Ch. 4 Flashcards
Which areas should be included in cybersecurity risk assessment?
- identity management
- end-user education
- disaster recovery/business continuity planning
What are examples of technology used to protect against the risk of cyber attacks?
- malware protection
- firewalls
- domain name system (DNS) filtering
- antivirus software
- email security solutions
Malware protection, along with next-generation firewalls, DNS (domain name system) filtering, antivirus software, and email security solutions, is an example of technology used to protect against the risk of cyber attacks.
Users should have update access for production ____.
data
Application programmers and users should not be able to change production _____.
programs
Application programmers should NEVER have update access to production ______.
data
Who submits changes to the change control unit to update programs?
Application programmers submit changes to the change control unit.
What is one-for-one checking?
involves retaining copies of all unnumbered documents submitted for processing and checking them off individually against a report of transactions processed.
What type of control do batch totals require?
numerical control
Computer sequence checks require that transactions be _______.
numbered
Is computer matching performed by the program or by the user?
program
What is a smart card?
A smart card continuously generates new and unique passwords, helping to minimize the risk of unauthorized access.
Who are the intended users of SOC 1 reports?
management of the service organization, user entities, and user auditors
Who are the intended users of SOC 2 reports?
Parties that are knowledgeable about the nature of the service provided by the service organization. Restricted.
Who are the intended users of SOC 3 reports?
no restrictions and can be distributed to anyone
Who is responsible for planning and providing oversight of the information systems function?
information systems steering committee
What is fail-soft protection?
The capability to continue processing at all sites except a nonfunctioning one
What is an example of strategic information system?
computer system that converts the inputs into data that allows management to make unstructured decisions concerning the company’s future
What is Customer relationship management (CRM)?
- cloud-based system
- stores customer and prospect contact information, accounts, leads and sales opportunities
- stored in one central database
- CRM refers to practices, strategies, and technologies that businesses use to interact, analyze, forecast, and manage customer relationships, trends, and behaviors.
What system assists with nonroutine decisions, serves strategic levels of the organization, and helps answer questions regarding what a company’s competitors are doing, as well as identifies new acquisitions that would protect the company from cyclical business swings?
Executive support system
The word “strategic” tells you this system provides information at a high level, the executive level.
In a microcomputer system, the place where parts of the operating system program and language translator program are permanently stored is _____?
read-only memory (ROM)
ROM may only be read from to prevent these important programs from being accidentally altered or deleted.
What is the central element of a Management Information System (MIS)? The use of what?
The use of decision models to organize data
What are the 5 Trust Services criteria? (aka principles)
Security, availability, processing integrity, privacy, confidentiality
What are disk and magnetic tapes?
Storage devices
What is a bar coding device?
Data entry device used with an optical character reader
What is magnetic ink character recognition?
Most often used by banks to read the magnetic ink on checks and deposit slips
To minimize the likelihood of computer viruses infecting any of its systems, the company should also do what when installing software?
test all new software on a stand-alone PC before installing it on networked computers in the system.
What is a digital signature primarily used to determine?
that a message is unaltered in transmission.
allows the creator of a message to digitally “sign” the data and provides proof of authorization
What position performs the following: developing, coding, and testing computer programs?
systems analysts
An advantage of decentralizing data processing facilities is:
that system failure is of lesser significance.
What are all of the components of the data processing cycle?
Collection, refinement, processing, maintenance, output
The usual definition of the data processing cycle (DPC) is “input-processing-output.” The correct answer substitutes the term “collection” for “input.” Refinement refers to classifying and/or batching. Maintenance refers to processing-related operations such as calculation and storage.
The concept of a management information system (MIS) continues to evolve over time. Which of the following is generally understood to be a central element of an MIS?
Processing of data items is based on decision models.
An information system should fulfill all of the following functions:
- safeguard an organization’s assets and data.
- ensure that the information produced is reliable and accurate.
- collect and store data.
Text-mining technology
(not data mining) enables entities to analyze text data from the web, comment fields, books, and other text-based sources to uncover insights not previously identified. Text mining uses machine learning or natural language processing technology to comb through documents such as emails, blogs, and Twitter feeds to analyze large amounts of information and discover new topics and term relationships. Data mining technology helps examine large amounts of data to discover patterns.
