GRC Analyst Master Class Flashcards

Questions and Answers

What does 'Left of Boom' refer to?

• Controls to put in place if you are starting from nothing
• An entity that uses the services of a service organization
• A practitioner that reports on the internal controls at a service organization
• Identify and Protect steps of the NIST Cybersecurity Framework (correct)

What are the CIS Top 18?

• Controls to put in place if you are starting from nothing (correct)
• A series of questions for evaluating risks
• A redacted report for public sharing
• Very hard to achieve compliance

What does 'True Compliance' imply?

Very hard to do. Just because a company says they are compliant means they're probably not.

What should drive cybersecurity standards?

Audit actions should not have compliance driving cybersecurity standards.

Who must sign off on a SOC report?

CPA.

What is a vendor questionnaire?

A series of questions used to help with evaluating or assessing overall risk.

Who should have an NDA in place when viewing a SOC report?

Anyone who sees a SOC report.

What is an attestation?

Opinion.

Why conduct a SOC audit?

Audit once, report many.

Who owns the service auditor test?

Service auditor.

What organization governs audit categories and criteria exceptions?

American Institute of Certified Public Accountants (AICPA).

What is a service auditor?

A practitioner that reports on the internal controls at a service organization.

What are Complimentary Subservice Organizational Controls (CSOC)?

Controls expected to be in place at the subservice organization.

What are Complimentary User Entity Controls (CUEC)?

Controls expected to be in place at the user entity.

What is a Subservice Organization?

Used by another service organization to perform some of the services provided to user entities.

What is a User Entity?

An entity that uses the services of a service organization.

What does SOC 1 involve?

ITGC or IT generic controls and financial controls.

How do I know if I need a SOC 1?

Do I impact my customer's general ledger?

What does SOC 2 focus on?

Security as a common criteria.

What is SOC 3?

A redacted report or marketing collateral.

What does SOC 2+ bring into scope?

Brings different frameworks into scope.

What is a Type 1 report?

Point in time report.

What is a Type 2 report?

Period of time report. Gold standard is coverage of a full year.

Match the Trust Service Categories:

Security = Protection of systems Availability = Ensuring systems are operational Processing integrity = Accurate transactions Confidentiality = Protecting sensitive information Privacy = Data processing or controlling

What are the levels of system categorization according to NIST RMF?

Low, Moderate, High (A)

What does 'Assess security controls (NIST RMF)' usually entail?

Usually done by independent auditor.

Who authorizes an information system according to NIST RMF?

Someone with authority such as the CIO or system owner.

What is a CAP audit?

Correction Action Plan audit done each year.

What does the system categorization level follow?

Go with the highest level.

What is Document Control Implementations?

Reality: The system is already online.

What is NIST 800-18?

Guide for Developing Security Plans for Federal Information Systems.

What does the System Security Plan (SSP) document?

Documentation of how the controls and security is implemented for your system.

Study Notes

Cybersecurity Frameworks and Concepts

• Left of Boom: Focuses on the Identify and Protect steps of the NIST Cybersecurity Framework to avert incidents.
• CIS Top 18: Initial security controls recommended for organizations starting from scratch.
• True Compliance: Achieving genuine compliance is challenging; stated compliance often does not reflect actual status.

Audits and Reporting

• Audit Actions: Compliance should not dictate cybersecurity standards; leverage relevant controls during audits to demonstrate practices.
• SOC Report Signer: Must be signed by a Certified Public Accountant (CPA) to validate its authenticity.
• Vendor Questionnaire: Used for evaluating or assessing risks associated with vendors.
• SOC Report Viewer: Individuals accessing SOC reports must have a Non-Disclosure Agreement (NDA) in place for confidentiality.
• Attestation: Represents an opinion regarding compliance or practices.
• Why SOC: Offers efficiency through a single audit that can serve multiple reporting purposes.

Audit Governance and Roles

• Service Auditor Test: Conducted by the service auditor, ensuring adherence to controls.
• AICPA: The American Institute of Certified Public Accountants governs audit categories and criteria exceptions.
• Service Auditor: Reports on internal controls at service organizations, ensuring compliance and effectiveness.
• Complimentary Subservice Organizational Controls (CSOC): Expected controls at the subservice organization supporting user entities.
• Complimentary User Entity Controls (CUEC): Anticipated controls at the user entity that utilize services.

Service Organizations and User Entities

• Subservice Organization: Performs some services for user entities relevant to their internal control over financial reporting.
• User Entity: An organization that uses services from a service organization impacting its financial statements.

Types of SOC Reports

• SOC 1: Focuses on IT General Controls (ITGC) and financial controls.
• SOC 2: Concentrates on security as a critical criterion in assessments.
• SOC 3: A public-facing report, designed on existing audit reports, meant for marketing purposes.
• SOC 2+: Integrates various frameworks into the assessment scope.
• Type 1 Report: Evaluates conditions at a specific point in time.
• Type 2 Report: Assesses conditions over a defined period, with a full-year evaluation being the gold standard.

Trust Service Categories

• Trust Service Categories: Include Security, Availability, Processing Integrity, Confidentiality, and Privacy. Core categories are Security, Availability, and Confidentiality; specific focus depends on the scope.

NIST Risk Management Framework (RMF)

• Categorize the System: Systems categorized as low, moderate, or high; most (80%) qualify as moderate. High systems are resource-intensive.
• Assess Security Controls: Typically performed by an independent auditor to evaluate control effectiveness.
• Authorize Information System: CIO or system owner validates audit results, manages unimplemented controls through a Plan of Action and Milestones (POAM), and accepts risks before system authorization.

Miscellaneous

• CAP Audit: Conducted annually for corrective action plans to ensure compliance and security practices.
• System Categorization Level: Adopts the highest categorization for security assessments.
• Document Control Implementations: Often handled while systems are operational, signifying the need for a robust System Security Plan (SSP).
• NIST 800-18: A guideline for developing security plans for federal information systems.
• System Security Plan (SSP): A comprehensive document detailing how security controls are implemented, including rationale, serving as a living document.

Description

Test your knowledge on key terms and concepts in Governance, Risk, and Compliance (GRC) with these flashcards. This quiz covers essential frameworks like the NIST Cybersecurity Framework and CIS Top 18, and emphasizes the importance of true compliance and audit actions. Perfect for GRC professionals looking to refresh their understanding.