Risk Management and SOX History
44 Questions


Questions and Answers

What does the principle of confidentiality ensure?

  • Traceability of an entity's actions
  • Verification of content changes during transmission
  • Timeliness and reliability of information access
  • Protection against unauthorized access and disclosure (correct)

What does integrity in information security primarily protect against?

  • Delayed access to information
  • Unauthorized access to data
  • Unreliable authentication of messages
  • Improper modification or destruction of data (correct)

Which factor describes the incentives or pressures that lead to malicious acts?

  • Motivation (correct)
  • Accountability
  • Integrity
  • Availability

What is the role of nonrepudiation in information security?

  • Confirms the origin or receipt of a message (correct)

Which term refers to the ability to trace the actions of an individual entity?

  • Accountability (correct)

What vulnerability can arise from flaws in a system?

  • Potential exploitation for damage or delay (correct)

What does the principle of availability focus on in information security?

  • Ensuring resources are available on time (correct)

Which aspect involves a third party's ability to verify message integrity?

  • Authenticity (correct)

What was the primary goal of the Sarbanes-Oxley Act of 2002?

  • To strengthen investor confidence and restore trust in capital markets (correct)

Which section of SOX requires management to evaluate the operational effectiveness of Internal Controls over Financial Reporting?

  • Section 404(a) (correct)

Who is primarily responsible for the application of risk treatment in achieving business objectives?

  • Business Process Owners (correct)

What does Section 404(b) of SOX require regarding internal controls?

  • Attestation regarding the issuer's ICFR compliance (correct)

In the context of risk management, what does risk reduction entail?

  • Minimizing the impact of identified risks (correct)

Who has the tertiary responsibility for the oversight of compliance with legal and regulatory expectations?

  • Those Charged with Governance (correct)

Which of the following is a common method of risk transfer in project management?

  • Insuring against project-related risks (correct)

What is the secondary responsibility in evaluating risk treatment effectiveness?

  • Internal Audit (correct)

What is the primary goal of Enterprise Risk Management?

  • To identify vulnerabilities and reduce risk to an acceptable level. (correct)

Which of the following best describes 'risk avoidance'?

  • Stopping a project to prevent potential risks. (correct)

Which term refers to flaws in a system that can be exploited?

  • Vulnerability (correct)

What does 'significant deficiency' indicate in risk treatment?

  • Risks are managed without appropriate controls. (correct)

What is meant by 'uncertainty' in the context of risk management?

  • Lack of information regarding the impact and timing of an event. (correct)

Who does the Enterprise Risk Management process primarily serve?

  • Stakeholders interested in the achievement of objectives. (correct)

Which of the following is a characteristic of a 'material weakness'?

  • Indicates potential for financial misstatement. (correct)

What do compensating controls do in risk assessment?

  • Compensate for deficiencies by reducing risk exposure. (correct)

What is the primary purpose of DNS tunneling?

  • To disguise information in domain name system queries (correct)

Which of the following best describes whaling?

  • Phishing targeting individuals in senior management (correct)

What characterizes a Distributed Denial of Service (DDoS) attack?

  • It uses multiple compromised computers to flood a network (correct)

What is a zero-day exploit?

  • A flaw discovered before a patch is developed (correct)

What is deepfake technology primarily used for?

  • Producing AI-generated forgeries that can mislead (correct)

Which of the following concepts refers to misleading AI/ML systems?

  • Adversarial AI/ML (correct)

What must be done to ensure the safety of buildings regarding fire hazards?

  • Secure multiple types of fire detection and suppression systems (correct)

Where should an emergency evacuation plan be posted?

  • In a conspicuous place (correct)

What is the primary purpose of threat intelligence?

  • To help organizations understand common vulnerabilities. (correct)

What information is typically collected during manual logging of visitors?

  • Visitor's name, company, reason for visit, and times. (correct)

What is a key benefit of virtualization?

  • It allows multiple operating systems to operate on one server. (correct)

What does Mobile Device Management (MDM) primarily help with?

  • Segregating corporate and personal data on devices. (correct)

What is a major concern with Bring Your Own Device (BYOD) policies?

  • They can result in unauthorized access to sensitive data. (correct)

Which of the following best describes cloud computing?

  • On-demand access to computing resources via the internet. (correct)

What is a risk associated with signing in visitors at a front reception desk?

  • The log can be easily altered or forged. (correct)

What is a characteristic of zero-day threats?

  • They exploit unknown vulnerabilities. (correct)

What technique involves a malicious actor posing a false scenario to gain trust?

  • Pretexting (correct)

Which term refers to the method of accessing a server by hijacking a session through the client's IP address?

  • Session Hijacking (correct)

What method is characterized by trial-and-error attempts to crack passwords?

  • Brute Force (correct)

What method involves using existing stolen credentials across different applications?

  • Credential Stuffing (correct)

Study Notes

Risk Management - AUDCIS US SOX History

  • Twenty years ago, financial reporting scandals eroded investor confidence.
  • The Sarbanes-Oxley Act (SOX) of 2002 aimed to restore trust.
  • SOX 404 primarily focuses on internal controls over financial reporting (ICFR).

Evaluation of Design and Operating Effectiveness

  • Section 404(a) mandates annual evaluation of internal controls.
  • Management documents control procedures and testing.
  • Results are publicly reported in Form 10-K.

Attestation Over Effectiveness of Internal Controls

  • Section 404(b) requires auditor attestation of ICFR.

