BEC IT2 Flashcards

1
Q

_____ concerns the completeness, validity, accuracy, timeliness, and authorization of system processing.

A

Processing integrity

2
Q

An organization implements an integrated package of authentication controls related to its critical systems. This is an example of:

A

Defense in depth.

3
Q

_____ concerns whether the system is operational and usable as specified in commitments and agreements.

A

Availability

4
Q

According to the AICPA ASEC, the requirement of notice related to privacy states:

A

Individuals must be told about privacy policies including why information is collected, used, retained, and disclosed.

5
Q

The AICPA Assurance Services Executive Committee (ASEC) principles and criteria can be used to evaluate:

A

(1) the controls of a system and (2) the confidentiality and privacy of the information processed by the system.

6
Q

ASEC specifies five trust services principles:

A
  1. Security—the foundation of systems reliability. Security procedures restrict access to authorized users only, protect the confidentiality and privacy of sensitive information, provide integrity of information, and protect against attacks. Security is a top management issue.
  2. Availability concerns whether the system is operational and usable as specified in commitments and agreements.
  3. Processing integrity concerns the completeness, validity, accuracy, timeliness, and authorization of system processing.
  4. Confidentiality concerns whether confidential information is protected consistent with the organization’s commitments and agreements.
  5. Privacy addresses whether the system’s collection, use, retention, disclosure, and disposal of personal information conforms to its own commitments and with criteria set forth in generally accepted privacy principles (GAPP). GAPP includes 10 subprinciples.

7
Q

Time-based model of controls

A

P > D + C: the time it takes an intruder to break through preventive controls (P) must exceed the time to detect (D) plus the time to correct (C) the attack for the system of controls to be effective.

8
Q

Defense in depth

A

The strategy of implementing multiple layers of controls to avoid having a single point of failure. Combination of firewalls, passwords, etc.

9
Q

IT detective controls include:

A
  1. Log analysis (audit log)
  2. Intrusion detection systems
  3. Managerial reports (downtime due to security issues)
  4. Security testing

10
Q

IT corrective controls include:

A
  1. Computer emergency response team (CERT)
  2. Chief security officer hired
  3. Patch management for known issues

11
Q

Assessments of cyber risk impact:

A

Should assess the likelihood and severity of impacts and should be led by senior management in consultation with business and IT stakeholders.

12
Q

Managing cyber risks requires:

A

Attempting to prevent cyber breaches while addressing those that do occur through detective and corrective controls.

13
Q

Principle 6—The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.

A

Unless management understands which systems are critical to organizational objectives and which are not, it will underallocate scarce resources to mission-critical systems and overallocate resources to unimportant systems.

14
Q

Principle 7—The organization identifies risks to the achievement of its objectives across the entity and analyzes risks in order to determine how the risks should be managed.
Principle 8—The organization considers the potential for fraud in assessing risks to the achievement of objectives.

A

Led by senior management, in collaboration with business and IT stakeholders.

15
Q

Principle 9—The organization identifies and assesses changes that could significantly impact the system of internal control.

A

Rapidly changing technologies and cyber-criminals’ quick adaptation to these changes yield new methods of exploiting system vulnerabilities.

16
Q

Principle 10—The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
Principle 11—The organization selects and develops general control activities over technology to support the achievement of objectives.
Principle 12—The organization deploys control activities through policies that establish what is expected and procedures that put policies into action.

A

Preventive, detective, and corrective controls are all essential to addressing cyber risks. Well-designed preventive controls may stop attacks from being realized by keeping intruders outside of the organization’s internal IT environment and keeping the information systems secure.

17
Q

Principle 13—The organization obtains or generates and uses relevant, quality information to support the functioning of internal control.

A

Control system data must be transformed into actionable, high-quality information that informs and communicates about the effectiveness of cyber-related controls.

18
Q

Principle 14—The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.

A

Communication about cyber risks should include all personnel, personnel responsible for managing and monitoring cyber risks and controls, and the board of directors.

19
Q

The need for a cybersecurity framework

A

The goals of the framework included creating a common language for understanding, and cost-effective means for managing, organizational cybersecurity risks without imposing regulations.

20
Q

The need for a cybersecurity framework

A

The goals of the framework included creating a common language for understanding, and cost-effective means for managing, organizational cybersecurity risks without imposing regulations. Consists of 3 parts: the core, the profile, the implementation tiers.

