Chapter 3 - Information Systems Flashcards

1
Q

Endpoint devices?

A

Any device that connects to the network

2
Q

What device is used to collect environmental data? What are the challenges?

A

Internet of Things (IoT) sensors. The challenge is security: it is typically built into the device at manufacture and is not easy to upgrade or patch afterwards, so a vulnerable sensor tends to stay vulnerable.

3
Q

What is a UML diagram sometimes called in this material? What is it?

A

Entity Relationship Diagram (ERD). A visual representation of a conceptual data model that shows the tables in a database and the associations (relationships) between them. Strictly, an ERD and a UML class diagram are different notations, but the course treats the terms interchangeably for this purpose.

3
Q

What do availability reports address?

A

System uptime and downtime durations

4
Q

What is a CSP always responsible for? Examples?

A

Infrastructure components: networking, storage, servers (and the physical facility that houses them)

5
Q

Firewall

What does it do?
What does it isolate?

A

A device that controls the flow of data into and out of an information system at network entry points.
  • Separates or isolates a network segment from the main network while maintaining the connection between the networks (for example, a DMZ for public-facing servers).

6
Q

Switches

A

Move data between connected devices within a network (they forward frames to the port where the destination device is attached).

7
Q

Servers
What 3 things do they do?

A

Powerful computers that store, process, and manage data

8
Q
Routers

A

Infrastructure components that receive and send data packets to their intended destinations and determine the best path (routing).

9
Q

Progressive steps to test a continuity plan

A
  1. Checklist – Helps confirm the plan is complete and supports executing the full plan
  2. Tabletop exercise – Walk through a potential scenario
  3. Simulation – Perform all the tasks at the alternate site (except actual processing)
  4. Parallel – Process at both the primary and alternate sites to determine whether the results are the same
  5. Full interruption – Perform all tasks only at the alternate site
10
Q

BCP (business continuity plan). What is it, and what is the correct sequence of steps?

A
  • Consider possible threats
  • Assess potential impacts
  • Evaluate critical needs
  • Establish recovery priorities
  • Definition: refers to a company's ability to keep providing products and services despite.
11
Q

Recovery Time Objective (RTO)

How is it established?
What two things does it calculate?

A

The maximum amount of downtime a business can tolerate.
  • Established by doing a business impact analysis (BIA)
  • The BIA calculates the cost of downtime:
      • Tangible – loss of revenue
      • Intangible – harm to reputation

12
Q

Mean Time to Recover (MTTR)

A
  • Tracks the average time it takes to restore a service or system after an outage.
13
Q

Which backup type is the most efficient for minimizing backup time and storage usage?

A

Incremental

14
Q

Which backup type has a longer restoration time than a full backup (but a shorter one than incremental)?

A

Differential

15
Q

How are continuous integrations validated?
Name the test levels in order, 1-4

A

By automated tests:
  1. Unit – tests individual components/functions in isolation
  2. Integration – tests groups of components/functions together
  3. System – all components are integrated and the whole system is tested
  4. Acceptance – final testing is done by end users

16
Q

What gap does strategy development remediate?

A

It bridges the gap between the business impact analysis and the business continuity plan: it takes each risk identified in the BIA and decides how the BCP should address it.

17
Q

What two steps follow the strategy development phase, and what do they do?

A
  1. Provisions and processes – measures and procedures are created to mitigate the identified risks
  2. Resource prioritization – prioritizes and allocates resources to the different identified tasks
18
Q

Internally encrypted passwords

A

An access control in which stored passwords are kept in encrypted (hashed) form inside the system, so that an attacker who obtains the password store cannot use a utility program to read or identify the passwords.

19
Q

What control:

1. automatically resubmits corrected data
2. ensures the integrity, accuracy, and completeness of data

A

Online data entry controls

20
Q

In which cloud service model is the provider responsible only for networks and security, servers and storage, and the infrastructure facility?

A

IaaS (Infrastructure as a Service); the customer manages the operating system, applications, and data.

21
Q

In which cloud service model is the provider responsible for infrastructure, networks and security, servers and storage, operating systems, and database and analytic tools?

A

Platform as a Service (PaaS); the customer manages the applications and data.

22
Q

In which cloud service model is the provider responsible for infrastructure, networks and security, servers and storage, operating systems, hosted applications, and database and analytic tools?

A

Software as a Service (SaaS); the customer is left with user access, configuration, and how the data is used.

23
Q

How do you calculate system availability?

A

Availability = (agreed service time - downtime) / agreed service time, usually expressed as a percentage. Example: 744 hours of agreed service time in a month with 4 hours of downtime gives (744 - 4) / 744, about 99.46%.
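An added example (not part of the original flashcards) that puts the availability-report, MTTR, RTO and availability-formula cards together: it takes a constructed list of outage start and end times, totals the downtime, computes availability as (agreed service time - downtime) / agreed service time, computes the mean time to recover, and flags outages that exceeded the RTO. The outage records, the 24x7 agreed service window for a 31-day month, and the one-hour RTO are assumptions for illustration.

```python
from datetime import datetime

# Constructed outage records for one month (assumed data, not from the
# original material): (outage start, outage end) as ISO 8601 timestamps.
OUTAGES = [
    ("2024-03-03T02:15:00", "2024-03-03T03:45:00"),   # 90 min
    ("2024-03-12T14:00:00", "2024-03-12T14:30:00"),   # 30 min
    ("2024-03-25T09:10:00", "2024-03-25T11:10:00"),   # 120 min
]

# Agreed service time: the window the SLA covers. Assumed 24x7 for a
# 31-day month; a business-hours SLA would use a smaller window and only
# count outages that fall inside it.
AGREED_SERVICE_MINUTES = 31 * 24 * 60


def _minutes(start: str, end: str) -> float:
    """Duration of one outage in minutes."""
    delta = datetime.fromisoformat(end) - datetime.fromisoformat(start)
    return delta.total_seconds() / 60


def downtime_minutes(outages=OUTAGES) -> float:
    """Total downtime: the figure an availability report adds up."""
    return sum(_minutes(s, e) for s, e in outages)


def availability(outages=OUTAGES, agreed=AGREED_SERVICE_MINUTES) -> float:
    """(agreed service time - downtime) / agreed service time, as a fraction."""
    return (agreed - downtime_minutes(outages)) / agreed


def mttr_minutes(outages=OUTAGES) -> float:
    """Mean time to recover: average time from outage start to restoration."""
    return downtime_minutes(outages) / len(outages) if outages else 0.0


def rto_breaches(outages=OUTAGES, rto_minutes: float = 60) -> list:
    """Start times of outages whose duration exceeded the RTO (assumed 60 min)."""
    return [s for s, e in outages if _minutes(s, e) > rto_minutes]


if __name__ == "__main__":
    print(f"downtime:     {downtime_minutes():.0f} min")
    print(f"availability: {availability():.4%}")
    print(f"MTTR:         {mttr_minutes():.0f} min")
    print(f"RTO breaches: {rto_breaches()}")
```

Two points the cards gloss over: availability is only meaningful relative to the agreed window (the same 4 hours of downtime is a worse number against a 40-hour business-week SLA than against 24x7), and MTTR averages out individual long outages, which is why the RTO check looks at each outage on its own.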

24
What cloud service model is best suited for rapidly developing an application while minimizing capital expenditures?
Platform as a service
26
Who is responsible for returning acknowledgments?
Gateways
27
Snapshots (stale copies of sensitive data), rootkits (hypervisor-level compromise), and misconfiguration of the hypervisor are disadvantages of what?
Virtualization
28
Detecting access from unauthorized components is an advantage of what?
Automated scans
29
Multifactor authentication is considered what in defense in depth strategies ?
Technical control
30
Devices that allow wireless devices to connect to the wired network.
wireless Access points
31
What model provides users with virtualized computing resources over the internet? It is like renting space on a physical server, or renting the server itself. Users get the raw infrastructure and have to manage the OS, applications, and data.
IaaS
32
What cloud deployment model is managed by third-party providers, delivering shared computing resources (servers, storage) over the internet? Benefits: economies of scale, reduced costs, and easy scalability. Examples: Amazon Web Services (AWS), Google Cloud Platform (GCP), Microsoft Azure.
Public cloud
33
What are the roles and responsibilities of cloud service providers?
1. Infrastructure maintenance
   • Ensure the physical hardware, data centers, and networking components are up to date, secure, and operational.
   • Perform regular backups, hardware refreshes, and disaster recovery operations.
2. Platform and software updates
   • Continually update and patch the underlying software and platforms to ensure they are secure and free of known vulnerabilities.
   • This includes updates for IaaS, PaaS, and SaaS offerings.
3. Security and compliance
   • Implement and maintain security measures to protect the infrastructure and the data stored within it.
   • Ensure compliance with industry regulations and standards (GDPR, HIPAA, etc.).
   • Provide tools and features that allow customers to enhance their security, such as encryption, multi-factor authentication, and intrusion detection systems.
4. Service availability and reliability
   • Ensure services are available and reliable, meeting the Service Level Agreements (SLAs) promised to customers.
   • Implement redundancies to minimize downtime and maximize uptime.
5. Scalability and performance optimization
   • Offer scalable solutions that can adjust to the changing demands of the customer.
   • Monitor and manage the performance of services, optimizing where necessary.
6. Support and customer service
   • Provide technical support to customers, assisting with any issues, questions, or challenges they face.
   • Offer training, resources, and documentation to help customers maximize the value of their cloud services.
7. Transparent billing and cost management
   • Clearly outline costs and pricing models for the services offered.
   • Provide tools for customers to monitor and manage their resource usage and associated costs.
8. Integration and compatibility
   • Ensure cloud services can integrate smoothly with popular enterprise software and other cloud offerings.
   • Maintain APIs and SDKs for developers to integrate with and build upon the cloud platform.
9. Innovation and feature development
   • Continually innovate and introduce new features, tools, and services based on evolving technological trends and customer needs.
34
How does the COSO Internal Control framework address cloud computing governance? 5 ways
  • Control environment: Organizations must prioritize governance, security, compliance, and risk management during cloud transitions.
  • Risk assessment: Regular assessment of new risks, such as data breaches and data loss, is essential.
  • Control activities: Key activities include ensuring proper configuration of cloud services, restricting access to sensitive data, and monitoring for unauthorized activities.
  • Information and communication: Effective communication is crucial; stakeholders should be aware of where data is stored, who has access rights, and what protection measures are in place.
  • Monitoring: Continuous monitoring and regular audits are necessary to ensure compliance with internal controls.
35
In what ways does the COSO Enterprise Risk Management (ERM) framework govern cloud computing?
  • Governance and culture: Organizations should understand their cloud computing strategy within the larger business context, ensuring a culture of awareness and understanding about the cloud.
  • Strategy and objective-setting: When setting objectives for cloud adoption, the risks and opportunities should align with the organization's broader strategy.
  • Performance: By comparing risk tolerance to risk exposure, organizations can understand how cloud-related risks might impact performance objectives.
  • Review and revision: Cloud strategies should be regularly reviewed and revised based on changing business needs and emerging risks.
  • Information, communication, and reporting: Organizations should have a clear communication strategy to report on cloud risks and performance to both internal and external stakeholders.
36
What is the subset of an organization's information system specifically designed to manage and report on the financial data of the enterprise, ensuring that all financial transactions are processed and recorded accurately and on time?
Accounting Information System
37
4 ways to test whether a control is operating correctly?
  1. Sample transactions
  2. Review logs
  3. Interview personnel
  4. Simulation
38
What type of mirroring? Data is written to both the primary and the mirrored disk at the same time, so the mirror is never behind the primary.
synchronous mirroring
39
What type of mirroring? There is a slight delay between writing data to the primary disk and to the mirrored disk.
Asynchronous mirroring (the most recent writes can be lost if the primary fails before they are replicated, which matters when setting the RPO)
40
What does the SOC for Cybersecurity examination describe?
An entity's cybersecurity risk management program and related controls
41
List the five trust services categories.
* Security * Availability * Processing integrity * Confidentiality * Privacy
42
Which trust services category does not have additional criteria?
Security
43
Who developed the trust services criteria?
AICPA
44
What framework do the trust services criteria align with?
COSO Internal Control-Integrated Framework
45
How do management and CPAs use the trust services criteria?
To measure or evaluate controls related to the trust services categories
46
What do the supplemental trust services criteria relate to? 4 things
* Logical and physical access controls * System operations * Change management * Risk mitigation
47
What should a service auditor do if management refuses to provide a written representation letter?
Consider the effect of the resulting scope limitation on the type of opinion issued
48
What opinion should be provided due to a scope limitation?
A modified opinion
49
How is a third-party provider classified if a company retains responsibility for controls?
As a vendor, not a subservice organization
50
What do the DC Section 100 Description Criteria connect with?
The 5 COSO Internal Control-Integrated Framework components
51
List the components of the COSO Internal Control-Integrated Framework.
* Control environment * Risk assessment * Control activities * Information and communication * Monitoring activities
52
How do you conduct risk management? 3 steps
* Identifying risks * Assessing risks * Mitigating risks
53
What is the purpose of strategic planning in risk management?
To handle potential disruptions and ensure the resilience of the overall system
54
What are endpoint devices?
Any type of physical hardware that connects to a network
55
What is a primary use of Internet of Things (IoT) sensors?
Collecting environmental data
56
What is a common security challenge in IT systems, particularly IoT devices?
Security is built in at manufacture and is not easy to upgrade or patch afterwards
57
What do availability reports address?
System uptime and downtime durations
58
What is a UML diagram also referred to as?
Entity Relationship Diagram (ERD)
59
What does a UML diagram represent?
A conceptual data model showing tables in a database and associations between them
60
What does an ERP improve and reduce?
A shared database improves data quality by reducing duplication and errors
61
What does a single source of truth in ERP reduce?
Risk of inconsistencies
62
What is the responsibility of a Cloud Service Provider (CSP)?
Infrastructure components (networking, storage, servers)
63
What are IT infrastructure assets?
Hardware and software components of an IT system
64
What types of IT infrastructure assets exist?
Physical or virtual, on-premises or cloud-based
65
What is the purpose of categorizing IT infrastructure assets?
Efficient incident response and effective asset management
66
What are examples of IT infrastructure assets?
* Modems * Routers * Switches * Hubs * Firewalls
67
What is a firewall?
A security device that controls the flow of data into and out of an information system at its network entry points
68
What does a firewall monitor and filter?
Network traffic, based on rules such as protocol, port, and source/destination address
69
What is the function of switches in a network?
Move data between connected devices
70
What do servers do?
Store, process, and manage data
71
What is the purpose of VPNs?
Prevent unauthorized access and eavesdropping by establishing secure (encrypted and authenticated) communication channels across untrusted networks
72
Fill in the blank: A firewall ______ the flow of data into and out of an information system.
controls
73
True or False: A shared database in ERP systems allows for multiple entries of the same data.
False
74
What are some risks associated with cloud computing?
Creating dependency relationships, reliability and performance issues, vendor lock-in, security threats, data leakage, compliance concerns ## Footnote These risks can significantly affect organizations' operations and data security.
75
What does trust services criterion PI1.1 require?
Entities must define data for reporting obligations ## Footnote This criterion is essential for ensuring transparency and accountability in data management.
76
What are the types of application controls?
Input, Processing, Output ## Footnote These controls help in error prevention, detection, and correction.
77
Name three types of input controls.
Validity checks, Range (limit) checks, Authorization checks ## Footnote Input controls are crucial for ensuring that data entered into applications is accurate and authorized.
78
What are some examples of processing controls?
Data validation, Sequence checks, Completeness checks, Duplication checks, File identification checks ## Footnote These controls ensure that data is processed correctly and completely.
79
List some types of output controls.
Distribution lists, Printer security, Storage controls, Confidentiality controls, Data transmission controls ## Footnote Output controls are important for protecting the integrity and confidentiality of the data produced by applications.
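An added example (not from the original cards) that runs the input and processing controls named in the last few cards, and the online data entry controls card earlier, over a constructed batch of journal entries: completeness, validity, range (limit) and authorization checks on each record, then sequence and duplication checks across the batch, with only the records that pass every control accepted for posting. The chart of accounts, approver list, amount limit and the transactions themselves are assumptions for illustration.

```python
from datetime import date

# Assumed reference data (not from the original material).
VALID_ACCOUNTS = {"1000", "2000", "4000", "5000"}     # chart of accounts
AUTHORIZED_APPROVERS = {"jdoe", "asmith"}
AMOUNT_LIMIT = 10_000.00                              # range (limit) check ceiling
REQUIRED = ("seq", "account", "amount", "approver", "date")

# Constructed batch of journal entries; the comment on each bad record names
# the control it should trip.
BATCH = [
    {"seq": 1, "account": "1000", "amount": 2500.00,  "approver": "jdoe",    "date": "2024-03-01"},
    {"seq": 2, "account": "9999", "amount": 100.00,   "approver": "jdoe",    "date": "2024-03-01"},  # validity: account
    {"seq": 3, "account": "4000", "amount": 15000.00, "approver": "asmith",  "date": "2024-03-01"},  # range: over limit
    {"seq": 5, "account": "2000", "amount": 300.00,   "approver": "asmith",  "date": "2024-03-02"},  # sequence: 4 missing
    {"seq": 5, "account": "2000", "amount": 300.00,   "approver": "asmith",  "date": "2024-03-02"},  # duplication
    {"seq": 6, "account": "5000", "amount": 42.00,    "approver": "mallory", "date": "2024-03-02"},  # authorization
    {"seq": 7, "account": "5000", "amount": 42.00,    "approver": "jdoe",    "date": "2024-13-02"},  # validity: date
    {"seq": 8, "account": "1000", "amount": None,     "approver": "jdoe",    "date": "2024-03-03"},  # completeness
]


def input_controls(txn):
    """Input controls on one record. Returns [(control, message), ...]."""
    findings = []
    missing = [k for k in REQUIRED if txn.get(k) is None]
    if missing:                                            # completeness check
        findings.append(("completeness", "missing " + ", ".join(missing)))
    if txn.get("account") not in VALID_ACCOUNTS:           # validity check
        findings.append(("validity", f"unknown account {txn.get('account')}"))
    try:                                                   # validity check
        date.fromisoformat(txn.get("date") or "")
    except ValueError:
        findings.append(("validity", f"bad date {txn.get('date')!r}"))
    amount = txn.get("amount")
    if amount is not None and not 0 < amount <= AMOUNT_LIMIT:   # range (limit) check
        findings.append(("range", f"amount {amount} outside (0, {AMOUNT_LIMIT}]"))
    if txn.get("approver") not in AUTHORIZED_APPROVERS:    # authorization check
        findings.append(("authorization", f"approver {txn.get('approver')!r} not authorized"))
    return findings


def processing_controls(batch):
    """Batch-level sequence and duplication checks. Returns [(seq, control, message), ...]."""
    findings, seen = [], set()
    expected = batch[0]["seq"] if batch else None
    for txn in batch:
        seq = txn["seq"]
        if seq in seen:                                    # duplication check
            findings.append((seq, "duplication", f"seq {seq} already processed"))
            continue
        if seq != expected:                                # sequence check
            findings.append((seq, "sequence", f"expected seq {expected}, got {seq}"))
        seen.add(seq)
        expected = seq + 1
    return findings


def run_controls(batch=BATCH):
    """All findings for the batch as (seq, control, message) tuples."""
    findings = [(t["seq"], c, m) for t in batch for c, m in input_controls(t)]
    return findings + processing_controls(batch)


def accepted_seqs(batch=BATCH):
    """Sequence numbers that pass every control and may be posted."""
    flagged = {seq for seq, _, _ in run_controls(batch)}
    return [t["seq"] for t in batch if t["seq"] not in flagged]


if __name__ == "__main__":
    for seq, control, message in run_controls():
        print(f"seq {seq}: {control:13} {message}")
    print("accepted:", accepted_seqs())
```

The split between the two functions mirrors the cards: input controls only need the one record in front of them, while sequence and duplication checks are processing controls because they need the rest of the batch for context. Rejected records would go back to the data entry screen for correction and resubmission rather than being silently dropped.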
80
What is technology debt?
The cost of maintenance for existing systems plus the opportunity cost of not switching to modern systems ## Footnote Technology debt can hinder an organization's ability to innovate and stay competitive.
81
What are common sources of technology debt?
Heavily customized IT systems, obsolete technology, reliance on short-term solutions ## Footnote These sources contribute to increased maintenance costs and missed opportunities for improvement.
82
How do heavily customized systems affect technology debt?
They are harder to improve with off-the-shelf updates and difficult to interface with other systems ## Footnote This can lead to increased complexity and costs in managing IT systems.
83
What impact do short-term solutions have on technology debt?
They prevent organizations from focusing on long-term strategy ## Footnote This can result in a continuous cycle of debt accumulation as organizations prioritize immediate fixes over sustainable improvements.
84
How does obsolete technology contribute to technology debt?
It generally requires more maintenance and creates high opportunity costs ## Footnote Organizations may miss out on capabilities that could have been achieved with newer technology.
85
Which of the following controls is particular to a specific process or subsystem, rather than related to the timing of its occurrence?
Application
86
What document describes what the system will do? What three things does it address?
Systems specification document
  1. Description of functional user requirements
  2. Description of non-functional requirements
  3. Description of data elements
87
What join generates an output of the matching records in both tables?
Inner join
88
Under PaaS, what two components remain the customer's responsibility?
Application and data
90
The CIA triad is associated with which of the following CIS controls?
Data recovery: restores data to the state it was in before the security incident (supporting availability and integrity)
91
What is the primary purpose and focus of NIST SP 800-53?
Security and privacy controls for information systems and organizations
92
Which of the following components of the NIST Cybersecurity Framework identifies the outcomes an organization has prioritized and selected to remediate control gaps?
Profiles
93
According to the NIST Privacy Framework, which function involves developing and implementing control activities to manage data with sufficient granularity for managing privacy risks?
Control-P
94
According to the NIST Privacy Framework, which function involves developing the organization's understanding needed to manage privacy risk for individuals?
Identify-P
95
According to the NIST Privacy Framework, which function involves developing and implementing a governance structure that enables an ongoing understanding of the organization's priorities?
Govern-P
96
Which phase is "obtain an understanding" connected with?
Planning
97
What are the three purposes for which a CPA must gain an understanding?
Gain an understanding of the subject matter in order to (1) identify risks, (2) assess the risk of material misstatement, and (3) design further procedures
98
What qualifies something as a built-in feature?
If it is installed during the post-implementation phase
99
What are the 5 phases of a business impact analysis?
  1. Prepare: identify stakeholders and define goals
  2. Gather information: collect data about stakeholder needs
  3. Analyze: quantify the impact of disruptions to critical business processes
  4. Write/present the BIA report: create the BIA report and present it to management
  5. Implement: implement the BIA plan
100
Pros and cons of differential backup?
Advantages
  1. Provides more efficient restoration than incremental (only the full plus the latest differential are needed)
  2. Requires less storage than using only full backups
  3. Offers a middle-ground solution
Disadvantages
  1. Longer restoration time than a full backup
  2. Requires more storage than incremental backups, and each differential grows until the next full backup
101
What should you do with critical patches, and what should you do after they are deployed?
Deploy them immediately under the emergency change procedure, without the normal testing cycle; then conduct a post-implementation review.
102
What does this pertain to? Data definitions must:
  • Be available to data users
  • Contain specific information about the data (e.g., nature of fields, sources, units of measurement, time periods)
  • Be complete and accurate
  • Identify any information necessary to understanding each data element
Processing integrity
103
Pros and cons of full backup?
Pros
  • Easy to store and manage
  • Fastest restoration after a disaster
Cons
  • Backups are slow
  • Takes a lot of storage space
  • Resource intensive
  • If compromised, everything is lost
104
Pros and cons of incremental backup?
Pros
  • Fast backup of increments
  • Less storage needed
  • Can be run frequently
Cons
  • Longer restore time
  • Restore must be completed in the correct order (full backup first, then every increment in sequence)
  • Each increment must be backed up correctly; one bad increment breaks the chain
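An added example (not part of the original cards) that models the trade-offs in the three backup cards on a constructed file set: a full backup on day 0 followed by six days of full, incremental or differential backups. It counts the file copies each strategy retains (a proxy for backup time and storage), lists the backup sets a restore needs and the order they must be applied in, checks that each strategy restores the right file versions, and shows that applying incrementals out of order restores the wrong version. The file names and the daily change pattern are assumptions for illustration.

```python
# Constructed example (assumed data, not from the original material):
# eight files and which of them change on each of six days after a
# full backup taken on day 0.
FILES = {"a", "b", "c", "d", "e", "f", "g", "h"}
DAILY_CHANGES = {1: {"a"}, 2: {"a", "b"}, 3: {"c"}, 4: {"a", "d"},
                 5: {"e"}, 6: {"b", "f"}}


def current_versions(day, files=FILES, changes=DAILY_CHANGES):
    """Version of every file on `day`: the last day (<= day) it changed, 0 if never."""
    versions = {f: 0 for f in files}
    for d in range(1, day + 1):
        for f in changes.get(d, ()):
            versions[f] = d
    return versions


def backup_sets(strategy, files=FILES, changes=DAILY_CHANGES):
    """Backup sets {day: {file: version}} for a day-0 full plus `strategy` on days 1..N."""
    sets = {0: current_versions(0, files, changes)}
    since_full = set()
    for day in sorted(changes):
        versions = current_versions(day, files, changes)
        if strategy == "full":
            captured = files                 # everything, every day
        elif strategy == "incremental":
            captured = changes[day]          # changed since the previous backup of any kind
        elif strategy == "differential":
            since_full |= changes[day]       # changed since the last full backup
            captured = since_full
        else:
            raise ValueError(f"unknown strategy {strategy!r}")
        sets[day] = {f: versions[f] for f in captured}
    return sets


def storage_used(sets):
    """Total file copies retained across all sets: a proxy for backup time and storage."""
    return sum(len(s) for s in sets.values())


def restore_chain(strategy, day):
    """Backup sets needed to restore to `day`, in the order they must be applied."""
    if strategy == "full":
        return [day]
    if strategy == "differential":
        return [0, day] if day else [0]
    return list(range(day + 1))              # incremental: full, then every increment


def restore(sets, chain):
    """Apply the chain; later sets overwrite earlier versions of the same file."""
    state = {}
    for day in chain:
        state.update(sets[day])
    return state


if __name__ == "__main__":
    for strategy in ("full", "incremental", "differential"):
        sets = backup_sets(strategy)
        chain = restore_chain(strategy, 6)
        ok = restore(sets, chain) == current_versions(6)
        print(f"{strategy:12} storage={storage_used(sets):2} restore sets={len(chain)} correct={ok}")
    # Incrementals applied out of order (day 4 before days 3 and 2) leave
    # file "a" at version 2 instead of 4.
    bad = restore(backup_sets("incremental"), [0, 1, 4, 3, 2, 5, 6])
    print("out-of-order incremental restore, file a:", bad["a"])
```

On this data the numbers line up with the cards: full retains 56 copies and restores from one set, incremental retains 17 but needs all seven sets in order, and differential sits in between at 29 copies and two sets, with each day's differential growing until the next full backup resets it.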
105
Which NIST CSF implementation tier bases its risk management on past, present, and predictive factors?
Tier 4, Adaptive
106
What control is responsible for developing policies and procedures to govern cloud computing services?
Control activities
107
What reduces the risk of double spending in a blockchain system?
Consensus mechanism: ensures transactions are validated and agreed upon by the network participants before they are added to the chain
108
What service is this? Provides the basic building blocks for cloud IT and typically provides access to IT assets from a cloud provider who charges on a pay-as-you-go basis.
IAAS
109
What service is this? Refers to cloud computing services that supply an on-demand environment for developing, testing, delivering, and managing software applications, allowing developers to focus on creating and delivering those applications rather than worrying about resource procurement, capacity planning, software maintenance, or infrastructure management.
PAAS
110
What service is this? Delivers software applications over the internet, on demand, and typically on a subscription basis.
SAAS
111
What is the main purpose of RAID (redundant array of inexpensive or independent disks)?
To provide redundancy: data is spread or mirrored across several disks so that if one disk fails, the data remains immediately available. RAID protects against disk failure only; it is not a backup, because deletions, corruption, and ransomware are written to every disk in the array.
112
What allows the cloud infrastructure to adapt and allocate resources based on demand? During peak hours, it ensures that the website can handle increased traffic effectively.
Dynamic scaling
113
What agreement allows two organizations to back each other up with their own facilities?
reciprocal agreement
114
What plans have a dual purpose in that they function as both preventive and recovery controls?
Contingency plans
115
What is challenging to sell to companies because it requires "up-front" money and commitment from management?
Mitigation
116
What are devices that connect other devices to a network, allowing users to share files, access resources, and collaborate?
Network equipment (e.g., a wireless access point)
117
In which cloud computing model does the cloud service provider have the fewest service delivery responsibilities?
IAAS
118
SaaS manages which of the following components that are not managed by the provider in a PaaS model?
Data and application