Enterprise Risk Management

  • Identifying vulnerabilities in achieving business objectives.
  • Implementing countermeasures to reduce risk.
  • Definition of Risk: Uncertainty of an event affecting objective attainment.
  • Uncertainty: Lack of information about the impact and timing of an event.

Risk Treatment

  • Risk Avoidance: Stopping a project.
  • Risk Transfer: Outsourcing a project.
  • Risk Reduction: Outsourcing part of a project.
  • Risk Sharing: Outsourcing part of a project.

Enterprise Risk Management Responsibility

  • Business Process Owners: Apply risk treatment to achieve business objectives.
  • Internal Audit: Assess the risk treatment applied by business process owners.
  • Those Charged with Governance: Oversee compliance with legal and regulatory expectations, stakeholder management and resource provision.
  • External Audit: Provide assurance to legislative and regulatory bodies.

Reportorial Requirements

  • Material Weakness: Potential for a financial misstatement.

Information Security Principles

  • Confidentiality: Restrictions against unauthorized access and disclosure.
  • Integrity: Restrictions against improper modification or destruction.
  • Availability: Protection against untimely and unreliable access.

Fraud Risk Factors

  • Motivation: Incentives and pressures driving the perpetrator's actions.
  • Rationalization: Justification for the perpetrator's actions.
  • Opportunity: Methods for the perpetrator to commit fraud, e.g., poor internal controls.

Vulnerabilities, Threats, and Attacks

  • Risk: Uncertainty affecting objective achievement.
  • Uncertainty: Lack of information about impact and timing.
  • Vulnerability: Result of flaws in a system.
  • Threat: System flaw that is exploited by malicious action.
  • Attack: Intentional malicious action to access, damage, or delay an asset.
  • IT Risk: Lack of information about the impact and timing of an event due to a system flaw.

Examples of Vulnerabilities

  • Authenticity: Verifying content hasn't changed in transit.
  • Nonrepudiation: Verifying the origin or receipt of a message.
  • Accountability: Trackable actions of an entity.
  • Network Availability: Timely and reliable IT resource access.

What Perpetrators May Use, and Their Controls

  • Unauthorized hardware/software.
  • Untrusted wireless network.
  • Use of an unsecured network.
  • Untrusted devices.

Types of Attacks

  • Malware (malicious software).
  • Viruses: Software activated to cause damage.
  • Trojans: Viruses hidden in legitimate software.
  • Worms: Viruses that replicate on their own.
  • Spyware: Secretly collects sensitive data.
  • Ransomware: Demands payment to recover data.

Social Engineering

  • Exploitation of human behavior to gain physical/security access.
  • Tailgating/piggybacking: Tagging along behind employees.
  • Eavesdropping: Listening to private communications.
  • Shoulder surfing: Physically spying on someone.
  • Brute Force: Trial-and-error password cracking.
  • Keylogging: Recording every keystroke.
  • Credential stuffing: Re-using stolen credentials.
  • Kerberoasting: Brute force attack on authentication systems.
  • Downgrading: Forcing into less secure environments.
  • Phishing: Enticing victims to share info.
  • Spear phishing: Targeted phishing attacks.
  • Whaling: Attacking top-level executives.
  • Smishing: Phishing via text messages.
  • Vishing: Phishing via phone calls.
  • Spoofing: Disguising as a trusted source.
  • Honeytrap: Luring victims into traps.
  • Domain spoofing: Disguised use of a known organization's email.
  • ARP spoofing: Disguised use of a known organization's protocol.
  • Pretexting: False scenarios to gain trust.
  • Quid pro quo: Exchanging services for sensitive data.
  • Man-in-the-middle: Altering communications between parties.
  • Session hijacking: Changing IP address to access a server.
  • Pass-the-Hash: Using stolen info.
  • DNS tunneling: Using DNS to bypass firewalls.
  • Denial-of-service (DoS): Flooding networks with malicious requests.
  • Distributed denial-of-service (DDoS): Using multiple compromised computers to launch attacks.
  • Zero-day exploits: Exploiting vulnerabilities before patches.
  • Deepfakes: AI-generated forgeries used to damage reputations and sway political landscapes.
  • Adversarial AI/ML: Exploiting AI/ML models by introducing inaccuracies.

Physical and Environmental Controls

  • Information asset protections (physical).
  • Fire and humidity hazards.
  • Disaster recovery plan.
  • Recovery time objective (RTO).
  • Recovery point objective (RPO).
  • Emergency evacuation plan.
  • Fire suppression system.

Virtualization

  • Virtualization (on-prem server): Increases efficiency by allowing multiple OSs to coexist on one piece of hardware.
  • Cloud Computing (third-party or backup server): On-demand access to computing resources.

Emerging Technologies

  • Private Branch Exchange (PBX).
  • Peer-to-Peer.
  • Voice over Internet Protocol (VoIP).
  • Wireless networks.
  • Instant messaging (IM).
  • Digital signatures.
  • Mobile (Edge) Computing.
  • Bring your own device (BYOD).
  • Internet of Things (IoT).
  • Cloud Computing (sharing computing resources).

Cloud Models

  • Private Cloud: Solely for one organization.
  • Community Cloud: Shared by several organizations.
  • Public Cloud: Available to the general public.
  • Hybrid Cloud: Composition of two or more clouds for data portability.

IT Forensics

  • Process of identifying, preserving, analyzing, and reporting digital evidence.

Related Documents

Risk Management - Audcis PDF

Description

Explore the key concepts of Risk Management and the Sarbanes-Oxley Act (SOX) in this quiz. Understand the importance of internal controls and the process of evaluating their effectiveness. Learn how these regulations impact financial reporting and risk treatment strategies.