21
Q

Core elements of cybersecurity framework:

A
  1. Functions—cybersecurity activities, which include Identify, Protect, Detect, Respond, and Recover (the five core functions). They help manage cybersecurity risk by organizing information, enabling risk management, addressing threats, and enabling learning through monitoring.
  2. Categories—cybersecurity outcomes that link to organizational needs and activities. Examples of categories are asset management, access control, physical security, and incident detection processes.
  3. Subcategories—divide categories into specific outcomes of technical and/or management activities (high-level control goals). Examples include: Identify and catalog external information systems; Protect data at rest.
  4. (Informative) References—specific standards, guidelines, and practices that provide benchmarks and methods for achieving the control goals (i.e., outcomes) found in the subcategories.

22
Q

Complete the missing words in the following sentence: ____ are actions that implement _____.

A

Procedures, policies

23
Q

All policies, including IT policies, should:

A
  1. Be linked to the entity’s strategy and objectives
  2. Have an owner who is responsible for ensuring that the policy is operating and is updated
  3. Have a process for evolving with change
  4. Include a title, purpose, scope and context, statement of responsibilities, and time for updating

24
Q

Important IT policies:

A
  1. Values and Service Culture—What is expected of IT function personnel in their interactions with clients and others
  2. Contractors, Employees, and Sourcing—Why, when, and how an entity selects IT human resources from among employees or outside contractors
  3. Electronic Communications Use—Policy related to employee use of the Internet, intranet, email, blogs, chat rooms, and telephones
  4. Use and Connection Policy—Policy that states the entity’s position on the use of personal devices and applications in the workplace and connection to the entity’s systems.
  5. Procurement—Policy on the procurement processes for obtaining IT services
  6. Quality—Statement of IT performance standards
  7. Regulatory Compliance—Statement of regulatory requirements of IT systems
  8. Security—Policy related to guarding against physical or electronic threats to IT. May include disaster recovery preparation policies
  9. Service Management and Operational Service Problem Solving—Policies for ensuring the quality of live IT services

25
Q

E-business is

A

Business process that relies on electronic dissemination of information or on automated transaction processing. Conducted within the organization as well as between the organization and its trading partners.

26
Q

E-commerce is

A

This term is narrower than e-business and is used to refer to transactions between the organization and its trading partners.

27
Q

Types of E-commerce

A

Business-to-Business (B2B) E-Commerce
Business-to-Consumer (B2C) E-Commerce—relies heavily on intermediaries or brokers to facilitate the sales transaction.
Business-to-Employee (B2E)—involves the use of web-based technology to share information with, and interact with, an organization’s employees.
Business-to-Government (B2G)

28
Q

Risks of E-commerce:

A
  1. System availability- don’t want system to go down
  2. Security and confidentiality
  3. Authentication- must trust the person is who they say they are
  4. Nonrepudiation- audit trail that renders transaction verifiable
  5. Integrity- secure from hackers

29
Q

E-commerce models:

A
  1. Electronic Marketplaces and Exchanges—These marketplaces bring together buyers and sellers of goods who connect virtually rather than physically to one another. Ex. eBay.
  2. Viral Marketing—Organizations increasingly attempt to increase brand awareness or generate sales by inducing people to send messages to friends using social networking applications.
  3. Online Direct Marketing—Many companies now have large online presences to sell directly to consumers or other businesses. Ex. Amazon.
  4. Electronic Tendering Systems—These tendering or bidding systems allow companies to seek bids for products or services that the organizations wish to purchase. Also called “e-procurement systems.”
  5. Social Networking/Social Computing—Is concerned with how people use information systems to connect with others.

30
Q

Which of the following statements is correct concerning the security of messages in an electronic data interchange (EDI) system?

A

Encryption performed by a physically secure hardware device is more secure than encryption performed by software.

31
Q

E-commerce applications:

A
  1. Customer relationship management- retain and gain customers, analyze info to develop personalized marketing plans
  2. Electronic data interchange (EDI)
  3. Electronic funds transfer (EFT)- ATM, POS terminals, direct deposit, Paypal (token-based payments), allows transfer of funds from one bank account directly to another
  4. Supply chain management (SCM)-incorporates all activities from purchase of raw materials to sale and consumption

32
Q

Electronic data interchange (EDI)

A

Computer-to-computer exchange of business data in structured formats allowing direct processing of the data by the receiving system; EDI reduces handling costs and speeds transaction processing compared to traditional paper-based processing. EDI requires that all transactions be submitted in a specified format; translation software is required to convert transaction data from the internal company data format to the EDI format and vice versa. The vast majority of EDI transactions are still processed through value-added networks due to well-established controls, security and audit trails.

