosophy or operating strategy to guide, direct, and manage IT resources

Frameworks (Professional Guidance) that help organizations learn to implement IT Governance - CORRECT ANSWER
1) ITIL
2) ISO/IEC 38500:2015
3) COBIT 5
4) COSO's ERM (enterprise risk management): Integrating Strategy & Performance

Frameworks specific for IT risks/controls - CORRECT ANSWER
-COBIT 5 (most used)
-ISO/IEC 27000 (information security management systems)
-NIST Cybersecurity Framework

COSO - CORRECT ANSWER provides a framework for controls over financial reporting, but does not provide controls specific to information technology

COBIT 5 - CORRECT ANSWER framework which provides controls for IT

COSO Internal Control Framework - CORRECT ANSWER widely adopted as the principal way to evaluate financial reporting internal controls

COSO Internal Control Framework Issues - CORRECT ANSWER
-too narrow a focus
-focusing on controls first has an inherent bias toward past problems and concerns

COSO ERM Framework - CORRECT ANSWER developed to help overcome COSO's limitations
-Focuses on risk first, then controls

COSO Control Activities (business process controls) - CORRECT ANSWER
-proper authorization of transactions and activities
-segregation of duties
-project development and acquisition controls
-change management controls
-design and use of documents and records
-safeguarding assets, records, and data
-independent checks on performance

Segregation of Financial Duties - CORRECT ANSWER
-Custodial functions
-Recording functions
-Authorization functions

Segregation of Systems Duties - CORRECT ANSWER
-system admin
-network management

ISACA's COBIT 5 Framework - CORRECT ANSWER 5 Key Principles:
1) Meeting stakeholder needs
2) Covering the enterprise end-to-end
3) Applying a single integrated framework
4) Enabling a holistic approach
5) Separating governance from management

COBIT 5 Framework - CORRECT ANSWER
-manage vulnerabilities and ensure compliance
-evaluate and optimize enterprise risk
-oversee and manage information security
-keep ahead of rapidly changing regulations
-align IT goals and strategic business objectives

Risk - CORRECT ANSWER the combination of the probability of an event and its consequence
-refers to the likelihood of being targeted and of a given attack being successful, and the general exposure to a given threat
-measuring the impact of a threat

Threat - CORRECT ANSWER any source that is capable of acting against an asset in a manner that can result in harm
-Those dangers that have the potential to cause impact if adequate controls are not in place to thwart the damage

Vulnerability - CORRECT ANSWER a security weakness in the design, implementation, operation or internal control of a process that could expose the system to adverse threats from threat events by allowing an attack to be successful

How do we mitigate risks? - CORRECT ANSWER Internal controls

Internal Control - CORRECT ANSWER a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
1) effectiveness and efficiency of operations
2) Reliability of financial reporting
3) Compliance with applicable laws and regulations

Control Activities - CORRECT ANSWER
-COSO: the policies and procedures that help ensure management directives are carried out
-COBIT: addresses IT risks

Internal Controls & Risk - CORRECT ANSWER
-controls do not eliminate risks, they mitigate risks
-provide reasonable, rather than absolute, assurance, because complete assurance is difficult or impossible to achieve and prohibitively expensive

Internal Controls Limitations - CORRECT ANSWER
-susceptible to errors and poor decisions
-can be overridden by management or by collusion of two or more employees

Determine Risk Level - CORRECT ANSWER determined by examining the likelihood of occurrence and impact

When to stop implementing controls to mitigate risk - CORRECT ANSWER when the residual risk is at an acceptable level and management is willing to formally accept the risk

Cyberinsurance - CORRECT ANSWER a way to mitigate the risk through transference to another entity
-does not mitigate the risk or transfer accountability
-can reduce the financial impact of the event

ISACA Risk Qualification - CORRECT ANSWER to qualify as a risk, a threat needs to be associated with a vulnerability that, if exploited, could negatively impact an information asset

Hacking - CORRECT ANSWER an attempt to gain unauthorized access to some element of a computer system

Social Engineering - CORRECT ANSWER an attack based on deceiving users or administrators at the target site into revealing confidential or sensitive information

Malware - CORRECT ANSWER malicious software designed to infiltrate, damage, or obtain information from a computer system without the owner's consent

Botnet (Hacking) - CORRECT ANSWER large automated and distributed network of previously compromised computers that can be simultaneously controlled to launch large-scale attacks such as a denial-of-service attack on selected victims

Data diddling (Hacking) - CORRECT ANSWER changing data with malicious intent before or during input into the system

Data Leakage (Hacking) - CORRECT ANSWER siphoning out or leaking information by dumping computer files or stealing computer reports and tapes

Denial of Service (DoS) Attack (Hacking) - CORRECT ANSWER an assault on a service from a single source that floods it with so many requests that it becomes overwhelmed and is either stopped completely or operates at a significantly reduced rate

Hijacking (Hacking) - CORRECT ANSWER an exploitation of a valid network session for unauthorized purposes

Key Logging (Hacking) - CORRECT ANSWER using software to record all keystrokes on a computer

