Chapter 3 - Information Systems

Question 1

End Point Devices?

Answer 1

Any device that connects to the network

Question 2

What Device is used to collect Environmental Data? Challenges?

Answer 2

Internet of Things Senors, Challenge is Secuity and not easy to upgrade

Question 3

What is a UML Diagram sometimes called? What is it?

Answer 3

ERD & Visual Representation of a conceptual Data model that shows tables in a database and the Associations between them.

Question 3

What Do Availability Reports Address?

Answer 3

Uptime and Downtime Durations

Question 4

What is a CSP always responsible for? Examples?

Answer 4

Infrastructure - Networking, Storage, Servers

Question 5

Firewall

What does it do?
Isolates what?

Answer 5

Device that controls the flow of data into and out of an information system at network entry points.
o separates or isolates a network segment from the main network while maintaining the connection between networks

Question 6

Switches

Answer 6

moves data between connected devices in a network.

Question 7

Servers
3 things they do?

Answer 7

are powerful computers that store, process, and manage data

Question 8

• Routers

Answer 8

infrastructure components that receive and send data packets to their intended destinations and determine the best path.

Question 9

Progressive Steps to Test Continuity plan

Answer 9

1. Checklists - Help to execute the complete plan
2. Tabletop exercise - Walkthrough a potential scenario
3. Simulation - Perform all the tasks at the alternate site (except processing)
4. Parallel – Process at both the primary and alternate sites to determine if they are the same
5. Full interruption – Perform all tasks only at the alternate site.

Question 10

BCP (business continuity plan). The correct sequence is:

Answer 10

• Consider possible threats
• Assess potential impacts
• Evaluate critical needs
• Establish recovery priorities
• Refers to a company’s ability to keep providing products and services despite.

Question 11

Recovery Time Objective (RTO)

Established how?
2 things it calculates?

Answer 11

maximum amount of downtime a business can tolerate
* Established by doing a business impact analysis (BIA)
o Calculates the cost of downtime
 Tangible – Loss of revenue
 Intangible – Harm to reputation

Question 12

Mean Time to recover (MTTR)

Answer 12

• Tracks the average time it takes to restore a service or system after an outage.

Question 13

Which Backup is the most efficient for minimizing backup time and storage usage?

Answer 13

Incremental

Question 14

Which Backup has a longer restoration time than a full backup?

Answer 14

differential

Question 15

Continuous integrations are validated how?
name order 1-4

Answer 15

automated test
1.unit - test on individual components /functions
2. integration - group testing of components /functions
3 system -all components are integrated and the whole system is tested
4. acceptance - final testing is done by end users

Question 16

What does Strategy development remediate?

Answer 16

It bridges the gap between the business impact analysis by looking at the risk and seeing how the business continuity plan should address it.

Question 17

What two steps are after the strategy development phase and what do they do?

Answer 17

1. Provisions and process - measures and procedures are created to mitigate risks
2. Resource prioritization - prioritizes and allocates resources to different identified tasks.

Question 18

Internally encrypted passwords

Answer 18

access control designed to prevent unauthorized access by use of a utility program to identify passwords.

Question 19

What control

1 automatically resubmits correct data
2. Ensures the integrity, accuracy, and completeness of data

Answer 19

Online data entry controls

Question 20

Who is responsible for networks and security, servers and storage, and infrastructure facility?

Answer 20

IAAS

Question 21

Who is responsible for infrastructure, networks and security, servers and storage, operating systems, and database and analytic tools?

Answer 21

Platform as a software

Question 22

Who is responsible for infrastructure, networks and security, servers and storage, operating systems, hosted apps, and databaseand analytic tools?

Answer 22

Software as a service

Question 23

How do you calculate system availability?

Answer 23

Downtown- agreed service time/ agreed service time

Question 24

What cloud service model is best suited for rapidly developing an application while minimizing capital expenditures?

Answer 24

Platform as a service

Question 25

What cloud service model is best suited for rapidly developing an application while minimizing capital expenditures?

Answer 25

Platform as a service

Question 26

Who is responsible for returning acknowledgments?

