Exam 1 Flashcards
an intentional act where the intent is to destroy a system or some of its components
sabotage
a text file created by a Web site and stored on a visitor’s hard drive. Stores information about who the user is and what the user has done on the site.
Cookie
Any and all means a person uses to gain an unfair advantage over another person
fraud
typically business people who commit fraud. Usually resort to trickery or cunning, and their crimes usually involve a violation of trust or confidence
White-collar criminals
dishonest conduct by those in power which often involves actions that are illegitimate, immoral, or incompatible with ethical standards. Examples include bribery and bid rigging.
Corruption
Misrepresenting or leaving out facts in order to promote an investment that promises fantastic profits with little or no risk. Examples include Ponzi schemes and securities fraud
investment fraud
theft of company assets by employees
misappropriation of assets
intentional or reckless conduct, whether by act or omission, that results in materially misleading financial statements.
fraudulent financial reporting
pressure, rationalization, and opportunity
fraud triangle
a person’s incentive or motivation for committing fraud; could be financial, lifestyle, or emotional. Also management characteristics, industry conditions, and financial can lead to financial statement fraud
pressure
the condition or situation that allows a person or organization to commit and conceal a dishonest act and convert it to personal gain. Commit, conceal, and convert
opportunity
concealing the theft of cash by means of a series of delays in posting collections to accounts receivable
lapping
creating cash using the lag between the time a check is deposited and the time it clears the bank.
check kiting
the excuse that fraud perpetrators use to justify their illegal behaviors. Ex. “I’m only borrowing it,” “The company owes me, I am only taking what is rightfully mine.”
rationalization
any type of fraud that requires computer technology to perpetrate
computer fraud
easiest type of computer fraud, involves falsifying or altering computer input
input fraud
includes unauthorized system use, including the theft of computer time and services
processor fraud
includes tampering with company software, copying software illegally, using software in an unauthorized manner, and developing software to carry out an unauthorized activity
computer instructions fraud
illegally using, copying, browsing, searching, or harming computer data
data fraud
displayed or printed output that is stolen or copied or misused
output fraud
controls that deter problems before they arise.
preventive controls
controls designed to discover control problems that were not prevented
detective controls
controls that identify and correct problems as well as correct and recover from the resulting errors.
corrective controls
controls designed to make sure an organization’s information system and control environment is stable and well managed.
general controls
controls that prevent, detect, and correct transaction errors and fraud in application programs
application controls
system that describes how a company creates value, helps employees understand management’s vision, communicates company core values, and inspires employees to live by those values
belief system
system that helps employees act ethically by setting boundaries on employee behavior
boundary system
system that measures, monitors, and compares actual company progress to budgets and performance goals.
diagnostic control system
system that helps managers to focus subordinates’ attention on key strategic issues and to be more involved in their decisions
interactive control system
a security and control framework that allows (1) management to benchmark the security and control practices of IT environments, (2) users of IT services to be assured that adequate security and control exist, and (3) auditors to substantiate their internal control opinions and advise on IT security and control matters.
Control Objectives for Information and Related Technology (COBIT)
includes control environment, risk assessment, control activities, information and communication, and monitoring as guidance for evaluating and enhancing internal control systems
Committee of Sponsoring Organizations (COSO) Internal Control-Integrated Framework
Includes Internal environment, objective setting, event identification, risk assessment, risk response, control activities, information and communication, and monitoring as guidance for evaluating and enhancing internal control systems
Enterprise Risk Management framework (ERM)
The company culture that is the foundation for all other ERM components, as it influences how organizations establish strategies and objectives, structure business activities, and identify, assess, and respond to risk.
internal environment
the amount of risk a company is willing to accept to achieve its goals and objectives. To avoid undue risk, risk appetite must be in alignment with company strategy
Risk appetite
the outside, independent board of director members responsible for financial reporting, regulatory compliance, internal control, and hiring and overseeing internal and external auditors
audit committee
a document that explains proper business practices, describes needed knowledge and experience, explains document procedures, explains how to handle transactions, and lists the resources provided to carry out specific duties
policy and procedures manual
an investigation of a prospective or current employee that involves verifying their educational and work experience, talking to references, checking for a criminal record or credit problems, and examining other publicly available information
background check
high level goals that are aligned with and support the company’s mission and create shareholder value
strategic objectives
objectives that deal with the effectiveness and efficiency of company operations and determine how to allocate resources
operations objectives
objectives to help ensure the accuracy, completeness, and reliability of company reports; improve decision making; and monitor company activities and performance
reporting objectives
objectives to help the company comply with all applicable laws and regulations
compliance objectives
a positive or negative incident or occurrence from internal or external sources that affects the implementation of strategy or the achievement of objectives.