33
Q

Risk of cloud computing:

A
  1. Unauthorized cloud activity—put preventive and detective controls in place
  2. Lack of CSP transparency—only use pre-approved cloud vendors
  3. CSP reliability and performance—effective incident management procedures must be in place
  4. Cyber attack—incident management plan that considers the increased risk of attack on the CSP

34
Q

A risk management plan for cloud computing should include whom?

A

Senior management and the IT steering committee; if the risk is substantial, include the board of directors (BOD).

35
Q

According to COSO, which of the following differences relevant to the risk assessment process is most likely to exist between a large entity and a small entity?

A

The CEO of a small entity is more likely than the CEO of a large entity to be attuned to risks arising from internal factors through hands-on involvement with all levels of personnel. The engagement of the owner in a small entity is likely to improve the assessment of risks because of their hands-on involvement with all levels of personnel.

36
Q

An internal cloud is:

A

A cloud that is behind an entity’s firewall.

37
Q

A cloud computing system solution integrates which of the following elements?

A

A business process, a deployment model, and a service delivery model. Effective cloud solutions require considering and integrating a relevant business process, a deployment model and a service delivery model.

38
Q

A small accounting firm buys SaaS from a third-party CSP. As a part of this process, the accounting firm regularly requests and receives data about the system’s performance of the CSP. This is an example of managing which of the following cloud-computing risks?

A

Lack of CSP transparency

39
Q

Which of the following statements is true regarding small business computing?

A

Spreadsheets should be reviewed and tested by an independent third party.

40
Q

Which of the following critical accounting functions is most likely to be absent in a small business computing environment?

A

Authorization.

41
Q

Which of the following is an effective control related to personal computing in a small business?

A

Locking doors when offices are open and removing storage devices to secure locations.

42
Q

Small business and segregation of duties

A

Because there are too few individuals to provide for segregation of duties, incompatible functions are frequently combined. It is critical to effective control that the functions of authorization, custody of assets, and record keeping be separated. If essential, the duties of authorization and review/auditing may be combined.

43
Q

Specific Risks and Controls Related to Small-Organizational Computing

A
  1. Physical Access— make sure that doors are locked when offices are open and that removable storage devices are stored in secure locations.
  2. Logical Access—All machines should require a username and password
  3. Data Backup Procedures—Company-wide standards for backing up files should be established and enforced
  4. Program Development and Implementation—User-developed programs—which include spreadsheets and databases—should be subject to third-party review and testing
  5. Data Entry and Report Production— all work should be regularly reviewed by an independent third party.

44
Q

Mobile device risks

A
  1. Malicious applications—mobile devices are susceptible to malicious applications that contain hidden functionality to collect and transmit user data to third parties.
  2. Loss and theft—the ubiquity and portability of mobile devices makes them particularly vulnerable to loss or theft; system capabilities must enable blocking the device from accessing organizationally sensitive systems.
  3. Restricting access and permission rights—it may be desirable to allow users fewer access and permission rights on mobile devices (called view-only access).

45
Q

A data warehouse is an example of

A

Online analytical processing.

46
Q

The multi-location system structure that is sometimes called the “Goldilocks” solution because it seeks to balance design tradeoffs is

A

Distributed

47
Q

A distributed processing environment would be most beneficial in which of the following situations?

A

Large volumes of data are generated at many locations and fast access is required.

48
Q

Multi-location system structures:

A
  1. Centralized system—maintains all data and performs all data processing at a central location; slower response but higher security and consistency.
  2. Decentralized system—allows each location to maintain its own processing system and data files; most transaction processing is accomplished at the regional office, and summarized data is sent to the central office; better responsiveness but greater potential for security violations.
  3. Distributed (hybrid) system—rather than maintaining a centralized or master database at a central location, the database is distributed across the locations according to organizational and user needs; more current and complete information and better communication among remote locations (but at the extra cost of distributing the database).

49
Q

Components of a network:

A
  1. Nodes- any device connected to the network (client node, server node)
  2. Transmission media
  3. Network operating system
  4. Communications devices (modem, hub, repeaters, multiplexers, concentrators, bridges, routers, gateways)

50
Q

Transmission media

A
  1. Wire communications
    a. Copper or twisted pair—traditionally used for phone connections; the slowest, least secure (e.g., easy to tap), and most subject to interference of the wired media; the least expensive medium.
    b. Coaxial cable—faster, more secure, and less subject to interference, but slightly higher cost.
    c. Fiber optic cable—extremely fast and secure; fiber optic cable communications are based on light pulses instead of electrical impulses, and therefore are not subject to electrical interference.
  2. Wireless communications
    a. Microwave transmission—used primarily by WANs.
    b. Wi-Fi or spread-spectrum radio transmission—found in both LANs and WANs; slower than wired systems using coaxial cable or fiber optic cable.
    c. Bluetooth—uses the same radio frequencies as Wi-Fi but with lower power consumption, resulting in a weaker connection.
    d. Digital cellular (cellular digital packet data, or CDPD)—transmission of data over the cell network; used by WANs.

