Chapter 4 - Risk and control of information systems Flashcards

1
Q

Risks to information processing facilities may arise from?

A
  • Dissatisfied employees might deliberately modify or destroy information in the system
  • A hacker or industrial spy might break into the system
  • Viruses or malicious software could be introduced
  • Accidental mistakes could be made on input to the system
  • Inadequate security of the hardware or data
  • Faults in the hardware system
2
Q

Advantages of Intranets and the Internet

A
  • Employees have ready access to vast sources of external data that would not otherwise be available. Using external information can help to improve the quality of decision making
  • Organisations can advertise their goods and services on a website and provide other information that helps to promote their image
  • etc.
3
Q

What types of controls should be applied cost-effectively to reduce IS risk to an acceptable level?

A
  • General controls - ensure appropriate use of computer systems and security against loss of data
  • Application controls - designed for each individual application; detect and correct transaction processing errors
  • Software controls - ensure that the software used is authorised
  • Network controls - have arisen in response to the growth of distributed processing and e-commerce
4
Q

What is an alternative classification of IS controls?

A
  • Security controls - controls designed to prevent unauthorised access, modification or destruction of stored data
  • Integrity controls - controls to ensure that the data are accurate, consistent and free from accidental corruption
  • Contingency controls - in the event that security or integrity controls fail, there must be a back-up facility and a contingency plan to restore business operations as quickly as possible
5
Q

List problems with password systems

A
  • Authorised users may divulge their password to a colleague
  • Many passwords have associations with the user, so a hacker can discover them by experimentation
  • Passwords are often written down close to the computer and so are easily discovered
6
Q

What needs to be done to protect passwords and user numbers against discovery?

A
  • Change passwords regularly
  • Passwords should be memorable but not obviously related to a user’s private life
  • Users should be encouraged never to write down their passwords
  • Strict controls over passwords - they should never be lent, or written down where they can be easily seen
  • There should be automatic sentinel or watchdog programs to identify when a password has been keyed incorrectly
7
Q

List physical facility controls that restrict access to sensitive areas

A
  • Security guards in buildings
  • Working areas to which access is through a locked door, a door with an ID card entry system, or an entry system requiring the user to enter a PIN
  • Using safes and lockable filing cabinets
  • CCTV used to monitor what is happening in a particular part of a building - this may be backed up by security video cameras
  • Doors automatically locked in the event of a security alarm
8
Q

An oil company uses a mainframe computer for a major system and the management believe that it is essential that the continuity of processing must be assured at all times. Which of the following risk control measures is the most appropriate for ensuring that this happens?

A A secure password protection system
B A standby mainframe
C Surplus capacity in the memory of the operational mainframe
D Fire safety measures

A

B. The standby mainframe must be in another location, with files continually backed up to it

9
Q

The Data Protection Act (DPA) was needed to protect individuals against the misuse of personal data. This was necessary due to:

A
  • Easy interrogation of large files
  • Speed of response (less control)
  • Interrogation from outside
  • Entire files can be copied or transmitted in seconds
  • Computer systems can be cross-linked to obtain personal profiles
  • Individuals’ records can be selected easily through the search facilities
10
Q

Key principles of DPA:

A
  • Personal information shall be obtained and processed fairly and lawfully
  • Personal data shall be held and used only for specified purposes
  • Personal data shall be adequate, relevant and not excessive in relation to those specified purposes
  • Personal data shall be accurate and kept up to date
  • Personal data should not be kept for longer than is necessary
  • A data subject is entitled to be informed and is:
    - entitled to access
    - entitled to have data corrected or erased
  • A data user is responsible for the security and protection of data held against unauthorised access, alteration, destruction, disclosure or accidental loss
11
Q

Exemptions to the Act. Data subjects are not entitled to see their personal data if it is held for:

A
  • Law enforcement purposes
  • Revenue purposes
  • Statistical and research purposes
  • Regulation of financial services
  • Legally privileged reasons
  • Back-up security reasons
  • Social work
  • Medical purposes
12
Q

The following are exempt from the provisions of the Act:

A
  • Manual records
  • Payroll, pension, test preparation, etc.

13
Q

Which of the following are application controls? (Select all that apply)

A   Pre-numbered forms
B   Validation checks
C   Buying software from reputable dealers
D   Renewing licences
E   Firewalls
F   Access logging
A

A and B. C and D are software controls, E is a network control and F is a more general control

14
Q

The systems development life cycle (SDLC) is assumed knowledge at this level. However, there are six stages within the SDLC, each with several activities involved. List those activities:

A
  1. Planning - project initiation document, project quality plan, work breakdown structure, budget
  2. Analysis - get to the root of the problem via user involvement in the form of interviews and questionnaires, and a review of complaints
  3. Design - prototyping
  4. Development - build the system which has been agreed on
  5. Implementation - staff training, file conversion, documentation, testing
  6. Review - post-completion audit/review of quality, cost and timescale
15
Q

The system development lifecycle has six stages. The correct order of four of the stages is:

A Analysis; development; design; review
B Analysis; design; development; review
C Planning; analysis; development; design
D Planning; design; analysis; review

A

B

16
Q

CP Ltd are implementing a new, bespoke computer system to replace an existing system. The stages they have gone through so far include the purchase and installation of the hardware, software development, system testing, staff training and the production of system documentation. This will be followed by:

A File conversion, database creation and changeover
B File conversion, database creation and review
C Changeover and review
D Changeover and maintenance

A

A

17
Q

List changeover methods

A
  • Direct changeover
  • Parallel running
  • Pilot changeover
  • Phased changeover
18
Q

What is direct changeover?

A

This is where the old system is switched off and the new system is switched on. It is appropriate when the two systems are very different or when it is too expensive to run both systems. Although this method is cheap, it is also risky: if the new system doesn’t work properly, the company might be unable to revert to the old system quickly.

19
Q

What is parallel changeover?

A

The old and new systems are run together for a period of time, until it feels safe to switch the old system off. This method is costly; however, it is less risky than direct changeover.

20
Q

What is pilot changeover?

A

This is where one part of the business changes over first. When the system operates correctly there, the rest of the business changes over. The pilot department or division could use direct or parallel changeover. Again, this is a safer method of changeover, as only one part of the business is affected if anything goes wrong. However, when the system is rolled out across the rest of the company there may be different problems in each location, and the IT team’s resources will be stretched.

21
Q

What is phased changeover?

A

This involves bringing in the new system one part of the business at a time, say by department or division. It differs from pilot changeover in that all departments or divisions are staggered with respect to receiving the new system. The downside is that this method is time-consuming. However, it is the least risky method: should there be a problem in any particular division, the IT staff are able to deal with the problems one at a time.

22
Q

The most risky changeover method is:

A

Direct changeover

23
Q

A post-implementation review should establish whether the objectives of a project have been met. When appraising a new system after changeover, comparison should be made between predicted and actual performance (variance analysis). This might include what?

A
  • Throughput speed
  • Number of errors or queries
  • Cost of processing
  • Amount of downtime

The review would also need to cover whether users’ needs had been met.

24
Q

Why should the review not be performed too soon after the new system goes live?

A

Because ‘teething problems’ and lack of user familiarity will distort the results.