Answer 26

Gateways

Question 27

Snapshots, rootkits, and misconfiguration of the hypervisor are disadvantages of what?

Answer 27

Virtualization

Question 28

Detecting access from unauthorized components is an advantage of what?

Answer 28

Automated scans

Question 29

Multifactor authentication is considered what in defense in depth strategies ?

Answer 29

Technical control

Question 30

Devices that allow wireless
devices to connect to the wired network.

Answer 30

wireless Access points

Question 31

what model Provides users with virtualized computing
resources over the internet? is like renting space on a
physical server or renting that server itself. Users get the raw
infrastructure and have to manage the OS, applications, and
data.

Answer 31

IaaS

Question 32

what cloud is Managed by third-party providers, delivering shared computing resources (servers, storage) over the internet.

Benefits: Economies of scale, reduced costs, and easy scalability.

Examples: Amazon Web Services (AWS), Google Cloud Platform (GCP), Microsoft Azure.

Answer 32

public Cloud

Question 33

what are the roles and responsibilities of Cloud Service Providers?

Answer 33

1. Infrastructure Maintenance:
   ● Ensure the physical hardware, data centers, and networking
   components are up-to-date, secure, and operational.
   ● Perform regular backups, hardware refreshes, and disaster
   recovery operations.
2. Platform & Software Updates:
   ● Continually update and patch the underlying software and
   platforms to ensure they are secure and free of known
   vulnerabilities.
   ● This includes updates for IaaS, PaaS, and SaaS offerings.
3. Security & Compliance:
   ● Implement and maintain security measures to protect the
   infrastructure and the data stored within.
   ● Ensure compliance with various industry regulations and
   standards (like GDPR, HIPAA, etc.).
   ● Provide tools and features that allow customers to enhance
   their security, such as encryption, multi-factor authentication,
   and intrusion detection systems.
4. Service Availability & Reliability:
   ● Ensure services are available and reliable, meeting the
   Service Level Agreements (SLAs) promised to customers.
   ● Implement redundancies to minimize downtime and
   maximize uptime.
5. Scalability & Performance Optimization:
   ● Offer scalable solutions that can adjust to the changing
   demands of the customer.
   ● Monitor and manage the performance of services, optimizing
   where necessary.
6. Support & Customer Service:
   ● Provide technical support to customers, assisting with any
   issues, questions, or challenges they face.
   ● Offer training, resources, and documentation to help
   customers maximize the value of their cloud services.
7. Transparent Billing & Cost Management:
   ● Clearly outline costs and pricing models for the services
   offered.
   ● Provide tools for customers to monitor and manage their
   resource usage and associated costs.
8. Integration & Compatibility:
   ● Ensure cloud services can integrate smoothly with popular
   enterprise software and other cloud offerings.
   ● Maintain APIs and SDKs for developers to integrate with and
   build upon the cloud platform.
9. Innovation & Feature Development:
   Continually innovate and introduce new features, tools, and
   services based on evolving technological trends and customer
   needs.

Question 34

how do the COSO frameworks address cloud computing governance? 5 Ways

Answer 34

Control Environment: Organizations must prioritize governance, security, compliance, and risk management during cloud transitions.

Risk Assessment: Regular assessment of new risks, such as data breaches and data loss, is essential.

Control Activities: Key activities include:

Ensuring proper configuration of cloud services.
Restricting access to sensitive data.
Monitoring for unauthorized activities.

Information & Communication: Effective communication is crucial; stakeholders should be aware of data storage, access rights, and protection measures.

Monitoring: Continuous monitoring and regular audits are necessary to ensure compliance with internal controls.

Question 35

what ways does the COSO Enterprise Risk Management (ERM) Framework govern cloud computing?

Answer 35

Governance and Culture: Organizations should understand
their cloud computing strategy within the larger business
context, ensuring that there’s a culture of awareness and
understanding about the cloud.
● Strategy and Objective-Setting: When setting objectives for
cloud adoption, the risks and opportunities should align with
the organization’s broader strategy.
● Performance: By comparing risk tolerance to risk exposure,
organizations can understand how cloud-related risks might
imact performance objectives.
● Review and Revision: Cloud strategies should be regularly
reviewed and revised based on changing business needs
and emerging risks.
● Information, Communication, and Reporting: Organizations
should have a clear communication strategy to report on
cloud risks and performance to both internal and external
stakeholders.