51
Q

Types of networks:

A
  1. Local Area Networks (LANs)- use dedicated lines
  2. Wide Area Networks (WANs)—Although WANs can vary dramatically in geographic area, most are national or international in scope.
  3. Storage Area Networks (SANs)— LANs that connect storage devices to servers
  4. Personal Area Networks (PANs)—Often a home network that links devices used by an individual or family to one another and to the Internet.
    Networks can be public or private.

52
Q

The data control protocol used to control transmissions on the Internet is

A

Transmission control protocol/Internet protocol (TCP/IP) is the protocol used by the Internet. TCP/IP is a packet-switched network protocol. The Internet is the world’s largest packet-switched network.

53
Q

Which of the following technologies is specifically designed to exchange financial information over the World Wide Web?

A

Extensible business reporting language (XBRL).

54
Q

The Internet is made up of a series of networks which include

A

Gateways to allow mainframe computers to connect to personal computers.

55
Q

Intranets and extranets

A

Intranets and extranets are private (e.g., limited access) networks built using Internet protocols. Therefore, users can access network resources through their web browser rather than a proprietary interface. This substantially reduces training time for users and system development time for programmers. Thus, intranets and extranets are rapidly replacing traditional proprietary LANs and WANs.

56
Q

Web 2.0 features

A
  1. Blog—Similar to an electronic bulletin board. An efficient way to share information.
  2. Wiki—A knowledge-sharing website developed collaboratively by a community or group, all of whom can freely add, modify, or delete content.
  3. Twitter—A micro-variation of a blog.
  4. RSS (Really Simple Syndication)/ATOM Feeds—An easy way to get news and information.
57
Q

Which of the following statements about firewalls is NOT true?

A

“Network firewall” and “application firewall” are two different names for a program designed to prevent and detect unauthorized access to the system. The name “application firewall” comes from the ability of these systems to monitor and control the execution of programs or “applications” in addition to screening messages from users. This capability makes application firewalls much more effective than simple network firewalls, which are only able to monitor communications from users, but cannot control program execution.

58
Q

Data control language used in a relational database is most likely to include commands used to control

A

Which users have various privileges relating to a database. Data definition language is more directly associated with original defining of a database.

59
Q

Major Tom’s Ground Control Flight Services uses biometrics. The control goal of the use of biometrics is:

A

Authentication

60
Q

Logical Access Control

A

Controlling electronic access to data via internal and external networks. Functions of such systems include managing user profiles, assigning identifications and authentication procedures, logging system and user activities, establishing tables that set access privileges to match users to system resources and applications, and log and event reporting. The primary controls over logical access involve user identification (authentication) and user authorization.

61
Q

User identification (authentication)

A

Normally accomplished by creating a username for each authorized user and associating the username with a unique identifier. Identifiers include passwords, security tokens (smart cards, one-time passwords), biometric controls, and multi-factor authentication (a combination of the above).

62
Q

User authorization

A

Authorization matrix or access control list (ACL) specifies each user’s access rights to programs.

63
Q

Types of firewalls:

A
  1. Network- Filters data packets based on header information (source and destination IP addresses and communication port), Very fast, Forwards approved packets to application firewall
  2. Application-Inspects data packet contents, Controls file and data availability to specific applications
64
Q

Honeypot or Honeynet

A

Server that lures hackers to a decoy system

65
Q

When designing the physical layout of a data processing center, which of the following would be least likely to be a necessary control?

A

Adequate physical layout space for the operating system.

66
Q

In an accounting system, a header can be used to

A

Identify data records

67
Q

IT facility controls are

A

General

68
Q

Which of the following statements best characterizes the function of a physical access control?

A

Separates unauthorized individuals from computer resources.

