Page 160 - CITP Review
4.
a. Incorrect. The IT department is certainly a stakeholder in this process, but it is not
responsible for overall entity governance.
b. Incorrect. The entity’s president is a primary stakeholder responsible for day-to-day
operations, but the president is answerable to the entity’s board of directors.
c. Correct. Members of the entity’s board of directors are elected by shareholders and are
responsible for representing the owners and protecting their collective interests. As such, the
members of the board of directors are considered the highest-level stakeholders.
d. Incorrect. The CIO is certainly a stakeholder in this process, but the CIO is not the
primary stakeholder.
5.
a. Correct. Although often used as a security challenge, an individual’s place of birth is not
unique enough to be generally considered as linked information in regard to PII.
b. Incorrect. An individual’s home address is unique enough to be considered as linked
information in regard to PII.
c. Incorrect. An individual’s email address is unique enough to be considered as linked
information in regard to PII.
d. Incorrect. An individual’s date of birth is unique enough to be considered as linked
information in regard to PII.
6.
a. Incorrect. A readiness assessment is conducted after the initial consultation and design
of cybersecurity related internal controls.
b. Incorrect. A readiness assessment is conducted after the initial cybersecurity risk
assessment.
c. Incorrect. A readiness assessment is conducted after the initial vulnerability
assessment.
d. Correct. A readiness assessment is conducted to identify control and process gaps and
provide corrective action plans (CAPs) prior to, and in preparation for, a SOC for
Cybersecurity engagement.
© 2019 Association of International Certified Professional Accountants. All rights reserved. Solutions 2