event
the susceptibility of a set of accounts or transactions to significant control problems in the absence of internal control
inherent risk
the risk that remains after management implements internal controls or some other response to risk
residual risk
Impact × likelihood = ...
the product of the potential dollar loss that would occur should a threat become a reality and the risk or probability that the threat will occur
Expected loss
policies, procedures and rules that provide reasonable assurance that control objectives are met and risk responses are carried out
control activities
separating the accounting functions of authorization, custody, and recording to minimize an employee’s ability to commit fraud
segregation of duties
cooperation of two or more people in an effort to thwart internal controls
collusion
employing multiple layers of controls to avoid a single point of failure
defense-in-depth
implementing a combination of preventive, detective, and corrective controls that protect information assets long enough to enable an organization to recognize that an attack is occurring and take steps to thwart it before any information is lost or compromised
time-based model of security
using deception to obtain unauthorized access to information resources
social engineering
verifying the identity of the person or device attempting to access the system; usually includes something you know, something you have, or some physical or behavioral characteristic
authentication
a physical or behavioral characteristic that is used as an authentication credential
biometric identifier
the use of two or more types of authentication credentials in conjunction to achieve a greater level of security
multifactor authentication
the use of multiple authentication credentials of the same type to achieve a greater level of security
multimodal authentication
the process of restricting access of authenticated users to specific portions of the system and limiting what actions they are permitted to perform
authorization
a table used to implement authorization controls
access control matrix
matching the user’s authentication credentials against the access control matrix to determine whether that employee should be allowed to access that resource and perform the requested action.
compatibility test
a device that connects an organization’s information system to the internet
border router
a special-purpose hardware device or software running on a general-purpose computer that controls both inbound and outbound communication between the system behind the firewall and other networks
firewall
a separate network located outside the organization’s internal information system that permits controlled access from the internet
demilitarized zone
special-purpose devices designed to read the source and destination address fields in IP packet headers to decide where to send the packet next
routers
a set of if-then rules used to determine what to do with arriving packets
access control list (ACL)
a process that uses various fields in a packet’s IP and TCP headers to decide what to do with the packet
packet filtering
a process that examines the data in the body of a TCP packet to control traffic, rather than looking only at the information in the IP and TCP headers. Usually takes longer but is more secure
deep packet inspection
software or hardware that monitors patterns in the traffic flow to identify and automatically block attacks
intrusion prevention systems (IPS)
a standard method for verifying the identity of users attempting to connect via dial-in access
remote authentication dial-in user service (RADIUS)
searching for an idle modem by programming a computer to dial thousands of phone lines
war dialing
collective term for the workstations, servers, printers, and other devices that comprise an organization’s network
endpoints
flaws in programs that can be exploited to either crash the system or take control of it
vulnerabilities
automated tools designed to identify whether a given system possesses any unused and unnecessary programs that represent potential security threats.
vulnerability scanners
the process of modifying the default configuration of endpoints to eliminate unnecessary settings and devices
hardening
the formal process used to ensure that modifications to hardware, software, or processes do not reduce system reliability
change control and change management
the process of examining logs to identify evidence of possible attacks
log analysis
a system that creates logs of all network traffic that was permitted to pass the firewall and then analyzes those logs for signs of attempted or successful intrusions.
