11/18 Class IT Control Flashcards

1
Q

IT controls

A

IT controls prevent problems,

2
Q

IT GCC’s

A

information tech general computer controls

3
Q

application controls

A

controls that the programmers must follow and document every part of the system and that will stop bad things from happening

4
Q

Good general computer controls start

A

at the top,
good lines of authority will stop any fraud or error
segregation of duties -

5
Q

segregation of duties IT

A
keeping the programmers separate from the live environment and the development sphere; this makes it so that they can't change live data. Four people that should be separated in IT:
developers
users
security people
computer operators
6
Q

Logical/access/authentication control

A

what you know - user name and password
who you are - fingerprint, retinal scanner
what you have - token based controls, magnetic cards etc

7
Q

RSA Card

A

randomly makes a user name and constantly changes

8
Q

authentication

A

anything related to ecommerce, you need to see what is working behind the browser, look at how the browser is working and how it is secured. public key and private key keep people accountable

9
Q

the administrators

A

you must monitor these people

10
Q

project

A

if you are doing ecommerce you need to see what the controls are. we don’t care so much about what they do but how they do it and if they have good controls in place,
appendix must include references and screen shots of you testing the controls

11
Q

Change management

A

programs are out there that have version control.

12
Q

Backup/Recovery/Continuity

A

making it so that we have our data backed up and getting data when you lose it

13
Q

disaster recovery

A

how do we recover data? have data somewhere else that is easily setup to get going

14
Q

business continuity

A

making it so that my data pops up somewhere else in the event of a disaster
cold site - all we have is the data offsite
hot site - a site is already running with the other one to work when one fails (business continuity)
warm site - data offsite, arrangement with someone who has a lease on standby ready for a disaster

15
Q

Network

A

firewall, IDS, etc.

completeness and accuracy,

16
Q

intrusion detection software (IDS)

A

lets you know that someone is trying to break into the system, works with the firewall

17
Q

Encryption

A

encrypting your software so that people can’t modify it
external source - internet
internal - onsite
database level - fields and tables of data

18
Q

VPN virtual private network

A

an encrypted network where only you and the other side use it, it makes its own key
mainly for private networks

19
Q

SSL secure socket layer

A

when there is a closed secure connection with another site, uses a certificate authority to authenticate the communication
example: your site and american express
public networks

20
Q

Vulnerability

A

when we hire people to see where we are vulnerable

21
Q

Penetration

A

when we allow people to get all the way into your system and show you where you can defraud the company

22
Q

Physical Security

A

data center - offsite location to hold data
colocation facility (secure location) - separate location that holds the data as a fail safe
lots of locks and verifications

23
Q

elemental security

A

air conditioner is running (temperature control), humidity control, above ground against floods, spring to foundation, fire suppression
3 backup generators

24
Q

network operation center

A

monitor your network

25
Q

application control

A

input - what can go wrong with the input?
programmed edit checks:
field check - checking the format of input/words/numbers
validity check - testing if it is a valid input
limit check - tests if the quantity is reasonable, nothing over this
range check - gives it a range, it can be below or above this
reasonableness check - credit check, checking if someone is ordering too much or an abnormal amount
completeness check - making sure data is in a field
sign check - positive or negative number
sequence check - the next invoice has to be the one that is entered
self-checking digit - checks if the credit card is one of the ones we use

26
Q

control totals and reconciliations

A

record counts - counts to see if there were more or less than there are supposed to be
batch total - adds the amounts in a batch to see if the main total is right
hash total - random total of the numbers

27
Q

Other

A

automated authorization - when they send an authorization to someone to authorize it
auto forced SOD - only sends that authorization to someone who can’t commit fraud

28
Q

processing controls

A

run-to-run totals (internal reconciliation) - tests the transaction table vs the output
checks for duplicate transactions - checking for gaps
Logs - records who is getting in
Exception Reporting - see if something is abnormal and send it to someone to review
Checklists - operator follows a process to ensure accuracy

29
Q

output

A

testing for completeness and accuracy - test the data and its output, run transactions through
security overviewing - making sure only the right people can see it