Prepared by Kamal Khan, CISA,
CISSP, CITP, MBCS
1. Information security is possibly one of the most vibrant areas
in the IT sector, in which technical innovation constantly paves
the way to defeat emerging threats.
2. The attempt to execute the threat in combination with the
vulnerability is called fracking.
3. Due to a sharp increase in the number of published
vulnerabilities in 2013-14, many organizations had to set
up emergency response teams to respond to cyberthreats.
4. Cyberthreat assessment is currently recognized in the industry
as red hatting, which is the practice of viewing a problem from
an adversary’s or competitor’s perspective.
5. To make the organization more resilient against cyberthreats,
focus should be kept on addressing the root cause and not
merely fixing the security flaws discovered during the exercise.
6. The US Government Accountability Office (GAO) cites that
from 2006 to 2012, the number of cyberincidents reported by
federal agencies increased by 782 percent.
7. In November 2014, the US Office of Management and
Business (OMB) issued memorandum M-14-03 requiring all
federal departments and agencies to establish an information
security continuous measuring (ISCM) program.
8. The Continuous Asset Evaluation, Situational Awareness,
and Risk Scoring (CAESARS) reference architecture consists
of a sensor subsystem, a database/repository subsystem,
an analysis/risk-scoring subsystem, and a presentation and
9. An ISCM solution has a broad set of stakeholders (e.g., chief
information officers [CIOs], chief information security officers
[CISOs], program managers, system administrators), and
they all need to be trained to properly operate and use the
10. Ninety-two percent of data breaches are caused by employee
error, and more than 76 percent of data breaches involve
11. User activity monitoring solutions follow authenticated users
as they travel the network, access files and use applications
while also recording every keystroke, preference and option
12. Organizations need a policies and procedures document
that clearly defines what the company monitors, how that
information is used and what constitutes acceptable behavior.
13. In communicating with employees and trusted third parties,
communication is not essential to ensure that they fully
understand corporate initiatives, policies or procedures.
HENDERSON, SHEETZ AND WALLACE ARTICLE
14. A software metric provides a quantitative indication of some
attributes of software, such as size, complexity or quality.
Examples of software metrics include function points,
cyclomatic complexity and source lines of code.
15. Resistance to software metrics has resulted in inappropriate
use and high failure rates for software metric initiatives. More
than 89 percent of software metric initiatives fail within the
first 12 months.
16. The potential of software metrics to mitigate risk during the
software development process, coupled with the IS auditor’s
responsibility to ensure that the development process is timely
and cost-effective, makes the appropriate use of software
metrics a concern for IS auditors.
17. IS auditors should ensure that members of a development
team appreciate the value of software metrics. IS auditors can
accomplish this task via observation, inquiries, and taking an
active, yet independent, role in the systems development process.
18. Efforts should not only be directed toward education and
training, but also toward developing software metrics that
more practitioners perceive as predictive and prescriptive.
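Statement 14 names cyclomatic complexity and source lines of code (SLOC) as typical software metrics. The following is an added example, not code from the ISACA Journal article or from the Henderson, Sheetz and Wallace paper: it computes both metrics for a constructed Python function using the standard-library `ast` module. The sample function, the SLOC definition (non-blank, non-comment physical lines) and the set of decision points counted are this example's assumptions, chosen to match McCabe's usual definition (1 + number of decision points).

```python
import ast

# Constructed sample source for this example (not from the article). It has
# several decision points so the metrics come out non-trivial.
SAMPLE_SOURCE = '''
def classify(score, flags):
    # returns a risk label for a numeric score
    if score is None:
        return "unknown"
    label = "low"
    if score > 70 and "critical" in flags:
        label = "high"
    elif score > 40 or "exposed" in flags:
        label = "medium"
    for f in flags:
        if f == "override":
            label = "high"
    return label
'''


def source_lines_of_code(source: str) -> int:
    """Count non-blank, non-comment physical lines (one common SLOC definition)."""
    count = 0
    for line in source.splitlines():
        stripped = line.strip()
        if stripped and not stripped.startswith("#"):
            count += 1
    return count


def cyclomatic_complexity(func_node: ast.AST) -> int:
    """McCabe complexity: 1 + number of decision points inside the function.

    Decision points counted here (an assumption of this example, matching the
    usual McCabe treatment): each if/elif, each loop, each except handler,
    each conditional expression, each 'if' clause of a comprehension, and
    each additional operand of an and/or chain.
    """
    complexity = 1
    for node in ast.walk(func_node):
        if isinstance(node, (ast.If, ast.For, ast.AsyncFor, ast.While,
                             ast.IfExp, ast.ExceptHandler)):
            complexity += 1
        elif isinstance(node, ast.BoolOp):
            # 'a and b and c' adds two decision points, not one
            complexity += len(node.values) - 1
        elif isinstance(node, ast.comprehension):
            complexity += len(node.ifs)
    return complexity


def metrics_report(source: str) -> dict:
    """Return total SLOC and per-function cyclomatic complexity for a module."""
    tree = ast.parse(source)
    report = {"sloc": source_lines_of_code(source), "functions": {}}
    for node in ast.walk(tree):
        if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            report["functions"][node.name] = cyclomatic_complexity(node)
    return report


if __name__ == "__main__":
    # For SAMPLE_SOURCE: 12 SLOC; classify has complexity 8
    # (1 + four ifs + one for loop + one 'and' + one 'or').
    print(metrics_report(SAMPLE_SOURCE))
```

The point an auditor would take from running this is the one statement 16 makes: the number is only useful with an agreed definition behind it. A different SLOC convention (counting comments, or logical rather than physical lines) or a different list of decision points changes the result, so a metrics programme has to fix those definitions before comparing numbers across teams or against a threshold such as the often-cited value of 10 for cyclomatic complexity.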
Based on Volume 1, 2015—Analytics and Risk Intelligence
Value— 1 hour of CISA/CISM/CGEIT/CRISC continuing professional education (CPE) credit
TRUE OR FALSE
Take the quiz online: