Which of the following sections of a SOC 1 Type 2 report includes the complementary subservice organization controls and the complementary user entity controls written by the service organization?
Receptors for the general senses are only located in the head.
Which office location had the most network logins from a non-U.S. IP address? [officelocation]
Which of the following statements about the COBIT 2019 domain, Evaluate, Direct and Monitor (EDM) is true?
How many times did a non-U.S. IP address log into the Main Campus – Chicago office location on a Tuesday, between 4:00am and 4:59am? If necessary, refer to the Hour/Time table in the previous question for assistance.
A company makes full backups every Friday night and partial backups on Mondays, Tuesdays, Wednesdays, and Thursdays. Based on that backup schedule, which of the following statements is true?
Many of you, if not all of you, have probably experienced a phishing email attempt by a ‘hacker’ attempting to gain access to your account. Other attempts to gain access may include brute-force attempts looking for weak passwords, or targeting dormant accounts, shared accounts, accounts that came embedded in applications or hardware (i.e., service accounts), or trying passwords that have been re-used at other sites and have been compromised. As a result, companies should use a series of processes, controls, and tools to assign and manage authorization credentials for user accounts, administrator accounts, and service accounts across the company’s assets and software. Companies that utilize such processes, controls, and tools are performing the [CISControl] control in the Center for Internet Security (CIS) v8 framework.
You are a recently hired consultant at an accounting and information systems consulting firm. The firm has been engaged by a cloud service provider to evaluate its controls and to provide recommendations as to how the company can enhance its security while also demonstrating its compliance with various security frameworks. Specifically, the company has processes/controls that enable it to identify malicious activity in its network quickly and has the ability to retain evidence of whether attacks against its network have been successful or not. Furthermore, the company has controls to help determine the extent of the attack and can use its evidence as part of follow-up investigations and incident response. The Center for Internet Security (CIS) v8 control that the company is describing is [CISControls].
Which of the following was not one of the principles used when developing the COBIT framework?
For each statement on the left, identify the appropriate change management environment name(s) from the right. An environment may be used more than once or not at all.