69
Q

Physical location controls:

A
  1. The computer room should be climate controlled to control and monitor heat and humidity, which can damage equipment and data files.
  2. Fire suppression systems appropriate for electrical fires should be installed.
  3. Adequacy of power and backup power systems should be periodically evaluated. Potential electrical system risks include failure (blackout), reduced voltage (brownout), sags, spikes and surges, and electromagnetic interference (EMI).
  4. Regular maintenance/monitoring, inspections by local fire departments
70
Q

Data storage on magnetic disks, tapes, USB drives:

A
  1. External labels—visually (physically) identify the disks or USB drives.
  2. Internal labels (sometimes called “header” and “trailer” records)—Read by the processing program to determine the identity of the data file.
  3. File protection rings or locks—Physically prevent the media from being overwritten.
  4. Setting file attributes—Logically restrict the ability of the user to read, write, update, and/or delete records.
71
Q

Which of the following is true regarding public/private key encryption?

A

Both the public and private keys can be used to encrypt and decrypt messages. Although public/private key technology is more secure than private key technology, there is no difference in the strength of the encryption algorithm: messages encrypted using single key encryption are no easier to crack than messages encrypted using public/private key encryption.

72
Q

Which of the following provides the most reliable form of electronic authentication?

A

Digital certificate

73
Q

What is a major disadvantage of using a private key to encrypt data?

A

Both the sender and receiver must have the private key before this encryption method will work. The private key (also known as the single key) is used both to encrypt the message (run the encryption algorithm “forward”) and decrypt (run the encryption algorithm “backward”).

74
Q

Bob sends a message using asymmetric key to Cassie. In this exchange, who holds the private key:

A

Cassie, the receiver has the private key in an asymmetric encryption.

75
Q

Encryption

A

This is the process of converting a plaintext message into a secure-coded form (ciphertext). It can provide privacy and authentication (user identification). It can protect stored (i.e., data at rest) or transmitted (i.e., data in motion) data.

The encryption algorithm is the function or formula that encrypts and decrypts (by reversal) the data.
The encryption key is the parameter or input into the encryption algorithm that makes the encryption unique. Used to decrypt data.
Key length is a determinant of strength. Longer keys are harder to decrypt.

76
Q

Symmetric Encryption

A

Also called single-key encryption, symmetric encryption uses a single algorithm and a single (private) key to both encrypt and decrypt. Fast, simple, and easy, but less secure than asymmetric encryption. Often used for data at rest.

77
Q

Asymmetric encryption

A

To acquire a public/private key pair, the user applies to a certificate authority (CA). The CA registers the public key on its server and sends the private key to the user. If the public key is used to encrypt, the private key must be used to decrypt. Safer but more complicated, often used for data in motion.

78
Q

Electronic identification methods:

A
  1. Digital signature-Use public/private key pair technology to provide authentication of the sender and verification of the content of the message
  2. Digital certificate—for transactions requiring a high degree of assurance, a digital certificate provides legally recognized electronic identification of the sender and verifies the integrity of the message content. Based on a public key infrastructure (PKI), which specifies protocols for managing and distributing cryptographic keys.
79
Q

Secure Internet Transmission Protocols:

A
  1. Secure Sockets Layer (SSL)
  2. Secure Hypertext Transfer Protocol (S-HTTP)
  3. Secure Electronic Transactions (SET)- often used in consumer purchases over the internet
  4. Virtual Private Network (VPN)
80
Q

Six-step model to create disaster recovery plan:

A
  1. Create a BCM Policy and Program— defining the scope of the BCM plan, identifying roles in this plan, and assigning roles to individuals.
  2. Understand and Evaluate Organizational Risks—Identifying the importance of activities and processes is critical to determining needed costs to prevent interruption
  3. Determine Business Continuity Strategies— define alternative methods to ensure sustainable delivery of products and services.
  4. Develop and Implement a BCM Response—Document and formalize the BCM plan.
  5. Exercise, Maintain, and Review the Plan
  6. Embed the BCM in the Organization’s Culture
81
Q

Business continuity planning importance:

A
  1. Mission critical (manufacturing, financials)
  2. Business critical (payroll, order entry)
  3. Task critical (print and file services)
82
Q

Two important goals of a DRP:

A
  1. The recovery point objective (RPO) defines the acceptable amount of data lost in an incident. Typically, it is stated in hours, and defines the regularity of backups.
  2. The recovery time objective (RTO) defines the acceptable downtime for a system. It specifies the longest acceptable time for a system to be inoperable.
83
Q

Types of backup facilities:

A
  1. Cold site (“empty shell”)—An off-site location that has all the electrical connections and other physical requirements for data processing, but does not have the actual equipment or files.
  2. Warm site—Already stocked with computer hardware similar to that of the original site, but does not contain backed-up copies of data.
  3. Hot site—Completely equipped to quickly resume data processing. All equipment plus backup copies of essential data files and programs are often at the site.
  4. Mirrored site—Fully redundant, fully staffed, and fully equipped site with real-time data replication of mission-critical systems.
  5. Reciprocal agreement—An agreement between two or more organizations (with compatible computer facilities) to aid each other.
  6. Internal site—Large organizations (e.g., Walmart) with multiple data processing centers often rely upon their own sites for backup.
84
Q

A checkpoint is used mostly in _____ systems

A

Batch processing

85
Q

_____ systems include redundancy of components.

A

Fault tolerant. Businesses rely extensively on the concept of redundant backups, i.e., having multiple backup copies.