Hadoop:
a free, open-source software framework that stores large amounts of data
Predictive analytics technology:
uses data, statistical algorithms, and machine-learning techniques to identify the likelihood of future outcomes based on historical data
Big data:
a term that describes the large volume of diverse and complex data available to businesses on a day-to-day basis
In terms of the overall success of the internal control system, human resource policies can be said to:
be relevant to the internal control system’s goal of employee satisfaction.
The human resources department allows employees to make some payroll-related changes, such as new withholdings, changes in retirement allocations, and name changes. This empowers employees and increases morale and employee satisfaction.
Statement of Financial Accounting Concepts (SFAC) 1, paragraph 34, Objectives of Financial Reporting by Business Enterprises, states:
“Financial reporting should provide information that is useful to present and potential investors and creditors and other users in making rational investment, credit, and similar decisions.” Thus, the objectives of financial reporting are based on user needs.
To develop and implement a systems reliability plan, an organization’s IT governance should assign plan responsibility and accountability to whom?
top-level IT manager
What are the five Trust Services criteria?
Security, availability, processing integrity, privacy, confidentiality (SAPPC)
COBIT helps to do what 3 things?
- balance risk and controls in information systems,
- provides assurance that security and IT controls are adequate, and
- guides auditors and internal controls.
Business processes are composed of which of the following items?
- input(s),
- actor(s) (either automated, like a computer, or an actual person),
- the actual activity or process that transforms the input(s), and
- output(s) (the final result)
What is the difference between these systems?
- strategic information system
- transaction processing system
- office automation system
- decision support system
A strategic information system provides information that may allow an organization to make strategic, competitive decisions. It converts the inputs into data that allows management to make unstructured decisions concerning the company’s future.
Transaction processing systems support basic routine business functions.
An office automation system is used by clerical personnel to process existing information.
Decision support systems process semi-structured and unstructured problems.
Which of the following lists best describes the probable control activities likely to be employed at the cash register/sales counter level?
- Proper authorization of transactions,
- design and use of documents, and
- independent checks on performance
A distributed database, in which data about individuals would reside on computers at local offices but would be accessible to managers worldwide, has what risks?
Database integrity might not be preserved during a network or computer failure because of the complexity of updates, the time delays when multiple sites are involved, and the number of nodes to be coordinated.
Both the centralized and distributed systems permitted access to all data, so if access security is maintained at the same levels, there should be no difference in the vulnerability of the database to outsiders.
If certain data elements were not defined in the online database expansion, the following problem could result:
Incomplete transaction processing
In an accounting information system, which of the following types of computer files most likely would be a master file?
Inventory subsidiary
A master file is used in electronic data processing and contains relatively permanent information used for reference and updated periodically. An inventory file lists the inventory on hand at a point in time. It is an asset, a balance sheet account.
When should the system librarian accept a program into production?
The system librarian should only accept a modified program that has been properly tested by someone independent of the programmer to make sure that no unauthorized changes have been made.
Who studies the existing information system?
Studying the existing information system is a task typically assigned to a systems analyst in the operational and maintenance phase of the system development life cycle; it is not an example of change control.
What 3 things does managing the information system function include?
- charging user departments for computer services,
- project development planning (e.g., using Gantt charts), and
- responsibility accounting principles.
What type of review determines whether the project’s anticipated benefits were achieved and encourages accurate and objective initial cost and benefit estimates?
POST-implementation reviews
Password protection for a screensaver program can be
easily bypassed.
Setting up a password for the screensaver program on the notebook computer would provide the least security for sensitive data stored on a notebook computer
The best control technique to detect paying a terminated employee using employee identification numbers would be a:
hash total.
To assist in maintaining control over such access, many systems use tests that are maintained through an internal access control matrix which consists of:
- authorized user code numbers,
- passwords,
- lists of all files and programs, and
- a record of the type of access each user is entitled to have for each file and program.
A systems program manipulates:
application programs.
By definition, systems software consists of programs that act on the instructions provided in application programs. Stated another way, a systems program manipulates application programs.
Name 3 characteristics of computer machine language.
- on/off electrical switches
- internal binary code
- usually arranged as hexadecimal (base 16) code
Identifying inputs and outputs would occur at what stage?
systems design and development phase, preceding implementation.
