SOX Security School final exam answers

1. The correct answer is: c. The Committee of Sponsoring Organizations

COSO, the Committee of Sponsoring Organizations of the Treadway Commission, published its Internal Control -- Integrated Framework to improve the quality of financial reporting through business ethics, effective internal controls and corporate governance. It is the control framework most SOX Section 404 assessments are built on.

Did you get this question wrong? Review these materials:
Article: SOX, security standards and building a compliance framework
Webcast: Ongoing SOX compliance: A security team's to-do list

2. The correct answer is: b. COBIT

COBIT, ISACA's framework for IT governance and control objectives, is the IT standard most commonly mapped onto the COSO framework when IT controls are scoped for SOX.

Did you get this question wrong? Review these materials:
Article: SOX, security standards and building a compliance framework
Webcast: Ongoing SOX compliance: A security team's to-do list

3. The correct answer is: c. ISO17799

ISO/IEC 17799 (since renumbered ISO/IEC 27002) is titled a "code of practice for information security management" and provides control examples that can be applied to a wide variety of organizations.

Did you get this question wrong? Review this article:
SOX, security standards and building a compliance framework

4. The correct answer is: d. Expansion of project scope beyond those required for SOX compliance

Many organizations make the mistake of expanding the scope of SOX compliance to every system in the enterprise, thereby diminishing the likelihood that the organization can achieve effective compliance in the most critical financial systems.

Did you get this question wrong? Review these materials:
Article: SOX, security standards and building a compliance framework
Webcast: Ongoing SOX compliance: A security team's to-do list

5. The correct answer is: c. Defined process

Auditors are likely to look for, at a minimum, a defined process for any important practice: one that is documented, repeatable and actually followed. Expect compliance requirements to become stricter over time.

Did you get this question wrong? Review these materials:
Article: SOX, security standards and building a compliance framework
Webcast: Ongoing SOX compliance: A security team's to-do list

6. The correct answer is: d. Important control objectives are spread throughout the standard in every section.

Control objectives are spread throughout the standard and must be interpreted in the context of the business and the organization; mapping them onto SOX controls is not straightforward.

Did you get this question wrong? Review these materials:
Article: SOX, security standards and building a compliance framework
Webcast: Ongoing SOX compliance: A security team's to-do list
Article: SOX reality check: Policy tools

7. The correct answer is: c. Transparency and accountability

Transparency and accountability are the most important concepts underlying SOX compliance. Transparency allows errors and attempts at fraud to be caught early. Accountability places authority and blame where it should, forcing everyone to be responsible for their actions.

Did you get this question wrong? Review this article:
SOX, security standards and building a compliance framework

8. The correct answer is: d. Risk of impact on key business systems that affect financial reporting

Organizations should conduct a risk assessment and apply their resources where the risk of inaccurate financial statements could arise.

Did you get this question wrong? Review these materials:
Article: SOX, security standards and building a compliance framework
Webcast: Ongoing SOX compliance: A security team's to-do list

9. The correct answer is: a. It identifies the critical parties who should be involved in determining what and how resources should be secured.

Information classification serves as the basis of determining what needs to be protected, who owns it, who maintains it and who uses it. These are critical components of determining who should have access to resources and how they should be protected.

Did you get this question wrong? Review this webcast:
Ongoing SOX compliance: A security team's to-do list

10. The correct answer is: d. All of the above

All of these are critical: proper notification and approval of account creation and change; appropriate separation of duties among requests, approvals and administration; and support for rich reporting of account maintenance and access control changes.

Did you get this question wrong? Review these materials:
Article: SOX reality check: Provisioning systems
Webcast: How-to guide: SOX, ID management and access control

11. The correct answer is: c. An auditor or system administrator with no business or technical interest in the system.

Auditors or reviewers must be independent, but they do not need to be external to the company. The important thing is that they derive no benefit from the access the logs record and have no stake in what the logs show.

Did you get this question wrong? Review these materials:
Article: SOX, security standards and building a compliance framework
Article: SOX reality check: Provisioning systems
Webcast: Ongoing SOX compliance: A security team's to-do list
Webcast: How-to guide: SOX, ID management and access control

12. The correct answer is: c. Regular review and documentation of privileges

While all of these tasks may be facilitated by centralized systems, regular review -- a recurring cost -- is made more efficient and is better documented by automated systems.

Did you get this question wrong? Review these materials:
Article: SOX reality check: Provisioning systems
Webcast: How-to guide: SOX, ID management and access control
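The provisioning controls in answers 10 and 12 (separation of duties among requester, approver and administrator; regular, documented review of privileges) can be checked mechanically once request tickets and a live entitlement export are available. The Python below is an added example written for this page, not code from the course or from any provisioning product: the request records, account names, entitlement names and the list of conflicting entitlement pairs are constructed sample data and assumptions, and a real review would read them from the provisioning system and the financial application.

```python
"""Periodic privilege review with separation-of-duties (SoD) checks.

Added example. The request records and entitlement names below are
constructed sample data; the field names and the conflicting-entitlement
pairs are assumptions, not an export format from any real product.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class AccessRequest:
    ticket: str
    account: str
    entitlement: str
    requester: str
    approver: str
    admin: str  # person who executed the change in the target system


@dataclass(frozen=True)
class Finding:
    kind: str  # "SOD", "UNAPPROVED" or "TOXIC"
    account: str
    entitlement: str
    detail: str


# Entitlement pairs one account must never hold together (assumed for the
# example; a real list comes from the finance process owners).
CONFLICTING_PAIRS = (
    frozenset({"AP_ENTER", "AP_APPROVE"}),
    frozenset({"GL_POST", "GL_APPROVE"}),
)


def approved_entitlements(requests):
    """Baseline: account -> entitlements that have an approved request."""
    baseline = {}
    for r in requests:
        baseline.setdefault(r.account, set()).add(r.entitlement)
    return baseline


def check_separation_of_duties(requests):
    """Requester, approver and administrator must be three different people."""
    findings = []
    for r in requests:
        roles = {"requester": r.requester, "approver": r.approver, "admin": r.admin}
        for person, count in Counter(roles.values()).items():
            if count > 1:
                held = ", ".join(role for role, who in roles.items() if who == person)
                findings.append(Finding("SOD", r.account, r.entitlement,
                                        f"{r.ticket}: {person} acted as {held}"))
    return findings


def check_live_against_baseline(live, baseline):
    """Flag entitlements present in the system that no approved request covers."""
    findings = []
    for account, ents in live.items():
        for ent in sorted(ents - baseline.get(account, set())):
            findings.append(Finding("UNAPPROVED", account, ent,
                                    "present in system, no approved request"))
    return findings


def check_toxic_combinations(live):
    """Flag accounts holding a conflicting pair of entitlements."""
    findings = []
    for account, ents in live.items():
        for pair in CONFLICTING_PAIRS:
            if pair <= ents:
                findings.append(Finding("TOXIC", account, "+".join(sorted(pair)),
                                        "conflicting entitlements held by one account"))
    return findings


def review_report(requests, live, reviewed_on):
    """Evidence record for one review cycle: what was reviewed and what was found."""
    baseline = approved_entitlements(requests)
    findings = (check_separation_of_duties(requests)
                + check_live_against_baseline(live, baseline)
                + check_toxic_combinations(live))
    return {"reviewed_on": reviewed_on.isoformat(),
            "accounts_reviewed": sorted(live),
            "findings": findings}


# Constructed sample input: three approved requests and a live entitlement export.
SAMPLE_REQUESTS = [
    AccessRequest("REQ-1001", "jsmith", "GL_POST", "jsmith", "fin_mgr", "iam_admin"),
    AccessRequest("REQ-1002", "jsmith", "AP_APPROVE", "jsmith", "jsmith", "iam_admin"),  # self-approved
    AccessRequest("REQ-1003", "akhan", "AP_ENTER", "akhan", "fin_mgr", "fin_mgr"),  # approver also executed it
]
SAMPLE_LIVE = {
    "jsmith": {"GL_POST", "AP_APPROVE"},
    "akhan": {"AP_ENTER", "AP_APPROVE"},  # AP_APPROVE was never requested
}


def run_sample():
    return review_report(SAMPLE_REQUESTS, SAMPLE_LIVE, date(2006, 2, 1))


if __name__ == "__main__":
    for f in run_sample()["findings"]:
        print(f"{f.kind:<10} {f.account:<8} {f.entitlement:<20} {f.detail}")
```

Run as a script, the sample produces four findings: two SoD violations (a self-approved request and a request whose approver also executed it), one entitlement present in the system with no approved request, and one account holding the conflicting AP_ENTER and AP_APPROVE pair. The returned report, with its review date and list of accounts covered, is the kind of dated artifact an auditor asks for as evidence that the review actually happened.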

13. The correct answer is: d. All of the above

Most organizations should involve all these parties in the approval workflow to ensure that appropriate risks are identified and understood.

Did you get this question wrong? Review these materials:
Article: SOX reality check: Provisioning systems
Webcast: How-to guide: SOX, ID management and access control

14. The correct answer is: c. It provides an accurate picture of the current state of the SOX environment and the actions that were taken to create that state.

Change control, separate from access control (b.), provides an audit trail that describes the current configuration or state, and the path taken to get there.

Did you get this question wrong? Review this webcast:
Ongoing SOX compliance: A security team's to-do list

15. The correct answer is: d. All of the above

Virtually all aspects of the SOX control environment require and benefit from change control. ID management, network devices, system and application configurations, and even policies and procedures are critical items to maintain.

Did you get this question wrong? Review this webcast:
Ongoing SOX compliance: A security team's to-do list
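Answers 14 and 15 describe change control as an audit trail that yields both the current state of a SOX system and the path taken to reach it. The Python below is an added example, not code from the course or from any change-management product: it keeps each configuration change as a record in a hash chain, reconstructs the current state by replaying the records, and rejects a change whose claimed starting value disagrees with what the ledger says, which is how an out-of-band change surfaces. The change records, ticket numbers and target names are constructed sample data, and the record layout is an assumption.

```python
"""Change-control ledger: every configuration change is appended as a
hash-chained record, so the current state of a SOX system and the path that
produced it can be reconstructed and checked for tampering.

Added example. The change records, ticket numbers and target names below are
constructed sample data; the record layout is an assumption, not any
product's change-management format.
"""
import hashlib
import json
from dataclasses import asdict, dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class ChangeRecord:
    seq: int
    timestamp: str
    actor: str
    ticket: str               # approved change ticket authorising this change
    target: str               # configuration item, e.g. "erp-db/audit_trail"
    old_value: Optional[str]
    new_value: Optional[str]  # None means the item was removed
    prev_hash: str
    hash: str


def _digest(fields):
    return hashlib.sha256(json.dumps(fields, sort_keys=True).encode()).hexdigest()


class ChangeLedger:
    GENESIS = "0" * 64

    def __init__(self):
        self.records = []

    def record(self, timestamp, actor, ticket, target, old_value, new_value):
        if not ticket:
            raise ValueError("every change must reference an approved ticket")
        known = self.current_state().get(target)
        if known != old_value:
            # The claimed starting point does not match what the ledger says the
            # item is: something changed out of band, stop and investigate.
            raise ValueError(f"{target}: ledger state {known!r} != claimed old value {old_value!r}")
        body = {"seq": len(self.records) + 1, "timestamp": timestamp, "actor": actor,
                "ticket": ticket, "target": target, "old_value": old_value,
                "new_value": new_value,
                "prev_hash": self.records[-1].hash if self.records else self.GENESIS}
        rec = ChangeRecord(**body, hash=_digest(body))
        self.records.append(rec)
        return rec

    def current_state(self):
        """Replay the ledger to obtain the present configuration."""
        state = {}
        for r in self.records:
            if r.new_value is None:
                state.pop(r.target, None)
            else:
                state[r.target] = r.new_value
        return state

    def history(self, target):
        """The path a single configuration item took to its current value."""
        return [r for r in self.records if r.target == target]

    def verify(self):
        """(True, None) if the chain is intact, else (False, seq of first bad record)."""
        prev = self.GENESIS
        for i, r in enumerate(self.records, start=1):
            body = {k: v for k, v in asdict(r).items() if k != "hash"}
            if r.seq != i or r.prev_hash != prev or _digest(body) != r.hash:
                return False, r.seq
            prev = r.hash
        return True, None


def build_sample_ledger():
    """Constructed sample: a firewall rule and two changes to a database audit setting."""
    led = ChangeLedger()
    led.record("2006-02-01T09:00:00Z", "netadmin", "CHG-101", "fw-dmz/erp-db-rule",
               None, "allow tcp 10.1.0.0/24 -> 10.2.0.5:1521")
    led.record("2006-02-03T14:30:00Z", "dba", "CHG-107", "erp-db/audit_trail", None, "DB")
    led.record("2006-02-10T11:15:00Z", "dba", "CHG-112", "erp-db/audit_trail", "DB", "DB,EXTENDED")
    return led


def tamper_demo():
    """Rewrite the actor on record 2 after the fact; verify() must catch it."""
    led = build_sample_ledger()
    led.records[1] = replace(led.records[1], actor="mallory")
    return led.verify()


if __name__ == "__main__":
    led = build_sample_ledger()
    print("chain intact:", led.verify())
    print("current state:", led.current_state())
    for r in led.history("erp-db/audit_trail"):
        print(f"  #{r.seq} {r.timestamp} {r.ticket} {r.actor}: {r.old_value!r} -> {r.new_value!r}")
    print("after tampering:", tamper_demo())
```

The chain gives the reviewer from answer 11 something to check independently: anyone can recompute the hashes and confirm that no record was altered or removed after the fact, and the `history()` view for one item is exactly the "path taken to get there" that an auditor asks for. The ledger is only evidence, not enforcement; the system being changed still has to be compared against `current_state()` to detect changes made around the process.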

16. The correct answer is: d. Work top down, concentrating on policies and practices affecting financial reporting.

The course recommends driving the SOX project and scope from the most critical financial reports and the risks that might affect them.

Did you get this question wrong? Review this webcast:
Ongoing SOX compliance: A security team's to-do list

17. The correct answer is: c. Fraud was detected by external auditors and not internal auditors.

If fraud is detected by an external auditor, particularly fraud that internal audits missed, it signifies a critical flaw in the corporation's controls and would very likely lead to a failed audit.

Did you get this question wrong? Review this webcast:
Ongoing SOX compliance: A security team's to-do list

18. The correct answer is: d. Documentation

While companies often do a good job of implementing effective controls, they frequently do not document them as thoroughly as they should. In most cases this will not cause an audit to fail, but it will require remediation.

Did you get this question wrong? Review this webcast:
Ongoing SOX compliance: A security team's to-do list

19. The correct answer is: b. Yes. Understanding the vulnerabilities of all systems helps organizations assess and address risks of compromise of SOX critical systems.

Vulnerabilities in SOX-related systems may be exploited by parties with a vested interest in committing fraud, internal employees in particular. It is critical that a company understand the security state of its most important systems.

Did you get this question wrong? Review this webcast:
How-to guide: SOX and vulnerability remediation

20. The correct answer is: d. Web portals

Communication is one of the most challenging aspects of the SOX compliance effort, particularly in large organizations. Portals help organizations share policies, project plans, schedules, documentation and other compliance information across the enterprise.

Did you get this question wrong? Review this article:
SOX reality check: Compliance management products

This was first published in February 2006