Question 36

what is a subset of an organization’s information system
specifically designed to manage and report on the financial data
of the enterprise. It ensures that all financial transactions are
processed and recorded accurately and timely

Answer 36

Accounting Information System

Question 37

4 ways to test if control is operating correctly?

Answer 37

1.sample transactions
2. review logs
3. interview personnel
4. Simulation

Question 38

What type of mirroring?

data is written to both the primary and
mirrored disks at the same time

Answer 38

synchronous
mirroring

Question 39

What type of mirroring?

there’s a slight delay between writing data to
the primary and mirrored disk,

Answer 39

asynchronous
mirroring

Question 40

What does the SOC for Cybersecurity examination describe?

Answer 40

An entity’s cybersecurity risk management program and related controls

Question 41

List the five trust services categories.

Answer 41

• Security
• Availability
• Processing integrity
• Confidentiality
• Privacy

Question 42

Which trust services category does not have additional criteria?

Answer 42

Security

Question 43

Who developed the trust services criteria?

Answer 43

AICPA

Question 44

What framework do the trust services criteria align with?

Answer 44

COSO Internal Control-Integrated Framework

Question 45

How do management and CPAs use the trust services criteria?

Answer 45

To measure or evaluate controls related to the trust services categories

Question 46

What do the supplemental trust services criteria relate to? 4 things

Answer 46

• Logical and physical access controls
• System operations
• Change management
• Risk mitigation

Question 47

What should a service auditor do if management refuses to provide a written representation letter?

Answer 47

Consider the effect of the resulting scope limitation on the type of opinion issued

Question 48

What opinion should be provided due to a scope limitation?

Answer 48

A modified opinion

Question 49

How is a third-party provider classified if a company retains responsibility for controls?

Answer 49

As a vendor, not a subcompany

Question 50

What do the DC Section 100 Description Criteria connect with

Answer 50

The 5 COSO Internal Control-Integrated Framework components

Question 51

List the components of the COSO Internal Control-Integrated Framework.

Answer 51

• Control environment
• Risk assessment
• Control activities
• Information and communication
• Monitoring activities

Question 52

How do you conduct risk management ?3 ways

Answer 52

• Identifying risks
• Assessing risks
• Mitigating risks

Question 53

What is the purpose of strategic planning in risk management?

Answer 53

To handle potential disruptions and ensure the resilience of the overall system

Question 54

What are endpoint devices?

Answer 54

Any type of physical hardware that connects to a network

Question 55

What is a primary use of Internet of Things (IoT) sensors?

Answer 55

Collecting environmental data

Question 56

What is a common security challenge in IT systems?

Answer 56

Security is built in and not easy to upgrade

Question 57

What do availability reports address?

Answer 57

System uptime and downtime durations

Question 58

What is a UML diagram also referred to as?

Answer 58

Entity Relationship Diagram (ERD)

Question 59

What does a UML diagram represent?

Answer 59

A conceptual data model showing tables in a database and associations between them

Question 60

What does an ERP improve and reduce?

Answer 60

A shared database improves data quality by reducing duplication and errors

Question 61

What does a single source of truth in ERP reduce?

Answer 61

Risk of inconsistencies

Question 62

What is the responsibility of a Cloud Service Provider (CSP)?

Answer 62

Infrastructure components (networking, storage, servers)

Question 63

What are IT infrastructure assets?

Answer 63

Hardware and software components of an IT system

Question 64

What types of IT infrastructure assets exist?

Answer 64

Physical or virtual, on-premises or cloud-based

Question 65

What is the purpose of categorizing IT infrastructure assets?

Answer 65

Efficient incident response and effective asset management

Question 66

What are examples of IT infrastructure assets?

Answer 66

• Modems
• Routers
• Switches
• Hubs
• Firewalls

Question 67

What is a firewall?