Which of the following input controls would prevent an incorrect state abbreviation from being accepted as legitimate data?
Validity check
A reasonableness check or test would compare
the data entry to the database to make sure that the input was logically correct, rather than merely valid. In other words, does the entry make sense in light of the data required?
A field check makes sure that the entry is
the correct type for the field (numeric or alphanumeric). Any letters would satisfy this requirement, whether or not they were a valid state abbreviation.
A check digit verification uses
redundant digits to detect errors in data transcription. This check would not prevent an incorrect state abbreviation from being accepted as legitimate data.
One of the steps companies should not take is
to outsource computer control and security staff.
If the system must be available on a continuous basis, there is an important need for what?
Maintain redundant systems for instant availability to assure the flow of transactions
Data backups will enable reconstruction of lost information, but do not affect availability of the system to users.
Only the program librarian should be allowed to
make changes to the production library.
A system where several minicomputers are connected for communication and data transmission purposes, but where each computer can also process its own data, is known as a:
distributed data processing network.
An advantage of having a computer maintain an automated error log in conjunction with computer edit programs is that:
reports can be developed that summarize the errors by type, cause, and person responsible.
Which of the following areas of responsibility are normally assigned to a systems programmer in a computer system environment?
Operating systems and compilers
Systems programmers use the design developed by the analysts to develop an information system and write the computer programs. It follows, therefore, that the programmers would be concerned with the operating system and how it will handle various applications, as well as with compilers (computer programs that convert a source program into an object program, reducing the programming effort).
The purpose of a software monitor is to:
collect data on the use of various hardware components during a computer run.
Routines that utilize the computer to check the validity and accuracy of transaction data during input are called:
edit programs.
Edit programs may be used to examine selected fields of input data and to reject those transactions (or other types of data input) whose data fields do not meet preestablished standards of data quality.
Which of the following transaction processing modes provides the most accurate and complete information for decision making?
Online
Which of the following is responsible for authorizing and recording transactions and for correcting errors?
Users
The data control group logs data inputs, processing, and outputs, and makes sure that transactions have been authorized. They do not authorize or record transactions themselves.
Computer operators maintain and run daily computer operations.
Security management is responsible for preventing unauthorized physical and logical access to the system.
Which of the following describes infrastructure as a service (IaaS)?
IaaS provides the basic building blocks for cloud IT and typically provides access to IT assets from a cloud provider who charges on a pay-as-you-go basis.
All of the following are classifications of controls used to make systems more secure except:
nonphysical access controls.
The five classifications of controls used to make systems more secure are
- segregation of duties,
- physical access controls,
- logical access controls,
- personal computers and client/server network protection, and
- internet and telecommunications controls.
Which of the following is a network node that is set up as a boundary to prevent traffic from one segment from crossing over to another?
firewall
A firewall is a method used to isolate the company computers behind a device that acts as a gatekeeper. This gatekeeper prevents traffic from one segment from crossing over to another.
The use of message encryption software:
increases system overhead.
The machine instructions necessary to encrypt and decrypt data constitute system overhead, which means that processing may be slowed down.
To maintain effective segregation of duties within the information technology function, an application programmer should have which of the following responsibilities?
Code approved changes to a payroll program
Which of the following database controls would be most effective in maintaining a segregation of duties appropriate to the users’ reporting structure within an organization?
Access security features
Access security features restrict users to functions and data compatible with organizational structure.
Software change control procedures provide controls over what?
software changes for application development functions.
Dependency checks provide controls over what?
form and type of data entered by users.
Backup and recovery procedures provide controls over what?
continued availability of data resources to users.
An EDP control used to assure that paychecks had been written for all employees for a pay period would be the use of a:
hash total on employee Social Security numbers.
A record count simply calculates the number of records. It may be effective for the number of checks, but it would not validate that the correct employees were paid.
Because of the sensitivity of its data, an online system for developing estimates and generating proposals was implemented with several layers of access control. Control over users’ initial log-in is a function of the:
operating system.
Initial log-in to a system is a function of the operating system–level access control software.
- An integrated test facility is an audit approach to validating processing.
- Database subschema authorizations control access to specific views of fields in a database.
- Access to applications and their data is a function of application level software.