86
Q

A company has a significant e-commerce presence and self-hosts its website. To assure continuity in the event of a natural disaster, the firm should adopt which of the following strategies?

A

Establish an off-site mirrored web server. RAID (redundant array of independent disks; originally redundant array of inexpensive disks) is a useful and relevant control in relation to a natural disaster. However, it is not the most efficient or effective way to assure the continuous delivery of IT services.

87
Q

Back-up and recovery procedures:

A
  1. “Grandfather, father, son” system—A three-generation backup procedure: the “son” is the newest version of the file; the “father” is one generation back in time; the “grandfather” is two generations back in time. Used for batch processing in a magnetic tape environment.
  2. Checkpoint and restart—Common in batch processing systems. A checkpoint is a point in data processing where processing accuracy is verified; if a problem occurs, one returns to the previous checkpoint instead of returning to the beginning of transaction processing.
  3. Rollback and recovery—Common to online, real-time processing; periodic “snapshots” are taken of the master file.
88
Q

Network-based backup:

A
  1. Remote backup service (online backup service)—An outsourcing service that provides users with an online system for backing up and storing computer files.
  2. RAID (redundant array of independent disks)—Stores the same data in different places (thus, redundantly) on multiple hard disks. Good for natural disasters.
  3. Storage Area Networks (SANs)—Replicate data from and to multiple networked sites; data is immediately available without the need to recover it.
  4. Mirroring—Maintaining an exact copy of a data set to provide multiple sources of the same information; used in e-commerce for load balancing, i.e., distributing excess demand from the primary site to the mirrored site.
89
Q

A company’s web server has been overwhelmed with a sudden surge of false requests that caused the server to crash. The company has most likely been the target of

A

A denial of service attack. A denial-of-service attack prevents legitimate users from accessing the system by flooding the server with hundreds of incomplete access requests. The object of the attack is to prevent access to the system: the attacker does not actually gain access to information on the system.

90
Q

Which of the following is a computer program that appears to be legitimate, but performs an illicit activity when it is run?

A

Trojan horse. A Trojan horse is an apparently legitimate program that contains unauthorized code that performs malicious activities when the program is run. Trojan horse programs are often used to provide a “back door” to the victim’s system.

91
Q

A type of malware designed to let the attacker bypass the normal user authentication process (e.g., enter username and password) and enter the user’s system is

A

A back door. A back door is a program that allows an unauthorized user to gain access to the system by side-stepping the normal logon procedures.

92
Q

Stagger Lee pretended to be an accountant in the payroll department to gain access to the Wichita Lineman Electrical Services Co. accounting system. This is an example of:

A

Spoofing

93
Q

The combination of these three controls would illustrate each of the core elements that are a part of a defense-in-depth strategy.

A

Training, managerial reports, and patch management. This answer illustrates a defense-in-depth strategy by combining preventive (i.e., training), detective (i.e., managerial reports), and corrective (i.e., patch management) controls.

94
Q

A manufacturing company that wants to be able to place material orders more efficiently most likely would utilize which of the following?

A

Electronic data interchange

95
Q

Which of the following is NOT an example of an e-commerce system?

A

Customer relationship management (CRM).

96
Q

Communications between trading partners in an electronic data interchange (EDI) environment are usually

A

sent through a value-added network (VAN).

97
Q

QuikStop, Inc., a local convenience store chain, is planning to install point-of-sale (POS) systems in all eight of its locations by the end of the year. In the first year or so of operation, QuikStop can reasonably expect to experience all of the following EXCEPT

A

Decreases in total inventory order costs. The reduction in lead time due to the accuracy and timeliness of the inventory records allows QuikStop to keep lower levels of inventory, thereby reducing its total inventory carrying costs.

98
Q

Which of the following best defines electronic data interchange (EDI) transactions in business applications?

A

Electronic business information is exchanged between two or more businesses.

99
Q

Which of the following is not a benefit of mobile computing?