Answer 67

A security device that controls the flow of data into and out of an information system

Question 68

What does a firewall monitor and filter?

Answer 68

Network traffic based on protocols

Question 69

What is the function of switches in a network?

Answer 69

Move data between connected devices

Question 70

What do servers do?

Answer 70

Store, process, and manage data

Question 71

What is the purpose of VPNs?

Answer 71

Prevent unauthorized access by establishing secure communication channels

Question 72

Fill in the blank: A firewall ______ the flow of data into and out of an information system.

Answer 72

controls

Question 73

True or False: A shared database in ERP systems allows for multiple entries of the same data.

Answer 73

False

Question 74

What are some risks associated with cloud computing?

Answer 74

Creating dependency relationships, reliability and performance issues, vendor lock-in, security threats, data leakage, compliance concerns

These risks can significantly affect organizations’ operations and data security.

Question 75

What does trust services criterion PI1.1 require?

Answer 75

Entities must define data for reporting obligations

This criterion is essential for ensuring transparency and accountability in data management.

Question 76

What are the types of application controls?

Answer 76

Input, Processing, Output

These controls help in error prevention, detection, and correction.

Question 77

Name three types of input controls.

Answer 77

Validity checks, Range (limit) checks, Authorization checks

Input controls are crucial for ensuring that data entered into applications is accurate and authorized.

Question 78

What are some examples of processing controls?

Answer 78

Data validation, Sequence checks, Completeness checks, Duplication checks, File identification checks

These controls ensure that data is processed correctly and completely.

Question 79

List three types of output controls.

Answer 79

Distribution lists, Printer security, Storage controls, Confidentiality controls, Data transmission controls

Output controls are important for protecting the integrity and confidentiality of the data produced by applications.

Question 80

What is technology debt?

Answer 80

The cost of maintenance for existing systems plus the opportunity cost of not switching to modern systems

Technology debt can hinder an organization’s ability to innovate and stay competitive.

Question 81

What are common sources of technology debt?

Answer 81

Heavily customized IT systems, obsolete technology, reliance on short-term solutions

These sources contribute to increased maintenance costs and missed opportunities for improvement.

Question 82

How do heavily customized systems affect technology debt?

Answer 82

They are harder to improve with off-the-shelf updates and difficult to interface with other systems

This can lead to increased complexity and costs in managing IT systems.

Question 83

What impact do short-term solutions have on technology debt?

Answer 83

They prevent organizations from focusing on long-term strategy

This can result in a continuous cycle of debt accumulation as organizations prioritize immediate fixes over sustainable improvements.

Question 84

How does obsolete technology contribute to technology debt?

Answer 84

It generally requires more maintenance and creates high opportunity costs

Organizations may miss out on capabilities that could have been achieved with newer technology.

Question 85

Which of the following controls is particular to a specific process or subsystem, rather than related to the timing of its occurrence?

Answer 85

Application

Question 86

What document describes what the system will do? What three things does it address?

Answer 86

Systems specification document

1. Desc of functional user requirements
2. Desc of non fun requirements
3. Desc of data elements

Question 87

What join generates an output of the matching records in both tables?

Answer 87

Inner join

Question 88

What two things are PAAS responsible for?

Answer 88

Application and Data

Question 89

which of the following cloud service delivery models is best suited for rapidly developing an application while minimizing capital expenditures?

Answer 89

PAAS

Question 90

The CIA triad is associated with which of the following CIS controls?

Answer 90

Data recovery-

Restores data before the security incident

Question 91

Primary purpose and focus of NIST SP 800-53?

Answer 91

Security and privacy

Question 92

Which of the following components of the NIST Cybersecurity Framework identifies the outcomes an organization has prioritized and selected to remediate control gaps?

Answer 92

profiles

Question 93

According to the NIST Privacy Framework, which of the following functions involves developing and implementing control activities to manage data with sufficient granularity for managing privacy risks?

Answer 93

Control P

Question 94

According to the NIST Privacy Framework, which of the following functions involves developing the orgs understand needed to manage the privacy risk for individuals ?

