Question

#1) Select the best choice. For security controls, gap analysis involves comparing the present state of
controls with a desired state of controls. At a minimum, common baseline
security controls should be in place. Any gaps to various types of controls should
be clearly documented, for example - "Information security responsibilities",
which:

a. Defines the program to provide initial and ongoing security education across
the organization.
b. Reduces risk from known vulnerabilities being exploited.
c. Defines how staff will execute upon the policies, assign responsibilities, and
promote accountability.
d. Ensures security-related events are communicated and acted upon to allow
corrective action to be taken by security staff.

#2) Select the best choice. What type of auditing framework combines traditional operational
related audits (PCI DSS specific audit, for example) with information technology
related audits (NIST systems audit, for example)?

a. ISO/IEC 27001
b. integrated audit
c. auditing standard No. 5
d. NIST 800-53A

Answer 1

SOLUTION-(1):- (c) Defines how staff will execute upon the policies, assign responsibilities, and
promote accountability.

EXPLANATION:- "Information security responsibilities" defines how staff will execute upon the policies, assign responsibilities, and promote accountability. "Information security awareness, education and training" defines the program to provide initial and ongoing security education across the organization. "Vulnerability management" reduces risk from known vulnerabilities being exploited. "Security incident management" ensures security-related events are communicated and acted upon to allow corrective action to be taken by security staff.  

Therefore, option(c) is the correct answer and other options are wrong.

SOLUTION-(2):- (b) integrated audit

EXPLANATION:- Integrated auditing framework combines traditional operational related audits (PCI DSS specific audit) with information technology related audits (NIST systems audit). Integrated auditing is a methodology that combines the operational audit function, the financial audit function, and the Information technology audit function. In other words, we can say that an integrated audit framework recognizes the relationship between information technology, financial and operational controls in order to establish an effective and efficient internal control domain. Therefore, option(b) is the correct answer and other options are irrelevant.

=======================================================================