Developing Cyber Risk Assessment for Organizations

ReasonableThermodynamics

28 Questions

What is the main issue with the company's IT risk management process according to the information provided?

The company does not have a defined risk appetite framework or quantify risks in financial terms.

What is the key policy requirement regarding the frequency of updating the IT risk register?

The risk register should be updated on a quarterly basis.

According to the documented policy, what should the company do to quantify IT risks?

Estimate the financial impact of each risk in monetary terms.

What is the main issue with the company's employee training and education program?

The company's training program does not cover the latest cybersecurity threats and best practices.

According to the documented policy, what is the requirement for employee training and education?

The policy requires continuous education and awareness programs to keep staff up to date on the latest security threats and best practices.

Which of the following best describes the relationship between the observed IT risk management procedure and the documented policy requirement?

The observed procedure partially adheres to the documented policy requirement.

What is the purpose of conducting random tests or simulations after training employees?

To assess if employees are implementing what they have learned in their daily work

Why is it important to review incident reports related to security breaches?

To identify potential gaps in security knowledge and awareness

What does frequently updated training reflect?

A proactive approach to security awareness

Why is it essential to evaluate follow-up mechanisms after formal training sessions?

To ensure continuous learning and reinforcement of security concepts

What is the main purpose of performing a walkthrough of an organization's IT security procedures?

Assessment of the design of control activities and processes

Who might be involved in the walkthrough of an organization's IT security procedures?

IT risk management, training and education, and human resources

What is the primary purpose of preventive controls in cyber risk management?

To stop a threat from occurring in the first place

Which type of control is an intrusion prevention system (IPS)?

Preventive

What is the purpose of firewalls in cyber risk management?

To control traffic entering and leaving a network based on predefined security rules

What is the main benefit of device and software hardening in cyber risk management?

It involves securing a system by reducing its exposure to risks

Which cybersecurity framework does COSO recommend integrating with its ERM framework?

NIST

Which authentication method is recommended for large enterprises handling sensitive data?

Biometric authentication, smart cards, or digital signatures in addition to MFA

For remote workers, which security measures are recommended?

Strong password management coupled with MFA, and VPN use

Which authentication method is specifically mentioned for the healthcare or financial industries?

Both biometric authentication and smart cards or tokens for two-factor authentication

In high-security environments like government agencies or the military, which authentication methods are mentioned?

Personal identification numbers (PINs) for hardware access, digital signatures, biometric systems, and smart cards

What is the process of verifying access to specific resources after identifying and authenticating a user called?

Authorization

In the discretionary access control (DAC) authorization model, who decides who can access a piece of data or resource?

The owner of the data or resource

What is the primary purpose of incorporating the organization's cyber risk/threat profile into its overall risk assessment?

All of the above

According to COSO, what is the recommended approach for deploying control structures to mitigate cyber risks?

Both b and c

What is the primary role of the information and communication component in COSO's cyber risk management framework?

To foster good decision making for risk management by ensuring relevant, quality information

What is the primary difference between COSO's approach and the inclusion of specific control activities?

COSO provides a framework of principles for organizations to apply to their unique cyber risk profiles, while specific control activities provide pre-defined controls

Which of the following is NOT a key recommendation from COSO for mitigating cyber risks?

Implementing a single, comprehensive control structure

Explore how to identify and incorporate cyber risk/threat profiles into an organization's overall risk assessment. Learn about industry-specific cyber threats, updating assessments, and deploying internal control responses as recommended by COSO.