Answer 94

Identify-p

Question 95

According to the NIST Privacy Framework, which of the following functions involves developing and implementing governance structure that enables an ongoing understanding of the orgs priorities?

Answer 95

Govern

Question 96

What phase is “obtain an understanding” connected with?

Answer 96

planning

Question 97

what are three things a CPA must obtain to gain an understanding?

Answer 97

gain an understanding of the subject matter to identify risks
assess the risk of material misstatement,
and design further procedures

Question 98

What qualifies something to be considered an built-in feature?

Answer 98

if installed during the post implementation

Question 99

What are the 5 phases of business impact analysis?

Answer 99

1. Prepare: identifying stakeholders and defining goals
2. Gather information: collecting data about stakeholder needs
3. Analyze: quantifying the impact of disruptions to critical business processes
4. Write/Present BIA report: creating the BIA report and presenting it to management
5. Implement: implementing the BIA plan

Question 100

Pros and cons of differential backup?

Answer 100

Advantages
1. Provides more efficient restoration
2. Requires less storage than using only full backups
3. Offers a middle-ground solution

Disadvantages
1. longer restoration time than a full backup
2. requires more storage than incremental backups

Question 101

What should you do with critical patches and what should you do after they are deployed?

Answer 101

Deploy them immediately without normal testing

-conduct a post-implementation review.

Question 102

What does this pertain to?

-Be available to data users
-Contain specific information about the data (eg, nature of fields, sources, units of measurement, time periods
-Be complete and accurate
-Identify any information necessary to understanding each data element

Answer 102

Processing Integrity

Question 103

Pros and cons of full backup?

Answer 103

Pros
-easy to store and manage
-fastest restoration after a disaster

Cons
-backups are slow
-takes a lot of storage space
-resource intensive
-if compromised, everything is lost

Question 104

Pros and cons of incremental backup?

Answer 104

Pros
-fast backup of increments
-less storage needed
-can be run frequently

Cons
-longer restore time
-restore must be completed in the correct order
-each increment must be backed up correctly

Question 105

What implementation Tier is based on past, present, and predictive factors?

Answer 105

Adaptive Tier 4

Question 106

What control is responsible for developing policies and procedures to govern cloud computing services?

Answer 106

Control activities

Question 107

What reduces the risk of double spending in a block chain system?

Answer 107

Consensus mechanism

Ensures transactions are validated and agreed upon by the network participants

Question 108

What service is this?

-provides the basic building blocks for cloud IT and typically provides access to IT assets from a cloud provider who charges on a pay-as-you-go basis.”

Answer 108

IAAS

Question 109

What service is this?

• refers to cloud computing services that supply an on-demand environment for developing, testing, delivering, and managing software applications, allowing developers to focus on creating and delivering those applications rather than worrying about resource procurement, capacity planning, software maintenance, or infrastructure management.

Answer 109

PAAS

Question 110

What service is this?

• delivers software applications over the internet, on demand, and typically on a subscription basis

Answer 110

SAAS

Question 111

What is the main purpose of RAID?

redundant array of inexpensive or independent disks

Answer 111

is to provide backup, so if one disk fails, all the data is immediately available.

Question 112

WHAT allows the cloud infrastructure to adapt and allocate resources based on demand? During peak hours, it ensures that the website can handle increased traffic effectively.

Answer 112

Dynamic scaling

Question 113

What agreement allows two organizations to back each other up

Answer 113

reciprocal agreement

Question 114

What plan has a dual purpose in that they function as both preventage and recovery controls?

Answer 114

Contingency plans

Question 115

What is challenging to sell to companies since it requires “up-front” money and commitment from management?

Answer 115

Mitigation

Question 116

What are devices that connect devices to a network, allowing users to share files, access resources, and collaborate?

Answer 116

Network equipment

ex- wireless access point

Question 117

Which cloud computing models does a cloud service provider have the least service delivery responsibilities?

Answer 117

IAAS

Question 118

SAAS manages which of the following components that are not part of a PAAS model?

Answer 118

Data and application