Exam 1

Question 1

an intentional act where the intent is to destroy a system or some of its components

Answer 1

sabotage

Question 2

a text file created by Web site and stored on a visitor’s hard drive. Store information about who the user is and what the user has done on the site.

Answer 2

Cookie

Question 3

Any and all means a person uses to gain an unfair advantage over another person

Answer 3

fraud

Question 4

typically business people who commit fraud. Usually resort to trickery or cunning, and their crimes usually involve a violation of trust or confidence

Answer 4

White-collar criminals

Question 5

dishonest conduct by those in power which often involves actions that are illegitimate, immoral, or incompatible with ethical standards. Examples include bribery and bid rigging.

Answer 5

Corruption

Question 6

Misrepresenting or leaving out facts in order to promote and investment that promises fantastic profits with little or no risk. Examples include Ponzi schemes and securities fraud

Answer 6

investment fraud

Question 7

theft of company assets by employees

Answer 7

misappropriation of assets

Question 8

intentional or reckless conduct, whether by act or omission, that results in materially misleading financial statements.

Answer 8

fraudulent financial reporting

Question 9

pressure, rationalization, and opportunity

Answer 9

fraud triangle

Question 10

a person’s incentive or motivation for committing fraud; could be financial, lifestyle, or emotional. Also management characteristics, industry conditions, and financial can lead to financial statement fraud

Answer 10

pressure

Question 11

the condition or situation that allows a person or organization to commit and conceal a dishonest act and convert it to personal gain. Commit, conceal, and convert

Answer 11

opportunity

Question 12

concealing the theft of cash by means of a series of delays in posting collection to accounts receivable

Answer 12

lapping

Question 13

creating cash using the lag between the time a check is deposited and the time it clears the bank.

Answer 13

check kiting

Question 14

the excuse that fraud perpetrators use to justify their illegal behaviors. Ex. “I’m only borrowing it,” “The company owes me, I am only taking what is rightfully mine.”

Answer 14

rationalization

Question 15

any type of fraud that requires computer technology to perpetrate

Answer 15

computer fraud

Question 16

easiest type of computer fraud, involves falsifying or altering computer input

Answer 16

input fraud

Question 17

includes unauthorized system use, including the theft of computer time and services

Answer 17

processor fraud

Question 18

includes tampering with company software, copying software illegally, using software in an unauthorized manner, and developing software to carry out an unauthorized activity

Answer 18

computer instructions fraud

Question 19

illegally using, copying, browsing, searching, or harming computer data

Answer 19

data fraud

Question 20

displayed or printed output that is stolen or copied or misused

Answer 20

output fraud

Question 21

controls that deter problems before they arise.

Answer 21

preventive controls

Question 22

controls designed to discover control problems that were not prevented

Answer 22

detective controls

Question 23

controls that identify and correct problems as well as correct and recover from the resulting errors.

Answer 23

corrective controls

Question 24

controls designed to make sure tan organization’s information system and control environment is stable and well managed.

Answer 24

general controls

Question 25

controls that prevent, detect, and correct transaction errors and fraud in application programs

Answer 25

application controls

Question 26

system that describes how a company creates value, helps employees understand management’s vision, communicates company core values, and inspires employees to live by those values

Answer 26

belief system

Question 27

system that helps employees act ethically by setting boundaries on employee behavior

Answer 27

boundary system

Question 28

system that measures, monitors, and compares actual company progress to budgets and performance goals.

Answer 28

diagnostic control system

Question 29

system that helps managers to focus subordinates’ attention on key strategic issues and to be more involved in their decisions

Answer 29

interactive control system

Question 30

a security and control framework that allows (1) management to benchmark the security and control practices of IT environments, (2) users of IT services to be assured that adequate security and control exist, (3) auditors to substantiate their internal control opinions and advise on it security and control matters.

