SOX Security School Final Exam

Are you ready for your next SOX audit? Take this Final Exam to see how much you've learned about SOX compliance and whether you need to revisit SOX Security School.

1. What organization is responsible for the internal control framework required by SOX?
  1. The Securities and Exchange Commission
  2. AICPA
  3. Committee of Sponsoring Organizations
  4. FDIC
2. What standard, referred to by the recommended internal control framework, provides goals for organizing and planning all of IT?
  1. ISO17799
  2. COBIT
  3. The Common Criteria
  4. Draft FIPS Publication 200
3. What is the main purpose of ISO17799?
  1. A policy template for complying with COBIT
  2. A plan for securing your enterprise
  3. A code of practice for security
  4. A guide for SOX compliance
4. What is one of the most common mistakes in SOX compliance projects that leads to unnecessarily increased cost?
  1. Deployment of hardware authentication
  2. Perimeter security enhancements
  3. Increased log review
  4. Expansion of project scope beyond those required for SOX compliance
5. What is the minimum acceptable level of maturity of a given practice to pass a SOX audit (at this time)?
  1. Initial-ad hoc
  2. Repeatable but intuitive
  3. Defined process
  4. Managed and measurable
6. What statement most accurately describes COBIT's applicability to SOX?
  1. All COBIT control objectives are important to SOX compliance
  2. Only the Monitoring objectives are critical
  3. Only the Delivery and Support control objectives are important
  4. Important control objectives are spread throughout the standard in every section
7. What fundamental concept underlies many of the controls required by SOX?
  1. Independence of business and technical organizations
  2. Importance of perimeter controls
  3. Transparency and accountability
  4. Preventative technical controls are favored over compensating business controls
8. Of the following, what set of factors should drive an organization's security focus for SOX compliance?
  1. Common Web vulnerabilities and the risk of compromise of external sites
  2. Denial-of-service attacks and mechanisms to prevent them
  3. Authentication strength across the enterprise
  4. Risk of impact on key business systems that affect financial reporting
9. Why is information classification an important part of building an effective SOX compliance solution?
  1. It identifies the critical parties who should be involved in determining what and how resources should be secured
  2. It dictates the technical controls necessary to protect data
  3. It documents the types of attacks that could damage the corporation
  4. All of the above
10. What aspect of identity management is critical to SOX compliance?
  1. Proper notification and approval of account creation and change
  2. Appropriate separation of duties for requests, approvals and administration
  3. Support for rich reporting of account maintenance and access control changes
  4. All of the above
11. Who should be responsible for reviewing and auditing logs associated with account creation and use of financial systems?
  1. Business users of the system or application
  2. Administrators of the system or application
  3. An auditor or system administrator with no business or technical interest in the system
  4. Exclusively a non-employee of the corporation
12. Of the tasks listed, what critical aspect of identity management is facilitated most by centralized identity management products?
  1. Analysis of necessary approvals and workflow
  2. Creation and deletion of accounts
  3. Regular review and documentation of privileges
  4. Ensuring appropriate separation of duties
13. Who should be involved in approving access to systems and applications?
  1. The system administrator or custodian
  2. The business owner
  3. The proposed user's supervisor
  4. All of the above
14. Which answer best describes why change control is an important part of SOX compliance?
  1. It provides useful information regarding how in-house developed applications have been modified
  2. It helps to control who makes changes to network device configurations
  3. It provides an accurate picture of the current state of the SOX environment and the actions that were taken to create that state
  4. It allows auditors to review application use
15. What parts of a corporate environment need to be kept under change control?
  1. Identity management
  2. Network device configuration
  3. System and application configuration
  4. All of the above
16. What strategy does SOX Security School recommend in achieving SOX compliance?
  1. Apply general security principles enterprise-wide to ensure compliance
  2. Organize compliance efforts by department to allow maximum parallelism
  3. Establish a clear security policy and require compliance according to an aggressive schedule
  4. Work top down, concentrating on policies and practices affecting financial reporting
17. Of the following, which would be considered a Material Weakness and lead to an audit failure?
  1. An administrator was allowed to both create and approve users for a given application (insufficient separation of duties)
  2. Insufficient documentation that an application audit occurred
  3. Fraud was detected by external auditors and not internal auditors
  4. None of the above
18. What part of SOX compliance do most companies fall short on?
  1. Identity management
  2. Access control
  3. Change control
  4. Documentation
19. Is vulnerability management important to SOX compliance? Why or why not?
  1. No. Internal systems are protected from hackers by perimeter firewalls.
  2. Yes. Understanding the vulnerabilities of all systems helps organizations assess and address risks of compromise of SOX critical systems.
  3. Yes. Vulnerability management, consisting of scans and patch application, is all that is necessary to protect systems from compromise.
  4. No. Vulnerabilities cannot affect the integrity of financial reporting.
20. Of those listed, which tools have proven most useful in SOX compliance projects?
  1. Code review tools
  2. Security policy templates
  3. Vulnerability scanners
  4. Web portals

This was last published in June 2006