Man in the middle (MITM) (Hacking) - CORRECT ANSWER an attack strategy in which the attacker intercepts the communication stream between two parts of the victim system and then replaces the traffic between the two components with the intruder's own, eventually assuming control of the communication

Masquerading (impersonation) (Hacking) - CORRECT ANSWER penetrating systems by using the identity of legitimate users and their login credentials

Pass-the-hash (Hacking) - CORRECT ANSWER an attacker steals a hashed user credential and, without cracking it, reuses it to trick an authentication system into creating a new authenticated session on the same network

Hash - CORRECT ANSWER a value or values created using a mathematical function

Password Cracking (Hacking) - CORRECT ANSWER a tool that tests the strength of user passwords by searching for passwords that are easy to guess. It repeatedly tries words from specially crafted dictionaries and often also generates thousands of permutations of characters, numbers and symbols

Piggybacking (Hacking) - CORRECT ANSWER following an authorized person into a restricted access area, or electronically attaching to an authorized telecommunications link to intercept and possibly alter transmissions

Phreaking (Hacking) - CORRECT ANSWER
-Traditionally: breaking into the telephone network illegally, for long distance calls
-Modern: used to include anyone who breaks or tries to break the security of any network

Podslurping (Hacking) - CORRECT ANSWER using small, portable devices to download large amounts of data on an unauthorized basis

Spamming (Hacking) - CORRECT ANSWER computer-generated messages sent as unsolicited advertising

Spoofing (Hacking) - CORRECT ANSWER faking the sending address of a transmission in order to gain illegal entry into a secure system

Targeted Attacks (Hacking) - CORRECT ANSWER attackers select a person or asset, then actively pursue and compromise the target while maintaining anonymity

Token Impersonation (Hacking) - CORRECT ANSWER mimicking a token

Token - CORRECT ANSWER a physical device that is used to authenticate a user, typically in addition to a username or password
-displays a pseudo-random number that changes every few minutes

War Dialing (Hacking) - CORRECT ANSWER software packages that sequentially dial telephone numbers, recording any numbers that answer

Eavesdropping (Social Engineering) - CORRECT ANSWER listening to a private communication without permission

Identity Theft (Social Engineering) - CORRECT ANSWER a crime where a thief steals personal information, such as full name or social security number, to commit fraud

Pharming (Social Engineering) - CORRECT ANSWER a scamming practice in which malicious code is installed on a personal computer or server, misdirecting users to fraudulent web sites

Pretexting (Social Engineering) - CORRECT ANSWER a crime where an individual lies to obtain privileged data, then establishes trust with the target individual; the attacker might ask a series of questions designed to gather key individual identifiers, such as confirmation of typical security questions

Phishing (Social Engineering) - CORRECT ANSWER a type of electronic mail attack that attempts to convince a user that the originator is genuine, but with the intention of obtaining information for use in social engineering

Shoulder Surfing (Social Engineering) - CORRECT ANSWER using observation to steal data

(Card) skimming (Social Engineering) - CORRECT ANSWER the theft of credit/debit card data and PIN numbers when the user is at an ATM or POS

Spear Phishing (Social Engineering) - CORRECT ANSWER an email-spoofing attack where an attacker masquerades as a trusted party and targets a specific organization or individual, seeking unauthorized access to sensitive information
-more likely to be conducted by perpetrators out for financial gain, trade secrets or military information

URL hijacking (Social Engineering) - CORRECT ANSWER if a user enters an address with a typo, the attacker takes advantage and directs the user to a completely different web site

URL - CORRECT ANSWER the string of characters that form a web address

Adware (Malware) - CORRECT ANSWER a software package that automatically plays, displays or downloads advertising material to a computer after the software is installed on it or while the application is being used
-done without notification or consent

Keylogger (Malware) - CORRECT ANSWER software used to record all keystrokes on a computer

Packet Sniffer (Malware) - CORRECT ANSWER
-sometimes referred to as a network monitor or network analyzer
-can be used legitimately by a network or system admin to monitor and troubleshoot network traffic

Ransomware (Malware) - CORRECT ANSWER restricts access to the compromised systems until a ransom demand is satisfied

Spyware (Malware) - CORRECT ANSWER software whose purpose is to monitor a computer user's actions and report these actions to a third party, without the informed consent of that machine's owner or legitimate user

Trojan Horse (Malware) - CORRECT ANSWER purposefully hidden malicious or damaging code within an authorized computer program
-unlike viruses, they do not replicate themselves, but they can be just as destructive to a single computer

Trap Door (Malware) - CORRECT ANSWER unauthorized electronic exit, or doorway, out of an authorized computer program into a set of malicious instructions or programs, that allows the user to bypass normal system controls

Virus (Malware) - CORRECT ANSWER a program with the ability to reproduce by modifying other programs to include a copy of itself
-may contain destructive code that can move into multiple programs, data files or devices on a system and spread through multiple systems in a network

Worm (Malware) - CORRECT ANSWER a programmed network attack in which a self-replicating program does not attach itself to programs, but rather spreads independently of users' actions