Which of the following statements about the COBIT 2019 domain, Evaluate, Direct and Monitor (EDM) is true?
How many times did a non-U.S. IP address log into the Main Campus – Chicago office location on a Tuesday, between 4:00am and 4:59am? If necessary, refer to the Hour/Time table in the previous question for assistance.
A company makes full backups every Friday night and partial backups on Mondays, Tuesdays, Wednesdays, and Thursdays. Based on that backup schedule, which of the following statements is true?
Many of you, if not all of you, have probably experienced a phishing email attempt by a ‘hacker’ attempting to gain access to your account. Other attempts to gain access may include brute-force attempts looking for weak passwords, or targeting dormant accounts, shared accounts, accounts that came embedded in applications or hardware (i.e., service accounts), or trying passwords that have been re-used at other sites and have been compromised. As a result, companies should use a series of processes, controls, and tools to assign and manage authorization credentials for user accounts, administrator accounts, and service accounts across the company’s assets and software. Companies that utilize such processes, controls, and tools are performing the [CISControl] control in the Center for Internet Security (CIS) v8 framework.
You are a recently hired consultant at an accounting and information systems consulting firm. The firm has been engaged by a cloud service provider to evaluate its controls and to provide recommendations as to how the company can enhance its security while also demonstrating its compliance with various security frameworks. Specifically, the company has processes/controls that enable it to identify malicious activity in its network quickly and has the ability to retain evidence of whether attacks against its network have been successful or not. Furthermore, the company has controls to help determine the extent of the attack and can use its evidence as part of follow-up investigations and incident response. The Center for Internet Security (CIS) v8 control that the company is describing is [CISControls].
Which of the following was not one of the principles used when developing the COBIT framework?
For each statement on the left, identify the appropriate change management environment(s) name from the right. An environment may be used more than once or not at all.
With all the various frameworks available to accounting professionals, it is important to know that frameworks have different audiences, subject matter, and uses. Knowing the similarities and differences among frameworks helps the professional choose the right framework for a given situation. Given the descriptions on the left, identify the appropriate framework on the right. A framework may be used more than once or not at all.
Your firm has been hired to help map a client’s control activities to the appropriate National Institute of Standards and Technology (NIST) Control Family in the NIST 800-53 framework. The client’s control is that the IT Department periodically scans the network for vulnerabilities. This control best matches the description of which of the following NIST 800-53 Control Families?
A local company has approached you to help them determine their progress/maturity toward improving their overall IT security posture. During your interviews with company personnel, you learn that the company has individuals responsible for managing and protecting the IT infrastructure along with multiple departments with differing risk profiles. This company also stores and processes sensitive data for its clients and can withstand only short interruptions in service. Because of the sensitivity of the data it stores and processes, any breach of the company’s network would be a major concern as it may lead to a loss of public confidence. The Center for Internet Security (CIS) Implementation Group (IG) that most closely matches your client’s environment is [implementationgroup].