A

Reduced usability issues. Mobile computing increases, not decreases, usability issues since systems must be redesigned for display and data entry on small screens.

100
Q

The most appropriate data-gathering techniques for a system survey include interviews, quick questionnaires, observations, and

A

Systems documentation. Creating system documentation would be an appropriate data-gathering technique for a system survey.

101
Q

After changes to a source program have been made and verified, it moves to

A

Production

102
Q

Management of a company has a lack of segregation of duties within the application environment, with programmers having access to development and production. The programmers have the ability to implement application code changes into production without monitoring or a quality assurance function. This is considered a deficiency in which of the following areas?

A

Change control. The management of changes to applications is part of the Source Program Library Management System (SPLMS).

103
Q

A brokerage firm has changed a program so as to permit higher transaction volumes. After proper testing of the change, the revised programs were authorized and copied to the production library. This practice is an example of

A

Change control. The practice of authorizing changes, approving test results, and copying developmental programs to a production library is program change control.

104
Q

Source code programs are normally maintained in a library under secure storage by a file librarian off-site. How are these new programs developed or old programs modified?

A

SPLMS (source program library management system) manages the migration from the application development test environment to the active production library. SPLMS ensures that only valid changes are made to the system.

105
Q

Levels of documentation for programs (4):

A
  1. Systems Documentation—Overviews the program and data files; used primarily by systems developers; can be useful to auditors.
  2. Program Documentation—A detailed analysis of the input data, the program logic, and the data output; used primarily by programmers; an important resource if the original programmer is unavailable.
  3. Operator Documentation (also called the “Run Manual”)—Provides the information necessary to execute the program, such as the required equipment; used exclusively by the computer operators.
  4. User Documentation—Describes the system from the point of view of the end user.
106
Q

Forms of documentation:

A
  1. Questionnaires
  2. Narratives—Text descriptions of processes.
  3. Data Flow Diagrams (DFDs)—Often used in developing new systems; use simple, user-friendly symbols (unlike flowcharts).
  4. Flowcharts—Often used to evaluate controls in a system; too complicated and technical for some users. DFDs are easier to understand.
  5. Entity-Relationship (E-R) Diagrams
  6. Decision Tables—Depict logical relationships in a processing system by identifying the decision points and processing alternatives.
107
Q

Which of the following input controls would prevent an incorrect state abbreviation from being accepted as legitimate data?

A

Validity check. A validity check compares the value entered in a field to a list of valid data values. An error message is displayed if the value is not found on the list.

108
Q

Which of the following controls is not usually found in batch processing systems?

A

Closed loop verification is an input control associated with online real-time systems.

109
Q

A customer notified a company that the customer’s account did not reflect the most recent monthly payment. The company investigated the issue and determined that a clerk had mistakenly applied the customer’s payments to a different customer’s account. Which of the following controls would help to prevent such an error?

A

Closed loop verification

110
Q

An employee mistakenly enters April 31 in the date field. Which of the following programmed edit checks offers the best solution for detecting this error?

A

Reasonableness.

111
Q

Application controls (concern the accuracy, validity and completeness of data processing in specific application programs):

A
  1. Input and origination controls—Control over data entry and the data origination process.
  2. Processing and file controls—Controls over processing and files, including the master file update.
  3. Output controls—Control over the production of reports.
  Not all controls work with all processing methods (batch vs. OLRT).
112
Q

Control objectives:

A
  1. Valid—All transactions are appropriately authorized; no fictitious transactions; no duplicate transactions.
  2. Complete—All transactions have been captured; there are no missing transactions.
  3. Accurate—All data has been correctly transcribed; all account codes are valid; all data fields are present; all data values are appropriate.
113
Q

Missing data check

A

The simplest type of test; it checks only to see that something has been entered into the field.

114
Q

Field check (data format/type check)

A

Verifies that the data entered is of an acceptable type—alphabetic, numeric, a certain number of characters, etc.

115
Q

Limit test

A

Checks to see that a numeric field does not exceed a specified value; for example, the number of hours worked per week is not greater than 60. (Range test, sign test)

116
Q

Valid code test (validity test)

A

Checks to make sure that each account code entered into the system is a valid (existing) code; this control does not ensure that the code is correct, merely that it exists. In a database system, this is called referential integrity.