Answer 30

Control Objectives for information and related technology (COBIT)

Question 31

includes Control Environment, Risk assessment, control activities, information and communication, and monitoring as guidance for evaluating and enhancing internal control systems

Answer 31

Committee of Sponsoring Organizations (Coso) Internal Control-Integrated framework

Question 32

Includes Internal environment, objective setting, event identification, risk assessment, risk response, control activities, information and communication, and monitoring as guidance for evaluating and enhancing internal control systems

Answer 32

Enterprise Risk Management framework (ERM)

Question 33

The company culture that is the foundation for all other ERM components as it influences how organizations establish strategies and objectives; structure business activities and identify, assess, and respond to risk.

Answer 33

internal environment

Question 34

the amount of risk a company is willing to accept to achieve its goals and objectives, To avoid undue risk, risk appetite must be in alignment with company strategy

Answer 34

Risk appetite

Question 35

the outside, independent board of director members responsible for financial reporting, regulatory compliance, internal control, and hiring and overseeing internal and external auditors

Answer 35

audit commitee

Question 36

a document that explains proper business practices, describes needed knowledge and experience, explains document procedures, explains how to handle transactions, and lists the resources provided to carry out specific duties

Answer 36

policy and procedures manual

Question 37

an investigation of a prospective or current employee that involves verifying their educational and work experience, talking to references, checking for a criminal record or credit problems, and examining other publicly available information

Answer 37

background check

Question 38

high level goals that are aligned with and support the company’s mission and create shareholder value

Answer 38

strategic objectives

Question 39

objectives that deal with the effectiveness and efficiency of company operations and determine how to allocate resources

Answer 39

operations objectives

Question 40

objectives to help ensure the accuracy, completeness, and reliability of company reports; improve decision making; and monitor company activities and performance

Answer 40

reporting objectives

Question 41

objectives to help the company comply with all applicable laws and regulations

Answer 41

compliance objectives

Question 42

a positive or negative incident or occurrence from internal or external sources that affects the implementation of strategy or the achievement of objectives.

Answer 42

event

Question 43

the susceptibility of a set of accounts or transactions to significant control problems in the absence of internal control

Answer 43

inherent risk

Question 44

the risk that remains after management implements internal controls or some other response to risk

Answer 44

residual risk

Question 45

Impact x likelihood= . . .
the product of the potential dollar loss that would occur should a threat become a reality and the risk or probability that the threat will occur

Answer 45

Expected loss

Question 46

policies, procedures and rules that provide reasonable assurance that control objectives are met and risk responses are carried out

Answer 46

control activities

Question 47

separating the accounting functions of authorization, custody, and recording to minimize an employee’s ability to commit fraud

Answer 47

segregation of duties

Question 48

cooperation of two or more people in an effort to thwart internal controls

Answer 48

collusion

Question 49

employing multiple layers of controls to avoid a single point failure

Answer 49

defense-in-depth

Question 50

implementing a combination of preventive, detective, and corrective controls that protect information assets long enough to enable an organization to recognize that an attack is occurring and take steps to thwart it before any information is lost or compromised

Answer 50

time-based model of security

Question 51

using deception to obtain unauthorized access to information resources

Answer 51

social engineering

Question 52

verifying the identity of the person or device attempting to access the system; usually includes something you know, something you have, or some physical or behavioral characteristic

Answer 52

authentication

Question 53

a physical or behavioral characteristic that is used as an authentication credential

Answer 53

biometric identifier

Question 54

the use of two or more types of authentication credentials in conjunction to achieve a greater level of security

Answer 54

multifactor authentication

Question 55

the use of multiple authentication credentials of the same type to achieve a greater level of security

Answer 55

multimodal authentication

Question 56

the process of restricting access of authenticated users to specific portions of the system and limiting what actions they are permitted to perform

Answer 56

authorization

Question 57

a table used to implement authorization controls

Answer 57

access control matrix

Question 58

matching the user’s authentication credentials against the access control matrix to determine whether that employee should be allowed to access that resource and perform the requested action.