intrusion detection system (IDS)
an authorized attempt to break into the organization’s information system
penetration test
a team that is responsible for dealing with major security incidents
computer incident response team (CIRT)
a program designed to take advantage of a known vulnerability
exploit
code released by software developers that fixes a particular vulnerability
patch
the process of regularly applying patches and updates to software
patch management
running multiple systems simultaneously on one physical computer
virtualization
using a browser to remotely access software, data storage, hardware, and applications
cloud computing
a record of company data sent to an external party and then returned by the external party for subsequent input to the system
turnaround document
an edit check that tests whether the characters in a field are of the correct field type (ex. numeric data in numeric fields)
field check
an edit check that verifies that the data in a field have the appropriate arithmetic sign
sign check
an edit check that tests a numerical amount against a fixed value
limit check
an edit check that tests whether a data item falls within predetermined upper and lower limits
range check
an edit check that ensures that the input data will fit into the assigned field.
size check
an edit check that verifies that all data required have been entered
completeness check (or test)
an edit test that compares the ID code or account number in transaction data with similar data in the master file to verify that the account exists
validity check
an edit check of the logical correctness of relationships among data items
reasonableness test
ID numbers (such as employee number) can contain a check digit computed from the other digits
check digit
recalculating a check digit to verify that a data entry error has not been made
check digit verification
an edit check that determines if a batch of input data is in the proper numerical or alphabetical sequence
sequence check
the sum of a numerical item for a batch of documents, calculated prior to processing the batch, when the data are entered, and subsequently compared with computer-generated totals after each processing step to verify that the data was processed correctly
batch totals
a type of batch total that equals the sum of a field that contains monetary values, or something that you would normally add like total hours worked
financial total
a type of batch total generated by summing values for a field that would not usually be totaled
hash total
a type of batch total that equals the number of records processed at a given time
record count
an online data entry completeness check that requests each required item of input data and then waits for an acceptable response before requesting the next required item
prompting
an input validation method that uses data entered into the system to retrieve and display other related information so that the data entry person can verify the accuracy of the input data
closed-loop verification
type of internal label that appears at the beginning of each file and contains the file name, expiration date, and other file identification information.
header record
type of internal label that appears at the end of a file; in transaction files, the trailer record contains the batch totals calculated during input
trailer record
an error that results when numbers in two adjacent columns are inadvertently exchanged
transposition error
a processing control which verifies accuracy by comparing two alternative ways of calculating the same total
cross-footing balance test
a processing control that verifies that the balance of a control account equals zero after all entries to it have been made
zero-balance test
controls that lock out users to protect individual records from errors that could occur if multiple users attempted to update the same record simultaneously
concurrent update controls
a data transmission control that uses a hash of a file to verify accuracy
checksum
an extra bit added to every character; used to check transmission accuracy
parity bit
a data transmission control in which the receiving device recalculates the parity bit to verify accuracy of transmitted data
parity checking
the capability of a system to continue performing when there is a hardware failure
fault tolerance
a fault tolerance technique that records data on multiple disk drives instead of just one to reduce the risk of data loss
redundant arrays of independent drives (RAID)
an alternative power supply device that protects against the loss of power and fluctuations in the power level by using battery power to enable the system to operate long enough to back up critical data and safely shut down
uninterruptible power supply (UPS)
a copy of a database, file or software program
backup
the amount of data the organization is willing to reenter or potentially
recovery point objective (RPO)
to restore an organization’s information system following a disaster, representing the length of time that the organization is willing to attempt to function without its information system
recovery time objective (RTO)
maintaining complete copies of a database at two separate data centers and updating both copies in real-time as each transaction occurs
real-time mirroring
exact copy of an entire database
full backup
a type of partial backup that involves copying only the data items that have changed since the last partial backup. This produces a set of incremental backup files, each containing the results of one day’s transactions
incremental backup
a type of partial backup that involves copying all changes made since the last full backup. Thus, each new differential backup file contains the cumulative effects of all activity since the last full backup.
differential backup
a copy of a database, master file, or software that is retained indefinitely as a historical record, usually to satisfy legal and regulatory requirements
archive
a plan to restore an organization’s IT capability in the event that its data center is destroyed
disaster recovery plan (DRP)
a disaster recovery option that relies on access to an alternative facility that is prewired for necessary telephone and internet access, but does not contain any computing equipment
Cold site
a disaster recovery option that relies on access to a completely operational alternative data center that is not only prewired but also contains all necessary hardware and software
hot site
a plan that specifies how to resume not only IT operations but all business processes in the event of a major calamity
business continuity plan (BCP)