117
Q

Check digit

A

Designed to ensure that each account code entered into the system is both valid and correct. The check digit is a number created by applying an arithmetic algorithm to the digits of a number, for example, a customer’s account code. The algorithm yields a single digit appended to the end of the code. Whenever the account code (including check digit) is entered, the computer recalculates the check digit and compares the calculated check digit to the digit entered. (Ex. parity check)

118
Q

Reasonableness check (logic test)

A

Checks to see that data in two or more fields is consistent. For example, a rate of pay value of “$3,500” and a pay period value of “hourly” may be valid values for the fields when the fields are viewed independently; however, the combination (an hourly pay rate of $3,500) is not valid.

119
Q

Sequence check

A

Verifies that all items in a numerical sequence (check numbers, invoice numbers, etc.) are present.

120
Q

Key verification

A

Key verification is generally found in batch systems, but can be used in online real-time environments as well. For example, consider the process required to change a password: enter the old password, enter the new password, and then re-enter (i.e., key verify) the new password.

121
Q

Closed loop verification

A

After the code is entered, this system looks up and displays additional information about the selected code. For example, the operator enters a customer code, and the system displays the customer’s name and address. Available only in online real-time systems.

122
Q

Batch control totals

A

Manually calculated totals of various fields of the documents in a batch. Batch totals are compared to computer-calculated totals and are used to ensure the accuracy and completeness of data entry.

123
Q

Preprinted or preformatted screens

A

Reduce the likelihood of data entry errors by organizing input data logically.

124
Q

Default values

A

Pre-supplied (pre-filled) data values for a field when that value can be reasonably predicted.

125
Q

Automated data capture

A

Use of automated equipment such as bar code scanners to reduce the amount of manual data entry.

126
Q

A poor quality connection caused extensive line noise, resulting in faulty data transmission.

Which of the following controls is most likely to detect this condition?

A

Parity check. A parity check is designed to detect errors in data transmission.

127
Q

More than one file may be stored on a single magnetic disc. Several programs may be in the core storage unit simultaneously. In both cases it is important to prevent the mixing of data. One way to do this is to use

A

Boundary protection. The primary purpose of boundary protection is to prevent the mixing of data on a magnetic memory disc and in a core storage unit.

128
Q

Processing controls (file updates are complete and accurate):

A
  1. Run-to-Run Controls—Totals of processed transactions are reconciled to batch totals; any difference indicates an error. Also called “control totals.”
  2. Internal Labels (“Header” and “Trailer” Records)—Used primarily in batch processing; electronic file identification allows the update program to determine that the correct file is being used.
  3. Audit Trail Controls—Each transaction is written to a transaction log as the transaction is processed; the transaction logs become an electronic audit trail.
129
Q

Types of files:

A
  1. Master files—Updated by postings to transaction files.
  2. Standing data—A subcategory of master file that consists of infrequently changing master files.
  3. Transaction files—The basis for updating master files.
  4. System control parameter files—Determine the workings of the system, including its error characteristics.
130
Q

Primary goal of data control:

A

To ensure that access to, change of, or destruction of data and storage media is authorized.

131
Q

File controls:

A
  1. Parity Check (Parity Bit)—A 0 or 1 added to a byte of information so that the sum of the bits is odd or even.
  2. Read after Write Check—Verifies that data was written correctly to disk.
  3. Echo Check—Verifies that transmission between devices is accurate by “echoing back” what was received.
  4. Error Reporting and Resolution—Ensures that generated errors are reported and resolved by individuals who are independent of the initiation of transactions (segregation of duties).
  5. Boundary Protection
  6. Internal Labels (“Header” and “Trailer” Records)—Used primarily in batch processing.
  7. External Labels—Labels on removable storage.
  8. Version Control—Ensures the correct file version is used in processing.
  9. File Access and Updating Controls—Ensure that only authorized, valid users can access and update files.
132
Q

Output controls:

A
  1. Spooling (print queue) controls—Jobs sent to a printer that cannot be printed immediately are spooled.
  2. Disposal of aborted print jobs
  3. Distribution of reports
  4. End user controls—For particularly critical control totals, or where end users have created systems, perform checks of processing totals and reconcile report totals.
  5. Logging and archiving of forms, data, and programs—Should be in a secure, off-site location.
  6. Record retention and disposal
133
Q

In applying COSO to cyber risks, managing cyber risks should begin with:

A

Identifying system value

134
Q

A manufacturing company discovers that its rollback and retention procedures do not include data from a key system related to production quality. Which of the following IT policies should address this violation?

A

Security. This problem relates to disaster recovery preparation, which means that the relevant IT policy is security.

135
Q

Which of the following statements is correct concerning the security of messages in an electronic data interchange (EDI) system?

A

Encryption performed by a physically secure hardware device is more secure than encryption performed by software.