PrepAway - Latest Free Exam Questions & Answers


Which Security and Audit Framework has been adopted by some organizations working towards Sarbanes-Oxley Section 404 compliance?


A.
Committee of Sponsoring Organizations of the Treadway Commission (COSO)

B.
Biba

C.
National Institute of Standards and Technology Special Publication 800-66 (NIST SP 800-66)

D.
CCTA Risk Analysis and Management Method (CRAMM)

Explanation:
COSO is a model for corporate governance, and COBIT is a model for IT governance. COSO operates more at the strategic level, while COBIT focuses more on the operational level. You can think of COBIT as a way to meet many of the COSO objectives, but only from the IT perspective. COSO also covers non-IT items, such as company culture, financial accounting principles, board of director responsibility, and internal communication structures. COSO was formed in 1985 to sponsor the National Commission on Fraudulent Financial Reporting (the Treadway Commission), which studied deceptive financial reports and the elements that lead to them.
Laws in place since the 1970s already made it illegal for a corporation to cook its books (manipulate its revenue and earnings reports), but it took the Sarbanes-Oxley Act (SOX) of 2002 to really put teeth into them. SOX is a U.S. federal law that, among other things, can send executives to jail if their company is found to have submitted fraudulent accounting findings to the Securities and Exchange Commission (SEC). Section 404 requires management to assess and report on the effectiveness of the company's internal control over financial reporting. The statute itself does not name a control framework, but the SEC's implementing rules require management's report to identify the framework used and recognize the COSO internal control framework as one that meets their criteria, which is why COSO is the framework most organizations adopt for Section 404 work. Companies commonly implement ISO/IEC 27000 standards and COBIT to help construct and maintain the IT portion of their COSO internal control structure.
Incorrect Answers:
B: Biba is an integrity access control model, not a security and audit framework, and is not used for Sarbanes-Oxley Section 404 compliance.
C: National Institute of Standards and Technology Special Publication 800-66 (NIST SP 800-66) is a guide to implementing the HIPAA Security Rule; it is not a framework used for Sarbanes-Oxley Section 404 compliance.
D: CCTA Risk Analysis and Management Method (CRAMM) is a risk analysis and management method, not an internal control framework, and is not used for Sarbanes-Oxley Section 404 compliance.

Harris, Shon. CISSP All-in-One Exam Guide, 6th ed. McGraw-Hill, New York, 2013, p. 59.