Answer 58

compatibility test

Question 59

a device that connects an organization’s information system to the internet

Answer 59

border router

Question 60

a special-purpose hardware device or software running a general purpose computer that controls both inbound and outbound communication between the system behind the firewall and other networks

Answer 60

firewall

Question 61

a separate network located outside the organizations internal information system that permits controlled access from the internet

Answer 61

demilitarized zone

Question 62

special purpose devices that are assigned to read the source and destination address fields in IP packet headers to decide where to send the packet next

Answer 62

routers

Question 63

a set of if-then rules used to determine what to do with arriving packets

Answer 63

access control list (ACL)

Question 64

a process that uses various fields in a packet’s IP and TCP headers to decide what to do with the packet

Answer 64

packet filtering

Question 65

a process that examines the data in the body of a TCP packet to control traffic, rather than looking only at the information in the IP and TCP headers. Usually takes longer but is more secure

Answer 65

deep packet inspection

Question 66

software or hardware that monitor patterns in the traffic flow to identify and automatically block attacks

Answer 66

intrusion prevention systems (IPS)

Question 67

a standard method for verifying the identify of users attempting to connect via dial-in access

Answer 67

remote authentication dial-in user service (radius)

Question 68

searching for an idle modem by programming a computer to dial thousands of phone lines

Answer 68

war dialing

Question 69

collective term for the workstations,servers, printers and other devices that comprise an organizations network

Answer 69

endpoints

Question 70

flaws in programs that can be exploited to either crash the system or take control of it

Answer 70

vulnerabilities

Question 71

automated tools designed to identify whether a given system possesses any unused and unnecessary programs that represent potential security threats.

Answer 71

vulnerability scanners

Question 72

the process of modifying the default configuration of endpoints to eliminate unnecessary settings and devices

Answer 72

hardening

Question 73

the formal process used to ensure that modifications to hardware, software, or processes do not reduce systems reliability

Answer 73

change control and change management

Question 74

the process of examining logs to identify evidence of possible attacks

Answer 74

log analysis

Question 75

a system that creates logs of all network traffic that was permitted to pass the firewall and then analyzes those logs for signs of attempted or successful intrusions.

Answer 75

intrusion detection system (IDS)

Question 76

an authorized attempt to break into the organizations information system

Answer 76

penetration test

Question 77

a team that is responsible for dealing with major security incidents

Answer 77

computer incident response team (CIRT)

Question 78

a program designed to take advantage of a known vulnerability

Answer 78

exploit

Question 79

code released by software developers that fixes a particular vulnerability

Answer 79

patch

Question 80

the process of regularly applying patches and updates to software

Answer 80

patch management

Question 81

running multiple systems simultaneously on one physical computer

Answer 81

virtualization

Question 82

using a browser to remotely access software, data storage, hardware, and applications

Answer 82

cloud computing

Question 83

a record of company data sent to an external party and then returned by the external party for subsequent input to the system

Answer 83

turnaround document

Question 84

an edit check that tests whether the characters in a field are of the correct field type (ex. numeric data in numeric fields)

Answer 84

field check

Question 85

an edit check that verifies that the data in a field have the appropriate arithmetic sign

Answer 85

sign check

Question 86

an edit check that tests a numerical amount against a fixed value

Answer 86

limit check

Question 87

an edit check that tests whether a data item falls within predetermined upper and lower limits

Answer 87

range check

Question 88

an edit check that ensures that the input data will fit into the assigned field.

Answer 88

size check

Question 89

an edit check that verifies that all data required have been entered

Answer 89

completeness check (or test)

Question 90

an edit test that compares the ID code or account number in transaction data with similar data in the master file to very f that the account exists

Answer 90

validity check

Question 91

an edit check of the logical correctness of relationships among data items

Answer 91

reasonableness test

Question 92

ID numbers (such as employee number) can contain a check digit computed from the other digits

Answer 92

check digit

Question 93

recalculating a check digit to verify that a data entry error has not been made

Answer 93

check digit verification

Question 94

an edit check that determines if a batch of input data is in the proper numerical or alphabetical sequence

Answer 94

sequence check

Question 95

the sum of a numerical item for a batch of documents, calculated prior to processing the batch, when the data are entered, and subsequently compared with computer-generated totals after each processing step to verify that the data was processed correctly

Answer 95

batch totals

Question 96

a type of batch total that equals the sum of a field that contains monetary values, or something that you would normally add like total hours worked

Answer 96

financial total

Question 97

a type of batch total generated by summing values for a field that would not usually be totaled

Answer 97

hash total

Question 98

a type of batch total that equals the number of records processed at a given time

Answer 98

record count

Question 99

an online data entry completeness check that request each required item of input data and then waits for an acceptable response before requesting the next required

Answer 99

prompting

Question 100

an input validation method that uses data entered into the system to retrieve and display other related information so that the data entry person can verify the accuracy of the input data

Answer 100

closed-loop verification

Question 101

type of internal label that appears at the beginning of each file and contains the file name, expiration date, and other file identification information.

Answer 101

header record

Question 102

type of internal label that appears at the end of a file; in transaction files, the trailer record contains the batch totals calculated during input

Answer 102

trailer record

Question 103

an error that results when numbers in two adjacent columns are inadvertently exchanged

Answer 103

transposition error

Question 104

a processing control which verifies accuracy by comparing two alternative ways of calculating the same total

Answer 104

cross-footing balance test

Question 105

a processing control that verifies that the balance of a control account equals zero after all entries to it have been made

Answer 105

zero-balance test

Question 106

controls that lock out users to protect individual records from errors that could occur if multiple users attempted to update the same record simultaneously

Answer 106

concurrent update controls

Question 107

a data transmission control that uses a hash of a file to very accuracy

Answer 107

checksum

Question 108

an extra bit added to every character; used to check transmission accuracy

Answer 108

parity bit

Question 109

a data transmission control in which the receiving device recalculates the parity bit to verify accuracy of transmitted data

Answer 109

parity checking

Question 110

the capability of a system to continue performing when there is a hardware failure

Answer 110

fault tolerance

Question 111

a fault tolerance technique that records data on multiple disk drives instead of just one to reduce the risk of data loss

Answer 111

redundant arrays of independent drives (RAID)

Question 112

an alternative power supply device that protects against the loss of power and fluctuations in the power level by using battery power to enable the system to operate long enough to back up critical data and safely shut down

Answer 112

uninterruptible power supply (UPS)

Question 113

a copy of a database, file or software program

Answer 113

backup

Question 114

the amount of data the organization is willing to reenter or potentially

Answer 114

recovery point objective (RPO)

Question 115

to restore an organization’s information system following a disaster, representing the length of time that the organization is willing to attempt to function without its information system

Answer 115

recovery time objective (RTO)

Question 116

maintaining complete copies of a database at two separate data centers and updating both copies in real-time as each transaction occurs

Answer 116

real-time mirroring

Question 117

exact copy of an entire database

Answer 117

full backup

Question 118

a type of partial backup that involves copying only the data items that have changed since the last partial backup. This produces a set of incremental backup files, each containing the results of one day’s transactions

Answer 118

incremental backup

Question 119

a type of partial backup that involves copying all changes made since the last full backup. Thus, each new differential backup file contains the cumulative effects of all activity since the last full backup.

Answer 119

differential backup

Question 120

a copy of a database, master file, or software that is retained indefinitely as a historical record, usually to satisfy legal and regulatory requirements

Answer 120

archive

Question 121

a plan to restore an organization’s IT capability in the event that its data center is destroyed

Answer 121

disaster recovery plan (DRP)

Question 122

a disaster recovery option that relies on access to an alternative facility that that is prewired for necessary telephone and internet access, but does not contain any computing equipment

Answer 122

Cold site

Question 123

a disaster recovery option that relies on access to a completely operational alternative data center that is not only prewired but also contains all necessary hardware and softeware

Answer 123

hot site

Question 124

a plan that specifies how to resume not only IT operations but all business processes in the event of a major calamity

Answer 124

business continuity plan (BCP)